Re: USB autorun attacks against Linux
Nevermind, was already fixed a few days ago:
evince (2.32.0-0ubuntu1.1) maverick-security; urgency=low
* SECURITY UPDATE: arbitrary code execution via multiple dvi backend
overflows
- debian/patches/02_CVE-2010-264x.patch: add bounds checking in
backend/dvi/mdvi-lib/{afmparse,dviread,pk,tfmfile,vf}.c.
- CVE-2010-2640
- CVE-2010-2641
- CVE-2010-2642
- CVE-2010-2643
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 03 Jan 2011 11:38:25 -0500
Re: USB autorun attacks against Linux
Thanks for the update folks. This is what makes Lunix and Ubuntu great! :)
Re: USB autorun attacks against Linux
Quote:
Originally Posted by
psusi
Nevermind, was already fixed a few days ago:
Sweet!
Re: USB autorun attacks against Linux-Looks like Thumbnails may be an issue.
Here's a direct link to the presentation (PDF slideshow):
http://blogs.iss.net/archive/papers/...inst_Linux.pdf
Note that some of the potential access points are not protected by PIE or AppArmor. Of course the premise here is getting a USB or other autorun device mounted after the target system is booted.
As I see it, "Browse media when inserted" is OK, but having "Never prompt or start media when inserted..." enabled is a good thing too.
Also, I disable thumbnailers by default anyway. Just like the conclusion says. :)
Re: USB autorun attacks against Linux-Looks like Thumbnails may be an issue.
Quote:
Originally Posted by
emarkay
Of course the premise here is getting a USB or other autorun device mounted after the target system is booted.
Well, in a lot of cases you just have to get your corrupted file onto someone's USB stick so that when they plug it into the computer the thumbnailer will run and execute your exploit code. That's much easier than getting your own USB stick plugged into the computer, as people often use them to transfer files, particularly to machines that aren't networked or are on private networks.
Re: USB autorun attacks against Linux
Quote:
Originally Posted by
movieman
Any thumbnail generator should be run inside an apparmor sandbox that minimises opportunity for exploits of this kind;
.. and that is indeed the default setting in Ubuntu 9.10 and later:
http://www.ubuntu.com/usn/usn-1035-1
"In the default installation of Ubuntu 9.10 and later, attackers would be isolated by the Evince AppArmor profile."
Re: USB autorun attacks against Linux
Quote:
Originally Posted by
raffen
.. and that is indeed the default setting in Ubuntu 9.10 and later:
http://www.ubuntu.com/usn/usn-1035-1
"In the default installation of Ubuntu 9.10 and later, attackers would be isolated by the Evince AppArmor profile."
Not possible. AppArmor is set to complain, not enforce, by default. Which means it wouldn't be protecting. /me was wrong :oops:
Re: USB autorun attacks against Linux
Quote:
Originally Posted by
uRock
Not possible. AppArmor is set to complain, not enforce, by default. Which means it wouldn't be protecting.
It's definitely set to enforce.
Code:
$ sudo apparmor_status
apparmor module is loaded.
10 profiles are loaded.
10 profiles are in enforce mode.
/sbin/dhclient3
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-thumbnailer
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/sbin/cupsd
/usr/sbin/ntpd
/usr/sbin/tcpdump
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode :
/sbin/dhclient3 (4424)
/usr/sbin/cupsd (1025)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
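A check built on the kind of status output posted above, as an added example that is not part of any post in this thread: it parses `apparmor_status` text and reports whether named profiles such as /usr/bin/evince-thumbnailer are in enforce or complain mode. The function names and both sample inputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report the mode of AppArmor profiles.
# profile_mode PROFILE  (status text on stdin) -> enforce | complain | ... | unloaded
profile_mode() {
  awk -v want="$1" '
    /^[ \t]*[0-9]+ profiles are in /      { section = $5; next }  # "N profiles are in X mode."
    /^[ \t]*[0-9]+ (profiles|processes) / { section = "";  next }  # any other summary line
    section != "" {
      gsub(/^[ \t]+|[ \t]+$/, "")          # real output indents the profile names
      if ($0 == want) found = section
    }
    END { print (found != "" ? found : "unloaded") }
  '
}

# all_enforced STATUS_TEXT PROFILE... -> returns 0 only if every profile is enforced
all_enforced() {
  local text p mode rc=0
  text=$1; shift
  for p in "$@"; do
    mode=$(printf '%s\n' "$text" | profile_mode "$p")
    printf '%-30s %s\n' "$p" "$mode"
    [ "$mode" = "enforce" ] || rc=1
  done
  return "$rc"
}

# Constructed sample, modelled on the output posted in the thread.
SAMPLE_ENFORCE='apparmor module is loaded.
4 profiles are loaded.
4 profiles are in enforce mode.
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-thumbnailer
   /usr/sbin/cupsd
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode :
   /usr/sbin/cupsd (1025)
0 processes are in complain mode.'

# Constructed variant: the thumbnailer profile is only in complain mode.
SAMPLE_COMPLAIN='2 profiles are loaded.
1 profiles are in enforce mode.
   /usr/bin/evince
1 profiles are in complain mode.
   /usr/bin/evince-thumbnailer
0 processes have profiles defined.'
all_enforced "$SAMPLE_ENFORCE" /usr/bin/evince /usr/bin/evince-thumbnailer
```

On a live system the same function can read the real tool's output, for example `sudo apparmor_status | profile_mode /usr/bin/evince-thumbnailer`.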
Re: USB autorun attacks against Linux
Quote:
Originally Posted by
FuturePilot
It's definitely set to enforce.
I could've sworn I had to enable those on my first install. Learn something new every day.
Thanks,
uRock
Re: USB autorun attacks against Linux
Quote:
It was evince-thumbnailer that
was exploited, not Nautilus and certainly not Linux. This feature in
Nautilus exposes other systems to potential attacks, but Nautilus
itself was not shown as vulnerable in the demonstration. Nautilus
also has a configuration option which lets you choose if you want
this behavior or not, although I personally believe it shouldn't do
this at all when the screen is locked.
This is a vulnerability in Ubuntu (and probably other GNOME-based
distros), but it is completely erroneous to say that it's a
vulnerability in Linux, for two reasons: 1) The applications that
were exploited are in use on non-Linux systems (and will be equally
exposed), and 2) many Linux systems don't use these applications at
all.
http://www.h-online.com/open/news/fo...14371201/read/