By Jake Edge
February 9, 2011
The Windows "AutoRun" feature, which automatically (or semi-automatically after a user prompt) runs programs from removable storage devices, has been a regular source of security problems. It has been present since Windows 95, but Microsoft finally recognized the problem and largely disabled the "feature" in Windows 7—and issued an update on February 8 that disables it for XP and Vista. Various attacks (ab)used AutoRun on USB storage devices to propagate, including Conficker and Stuxnet. Could Linux suffer from a similar flaw? The answer, from a ShmooCon 2011 presentation, is, perhaps unsurprisingly, "yes".
At ShmooCon, Jon Larimer demonstrated a way to circumvent the screensaver lock on an Ubuntu 10.10 system just by inserting a USB storage device. Because the system will automatically mount the USB drive and the Nautilus file browser will try to thumbnail any documents it finds there, he was able to shut down the screensaver and access the system. While his demo disabled both address-space layout randomization (ASLR) and AppArmor, that was only done to make the demo run quickly. On 32-bit systems, ASLR can be brute-forced to find the needed library addresses, given some time. AppArmor is more difficult to bypass, but he has some plausible ideas on doing that as well.
Larimer's exploit took advantage of a hole in the evince-thumbnailer, which was fixed back in January (CVE-2010-2640). A crafted DVI file could be constructed and used to execute arbitrary code when processed by evince. In his presentation [PDF], he shows in some detail how to use this vulnerability to execute a program stored on the USB device.
Killing the screensaver is just one of the things that could be done from that shell script, of course. Larimer points to possibilities like putting a .desktop file into ~/.config/autostart, which will then be executed every time the user logs in. The same kind of thing could be done using .bash_profile or similar files. Either of those could make for a Conficker-like attack against Linux systems. In addition, because the user is logged in, any encrypted home directory or partition will be decrypted and available for copying the user's private data.
Larimer's demonstration is interesting, and even though the specifics of his attack may be of little practical use, there is much to be considered in the rest of his presentation. As he points out, automatically mounting USB storage devices and accessing their contents invokes an enormous amount of code, from the USB drivers and filesystem code, to the desktop daemons and applications that display the contents of those devices. Each of those components could have—many have had—security vulnerabilities.
That should give anyone pause about automatically mounting those kinds of devices. One could certainly imagine crafted devices or filesystems that exploit holes in the kernel code, which would be a route that would likely avoid AppArmor (or SELinux) entirely. While Linux may not automatically run code from USB storage devices, it does enough processing of the, quite possibly malicious, data on them that the effect may be largely the same.
Larimer offers some recommendations to avoid this kind of problem, starting with the obvious: turn off auto-mounting of removable storage. He also recommends disabling the automatic thumbnailing of files on removable media. In addition, using grsecurity/PaX makes brute-forcing ASLR harder on 32-bit systems because it uses more bits of entropy to randomize the library locations. Of course, a 64-bit system allows a much wider range of potential library addresses, so that makes breaking ASLR harder still.
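As an added example (not from Larimer's talk or this article), here is a small Python audit of a user's Nautilus gconf preferences for the two settings just mentioned. The key names, their defaults and the %gconf.xml layout are assumed to be those of the GNOME 2.x Nautilus schema (/apps/nautilus/preferences) that Ubuntu 10.10 shipped, and the sample file is constructed.

```python
"""Audit a Nautilus (GNOME 2.x) gconf preferences file for automatic mounting of
removable media and automatic thumbnailing.  Key names, defaults and the %gconf.xml
layout are assumed (not from the article) to match /apps/nautilus/preferences."""
import xml.etree.ElementTree as ET

# Assumed schema defaults, used when a key is absent from the user's %gconf.xml.
DEFAULTS = {
    "media_automount": True,
    "media_automount_open": True,
    "show_image_thumbnails": "local_only",
}

def parse_gconf(xml_text):
    """Return {key: value} from a %gconf.xml document, typed by its 'type' attribute."""
    values = {}
    for entry in ET.fromstring(xml_text).iter("entry"):
        name, etype = entry.get("name"), entry.get("type")
        if etype == "bool":
            values[name] = entry.get("value") == "true"
        elif etype == "string":
            node = entry.find("stringvalue")
            values[name] = node.text if node is not None else ""
    return values

def audit(xml_text):
    """Return a list of findings; an empty list is the hardened state."""
    prefs = dict(DEFAULTS)
    prefs.update(parse_gconf(xml_text))
    findings = []
    if prefs["media_automount"]:
        findings.append("media_automount=true: inserted drives are mounted with no user action")
    if prefs["media_automount_open"]:
        findings.append("media_automount_open=true: a file browser window opens on every mount")
    # "local_only" still covers a mounted USB stick, which is a local filesystem,
    # so only "never" keeps thumbnailers away from files on removable media.
    if prefs["show_image_thumbnails"] != "never":
        findings.append("show_image_thumbnails=%s: thumbnailers run on removable media"
                        % prefs["show_image_thumbnails"])
    return findings

# Constructed sample: a user who turned off automount but left thumbnailing at its default.
SAMPLE = """<?xml version="1.0"?>
<gconf>
  <entry name="media_automount" mtime="1297209600" type="bool" value="false"/>
  <entry name="media_automount_open" mtime="1297209600" type="bool" value="false"/>
</gconf>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARNING:", finding)
```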
One clear theme of his talk is that "automatically" doing things can be quite dangerous. It may be easier and more convenient, but it can also lead to potentially serious holes. Convenience and security are often at odds.
Comments (16 posted)
Brief items
The world of open source is full of cases where openness of information and process allow properly-functioning open-by-rule communities to address security issues fast. This is the real meaning of the idea that open source is good for security; no magic, just symbiosis.
-- Simon Phipps
Okay, so he's an idiot. And a bastard. But the real piece of news here is how easy it is for a UK immigration officer to put someone on the no-fly list with absolutely no evidence that that person belongs there. And how little auditing is done on that list. Once someone is on, they're on for good.
That's simply no way to run a free country.
-- Bruce Schneier
Comments (2 posted)
The PostgreSQL project has issued a new set of releases to fix a security problem. "This update includes a security fix which prevents a buffer overrun in the contrib module intarray's input function for the query_int type. This bug is a security risk since the function's return address could be overwritten by malicious code." Sites which are not using the "intarray" contrib module are not vulnerable.
Full Story (comments: none)
An updated version of the Mozilla CA Certificate Policy has been released. The policy governs how Mozilla will add Certification Authorities' (CAs) root certificates into Mozilla products, the responsibilities of the CAs so that their certificates remain in the Mozilla root stores, and how the policy will be enforced. The changes made from version 1.2 of the policy can be tracked in Mozilla bug #609945.
Comments (none posted)
New vulnerabilities
asterisk: arbitrary code execution
Package(s): asterisk
CVE #(s): CVE-2011-0495
Created: February 4, 2011
Updated: February 21, 2011
Description: From the CVE entry:
Stack-based buffer overflow in the ast_uri_encode function in main/utils.c in Asterisk Open Source before 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, 1.6.2.16.1, 1.8.1.2, 1.8.2.; and Business Edition before C.3.6.2; when running in pedantic mode allows remote authenticated users to execute arbitrary code via crafted caller ID data in vectors involving the (1) SIP channel driver, (2) URIENCODE dialplan function, or (3) AGI dialplan function.
Alerts:
Comments (none posted)
bugzilla: multiple vulnerabilities
Package(s): bugzilla
CVE #(s): CVE-2010-4568, CVE-2010-2761, CVE-2010-4411, CVE-2010-4572, CVE-2010-4569, CVE-2010-4570, CVE-2010-4567, CVE-2011-0048, CVE-2011-0046
Created: February 3, 2011
Updated: October 10, 2011
Description: From the bugzilla advisory:
CVE-2010-4568: It was possible for a user to gain unauthorized access to any Bugzilla account in a very short amount of time (short enough that the attack is highly effective). This is a critical vulnerability that should be patched immediately by all Bugzilla installations.
CVE-2010-2761, CVE-2010-4411, CVE-2010-4572: By inserting particular strings into certain URLs, it was possible to inject both headers and content to any browser.
CVE-2010-4569: Bugzilla 3.7.x and 4.0rc1 have a new client-side autocomplete mechanism for all fields where a username is entered. This mechanism was vulnerable to a cross-site scripting attack.
CVE-2010-4570: Bugzilla 3.7.x and 4.0rc1 have a new mechanism on the bug entry page for automatically detecting if the bug you are filing is a duplicate of another existing bug. This mechanism was vulnerable to a cross-site scripting attack.
CVE-2010-4567, CVE-2011-0048: Bugzilla has a "URL" field that can contain several types of URL, including "javascript:" and "data:" URLs. However, it does not make "javascript:" and "data:" URLs into clickable links, to protect against cross-site scripting attacks or other attacks. It was possible to bypass this protection by adding spaces into the URL in places that Bugzilla did not expect them. Also, "javascript:" and "data:" links were *always* shown as clickable to logged-out users.
CVE-2011-0046: Various pages were vulnerable to Cross-Site Request Forgery attacks. Most of these issues are not as serious as previous CSRF vulnerabilities. Some of these issues were only addressed on more recent branches of Bugzilla and not fixed in earlier branches, in order to avoid changing behavior that external applications may depend on. The links below in "References" describe which issues were fixed on which branches.
Alerts:
Comments (none posted)
dhcp: denial of service
Package(s): dhcp
CVE #(s): CVE-2011-0413
Created: February 4, 2011
Updated: April 19, 2011
Description: From the CVE entry:
The DHCPv6 server in ISC DHCP 4.0.x and 4.1.x before 4.1.2-P1, 4.0-ESV and 4.1-ESV before 4.1-ESV-R1, and 4.2.x before 4.2.1b1 allows remote attackers to cause a denial of service (assertion failure and daemon crash) by sending a message over IPv6 for a declined and abandoned address.
Alerts:
Comments (none posted)
exim: symlink attack
Package(s): exim
CVE #(s): CVE-2011-0017
Created: February 8, 2011
Updated: February 22, 2011
Description: From the CVE entry:
The open_log function in log.c in Exim 4.72 and earlier does not check the return value from (1) setuid or (2) setgid system calls, which allows local users to append log data to arbitrary files via a symlink attack.
Alerts:
Comments (none posted)
kernel: denial of service
Package(s): kernel
CVE #(s): (none)
Created: February 8, 2011
Updated: February 9, 2011
Description: From rPath RPL-3199:
When Intel VT is enabled in the BIOS of some systems which use intel_iommu, a kernel oops, and possibly a system crash, may occur. Adding intel_iommu=off to the boot parameter list works around the issue.
Alerts:
Comments (none posted)
krb5: denial of service
Package(s): krb5
CVE #(s): CVE-2010-4022, CVE-2011-0281, CVE-2011-0282
Created: February 9, 2011
Updated: April 15, 2011
Description: The krb5 server suffers from three independent vulnerabilities allowing a remote attacker to crash or hang the "key distribution center" process.
Alerts:
Comments (none posted)
opera: multiple vulnerabilities
Package(s): Opera
CVE #(s): CVE-2011-0681, CVE-2011-0682, CVE-2011-0683, CVE-2011-0684, CVE-2011-0685, CVE-2011-0686, CVE-2011-0687
Created: February 7, 2011
Updated: February 9, 2011
Description: From the CVE entries:
Opera before 11.01 does not properly restrict the use of opera: URLs, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. (CVE-2011-0683)
Opera before 11.01 does not properly handle redirections and unspecified other HTTP responses, which allows remote web servers to obtain sufficient access to local files to use these files as page resources, and consequently obtain potentially sensitive information from the contents of the files, via an unknown response manipulation. (CVE-2011-0684)
The Delete Private Data feature in Opera before 11.01 does not properly implement the "Clear all email account passwords" option, which might allow physically proximate attackers to access an e-mail account via an unattended workstation. (CVE-2011-0685)
Unspecified vulnerability in Opera before 11.01 allows remote attackers to cause a denial of service (application crash) via unknown content on a web page, as demonstrated by vkontakte.ru. (CVE-2011-0686)
Opera before 11.01 does not properly implement Wireless Application Protocol (WAP) dropdown lists, which allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted WAP document. (CVE-2011-0687)
The Cascading Style Sheets (CSS) Extensions for XML implementation in Opera before 11.01 recognizes links to javascript: URLs in the -o-link property, which makes it easier for remote attackers to bypass CSS filtering via a crafted URL. (CVE-2011-0681)
Opera before 11.01 does not properly handle large form inputs, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HTML document. (CVE-2011-0682)
Alerts:
Comments (none posted)
postgresql: arbitrary code execution
Package(s): postgresql-8.3
CVE #(s): CVE-2010-4015
Created: February 4, 2011
Updated: April 15, 2011
Description: From the CVE entry:
Buffer overflow in the gettoken function in contrib/intarray/_int_bool.c in the intarray array module in PostgreSQL 9.0.x before 9.0.3, 8.4.x before 8.4.7, 8.3.x before 8.3.14, and 8.2.x before 8.2.20 allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via integers with a large number of digits to unspecified functions.
Alerts:
Comments (none posted)
vlc: code execution
Package(s): vlc vlc-firefox
CVE #(s): CVE-2011-0522
Created: February 3, 2011
Updated: February 9, 2011
Description: From the VUPEN advisory:
Two vulnerabilities have been identified in VLC Media Player, which could be exploited by attackers to compromise a vulnerable system. These issues are caused by buffer overflow errors in the "StripTags()" function within the USF and Text subtitles decoders ["modules/codec/subtitles/subsdec.c" and "modules/codec/subtitles/subsusf.c"] when processing malformed data, which could be exploited by attackers to crash an affected application or execute arbitrary code by convincing a user to open a malicious media file.
Alerts:
Comments (none posted)
Page editor: Jake Edge