Linux autorun vulnerabilities? [LWN.net]

By Jake Edge
February 9, 2011

The Windows "AutoRun" feature, which automatically (or semi-automatically after a user prompt) runs programs from removable storage devices, has been a regular source of security problems. It has been present since Windows 95, but Microsoft finally recognized the problem and largely disabled the "feature" in Windows 7—and issued an update on February 8 that disables it for XP and Vista. Various attacks (ab)used AutoRun on USB storage devices to propagate, including Conficker and Stuxnet. Could Linux suffer from a similar flaw? The answer, from a SchmooCon 2011 presentation, is, perhaps unsurprisingly, "yes".

At SchmooCon, Jon Larimer demonstrated a way to circumvent the screensaver lock on an Ubuntu 10.10 system just by inserting a USB storage device. Because the system will automatically mount the USB drive and the Nautilus file browser will try to thumbnail any documents it finds there, he was able to shut down the screensaver and access the system. While his demo disabled both address-space layout randomization (ASLR) and AppArmor, that was only done to make the demo run quickly. On 32-bit systems, ASLR can be brute-forced to find needed library addresses, given some time. AppArmor is more difficult to bypass, but he has some plausible ideas on doing that as well.

Larimer's exploit took advantage of a hole in the evince-thumbnailer, which was fixed back in January (CVE-2010-2640). A crafted DVI file could be constructed and used to execute arbitrary code when processed by evince. In his presentation [PDF], he shows in some detail how to use this vulnerability to execute a program stored on the USB device.

Killing the screensaver is just one of the things that could be done from that shell script, of course. Larimer points to possibilities like putting a .desktop file into ~/.config/autostart, which will then be executed every time the user logs in. The same kind of thing could be done using .bash_profile or similar files. Either of those could make for a Conficker-like attack against Linux systems. In addition, because the user is logged in, any encrypted home directory or partition will be decrypted and available for copying the user's private data.

While Larimer's demonstration is interesting, even though the specifics of his attack may be of little practical use, there is much to be considered in the rest of his presentation. As he points out, automatically mounting USB storage devices and accessing their contents invokes an enormous amount of code, from the USB drivers and filesystem code, to the desktop daemons and applications that display the contents of those devices. Each of those components could have—many have had—security vulnerabilities.

That should give anyone pause about automatically mounting those kinds of devices. One could certainly imagine crafted devices or filesystems that exploit holes in the kernel code, which would be a route that would likely avoid AppArmor (or SELinux) entirely. While Linux may not automatically run code from USB storage devices, it does enough processing of the, quite possibly malicious, data on them that the effect may be largely the same.

Larimer offers some recommendations to avoid this kind of problem, starting with the obvious: turn off auto-mounting of removable storage. He also recommends disabling the automatic thumbnailing of files on removable media. In addition, using grsecurity/PaX makes brute-forcing ASLR harder on 32-bit systems because it uses more bits of entropy to randomize the library locations. Of course, a 64-bit system allows a much wider range of potential library addresses, so that makes breaking ASLR harder still.

One clear theme of his talk is that "automatically" doing things can be quite dangerous. It may be easier and more convenient, but it can also lead to potentially serious holes. Convenience and security are often at odds.

Index entries for this article
Security	Desktop

to post comments

Linux autorun vulnerabilities?

Posted Feb 10, 2011 2:05 UTC (Thu) by walters (subscriber, #7396) [Link] (1 responses)

Well, it would probably make sense to delay processing of mount events while the machine is locked, at least in the single-head case.

And the thumbnailers should definitely be sandboxed; it'd probably be fairly trivial to use seccomp() or the SELinux sandbox for it.

Linux autorun vulnerabilities?

Posted Feb 10, 2011 9:47 UTC (Thu) by tzafrir (subscriber, #11501) [Link]

Right. It's practically the same code that is accessible to a remote attacker through a web browser.

Linux autorun vulnerabilities?

Posted Feb 10, 2011 7:12 UTC (Thu) by tetromino (guest, #33846) [Link]

The easy way to close the biggest part of the threat surface is to simply not run thumbnailers on removable media by default. And to lessen the inconvenience of such a change, perhaps add some sort of a whitelist to trust specific media and/or readers. Unfortunately, GNOME 2.32 lacks the necessary fine-grained settings for thumbnailing control; you can turn off the Nautilus thumbnailers for network mounts, but there is no way to turn off thumbnailing of random USB flash drives while still showing thumbnails for files on the local hard drive.

Linux autorun vulnerabilities?

Posted Feb 10, 2011 7:13 UTC (Thu) by Fowl (subscriber, #65667) [Link] (4 responses)

Couldn't an arbitrary USB device just DMA something malicious behind the kernel's back?

Thumbnbail-ers / Indexers / Property Extractors are one of the first bits of code (behind web browsers) that should be sandboxed IMHO.

Linux autorun vulnerabilities?

Posted Feb 10, 2011 9:18 UTC (Thu) by dlang (guest, #313) [Link] (3 responses)

no, the USB bus does not support DMA (direct memory access), the driver uses it to transfer data from the memory to the server-side hardware, but the devices plugged in cannot initiate or control DMA.

Linux autorun vulnerabilities?

Posted Feb 10, 2011 12:43 UTC (Thu) by cesarb (subscriber, #6266) [Link] (2 responses)

Well, an USB device can emulate a keyboard/mouse too. I am sure a creative hacker would be able to use this to do something like opening a terminal and typing a command.

But this requires special hardware. What we are talking about is things that can be used for worm-like behavior, that is, things that can be written to a generic USB mass storage device.

Linux autorun vulnerabilities?

Posted Feb 10, 2011 14:07 UTC (Thu) by gidoca (subscriber, #62438) [Link] (1 responses)

Special hardware? What prevents you from doing this as a malware for smartphones?

Linux autorun vulnerabilities?

Posted Feb 10, 2011 15:28 UTC (Thu) by cesarb (subscriber, #6266) [Link]

Good catch. Even though I have one on my pocket, I completely forgot that it can be used as the "special hardware" I was thinking of.

It gets worse

Posted Feb 10, 2011 12:31 UTC (Thu) by cesarb (subscriber, #6266) [Link]

I was (negatively) surprised when a coworker, running an Ubuntu VM under VirtualBox, clicked on the menu option to install the VirtualBox Guest Additions (which inserts a virtual CD-ROM with the drivers), and the Ubuntu desktop asked if he wanted to run the installer from the CD!

Yes, it prompted before running, but it is well known that most people will just click "Yes" without even reading the text in a dialog box.

The specification seems to be this one: http://standards.freedesktop.org/autostart-spec/autostart...

Linux autorun vulnerabilities?

Posted Feb 10, 2011 15:24 UTC (Thu) by rfunk (subscriber, #4054) [Link] (4 responses)

I'm unhappy that Ubuntu is now apparently auto-mounting new devices by default, let alone autorunning what's on there. I started noticing this after my 10.10 upgrade.

It's especially annoying since I'm running KDE and I get an obviously GNOME-based dialog box asking me what I want to do with the content found on the device. The most annoying part is also the part that makes it most obvious that it comes from GNOME, is that the only apps I'm offered to open the content are GNOME apps, ignoring my KDE (and other) apps.

Linux autorun vulnerabilities?

Posted Feb 10, 2011 18:46 UTC (Thu) by tetromino (guest, #33846) [Link] (1 responses)

I think you have your terminology mixed up. Autorun means "automatically run an executable with a particular name located in the root directory of a piece of media when that media is mounted". Ubuntu does not do autorun by default. Instead, it pops up a dialog box that asks you what you want to do with a piece of newly mounted media, and if an autorun executable is present, then running that executable will be one of the possible choices.

The big problem is not with autorun, but with (a) the "auto open in Nautilus" that Ubuntu uses as the default action for newly mounted USB mass storage devices, and (b) the fact that when Nautilus opens a folder, it will automatically generate thumbnails for all the files in it, no matter whether the folder is /home/rfunk or /media/evil_exploit_filled_USB_flash_drive.

Linux autorun vulnerabilities?

Posted Feb 10, 2011 19:00 UTC (Thu) by rfunk (subscriber, #4054) [Link]

Yeah, I realize it's a slight tangent. I guess I consider automount a prerequisite for autorun, and I don't want either one to happen.

But thanks to your explanation about what Nautilus is doing, I was able to find the right gconf keys to flip in gconf-editor:
/apps/nautilus/preferences/media_automount
/apps/nautilus/preferences/media_automount_open
/apps/nautilus/preferences/media_autorun_never

Now I just wish I could keep Nautilus from even being triggered at all when media is inserted, unless I'm actually running GNOME.

Ubuntu/KDE

Posted Feb 10, 2011 23:40 UTC (Thu) by ccurtis (guest, #49713) [Link] (1 responses)

How do you manage that? Did you start with GNOME and then install KDE later?

I've always run Kubuntu and in 10.10 I get a KDE tray popup that says I have two options for the device. I can click the button in the far right to mount it, or anywhere on the device label to display a dropdown of my two options.

My two options are [a] Download Photos with Gwenview (a KDE app) or [b] Open with File Manager, which opens Dolphin.

Ubuntu/KDE

Posted Feb 11, 2011 0:33 UTC (Fri) by rfunk (subscriber, #4054) [Link]

I normally install Kubuntu, then add the ubuntu-desktop metapackage -- as well as kde-full. I like to have everything available to me; I just don't want it all running at once. :-)

I get the KDE tray popup too; I just wish that were all I got.

Linux autorun vulnerabilities?

Posted Feb 10, 2011 22:50 UTC (Thu) by hingo (guest, #14792) [Link]

Is it just me, or is the natural reaction when reading this article that, no, I do not want to click on the link to this guys presentation, *in PDF* :-)

Linux autorun vulnerabilities?

Posted Feb 11, 2011 22:37 UTC (Fri) by kees (subscriber, #27264) [Link]

The ASLR predictability is actually a weakness in the NX-emulation patch carried by Fedora and Ubuntu. If this was done on a PAE system (even 32bit), it would have been pretty unfeasible. That said, it's still good research. I wrote up a little more about it here:

http://www.outflux.net/blog/archives/2011/02/11/shaping-t...