Linux vulnerable to Windows-style autorun exploits
A security researcher has demonstrated how it might be possible to perform autorun-style attacks against weakly secured Linux PCs.
Windows worms including Conficker and Stuxnet have often spread onto networks after infected USB sticks were plugged into PCs. This has happened automatically in cases where autorun was enabled, as it did in default on older versions of Windows until a change pushed by Microsoft on Tuesday. With autorun-enabled executable files run with minimal user interaction.
Research by Jon Larimer, of IBM's X-Force security division, shows that the issue of autorun causing possible mischief is not (as might have been previously thought) wholly irrelevant to Linux boxes. Larimer developed a demo to show how it might be possible to insert a USB stick with modified code into a Ubuntu PC to get rid of a screensaver without entering a password – and display the user's desktop.
The demo relied on taking advantage of a flaw in GNOME Evince document viewer that was patched in January and, even so, was kind of "weak" because it was shown on a machine with in-built exploit mitigation disabled, as Larimer himself clearly explains.
During a talk at last weekend's ShmooCon security conference Larimer explains how these mitigations – namely ASLR and AppArmor – might be defeated. This aspect of his research was not included in the demo simply to make sure that the demonstration was reliable and he didn't have to mess around trying to run a brute-force attack on ASLR in front of a live audience.
The upshot of the research is that you might be able to do things you aren't supposed to do on a Linux box by misusing autorun functionality. It doesn't mean that Linux autorun worms might be created using the sort of jiggery-pokery illustrated by Larimer.
Even leaving aside the fact that the minuscule ecosystem of Linux malware strains are dwarfed by orders of magnitude by the Windows virus hoard, plenty of other caveats apply, as Larimer makes clear.
If you turn off security measures and use a vulnerability in a product (that has already been patched) , then you might be able to do something to a linux box. ... wow I'm quaking in my boots.
The fact that he only explained how these security measures "might" be defeated is a bit weak - it reminds me of that bit in Independence Day when Jeff Goldblum's character says "all we need to do is fly up to their space ship, get past their defences and inject the virus".
Would you be impressed if a car security expert showed how someone can steal your car if they managed to work round the security systems, but declined to show you how that it could be done and instead had your car sitting there with the alarm and immobiliser turned off and the doors unlocked - just so he could make sure his demonstration went well?
Thin end of the wedge?
Another chink in the penguin's armour? Maybe not. If someone has physcial access, all bets are off. Really. And whilst I realise that users/admin will have had to have been pretty stupid to let this exploit work but let's face it, people *ARE* stupid (and I include myself). So there is only one answer - kill any form of autorun dead. Now.
The most *ANY* OS should do is mount the device and indicate, by some means, how the user can access it. That is all. No launch, no dialog, no guessing from content what is to be done, no offering to run a program, no bullshit. Just mount the fecker and be done with it.
"This device contains music, do you want to open it in RhythmBox?"
No. No I do chuffin' well not. It has videos, documents, pictures, encypted files and all sorts. Why not offer me an application for every media type on the drive, you stupid desktop.
Actually, here. Open this *thump*
So this is...
...a bug that only affects unpatched software, if you've deliberately made the system weak enough for it to work, and it still couldn't do anything catastrophic to the system, or spread a worm.
Excuse me while I panic.