
Security

Desktop malware risk gets raised and patched

February 25, 2009

This article was contributed by Bruce Byfield

One of the most common claims about GNU/Linux is that it is supposed to be relatively immune to viruses and malware. However, for the past few weeks, that claim has been more closely scrutinized, thanks to a blog posting by "foobar" entitled "How to write a Linux virus in 5 easy steps." Specifically, the posting gives a high-level explanation of how malware can take advantage of the behavior of application launchers on the GNOME and KDE desktops to infect a user account — and possibly gain root access as well. The result has been endless Internet discussions and coordinated efforts by both GNOME and KDE to minimize the problem.

The method described by foobar depends on social engineering: that is, manipulating users into saving an attachment to their GNOME or KDE desktop and then into opening it. Ordinarily, foobar points out, a saved email attachment would not have executable permission. However, GNOME and KDE share a common format for desktop launchers (*.desktop), and both run the command in a launcher's Exec= line without requiring the executable flag on the file. This exception makes it easy to run a script (foobar suggests Python as a likely language) that downloads a piece of malware, especially since the launcher's Name= and Icon= entries can disguise it as, say, an image. Furthermore, by adding a launcher to the desktop environment's autostart directory, the malware can run each time the user logs into the account.

Conventionally, gaining root access is regarded as the goal of malware. However, foobar emphasizes that the method described can do damage without ever touching the root account. Still, foobar suggests that the use of sudo and of temporary root logins for graphical administration tools provides a way of gaining root access as well. According to foobar, all that a piece of malware needs to do is make a local copy of an administration tool and arrange for the user to run that copy; when the user enters the root password for the tool, the malware's command receives root access too, and the user does not notice. Alternatively, the malware could place a similarly named command earlier in the current account's PATH. Either way, foobar writes, "there's a good chance that you will get [root access] eventually if you are patient."
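The PATH variant is easy to check for. The audit below is an added example, not code from foobar's post or from either desktop project: it flags relative PATH entries, user-writable directories that come before the system ones, and sensitive commands that currently resolve to something outside a system directory. The directory and command lists are assumptions for the example, and the fake sudo it plants lives in a temporary directory that is constructed and removed by the demo.

```python
import os
import tempfile

# Where the genuine binaries live; anything found earlier in PATH shadows them.
# List is an assumption for this example.
SYSTEM_DIRS = ("/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin",
               "/sbin", "/bin")

# Commands a trojan would most like to stand in for: the ones that get a
# password typed into them. Also an assumption for this example.
SENSITIVE = ("sudo", "su", "gksu", "kdesu", "ssh", "passwd")


def path_entries(path_env):
    """Split PATH; an empty element means the current directory."""
    return [p if p else "." for p in path_env.split(os.pathsep)]


def first_match(cmd, entries):
    """Resolve a command the way a shell does: the first regular file with an
    execute bit, in PATH order (mode bits rather than access(2) so the result
    does not depend on noexec mounts)."""
    for d in entries:
        candidate = os.path.join(d, cmd)
        if os.path.isfile(candidate) and os.stat(candidate).st_mode & 0o111:
            return candidate
    return None


def audit_path(path_env, sensitive=SENSITIVE, system_dirs=SYSTEM_DIRS):
    """Report the conditions foobar's PATH trick relies on."""
    entries = path_entries(path_env)
    report = {"relative": [], "writable_early": [], "shadowed": {}}
    seen_system = False
    for d in entries:
        d = os.path.normpath(d)
        if not os.path.isabs(d):
            report["relative"].append(d)       # '.', '' or 'bin': resolved against cwd
            continue
        if d in system_dirs:
            seen_system = True
        elif not seen_system and os.path.isdir(d) and os.access(d, os.W_OK):
            report["writable_early"].append(d)  # a trojan can drop a 'sudo' here
    for cmd in sensitive:
        hit = first_match(cmd, entries)
        if hit and not any(os.path.realpath(hit).startswith(os.path.join(s, ""))
                           for s in system_dirs):
            report["shadowed"][cmd] = hit
    return report


def demo():
    """Plant a fake 'sudo' in a user-writable directory that precedes the
    system directories, then audit a PATH of the kind a trojan would arrange."""
    with tempfile.TemporaryDirectory() as tmp:
        user_bin = os.path.join(tmp, "bin")
        os.mkdir(user_bin)
        fake_sudo = os.path.join(user_bin, "sudo")
        with open(fake_sudo, "w") as fh:
            # A real trojan would read the password and exec the real sudo;
            # this constructed stand-in only announces itself.
            fh.write("#!/bin/sh\necho 'fake sudo reached' >&2\n")
        os.chmod(fake_sudo, 0o755)
        report = audit_path(os.pathsep.join([user_bin, ".", "/usr/bin", "/bin"]))
    return report, fake_sudo


if __name__ == "__main__":
    found, planted = demo()
    print("planted:", planted)
    print("report:", found)
```

On distributions whose default shell profile prepends ~/bin to PATH whenever that directory exists, a trojan running as the user only has to create ~/bin/sudo; that case shows up under both writable_early and shadowed. The audit says nothing about whether the shadowing file is malicious, only that command resolution is under the control of whoever can write there.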

These suggestions are not new. LWN pointed out the basic problem nearly three years ago, and the potential vulnerabilities of sudo were pointed out two years ago in an Ubuntu forum. All the same, foobar's post has been widely discussed since it first appeared. Besides the comments below the post, it has been discussed in such places as Linux Today, LWN, Slashdot, the KDE Community Forums, and the Ubuntu Forums.

Much of this discussion is repetitive, and beside the point. For example, some users quibble that foobar is technically referring to a trojan, not a virus at all. Others, like "Felice" below the original post, dismiss foobar's analysis on the grounds that, "There will never be any protection against the user's stupidity." Others, like "friends of the one law" (also beneath the original post), insist that such exploits are less likely on GNU/Linux than on Windows because "The installation and/or maintenance of a basic linux desktop requires a level of knowledge _and_ intellect somewhat more developed than that required for a basic Micro$oft product." All these comments, however, are side issues that do not alter the basic problem in any way, even though they each contain some degree of truth.

Other comments were more to the point. Expanding on a comment by foobar, "Colin" posted beneath the original post with a link to the code snippet that prevents Thunar, the Xfce file manager, from having the same desktop vulnerability. Still others tried to correct foobar's suggested code or variations on the basic method outlined.

Some of the most focused responses appeared as comments to LWN's initial coverage of the story. "drag" suggested using a tool like SELinux to create a security context for downloads to the desktop that flags them as untrusted until they are specifically marked as trusted. The same commenter suggested that downloads should be savable only to a designated directory off the desktop — although, as foobar pointed out in the followup blog post, whether this idea would work is uncertain.

In the last few days, both GNOME and KDE have been taking concrete steps to alleviate the problem, with discussions taking place on the XDG (Free Desktop) list. In a blog post, Michael Pyne proposes a policy that will allow files with a .desktop extension to run if they are owned by root (and therefore part of a standard installation) or installed from "a known location for services, applications, and XDG-compliant applications" (that is, locations defined by the shared Free Desktop standards). A whitelist of such locations will determine which .desktop files are permitted to run.

Pyne tells LWN that a major challenge of implementation is getting the whitelist correct. His first whitelist excluded autostart entries, and discussion raised a number of other cases, such as whether existing .desktop files needed to be updated and how to handle launchers created from a menu or panel.

My first response was to simply broaden the whitelist to include the KDE install prefixes until I could get all the exceptions figured out. Luckily, David Faure immediately knew what was going on and so he's done a good job at re-restricting the whitelist, with some other kdelibs changes needed to make it happen. Last I heard there was still one user having issues (something to do with symlinks) but so far I've heard no other major complaints.

Another issue raised on the XDG list is whether a header should be added to untrusted .desktop files to prevent them from being run from the command line. While some developers questioned the need, Pyne seems to have decided that the precaution is necessary.

Still another concern is to write a clear dialog window that opens when a user tries to launch a .desktop file that is not whitelisted and is therefore not executable. The language is still being improved, but will probably explain the potential danger and when you should and should not continue to run the program, as well as giving the complete path to the command.

GNOME developer Alexander Larsson, although writing that the issue is "all pretty overblown," is working along similar lines. When the changes are implemented, GNOME will add an executable permission to all existing .desktop files when upgrading — a move that KDE, for now, will not follow. "We thought about it but opted to start with the dialog," Pyne tells LWN. "Some kind of dialog will be required no matter what, and any auto-upgrade we do in KDE would have to be done with the user's permission. We may still do it, but it is not set yet."

Another difference in GNOME is that any .desktop files that are executable but not in a system directory will be flagged as "untrusted." To emphasize their status, such files will show a shortcut icon and the real file name, rather than any custom icon and display name for the desktop. Pyne has expressed some interest in this idea to LWN, and briefly speculated about how files might be listed as trusted, but, for now KDE is not following this suggestion.

However, much as in KDE, clicking an untrusted file in GNOME will open a dialog that warns the user about the file's status, and gives the choice of running it anyway, marking it as trusted, or canceling its execution.
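As an added example (not code from GNOME, KDE or foobar's post), here is the policy the article describes reduced to a classifier a practitioner can run over a home directory: launchers in whitelisted locations (or owned by root) are trusted and shown with the Name= and Icon= they claim; a launcher outside those locations is shown under its real file name and can run only after confirmation if it carries the executable bit, and is refused otherwise. The trusted-directory list, the file name holiday.jpg.desktop and its harmless Exec= line are assumptions constructed for the example; the demo ignores root ownership so that it behaves the same whether or not it happens to run as root.

```python
import configparser
import os
import stat
import tempfile

# Locations whose launchers are trusted outright. An assumption for this
# example; the real whitelists are maintained by GNOME and KDE.
TRUSTED_DIRS = (
    "/usr/share/applications",
    "/usr/local/share/applications",
    "/usr/share/autostart",
    "/etc/xdg/autostart",
)


def parse_desktop(path):
    """Return the [Desktop Entry] group of a launcher as a dict."""
    cp = configparser.RawConfigParser(strict=False)   # no %-interpolation: Exec uses %f etc.
    cp.optionxform = str                              # Exec, Name, Icon are case-sensitive
    with open(path, encoding="utf-8") as fh:
        cp.read_file(fh)
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}


def in_trusted_dir(path, trusted_dirs=TRUSTED_DIRS):
    """Whitelist test on the resolved path (a symlink on the desktop does not
    become trusted by pointing into a trusted directory the other way round)."""
    real = os.path.realpath(path)
    return any(real.startswith(os.path.join(d, "")) for d in trusted_dirs)


def classify(path, trusted_dirs=TRUSTED_DIRS, trust_root_owned=True):
    """trusted: whitelisted location or root-owned; run on click, show Name=/Icon=.
    untrusted: executable bit set but outside the whitelist; show the real file
    name and ask before running. not-executable: neither; refuse with a dialog."""
    st = os.stat(path)
    entry = parse_desktop(path)
    executable = bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if in_trusted_dir(path, trusted_dirs) or (trust_root_owned and st.st_uid == 0):
        status = "trusted"
    elif executable:
        status = "untrusted"
    else:
        status = "not-executable"
    real_name = os.path.basename(path)
    return {
        "status": status,
        "display_name": entry.get("Name", real_name) if status == "trusted" else real_name,
        "claimed_name": entry.get("Name"),
        "claimed_icon": entry.get("Icon"),
        "exec": entry.get("Exec", ""),
    }


def scan_for_launchers(directory, **kw):
    """Classify every .desktop file under a directory (~/Desktop,
    ~/.config/autostart) and return the ones that are not trusted."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.endswith(".desktop"):
                p = os.path.join(root, name)
                c = classify(p, **kw)
                if c["status"] != "trusted":
                    findings.append((p, c))
    return findings


def write_trojan_launcher(directory):
    """The kind of launcher foobar describes: claims to be a photo, runs a
    shell command. Constructed for this example; the command only echoes."""
    path = os.path.join(directory, "holiday.jpg.desktop")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("[Desktop Entry]\n"
                 "Type=Application\n"
                 "Name=holiday.jpg\n"
                 "Icon=image-x-generic\n"
                 "Exec=sh -c 'echo a downloader would run here'\n")
    return path


def demo():
    """Classify a freshly saved attachment, then the same file once the
    executable bit has been set."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_trojan_launcher(tmp)
        saved = classify(path, trust_root_owned=False)
        os.chmod(path, 0o755)
        made_executable = classify(path, trust_root_owned=False)
        found = len(scan_for_launchers(tmp, trust_root_owned=False))
    return saved, made_executable, found
```

The classifier never consults the Name= or Icon= a file claims; that is the point of showing the real file name, since a holiday.jpg.desktop whose Exec= starts sh is not a photo whatever icon it asks for. The same walk over ~/.config/autostart catches the login-time persistence foobar describes; what it cannot catch, as Pyne notes below, is a launcher the user has been talked into copying into a whitelisted directory.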

In both GNOME and KDE, these changes should appear very shortly. Larsson asked for a string break approval for next month's release of GNOME 2.26 so that his changes, particularly the new dialog, can be included. The request was granted, and Larsson tells LWN, "all the required Gnome changes have now landed in glib and nautilus."

Similarly, Pyne hopes to see his changes backported to KDE 4.2 in a point release, as well as appearing in KDE 4.3. Whether the backports occur, he explains to LWN, depends "on if it's deemed a big enough security risk."

The speed with which these changes are being implemented suggests that both KDE and GNOME are treating the security problem as moderately serious. However, Pyne is careful to warn about the limits of the fixes, telling LWN:

This kind of security is only intended to defend against the type of vulnerability where an email attachment or web link is directly executed (by way of downloading an image and clicking on it, for instance). This doesn't defend against archives with executable .desktop files, just like archives with executable Python scripts have no protection. This also doesn't defend against the user following guided instructions on saving a trojan in a whitelisted directory, just like we can't save users who will type in "sudo rm -rf/" in a terminal because an email told them to. This just brings .desktop files up to normal POSIX levels of executable security, nothing more or less.

In other words, the fixes should minimize the chances of a malware infection of the type described by foobar, but, as many commenters have pointed out, nothing can completely counter user ignorance, rashness, or plain stupidity. The most that desktop developers can do, short of restricting desktop files to a degree that most users would find unacceptable, is to make users aware of the consequences of their possible actions.

Comments (33 posted)

Brief items

OpenSSH 5.2 released

OpenSSH 5.2 has been released with a focus on bug fixes. In particular, it addresses the plaintext recovery attack described in CPNI-957037 (which LWN covered last November). "This release also adds countermeasures to mitigate CPNI-957037-style attacks against the SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid packet length or Message Authentication Code, ssh/sshd will continue reading up to the maximum supported packet length rather than immediately terminating the connection. This eliminates most of the known differences in behaviour that leaked information about the plaintext of injected data which formed the basis of this attack. We believe that these attacks are rendered infeasible by these changes." Click below for the full release announcement.
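The countermeasure quoted above is easier to follow once the leak it closes is visible. What follows is an added model, not OpenSSH code: a toy block cipher in CBC mode, a server that reports how many bytes it accepts before disconnecting, and an attacker who replays a victim ciphertext block as the first block of a new packet. Against the pre-5.2 behaviour the disconnect point reveals the decrypted 32-bit length field, from which the attacker recovers the first four bytes of the target block; with the 5.2 behaviour the server reads up to the maximum packet size either way. The key, the blocks and the "lucky" chaining block that makes the length check pass are all constructed for the example (a real attacker cannot choose that block and retries until a decrypted length happens to pass).

```python
BLOCK = 16                 # cipher block size (aes128-cbc)
MAX_PACKET = 256 * 1024    # OpenSSH's PACKET_MAX_SIZE
MAC_LEN = 20               # hmac-sha1 tag


def toy_block(key, block):
    """Stand-in for a block cipher (constructed: keyed XOR, so encryption and
    decryption coincide). Only the CBC chaining around it matters here."""
    return bytes(b ^ k for b, k in zip(block, key))


def cbc_encrypt_block(key, prev_ct, plain):
    return toy_block(key, bytes(p ^ c for p, c in zip(plain, prev_ct)))


def cbc_decrypt_block(key, prev_ct, ct):
    return bytes(d ^ c for d, c in zip(toy_block(key, ct), prev_ct))


def bytes_consumed_before_disconnect(key, prev_ct, stream, hardened):
    """How much of an attacker-supplied stream the server reads before it
    tears the connection down. prev_ct is the ciphertext block on the wire
    just before the stream, which the attacker has seen."""
    length_field = cbc_decrypt_block(key, prev_ct, stream[:BLOCK])[:4]
    packet_len = int.from_bytes(length_field, "big")
    if hardened:
        # OpenSSH 5.2: a bad length, or a bad MAC later on, no longer stops the
        # read; the server keeps going up to the maximum packet size, so the
        # count no longer depends on the decrypted length field.
        return min(len(stream), MAX_PACKET)
    if packet_len < 1 + 4 or packet_len > MAX_PACKET:
        return BLOCK                      # "Bad packet length": disconnect at once
    need = 4 + packet_len + MAC_LEN       # otherwise wait for the whole packet ...
    return min(len(stream), need)         # ... and fail the MAC check when it arrives


def attacker_recover_length(consumed):
    """What a byte-counting attacker learns from the disconnect point, given
    that it supplied at least MAX_PACKET bytes."""
    if consumed == BLOCK or consumed >= MAX_PACKET:
        return None                       # length check failed, or no oracle
    return consumed - 4 - MAC_LEN


def demo():
    key = bytes(range(16))                                       # constructed session key
    prev_real = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")  # block before the target on the wire
    target_plain = b"password=hunter2"                            # the 16 bytes the attacker wants
    target_ct = cbc_encrypt_block(key, prev_real, target_plain)

    # The attacker replays target_ct as the first block of a new packet; the
    # server XORs its decryption with prev_inj, the block it saw just before.
    # prev_inj is constructed so the decrypted length field is 0x1234 and
    # passes the sanity check (the lucky case a real attacker waits for).
    lucky = (0x1234).to_bytes(4, "big")
    prev_inj = bytes(p ^ r ^ l for p, r, l in
                     zip(target_plain[:4], prev_real[:4], lucky)) + bytes(12)
    stream = target_ct + bytes(MAX_PACKET)                       # filler the attacker keeps sending

    results = {}
    for mode, hardened in (("legacy", False), ("hardened", True)):
        consumed = bytes_consumed_before_disconnect(key, prev_inj, stream, hardened)
        leaked = attacker_recover_length(consumed)
        recovered = None
        if leaked is not None:
            # undo the chaining the attacker knows: P_target = leaked ^ prev_inj ^ prev_real
            recovered = bytes(a ^ b ^ c for a, b, c in
                              zip(leaked.to_bytes(4, "big"), prev_inj[:4], prev_real[:4]))
        results[mode] = (consumed, recovered)
    return results


if __name__ == "__main__":
    for mode, (consumed, recovered) in demo().items():
        print(f"{mode:9s} disconnect after {consumed} bytes, recovered {recovered!r}")
```

The count is the whole leak: the attacker never sees plaintext, only when the connection drops. The same release also moved the CTR-mode ciphers ahead of CBC in the default cipher order, which removes the chaining the attack depends on; on anything deployed today, preferring CTR or AEAD ciphers is the simpler fix.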


The Cryptography Olympics : the hash algorithm contest (The H)

"The H" is the new name for heise online and it takes a look at the currently running competition for a next-generation cryptographic hash algorithm. "The impetus for the cryptography competition was provided by the cracking of existing security standards by various researchers. Such attacks serve to probe protection mechanisms and aid their development. Because the world needs reliable protection, the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, issued the call for an international Cryptographic Olympics. The victorious algorithm must [fulfill] the full range of requirements imposed by data processing technology, ranging from sensors the size of a grain of sand, to future high speed data networks."


New vulnerabilities

epiphany: arbitrary code execution

Package(s):epiphany CVE #(s):CVE-2008-5985
Created:February 23, 2009 Updated:March 9, 2009
Description:

From the Mandriva advisory:

Python has a variable called sys.path that contains all the paths from which Python loads modules when the import statement is used. Wrong handling of that variable enables local attackers to execute arbitrary code via Python scripting in the current Epiphany working directory.

Alerts:
Gentoo 200903-16 epiphany 2009-03-09
Mandriva MDVSA-2009:048-2 epiphany 2009-02-25
Mandriva MDVSA-2009:048-1 epiphany 2009-02-20
Mandriva MDVSA-2009:048 epiphany 2009-02-20


git: arbitrary code execution

Package(s):git CVE #(s):CVE-2008-5916
Created:February 19, 2009 Updated:March 9, 2009
Description: git has an arbitrary code execution vulnerability. From the vulnerability database entry: gitweb/gitweb.perl in gitweb in Git 1.6.x before 1.6.0.6, 1.5.6.x before 1.5.6.6, 1.5.5.x before 1.5.5.6, 1.5.4.x before 1.5.4.7, and other versions after 1.4.3 allows local repository owners to execute arbitrary commands by modifying the diff.external configuration variable and executing a crafted gitweb query.
Alerts:
Gentoo 200903-15 git 2009-03-09
Ubuntu USN-723-1 git-core 2009-02-18


kernel: various issues

Package(s):kernel CVE #(s):
Created:February 20, 2009 Updated:February 25, 2009
Description: From the Mandriva advisory: Support was added for Intel 82567LM-3/82567LF-3/82567LM-4 network adapters, a bug in sunrpc causing oops when restarting nfsd was fixed, a work around for a bug in Walkman devices was added, the sound drivers got some fixes, and a few more things were fixed. Check the package changelog for details.
Alerts:
Mandriva MDVSA-2009:027 kernel 2009-02-20


libpng: arbitrary code execution

Package(s):libpng CVE #(s):CVE-2009-0040
Created:February 23, 2009 Updated:July 13, 2009
Description:

From the SecurityFocus advisory:

The 'libpng' library is prone to multiple memory-corruption vulnerabilities because it fails to properly initialize data structures. Successful exploits may allow remote attackers to cause denial-of-service conditions or potentially execute arbitrary code on computers running the affected library. These issues affect versions prior to 'libpng' 1.0.43 and 1.2.35.

Alerts:
Gentoo 201412-08 insight, perl-tk, sourcenav, tk, partimage, bitdefender-console, mlmmj, acl, xinit, gzip, ncompress, liblzw, splashutils, m4, kdm, gtk+, kget, dvipng, beanstalkd, pmount, pam_krb5, gv, lftp, uzbl, slim, iputils, dvbstreamer 2014-12-11
openSUSE openSUSE-SU-2014:1100-1 Firefox 2014-09-09
Gentoo 201209-25 vmware-player 2012-09-29
Oracle ELSA-2012-0317 libpng 2012-02-21
Debian DSA-1830-1 icedove 2009-07-12
Fedora FEDORA-2009-6531 libpng 2009-06-18
Fedora FEDORA-2009-6603 libpng 2009-06-18
SuSE SUSE-SA:2009:023 MozillaFirefox 2009-04-20
Mandriva MDVSA-2009:083 mozilla-thunderbird 2009-04-01
Fedora FEDORA-2009-2882 thunderbird 2009-03-21
Fedora FEDORA-2009-2884 thunderbird 2009-03-21
Debian DSA-1750-1 libpng 2009-03-22
SuSE SUSE-SA:2009:012 MozillaFirefox 2009-03-16
Gentoo 200903-28 libpng 2009-03-15
rPath rPSA-2009-0046-1 libpng 2009-03-12
Mandriva MDVSA-2009:075 firefox 2008-03-13
Fedora FEDORA-2009-1976 libpng10 2009-02-24
Fedora FEDORA-2009-2045 libpng10 2009-02-24
CentOS CESA-2009:0315 firefox 2009-03-06
Ubuntu USN-730-1 libpng 2009-03-06
Ubuntu USN-728-1 firefox-3.0, xulrunner-1.9 2009-03-05
CentOS CESA-2009:0333 libpng 2009-03-05
CentOS CESA-2009:0340 libpng 2009-03-05
CentOS CESA-2009:0325 seamonkey 2009-03-05
Red Hat RHSA-2009:0340-01 libpng 2009-03-04
Red Hat RHSA-2009:0333-01 libpng 2009-03-04
Red Hat RHSA-2009:0325-01 seamonkey 2009-03-04
Red Hat RHSA-2009:0315-00 firefox 2009-03-04
SuSE SUSE-SR:2009:005 dhcp, ntp/xntp, squid, wireshark, libpng, pam_mount, enscript, eID-belgium, gstreamer-0_10-plugins-good 2009-03-02
Fedora FEDORA-2009-2131 mingw32-libpng 2009-02-26
Fedora FEDORA-2009-2112 libpng 2009-02-26
Fedora FEDORA-2009-2128 libpng 2009-02-26
Mandriva MDVSA-2009:051 libpng 2008-02-23
Slackware SSA:2009-051-01 libpng 2009-02-23


perl-Crypt-OpenSSL-DSA: improper error check

Package(s):perl-Crypt-OpenSSL-DSA CVE #(s):CVE-2009-0129
Created:February 19, 2009 Updated:February 25, 2009
Description: The Perl Crypt-OpenSSL-DSA module signaled errors with a return value that callers were likely to mistake for success. From the Fedora alert: The Crypto::OpenSSL::DSA module now croaks upon error rather than returning a -1, to ensure programmers are not caught by surprise when only checking for non-zero results.
Alerts:
Fedora FEDORA-2009-2090 perl-Crypt-OpenSSL-DSA 2009-02-25
Fedora FEDORA-2009-1914 perl-Crypt-OpenSSL-DSA 2009-02-19


php: remote file inclusion vulnerability

Package(s):php CVE #(s):CVE-2009-0577
Created:February 19, 2009 Updated:February 25, 2009
Description: php has a remote file inclusion vulnerability. From the vulnerability database entry: PHP remote file inclusion vulnerability in function.inc.php in ACGVclick 0.2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the path parameter.
Alerts:
CentOS CESA-2009:0308 cups 2009-02-19
Red Hat RHSA-2009:0308-01 cups 2009-02-19


php: arbitrary file overwrite

Package(s):php CVE #(s):CVE-2008-5625
Created:February 23, 2009 Updated:February 23, 2010
Description:

From the CVE entry:

PHP 5 before 5.2.7 does not enforce the error_log safe_mode restrictions when safe_mode is enabled through a php_admin_flag setting in httpd.conf, which allows context-dependent attackers to write to arbitrary files by placing a "php_value error_log" entry in a .htaccess file.

Alerts:
SuSE SUSE-SR:2010:005 fetchmail, krb5, rubygem-actionpack-2_1, libexpat0, unbound, apache2-mod_php5/php5 2010-02-23
Gentoo 201001-03 php 2010-01-05
rPath rPSA-2009-0035-1 php 2009-03-02
Mandriva MDVSA-2009:045 php 2009-02-20


pycrypto: arbitrary code execution

Package(s):pycrypto CVE #(s):CVE-2009-0544
Created:February 23, 2009 Updated:May 13, 2009
Description:

From the Mandriva advisory:

A vulnerability has been discovered and corrected in the PyCrypto ARC2 module 2.0.1, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large ARC2 key length.

Alerts:
SuSE SUSE-SR:2009:010 firefox apport evolution freetype2 java_1_4_2-ibm kdegraphics3 libopenssl libsoup xulrunner opensc python-crypto unbound xpdf 2009-05-12
Gentoo 200903-11 pycrypto 2009-03-09
Ubuntu USN-729-1 python-crypto 2009-03-05
Debian DSA-1726-1 python-crypto 2009-02-25
Mandriva MDVSA-2009:050-1 python-pycrypto 2009-02-23
Mandriva MDVSA-2009:049-1 pycrypto 2008-02-23
Mandriva MDVSA-2009:050 python-pycrypto 2009-02-20
Mandriva MDVSA-2009:049 pycrypto 2009-02-20


trickle: local code execution

Package(s):trickle CVE #(s):CVE-2009-0415
Created:February 25, 2009 Updated:February 25, 2009
Description: The trickle bandwidth shaper can be fooled into loading arbitrary local code.
Alerts:
Fedora FEDORA-2009-1694 trickle 2009-02-13
Fedora FEDORA-2009-1675 trickle 2009-02-13


vim: arbitrary code execution

Package(s):vim CVE #(s):CVE-2009-0316
Created:February 23, 2009 Updated:February 25, 2009
Description:

From the Mandriva advisory:

Python has a variable called sys.path that contains all the paths from which Python loads modules when the import statement is used. Wrong handling of that variable enables local attackers to execute arbitrary code via Python scripting in the current Vim working directory.

Alerts:
Mandriva MDVSA-2009:047-1 vim 2008-02-24
Mandriva MDVSA-2009:047 vim 2009-02-20
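The Vim entry above and the Epiphany entry earlier on this page describe the same defect class: an embedded Python interpreter whose module search path includes the host application's current working directory, so a module file dropped into whatever directory the user happens to be working in gets imported in place of the expected one. The following is an added example, not code from Vim, Epiphany or the advisories: it identifies the cwd-relative entries in a search path, strips them, and demonstrates the difference by planting a module in a temporary directory. The module name editor_helper is an assumption; its content is constructed and harmless.

```python
import importlib
import os
import sys
import tempfile

HELPER = "editor_helper"   # a name an embedded interpreter might import; assumed for the example


def unsafe_sys_path_entries(path_list):
    """Entries that make `import name` look in the process's current working
    directory: the empty string (CPython's spelling of cwd), '.', and any other
    relative path. For an embedded interpreter that directory is wherever the
    host application was started or last chdir()ed to."""
    return [p for p in path_list if p == "" or not os.path.isabs(p)]


def harden_sys_path(path_list):
    """Drop the cwd-relative entries; what remains does not change meaning
    when the application changes directory."""
    return [p for p in path_list if p != "" and os.path.isabs(p)]


def import_with_path(name, path_list):
    """Import `name` using exactly `path_list` as the search path and return
    the file it was loaded from, or None. The finder for a relative entry is
    bound to the cwd at the time it was created, so those cache entries are
    dropped; all interpreter state is restored afterwards."""
    saved_path = sys.path[:]
    sys.path[:] = path_list
    sys.modules.pop(name, None)
    for entry in path_list:
        if not os.path.isabs(entry):
            sys.path_importer_cache.pop(entry, None)
    importlib.invalidate_caches()
    try:
        return importlib.import_module(name).__file__
    except ImportError:
        return None
    finally:
        sys.modules.pop(name, None)
        sys.path[:] = saved_path
        for entry in path_list:
            if not os.path.isabs(entry):
                sys.path_importer_cache.pop(entry, None)


def demo():
    """Plant a module with the helper's name in a directory the victim merely
    happens to be in, then try the import with and without the cwd entry."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, HELPER + ".py"), "w") as fh:
            fh.write("PLANTED = True  # constructed: a real payload would run code on import\n")
        old_cwd = os.getcwd()
        os.chdir(tmp)
        try:
            unsafe = [""] + [p for p in sys.path if p and os.path.isabs(p)]
            hardened = harden_sys_path(unsafe)
            hit = import_with_path(HELPER, unsafe)
            miss = import_with_path(HELPER, hardened)
        finally:
            os.chdir(old_cwd)
        from_cwd = (hit is not None and
                    os.path.realpath(os.path.dirname(hit)) == os.path.realpath(tmp))
    return {
        "unsafe_entries": unsafe_sys_path_entries(unsafe),
        "loaded_from_cwd": from_cwd,
        "loaded_after_hardening": miss is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The hardened list is what an embedding application should install before running any scripting: absolute directories it controls, nothing derived from the working directory. Note that `python -c` and the interactive interpreter put "" in sys.path deliberately; the defect is carrying that convenience into a program that opens files from untrusted directories.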


Page editor: Jake Edge


Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds