The Register® — Biting the hand that feeds IT

Feeds

Linux vulnerable to Windows-style autorun exploits

Caveats abound

By John Leyden, 9th February 2011
  • print
  • alert

Agentless Backup is Not a Myth

A security researcher has demonstrated how it might be possible to perform autorun-style attacks against weakly secured Linux PCs.

Windows worms including Conficker and Stuxnet have often spread onto networks after infected USB sticks were plugged into PCs. This has happened automatically in cases where autorun was enabled, as it did in default on older versions of Windows until a change pushed by Microsoft on Tuesday. With autorun-enabled executable files run with minimal user interaction.

Research by Jon Larimer, of IBM's X-Force security division, shows that the issue of autorun causing possible mischief is not (as might have been previously thought) wholly irrelevant to Linux boxes. Larimer developed a demo to show how it might be possible to insert a USB stick with modified code into a Ubuntu PC to get rid of a screensaver without entering a password – and display the user's desktop.

The demo relied on taking advantage of a flaw in GNOME Evince document viewer that was patched in January and, even so, was kind of "weak" because it was shown on a machine with in-built exploit mitigation disabled, as Larimer himself clearly explains.

During a talk at last weekend's ShmooCon security conference Larimer explains how these mitigations – namely ASLR and AppArmor – might be defeated. This aspect of his research was not included in the demo simply to make sure that the demonstration was reliable and he didn't have to mess around trying to run a brute-force attack on ASLR in front of a live audience.

The upshot of the research is that you might be able to do things you aren't supposed to do on a Linux box by misusing autorun functionality. It doesn't mean that Linux autorun worms might be created using the sort of jiggery-pokery illustrated by Larimer.

Even leaving aside the fact that the minuscule ecosystem of Linux malware strains are dwarfed by orders of magnitude by the Windows virus hoard, plenty of other caveats apply, as Larimer makes clear.

More on Larimer's research can be found in a blog post here and in a YouTube video clip of his presentation. ®

Steps to Take Before Choosing a Business Continuity Partner

COMMENTS

House Rules Send Corrections
All Reader Comments (37)
Highly Rated
Anonymous Coward

So......

If you turn off security measures and use a vulnerability in a product (that has already been patched) , then you might be able to do something to a linux box. ... wow I'm quaking in my boots.

The fact that he only explained how these security measures "might" be defeated is a bit weak - it reminds me of that bit in Independence Day when Jeff Goldblum's character says "all we need to do is fly up to their space ship, get past their defences and inject the virus".

Would you be impressed if a car security expert showed how someone can steal your car if they managed to work round the security systems, but declined to show you how that it could be done and instead had your car sitting there with the alarm and immobiliser turned off and the doors unlocked - just so he could make sure his demonstration went well?

17
2
The BigYin

Thin end of the wedge?

Another chink in the penguin's armour? Maybe not. If someone has physcial access, all bets are off. Really. And whilst I realise that users/admin will have had to have been pretty stupid to let this exploit work but let's face it, people *ARE* stupid (and I include myself). So there is only one answer - kill any form of autorun dead. Now.

The most *ANY* OS should do is mount the device and indicate, by some means, how the user can access it. That is all. No launch, no dialog, no guessing from content what is to be done, no offering to run a program, no bullshit. Just mount the fecker and be done with it.

---

"This device contains music, do you want to open it in RhythmBox?"

No. No I do chuffin' well not. It has videos, documents, pictures, encypted files and all sorts. Why not offer me an application for every media type on the drive, you stupid desktop.

Actually, here. Open this *thump*

9
0
Greg J Preece

So this is...

...a bug that only affects unpatched software, if you've deliberately made the system weak enough for it to work, and it still couldn't do anything catastrophic to the system, or spread a worm.

Excuse me while I panic.

9
2

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
136
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
60
Internet fraud still stings suckers
Australians twice as gullible as Americans
36
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
breaking news
Yahoo! joins! rivals! in! PRISM! data! request! admission!
Keep calm and carry on using American tech firms, folks
41
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17