LWN: Comments on "Linux autorun vulnerabilities?"
https://lwn.net/Articles/427135/
This is a special feed containing comments posted to the individual LWN article titled "Linux autorun vulnerabilities?".
Fri, 07 Nov 2025 13:03:24 +0000


Linux autorun vulnerabilities?
https://lwn.net/Articles/427698/
kees, Fri, 11 Feb 2011 22:37:48 +0000

The ASLR predictability is actually a weakness in the NX-emulation patch carried by Fedora and Ubuntu. If this was done on a PAE system (even 32bit), it would have been pretty unfeasible. That said, it's still good research. I wrote up a little more about it here:

http://www.outflux.net/blog/archives/2011/02/11/shaping-the-direction-of-research/


Ubuntu/KDE
https://lwn.net/Articles/427490/
rfunk, Fri, 11 Feb 2011 00:33:28 +0000

I normally install Kubuntu, then add the ubuntu-desktop metapackage -- as well as kde-full. I like to have everything available to me; I just don't want it all running at once. :-)

I get the KDE tray popup too; I just wish that were all I got.


Ubuntu/KDE
https://lwn.net/Articles/427478/
ccurtis, Thu, 10 Feb 2011 23:40:58 +0000

How do you manage that? Did you start with GNOME and then install KDE later?

I've always run Kubuntu and in 10.10 I get a KDE tray popup that says I have two options for the device. I can click the button in the far right to mount it, or anywhere on the device label to display a dropdown of my two options.

My two options are [a] Download Photos with Gwenview (a KDE app) or [b] Open with File Manager, which opens Dolphin.


Linux autorun vulnerabilities?
https://lwn.net/Articles/427461/
hingo, Thu, 10 Feb 2011 22:50:15 +0000

Is it just me, or is the natural reaction when reading this article that, no, I do not want to click on the link to this guy's presentation, *in PDF* :-)


Linux autorun vulnerabilities?
https://lwn.net/Articles/427408/
rfunk, Thu, 10 Feb 2011 19:00:52 +0000

Yeah, I realize it's a slight tangent. I guess I consider automount a prerequisite for autorun, and I don't want either one to happen.

But thanks to your explanation about what Nautilus is doing, I was able to find the right gconf keys to flip in gconf-editor:
/apps/nautilus/preferences/media_automount
/apps/nautilus/preferences/media_automount_open
/apps/nautilus/preferences/media_autorun_never

Now I just wish I could keep Nautilus from even being triggered at all when media is inserted, unless I'm actually running GNOME.


Linux autorun vulnerabilities?
https://lwn.net/Articles/427401/
tetromino, Thu, 10 Feb 2011 18:46:21 +0000

I think you have your terminology mixed up. Autorun means "automatically run an executable with a particular name located in the root directory of a piece of media when that media is mounted". Ubuntu does not do autorun by default. Instead, it pops up a dialog box that asks you what you want to do with a piece of newly mounted media, and if an autorun executable is present, then running that executable will be one of the possible choices.

The big problem is not with autorun, but with (a) the "auto open in Nautilus" that Ubuntu uses as the default action for newly mounted USB mass storage devices, and (b) the fact that when Nautilus opens a folder, it will automatically generate thumbnails for all the files in it, no matter whether the folder is /home/rfunk or /media/evil_exploit_filled_USB_flash_drive.


Linux autorun vulnerabilities?
https://lwn.net/Articles/427361/
cesarb, Thu, 10 Feb 2011 15:28:41 +0000

Good catch. Even though I have one in my pocket, I completely forgot that it can be used as the "special hardware" I was thinking of.


Linux autorun vulnerabilities?
https://lwn.net/Articles/427360/
rfunk, Thu, 10 Feb 2011 15:24:31 +0000

I'm unhappy that Ubuntu is now apparently auto-mounting new devices by default, let alone autorunning what's on there. I started noticing this after my 10.10 upgrade.

It's especially annoying since I'm running KDE and I get an obviously GNOME-based dialog box asking me what I want to do with the content found on the device. The most annoying part, which is also the part that makes it most obvious that it comes from GNOME, is that the only apps I'm offered to open the content are GNOME apps, ignoring my KDE (and other) apps.


Linux autorun vulnerabilities?
https://lwn.net/Articles/427347/
gidoca, Thu, 10 Feb 2011 14:07:12 +0000

Special hardware? What prevents you from doing this as malware for smartphones?


Linux autorun vulnerabilities?
https://lwn.net/Articles/427334/
cesarb, Thu, 10 Feb 2011 12:43:40 +0000

Well, a USB device can emulate a keyboard/mouse too. I am sure a creative hacker would be able to use this to do something like opening a terminal and typing a command.

But this requires special hardware. What we are talking about is things that can be used for worm-like behavior, that is, things that can be written to a generic USB mass storage device.


It gets worse
https://lwn.net/Articles/427332/
cesarb, Thu, 10 Feb 2011 12:31:57 +0000

I was (negatively) surprised when a coworker, running an Ubuntu VM under VirtualBox, clicked on the menu option to install the VirtualBox Guest Additions (which inserts a virtual CD-ROM with the drivers), and the Ubuntu desktop asked if he wanted to run the installer from the CD!

Yes, it prompted before running, but it is well known that most people will just click "Yes" without even reading the text in a dialog box.

The specification seems to be this one: http://standards.freedesktop.org/autostart-spec/autostart-spec-latest.html#mounting


Linux autorun vulnerabilities?
https://lwn.net/Articles/427306/
tzafrir, Thu, 10 Feb 2011 09:47:54 +0000

Right. It's practically the same code that is accessible to a remote attacker through a web browser.


Linux autorun vulnerabilities?
https://lwn.net/Articles/427299/
dlang, Thu, 10 Feb 2011 09:18:38 +0000

No, the USB bus does not support DMA (direct memory access); the driver uses it to transfer data from the memory to the server-side hardware, but the devices plugged in cannot initiate or control DMA.


Linux autorun vulnerabilities?
https://lwn.net/Articles/427281/
Fowl, Thu, 10 Feb 2011 07:13:06 +0000

Couldn't an arbitrary USB device just DMA something malicious behind the kernel's back?

Thumbnail-ers / Indexers / Property Extractors are one of the first bits of code (behind web browsers) that should be sandboxed IMHO.


Linux autorun vulnerabilities?
https://lwn.net/Articles/427277/
tetromino, Thu, 10 Feb 2011 07:12:20 +0000

The easy way to close the biggest part of the threat surface is to simply not run thumbnailers on removable media by default. And to lessen the inconvenience of such a change, perhaps add some sort of a whitelist to trust specific media and/or readers. Unfortunately, GNOME 2.32 lacks the necessary fine-grained settings for thumbnailing control; you can turn off the Nautilus thumbnailers for network mounts, but there is no way to turn off thumbnailing of random USB flash drives while still showing thumbnails for files on the local hard drive.


Linux autorun vulnerabilities?
https://lwn.net/Articles/427240/
walters, Thu, 10 Feb 2011 02:05:37 +0000

Well, it would probably make sense to delay processing of mount events while the machine is locked, at least in the single-head case.

And the thumbnailers should definitely be sandboxed; it'd probably be fairly trivial to use seccomp() or the SELinux sandbox for it.