USB Autorun Attacks Against Linux
Orome1 writes "Many people think that Linux is immune to the type of Autorun attacks that have plagued Windows systems with malware over the years. However, there have been many advances in the usability of Linux as a desktop OS — including the addition of features that can allow Autorun attacks. This Shmoocon presentation by Jon Larimer from IBM X-Force starts off with a definition of autorun vulnerabilities and some examples from Windows, then jumps straight into the Linux side of things. Larimer explains how attackers can abuse these features to gain access to a live system by using a USB flash drive. He also shows how USB as an exploitation platform can allow for easy bypass of protection mechanisms like ASLR and how these attacks can provide a level of access that other physical attack methods do not." I've attached the video if you are curious. Skip the first 2 minutes if you don't care where the lost and found is.
I always knew that when they made *nix idiot-proof all hell would break loose security-wise. Android has proven that really thoroughly. It's too bad, really. I had high hopes for it once. Maybe they'll get it together yet though.
Caveat Utilitor
Autorun as a concept just sucks.
Copying whatever Windows does, warts and all, into Linux, just sucks.
When is this insanity going to end?
Anybody want to post a quick-fix to avoid or turn off AutoRun in Ubuntu?
I'm not a lawyer, but I play one on the Internet.
Auto-run is convenient and all but systems should NOT automatically execute content from devices unless the user has specifically told them it's okay.
A recommendation for out-of-the-box "autorun" experience:
Query the type of the media, but do so without running any code of any type on the media.
Authenticate the data used to determine the type of the media AND any "auto run" code typically associated with that type of media OR decide you can't authenticate it.
Present a box to the user for "trusted" content:
This disk claims that it contains [a program | music | video | files | whatever ]. This claim is signed by [company] and its chain-of-authentication includes [highest-level signer], a company trusted by [operating system vendor | you]. To see more details click [here].
What do you want to do? [list of choices, including "do nothing," "open as a folder," "run the disk" (aka autorun), "play music," "play video," etc.]
[ X ] Do the same for other media of this type signed by this signer.
[ _ ] Do the same for other media of this type signed by any trusted signer.
[ _ ] Do the same for other media of this type even if it is not signed.
Present a box to the user for signed content that cannot be authenticated:
WARNING: This disk claims that it contains [a program | music | video | files | whatever ]. This claim is signed by [company] but this signature cannot be authenticated. To see more details click [here].
What do you want to do? [list of choices, including "do nothing," "open as a folder," "run the disk" (aka autorun), "play music," "play video," etc.]
[ _ ] Trust this signer in the future.
[ _ ] Do the same for other media of this type signed by this signer.
[ _ ] Do the same for other media of this type signed by any trusted signer.
[ _ ] Do the same for other media of this type even if it is not signed.
Present a box to the user for unsigned content, which would typically be "unlabeled" content that the computer has to figure out for itself:
This disk appears to contain [a program | music | video | files | whatever ].
What do you want to do? [list of choices, including "do nothing," "open as a folder," "run the disk" (aka autorun), "play music," "play video," etc.]
[ _ ] Do the same for other media of this type [bold]NOT recommended[/bold]
Almost all media would be "unsigned" until a standardized method of signing is developed. Signing would typically only authenticate the type of media the disk claimed to be as well as the executable code of any autoexec.exe-type program that runs if the user "runs the disk" or any media-type-specific on-disk code that runs if the user "plays the media," not the entire disk.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Linux servers that run on the command line don't have these issues. I know this is shocking to some people, but 99.99% of the world doesn't really give a shit about what you have on your home pc's hard drive. Security is good, but paranoia isn't. Anyone that actually cares about safeguarding their data won't be running a server with a GUI on it anyway. Even the Apache Foundation had to learn this the hard way.
Doesn't depend on platform. Autorun is always a huge security risk. It was invented for lazy users that do not want to know how to use their computer properly. At this time (and for the foreseeable future) this kind of laziness comes at a price and that is vulnerability to rather simple to execute attacks.
The real benefit of Linux here is that, unlike Windows, you can get distributions that would not dream of implementing something as stupid as autorun. On others, you can reliably turn it off without a cryptic adventure through the mess called the "registry". But implementing insecure features will of course make Linux insecure. Nobody sane debates that.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
> But as you make Linux more user friendly, feature rich, easier to use, it becomes easier to attack.
Of course you can point us to the inevitable viruses, worms and trojans that now afflict MacOS?
If not then your entire rant is just thoughtless jibber jabber.
You get system vulnerabilities from bad engineering practices, not a consumer focused mindset.
Sure I can have it both ways. Just don't do obviously stupid stuff. Don't do things that were proven wrongful in the 80s before any of the current malware innovations were developed.
A Pirate and a Puritan look the same on a balance sheet.
A more complicated security model is not going to prevent an environment that can trash the user's files from trashing the user's files.
That capability is somewhat hard to avoid as you can't really do work for the user otherwise.
A Pirate and a Puritan look the same on a balance sheet.
Maybe OT, but here's MS's information for controlling this "feature" in Windows.
There've been various sets of instructions and registry hacks floating around, but this appears to be from the horse's mouth, relatively recently updated, and addresses some of the shortcomings of previous fixes.
Article ID: 967715 - Last Review: September 9, 2010 - Revision: 6.2
How to disable the Autorun functionality in Windows
http://support.microsoft.com/kb/967715
(I'm posting this due to the confusion all the various instructions / search results can create, and because this article addresses Autoruns and so I expect a number of Windows users will be having a look out of curiosity.)
It doesn't even recognise my thumb drive, so I don't have to worry about security
Did you ever use the original Vista? Ever use Ubuntu or OSX from the same time period? Vista's prompt was a lot more annoying, because for some operations it would go off several times, while for the other two it'd ask you ONCE and then get the hell out of the way. Ubuntu would even remember your sudo credentials for a few minutes so you could do other tasks as root. Really a superior design.
They made it less annoying with SP2 and again with Win7, yes, but the original setup was shit.
Hail Eris, full of mischief...
E pluribus sanguinem
It was quite popular about 8-10 years ago for various media outlets to declare the "year of the Linux Desktop". I can't be arsed to look up specific examples, but they definitely existed. The irony being that Linux has improved dramatically as a desktop OS since most of those claims were widely circulated, yet no one expects it anymore. As far as I can tell, three things have ended the hype:
1) Probably most important: People have realized that what most desktop users want is something Linux will probably never give them. Hand holding and a person to call when things break. Windows' monopoly created a huge pool of reasonably skilled amateur technicians; as well as an ecosystem of professionals ranging from the guy with fliers on the apartment bulletin board, to Best Buy's Geek Squad, to highly skilled consultants and everything in between. Apple answered that with their Genius Bar and highly rated customer service. Linux has answers to it as well, but people don't like searching web sites and such. Red Hat and a few others actually have excellent customer service and tech support, but buying from them (in small volumes, they're way cheaper than MS for high volume sales) makes Linux as expensive as Windows.
2) A credible alternative to Windows on the Desktop emerged in OSX. Sure the hardware is kinda premium, but Apple released an easy to use Unix based OS on fairly affordable hardware. They also tied this with the launch of their retail stores and Genius Bars which provided the kind of hand holding and quick fix solutions that people are used to on Windows.
3) Software and hardware vendors never saw value in cooperating. Next to the lack of hand holding, this is probably the biggest issue. No thanks to the vendors, the hardware situation is much better than it used to be, but software remains a major hurdle. There are analogs and replacements for a lot of stuff, but they're rarely quite as good, always require a learning curve (on top of learning the new OS), and often times have file conversion issues. Apple got around this because they've always been Microsoft's "see, we're not really a monopoly" hitching post so a lot of vendors (including MS themselves) have always maintained a MacOS version. Apple's recent success just means that they're making money on it.
So now the Linux vendors concentrate on the server space (which has always been their strength), while producing steadily more polished Desktop OSes that don't get nearly the hype they used to. Meanwhile increasing numbers of tablets, smartphones, and PDAs may make the whole thing irrelevant in ten years. Not that desktop or laptop computers are going anywhere, but portable platforms will probably overtake them in usefulness for non-technical people at some point in the next decade.
I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
Anyone care to post a demo of this Linux autorun vulnerability, one that will compromise my system by inserting a USB device, and with no user confirmation required, and doesn't prompt for the root password ..
I actually watched this presentation live, and it is definitely worth checking out. Although this is a good presentation, it's not exactly the hack of the century. The guy still hasn't actually found a way around AppArmor yet so this doesn't work with machines with it enabled. Furthermore, the exploit requires local access to the machine AND a user account already logged in.
I'm sure 99% of you already know how to do this, but if anyone is interested in protecting themselves from this type of attack regardless simply:
1. Open a Nautilus window.
2. Edit -> Preferences. Go to the Media tab.
3. Uncheck the box that is labeled "Browse media when inserted".
Almost every comment here is concentrating on "Autorun" i.e. automatic execution of scripts/executables on media and ignoring the main focus of the talk, which is about exploiting bugs in the way the file-manager handles previews of image, PDF, DVI files etc. situated on the media. More generally he talks about the possibilities of exploiting vulnerabilities in every layer involved when automatically handling inserted media, from device discovery, device drivers, file-system drivers, up to and including the file-manager.
Unless we're all conflating "autorun" with "automount & show the media in a file-manager" now?
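The Nautilus "Browse media when inserted" setting from the steps above, and the thumbnailer exposure raised in the comment just before this note, can both be checked from a shell. This is an added example, not part of any comment in the thread; it assumes a GNOME desktop that exposes the `org.gnome.desktop.media-handling` and `org.gnome.desktop.thumbnailers` gsettings schemas, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: flag GNOME settings that let inserted media be mounted,
# opened, run or thumbnailed without the user asking for it.
# Input format is what `gsettings list-recursively <schema>` prints:
#   <schema> <key> <value>

# Constructed sample input (not captured from a real system).
SAMPLE_SETTINGS='org.gnome.desktop.media-handling automount true
org.gnome.desktop.media-handling automount-open true
org.gnome.desktop.media-handling autorun-never false
org.gnome.desktop.thumbnailers disable-all false'

# Read settings on stdin, print one RISK line per permissive value.
audit_media_settings() {
    awk '
    $1 == "org.gnome.desktop.media-handling" {
        if ($2 == "automount" && $3 == "true")
            print "RISK automount: volumes are mounted on insertion"
        if ($2 == "automount-open" && $3 == "true")
            print "RISK automount-open: file manager opens the volume"
        if ($2 == "autorun-never" && $3 == "false")
            print "RISK autorun-never: autorun prompts/handlers are active"
    }
    $1 == "org.gnome.desktop.thumbnailers" &&
    $2 == "disable-all" && $3 == "false" {
        print "RISK disable-all: thumbnailers parse files on the volume"
    }'
}

# Number of permissive settings in the input on stdin.
count_risky() {
    audit_media_settings | wc -l | tr -d ' '
}

# Apply the restrictive values for the current user (needs gsettings).
harden_media_settings() {
    gsettings set org.gnome.desktop.media-handling automount false &&
    gsettings set org.gnome.desktop.media-handling automount-open false &&
    gsettings set org.gnome.desktop.media-handling autorun-never true &&
    gsettings set org.gnome.desktop.thumbnailers disable-all true
}

# Audit the constructed sample; on a live desktop pipe in instead:
#   gsettings list-recursively org.gnome.desktop.media-handling | audit_media_settings
printf '%s\n' "$SAMPLE_SETTINGS" | audit_media_settings
```

Disabling all thumbnailers removes previews for local files as well, so it trades convenience for a smaller parsing surface.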
Linux still has the antiquated "user, group, everyone" security model from the 1970s.
Yes, there's SELinux. But there isn't a whole distribution with a full range of applications which can run under a mandatory security model.
Actually, the Unix model is so ingrained in all Unix platforms, that getting users who expect broken Unix off it (on Linux) is difficult, and they want the insecurity and convenience of Mac OS X.
And, for the demo, the speaker actually had disabled AppArmor, because with it enabled, his exploit didn't work. He said he would have been able to get around AppArmor (due to one or two controls that were not enforced on the thumbnailer) with sufficient time.
If you are referring to UAC, it is hardly a "GUI sudo prompt." sudo requires you to prove that you are an authentic user by providing your password each time you open a shell to perform an administrative task (and every fifteen minutes after), and you also have to be a member of the sudo group (which only the first account created at install time is by default).
All UAC does is basically confirm with whomever is currently sitting at the computer (authorized or not) that they initiated some arbitrary action. This is also useful, in that it prevents some web site from installing a piece of malicious software without the user's knowledge, but it is far from a "GUI sudo prompt."
This is the reason it was met with derision by Slashdotters (and I don't recall many "fits of nerd rage," although a few might have snorted Code Red through their noses when they realized how impotent - and easily disabled - this new Microsoft "security feature" was).
I don't care why you're posting AC
> All UAC does is basically confirm with whomever is currently sitting at the computer (authorized or not) that they initiated some arbitrary action.
Unless you are a limited-rights user. Then you have to enter admin credentials.
People run linux because of retarded shit like that on Windows. Don't replicate the problem.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.