

Linux autorun vulnerabilities?

By Jake Edge
February 9, 2011

The Windows "AutoRun" feature, which automatically (or semi-automatically, after a user prompt) runs programs from removable storage devices, has been a regular source of security problems. It has been present since Windows 95, but Microsoft finally recognized the problem and largely disabled the "feature" in Windows 7, and on February 8 issued an update that disables it for XP and Vista as well. Various attacks (ab)used AutoRun on USB storage devices to propagate, including Conficker and Stuxnet. Could Linux suffer from a similar flaw? The answer, from a ShmooCon 2011 presentation, is, perhaps unsurprisingly, "yes".

At ShmooCon, Jon Larimer demonstrated a way to circumvent the screensaver lock on an Ubuntu 10.10 system just by inserting a USB storage device. Because the system automatically mounts the USB drive, and the Nautilus file browser then tries to thumbnail any documents it finds there, he was able to shut down the screensaver and get access to the system. While his demo disabled both address-space layout randomization (ASLR) and AppArmor, that was done only to make the demo run quickly. On 32-bit systems, ASLR can be brute-forced to find the needed library addresses, given some time. AppArmor is more difficult to bypass, but he has some plausible ideas on doing that as well.

Larimer's exploit took advantage of a hole in evince's DVI handling (CVE-2010-2640), which evince-thumbnailer shares with the viewer and which was fixed back in January. A crafted DVI file could be used to execute arbitrary code when evince, or its thumbnailer, processed it. In his presentation [PDF], he shows in some detail how to use this vulnerability to execute a program stored on the USB device.

Killing the screensaver is just one of the things that program (a shell script, in his demo) could do, of course. Larimer points to possibilities like dropping a .desktop file into ~/.config/autostart, which will then be executed every time the user logs in. The same kind of thing could be done with .bash_profile or similar files. Either of those could make for a Conficker-like attack against Linux systems. In addition, because the user is logged in, any encrypted home directory or partition is already decrypted and available for copying the user's private data.
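The two persistence spots named above are easy to audit after the fact. The following script is an added example, not code from Larimer's talk or from LWN; the list of "suspect" path prefixes and the sample home directory it builds for the demo are constructed for illustration, not taken from a real compromise.

```shell
#!/bin/sh
# Added example (not from Larimer's slides or the article): look for
# login-time persistence that launches something from removable media or
# from world-writable scratch space. SUSPECT_PATHS is an assumption chosen
# for illustration; tune it to where your distribution mounts media.

SUSPECT_PATHS='/media/|/mnt/|/tmp/|/dev/shm/|/run/media/'

# Print "file: Exec line" for every autostart entry whose Exec= points at a
# suspect path. Returns 0 if nothing was found, 1 otherwise.
audit_autostart() {
    dir="$1"
    found=0
    for f in "$dir"/*.desktop; do
        [ -f "$f" ] || continue
        exec_line=$(sed -n '/^Exec=/{p;q;}' "$f")
        if printf '%s\n' "$exec_line" | grep -Eq "$SUSPECT_PATHS"; then
            printf '%s: %s\n' "$f" "$exec_line"
            found=1
        fi
    done
    return $found
}

# Same check for the shell startup files: flag non-comment lines that
# reference a suspect path, with line numbers. Returns 1 if any were found.
audit_shell_rc() {
    home="$1"
    found=0
    for rc in .bash_profile .bash_login .profile .bashrc; do
        f="$home/$rc"
        [ -f "$f" ] || continue
        if grep -Ev '^[[:space:]]*#' "$f" | grep -Eq "$SUSPECT_PATHS"; then
            printf '%s:\n' "$f"
            grep -En "$SUSPECT_PATHS" "$f" | grep -Ev '^[0-9]+:[[:space:]]*#'
            found=1
        fi
    done
    return $found
}

# Constructed demo data (not a real finding): one benign autostart entry,
# one planted entry and one planted .bash_profile line, all under a temp dir.
make_demo_home() {
    d=$(mktemp -d)
    mkdir -p "$d/.config/autostart"
    printf '[Desktop Entry]\nType=Application\nName=nm-applet\nExec=nm-applet\n' \
        > "$d/.config/autostart/nm-applet.desktop"
    printf '[Desktop Entry]\nType=Application\nName=Update\nExec=/bin/sh /media/USB/.s/run.sh\nHidden=false\n' \
        > "$d/.config/autostart/update.desktop"
    printf '# ~/.bash_profile\n[ -f ~/.bashrc ] && . ~/.bashrc\nsh /media/USB/.s/run.sh &\n' \
        > "$d/.bash_profile"
    printf '%s\n' "$d"
}

# Run against the constructed home with "demo", or point the two audit
# functions at a real ~/.config/autostart and $HOME.
if [ "${1:-}" = "demo" ]; then
    h=$(make_demo_home)
    audit_autostart "$h/.config/autostart" || echo "autostart: suspect entries found"
    audit_shell_rc "$h" || echo "shell startup files: suspect lines found"
    rm -rf "$h"
fi
```

The path list is deliberately a blunt heuristic: a dropper can copy itself into ~/.local before writing the .desktop file, so treat a clean result as "nothing obvious" rather than "clean", and compare autostart entries against a known-good baseline where one exists.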

Larimer's demonstration is interesting, and even if the specifics of his attack are of little practical use now that the evince hole is fixed, there is much to consider in the rest of his presentation. As he points out, automatically mounting USB storage devices and accessing their contents invokes an enormous amount of code, from the USB drivers and filesystem code to the desktop daemons and applications that display the contents of those devices. Each of those components could have security vulnerabilities, and many have had them.

That should give anyone pause about automatically mounting those kinds of devices. One could certainly imagine crafted devices or filesystems that exploit holes in the kernel code, a route that would likely avoid AppArmor (or SELinux) entirely, since those frameworks confine user-space processes rather than the kernel itself. While Linux may not automatically run code from USB storage devices, it does enough processing of the (quite possibly malicious) data on them that the effect may be largely the same.

Larimer offers some recommendations to avoid this kind of problem, starting with the obvious: turn off auto-mounting of removable storage. He also recommends disabling the automatic thumbnailing of files on removable media. In addition, using grsecurity/PaX makes brute-forcing ASLR harder on 32-bit systems because it uses more bits of entropy to randomize library locations. A 64-bit system, of course, allows a much wider range of potential library addresses, which makes breaking ASLR harder still.
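The first two recommendations are a handful of desktop settings. The script below is an added example, not from Larimer's slides or from LWN: it carries the gconf keys Nautilus used on GNOME 2.x (the Ubuntu 10.10 generation) and the GSettings keys that replaced them, a modprobe rule for refusing the USB mass-storage driver outright, and a check of how removable media are actually mounted. The modprobe file path and the sample /proc/mounts lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from Larimer's slides or the article). Settings names are
# the GNOME 2.x gconf keys and their GSettings successors; MODPROBE_FILE and
# SAMPLE_MOUNTS are assumptions made up for this example.

MODPROBE_FILE=${MODPROBE_FILE:-/etc/modprobe.d/no-usb-storage.conf}

# GNOME 2.x (gconf, Ubuntu 10.10): stop Nautilus mounting media, opening a
# window for them, and thumbnailing. "never" also stops thumbnails for local
# files, which is the price of not special-casing removable mounts.
harden_gconf() {
    gconftool-2 --type bool   --set /apps/nautilus/preferences/media_automount false
    gconftool-2 --type bool   --set /apps/nautilus/preferences/media_automount_open false
    gconftool-2 --type string --set /apps/nautilus/preferences/show_image_thumbnails never
}

# The same three settings on GNOME 3.x and later.
harden_gsettings() {
    gsettings set org.gnome.desktop.media-handling automount false
    gsettings set org.gnome.desktop.media-handling automount-open false
    gsettings set org.gnome.nautilus.preferences show-image-thumbnails "'never'"
}

# Blunt instrument for machines that never need USB storage: the kernel will
# not load the driver, so no filesystem code ever sees the device. Needs root.
block_usb_storage() {
    printf 'install usb-storage /bin/false\n' > "$MODPROBE_FILE"
    rmmod usb-storage 2>/dev/null || true
}

# Return 0 if a /proc/mounts line carries nosuid, nodev and noexec.
# Automounters typically add nosuid,nodev but not noexec. noexec blocks
# execve() of files on the stick but not "sh /media/X/script", so it is a
# speed bump, not a fix for the thumbnailer path the article describes.
mount_is_hardened() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    for want in nosuid nodev noexec; do
        case ",$opts," in
            *,"$want",*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Report every mount under a removable-media prefix that lacks one of the
# three options. Reads mount lines from stdin (e.g. < /proc/mounts) and
# returns 1 if any weak mount was seen.
audit_removable_mounts() {
    prefix=${1:-/media/}
    weak=0
    while read -r line; do
        mp=$(printf '%s\n' "$line" | awk '{print $2}')
        case "$mp" in
            "$prefix"*) ;;
            *) continue ;;
        esac
        if ! mount_is_hardened "$line"; then
            printf 'weak mount: %s\n' "$line"
            weak=1
        fi
    done
    return $weak
}

# Constructed sample of /proc/mounts (not captured from a real host): the
# root filesystem, a stick mounted the usual way, and one with noexec added.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/USB vfat rw,nosuid,nodev,relatime,uid=1000,gid=1000 0 0
/dev/sdc1 /media/CAM vfat rw,nosuid,nodev,noexec,relatime,uid=1000 0 0'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_removable_mounts /media/ \
        || echo "tighten with: mount -o remount,noexec <mountpoint>"
fi
```

Run `audit_removable_mounts /media/ < /proc/mounts` on a live system; the hardening functions are meant to be called one at a time, as the desktop user for the gconf/gsettings ones and as root for the modprobe rule. None of them touches the kernel's filesystem parsers, which is Larimer's remaining point: once a stick is mounted at all, the attack surface is the kernel's, not the desktop's.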

One clear theme of his talk is that "automatically" doing things can be quite dangerous. It may be easier and more convenient, but it can also lead to potentially serious holes. Convenience and security are often at odds.


Brief items

Security quotes of the week

The world of open source is full of cases where openness of information and process allow properly-functioning open-by-rule communities to address security issues fast. This is the real meaning of the idea that open source is good for security; no magic, just symbiosis.
-- Simon Phipps

Okay, so he's an idiot. And a bastard. But the real piece of news here is how easy it is for a UK immigration officer to put someone on the no-fly list with absolutely no evidence that that person belongs there. And how little auditing is done on that list. Once someone is on, they're on for good.

That's simply no way to run a free country.

-- Bruce Schneier


PostgreSQL 9.0.3, 8.4.7, 8.3.14 and 8.2.20 released

The PostgreSQL project has issued a new set of releases to fix a security problem. "This update includes a security fix which prevents a buffer overrun in the contrib module intarray's input function for the query_int type. This bug is a security risk since the function's return address could be overwritten by malicious code." Sites which are not using the "intarray" contrib module are not vulnerable.


Mozilla has published version 2.0 of its CA Certificate Policy

An updated version of the Mozilla CA Certificate Policy has been released. The policy governs how Mozilla will add Certification Authorities' (CAs) root certificates into Mozilla products, the responsibilities of the CAs so that their certificates remain in the Mozilla root stores, and how the policy will be enforced. The changes made from version 1.2 of the policy can be tracked in Mozilla bug #609945.


New vulnerabilities

asterisk: arbitrary code execution

Package(s): asterisk
CVE #(s): CVE-2011-0495
Created: February 4, 2011
Updated: February 21, 2011
Description: From the CVE entry:

Stack-based buffer overflow in the ast_uri_encode function in main/utils.c in Asterisk Open Source before … 1.8.2.; and Business Edition before C.3.6.2; when running in pedantic mode allows remote authenticated users to execute arbitrary code via crafted caller ID data in vectors involving the (1) SIP channel driver, (2) URIENCODE dialplan function, or (3) AGI dialplan function.

Debian DSA-2171-1 asterisk 2011-02-21
Fedora FEDORA-2011-0794 asterisk 2011-01-26
Fedora FEDORA-2011-0774 asterisk 2011-01-26


bugzilla: multiple vulnerabilities

Package(s): bugzilla
CVE #(s): CVE-2010-4568 CVE-2010-2761 CVE-2010-4411 CVE-2010-4572 CVE-2010-4569 CVE-2010-4570 CVE-2010-4567 CVE-2011-0048 CVE-2011-0046
Created: February 3, 2011
Updated: October 10, 2011
Description: From the bugzilla advisory:

CVE-2010-4568: It was possible for a user to gain unauthorized access to any Bugzilla account in a very short amount of time (short enough that the attack is highly effective). This is a critical vulnerability that should be patched immediately by all Bugzilla installations.

CVE-2010-2761, CVE-2010-4411, CVE-2010-4572: By inserting particular strings into certain URLs, it was possible to inject both headers and content to any browser.

CVE-2010-4569: Bugzilla 3.7.x and 4.0rc1 have a new client-side autocomplete mechanism for all fields where a username is entered. This mechanism was vulnerable to a cross-site scripting attack.

CVE-2010-4570: Bugzilla 3.7.x and 4.0rc1 have a new mechanism on the bug entry page for automatically detecting if the bug you are filing is a duplicate of another existing bug. This mechanism was vulnerable to a cross-site scripting attack.

CVE-2010-4567, CVE-2011-0048: Bugzilla has a "URL" field that can contain several types of URL, including "javascript:" and "data:" URLs. However, it does not make "javascript:" and "data:" URLs into clickable links, to protect against cross-site scripting attacks or other attacks. It was possible to bypass this protection by adding spaces into the URL in places that Bugzilla did not expect them. Also, "javascript:" and "data:" links were *always* shown as clickable to logged-out users.

CVE-2011-0046: Various pages were vulnerable to Cross-Site Request Forgery attacks. Most of these issues are not as serious as previous CSRF vulnerabilities. Some of these issues were only addressed on more recent branches of Bugzilla and not fixed in earlier branches, in order to avoid changing behavior that external applications may depend on. The links below in "References" describe which issues were fixed on which branches.

Gentoo 201110-03 bugzilla 2011-10-10
Debian DSA-2322-1 bugzilla 2011-10-10
Ubuntu USN-1129-1 perl 2011-05-03
SUSE SUSE-SR:2011:005 hplip, perl, subversion, t1lib, bind, tomcat5, tomcat6, avahi, gimp, aaa_base, build, libtiff, krb5, nbd, clamav, aaa_base, flash-player, pango, openssl, subversion, postgresql, logwatch, libxml2, quagga, fuse, util-linux 2011-04-01
SUSE SUSE-SR:2011:003 gnutls, tomcat6, perl-CGI-Simple, pcsc-lite, obs-server, dhcp, java-1_6_0-openjdk, opera 2011-02-08
Fedora FEDORA-2011-0741 bugzilla 2011-01-25
Fedora FEDORA-2011-0755 bugzilla 2011-01-25


dhcp: denial of service

Package(s): dhcp
CVE #(s): CVE-2011-0413
Created: February 4, 2011
Updated: April 19, 2011
Description: From the CVE entry:

The DHCPv6 server in ISC DHCP 4.0.x and 4.1.x before 4.1.2-P1, 4.0-ESV and 4.1-ESV before 4.1-ESV-R1, and 4.2.x before 4.2.1b1 allows remote attackers to cause a denial of service (assertion failure and daemon crash) by sending a message over IPv6 for a declined and abandoned address.

Fedora FEDORA-2011-0848 dhcp 2011-01-28
Debian DSA-2184-1 isc-dhcp 2011-03-05
Red Hat RHSA-2011:0256-01 dhcp 2011-02-15
Pardus 2011-36 dhcp 2011-02-14
SUSE SUSE-SR:2011:003 gnutls, tomcat6, perl-CGI-Simple, pcsc-lite, obs-server, dhcp, java-1_6_0-openjdk, opera 2011-02-08
Mandriva MDVSA-2011:022 dhcp 2011-02-07
openSUSE openSUSE-SU-2011:0098-1 dhcp 2011-02-04


exim: symlink attack

Package(s): exim
CVE #(s): CVE-2011-0017
Created: February 8, 2011
Updated: February 22, 2011
Description: From the CVE entry:

The open_log function in log.c in Exim 4.72 and earlier does not check the return value from (1) setuid or (2) setgid system calls, which allows local users to append log data to arbitrary files via a symlink attack.

Gentoo 201401-32 exim 2014-01-27
SUSE SUSE-SR:2011:004 exim, krb5, git, dbus-1 2011-02-22
Ubuntu USN-1060-1 exim4 2011-02-10
openSUSE openSUSE-SU-2011:0105-1 exim 2011-02-08


kernel: denial of service

Package(s): kernel
CVE #(s): none assigned
Created: February 8, 2011
Updated: February 9, 2011
Description: From rPath RPL-3199:

When Intel VT is enabled in the BIOS of some systems which use intel_iommu, a kernel oops, and possibly a system crash, may occur. Adding intel_iommu=off to the boot parameter list works around the issue.

rPath rPSA-2011-0010-1 kernel 2011-02-07


krb5: denial of service

Package(s): krb5
CVE #(s): CVE-2010-4022 CVE-2011-0281 CVE-2011-0282
Created: February 9, 2011
Updated: April 15, 2011
Description: The krb5 server suffers from three independent vulnerabilities allowing a remote attacker to crash or hang the "key distribution center" process.

Gentoo 201201-13 mit-krb5 2012-01-23
CentOS CESA-2011:0199 krb5 2011-04-14
Pardus 2011-48 mit-kerberos 2011-02-28
SUSE SUSE-SR:2011:004 exim, krb5, git, dbus-1 2011-02-22
Fedora FEDORA-2011-1210 krb5 2011-02-09
Fedora FEDORA-2011-1225 krb5 2011-02-09
Ubuntu USN-1062-1 krb5 2011-02-15
openSUSE openSUSE-SU-2011:0111-1 krb5 2011-02-14
Red Hat RHSA-2011:0199-01 krb5 2011-02-08
Mandriva MDVSA-2011:025 krb5 2011-01-09
Mandriva MDVSA-2011:024 krb5 2011-01-09
Red Hat RHSA-2011:0200-01 krb5 2011-02-08


opera: multiple vulnerabilities

Package(s): Opera
CVE #(s): CVE-2011-0681 CVE-2011-0682 CVE-2011-0683 CVE-2011-0684 CVE-2011-0685 CVE-2011-0686 CVE-2011-0687
Created: February 7, 2011
Updated: February 9, 2011
Description: From the CVE entries:

Opera before 11.01 does not properly restrict the use of opera: URLs, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. (CVE-2011-0683)

Opera before 11.01 does not properly handle redirections and unspecified other HTTP responses, which allows remote web servers to obtain sufficient access to local files to use these files as page resources, and consequently obtain potentially sensitive information from the contents of the files, via an unknown response manipulation. (CVE-2011-0684)

The Delete Private Data feature in Opera before 11.01 does not properly implement the "Clear all email account passwords" option, which might allow physically proximate attackers to access an e-mail account via an unattended workstation. (CVE-2011-0685)

Unspecified vulnerability in Opera before 11.01 allows remote attackers to cause a denial of service (application crash) via unknown content on a web page, as demonstrated by (CVE-2011-0686)

Opera before 11.01 does not properly implement Wireless Application Protocol (WAP) dropdown lists, which allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted WAP document. (CVE-2011-0687)

The Cascading Style Sheets (CSS) Extensions for XML implementation in Opera before 11.01 recognizes links to javascript: URLs in the -o-link property, which makes it easier for remote attackers to bypass CSS filtering via a crafted URL. (CVE-2011-0681)

Opera before 11.01 does not properly handle large form inputs, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HTML document. (CVE-2011-0682)

Gentoo 201206-03 opera 2012-06-15
SUSE SUSE-SR:2011:003 gnutls, tomcat6, perl-CGI-Simple, pcsc-lite, obs-server, dhcp, java-1_6_0-openjdk, opera 2011-02-08
openSUSE openSUSE-SU-2011:0103-1 Opera 2011-02-07


postgresql: arbitrary code execution

Package(s): postgresql-8.3
CVE #(s): CVE-2010-4015
Created: February 4, 2011
Updated: April 15, 2011
Description: From the CVE entry:

Buffer overflow in the gettoken function in contrib/intarray/_int_bool.c in the intarray array module in PostgreSQL 9.0.x before 9.0.3, 8.4.x before 8.4.7, 8.3.x before 8.3.14, and 8.2.x before 8.2.20 allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via integers with a large number of digits to unspecified functions.

Gentoo 201110-22 postgresql-base 2011-10-25
CentOS CESA-2011:0198 postgresql84 2011-04-14
CentOS CESA-2011:0197 postgresql 2011-04-14
SUSE SUSE-SR:2011:005 hplip, perl, subversion, t1lib, bind, tomcat5, tomcat6, avahi, gimp, aaa_base, build, libtiff, krb5, nbd, clamav, aaa_base, flash-player, pango, openssl, subversion, postgresql, logwatch, libxml2, quagga, fuse, util-linux 2011-04-01
openSUSE openSUSE-SU-2011:0254-1 postgresql 2011-03-31
Pardus 2011-37 postgresql-doc postgresql-lib postgresql-pl postgresql-server 2011-02-14
Fedora FEDORA-2011-0963 postgresql 2011-02-01
Fedora FEDORA-2011-0990 postgresql 2011-02-01
Mandriva MDVSA-2011:021 postgresql 2011-02-07
CentOS CESA-2011:0197 postgresql 2011-02-04
Ubuntu USN-1058-1 postgresql-8.1, postgresql-8.3, postgresql-8.4 2011-02-03
Red Hat RHSA-2011:0198-01 postgresql84 2011-02-03
Red Hat RHSA-2011:0197-01 postgresql 2011-02-03
Debian DSA-2157-1 postgresql-8.3 2011-02-03


vlc: code execution

Package(s): vlc vlc-firefox
CVE #(s): CVE-2011-0522
Created: February 3, 2011
Updated: February 9, 2011
Description: From the VUPEN advisory:

Two vulnerabilities have been identified in VLC Media Player, which could be exploited by attackers to compromise a vulnerable system. These issues are caused by buffer overflow errors in the "StripTags()" function within the USF and Text subtitles decoders ["modules/codec/subtitles/subsdec.c" and "modules/codec/subtitles/subsusf.c"] when processing malformed data, which could be exploited by attackers to crash an affected application or execute arbitrary code by convincing a user to open a malicious media file.

Gentoo 201411-01 vlc 2014-11-05
Pardus 2011-23 vlc vlc-firefox 2011-02-02


Page editor: Jake Edge

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds