Slashdot Mirror

← Back to Stories (view on slashdot.org)

USB Autorun Attacks Against Linux

Posted by CmdrTaco on from the don't-put-strangers-in-there dept.

Orome1 writes "Many people think that Linux is immune to the type of Autorun attacks that have plagued Windows systems with malware over the years. However, there have been many advances in the usability of Linux as a desktop OS — including the addition of features that can allow Autorun attacks. This Shmoocon presentation by Jon Larimer from IBM X-Force starts off with a definition of autorun vulnerabilities and some examples from Windows, then jumps straight into the Linux side of things. Larimer explains how attackers can abuse these features to gain access to a live system by using a USB flash drive. He also shows how USB as an exploitation platform can allow for easy bypass of protection mechanisms like ASLR and how these attacks can provide a level of access that other physical attack methods do not." I've attached the video if you are curious. Skip the first 2 minutes if you don't care where the lost and found is.

18 of 274 comments (clear)

  1. The price of easy and automatic by clang_jangle · · Score: 5, Interesting

    I always knew that when they made *nix idiot-proof all hell would break loose security-wise. Android has proven that really thoroughly. It's too bad, really. I had high hopes for it once. Maybe they'll get it together yet though.

    --
    Caveat Utilitor
    1. Re:The price of easy and automatic by HermMunster · · Score: 3, Informative

      I think negative mods would only be given for not addressing what the researcher was talking about. Android isn't using an autorun feature. In fact, he specifically states that his speech addresses only Ubuntu 10.10 and gnome (and not the other desktop managers).

      --
      You can lead a man with reason but you can't make him think.
    2. Re:The price of easy and automatic by Vanderhoth · · Score: 5, Informative

      I agree with you. Although, based on what I saw in the clips I was viewing the attacks seem to be more related to fancy sloppy interfaces such as auto loading thumbnails of pictures stored on a USB drive. Not so much because *nix is idiot proof, but because there is more of a focus on making a nice looking interface instead of a secure ok looking interface.

      I could be wrong.

    3. Re:The price of easy and automatic by morcego · · Score: 3, Insightful

      Shoot him.

      --
      morcego
    4. Re:The price of easy and automatic by asvravi · · Score: 4, Informative

      User-friendly
      Secure
      Functional

      Pick any two...

    5. Re:The price of easy and automatic by Stellian · · Score: 4, Interesting

      There is no autorun, mount, and execute set up upon device identification for my system.

      Disabling auto-mount is pointless, you will eventually mount that USB device - why else would you plug it in ? 95% of the Slashdot population will plug and mount a stick received in the mail with the caption "You need to see this".
      Before you even have the option of mounting, the attacker has an enormous attack surface, by suppling it's own USB device ID: he can exploit the drivers for any of the myriad mouses, keyboards, cameras etc. that Linux supports by default, and gain kernel access. You will simply see his custom hardware device as a defective USB stick and forget about it.
      If the USB device actually turns out to be a flash drive, it can be formated using any file system supported by Linux: ext, FAT, NTFS etc. Each of the drivers have exotic and seldom used features that can hide bugs. Sure, you can do allot by limiting idiotic features in your GUI tools, but a lot of the security is out of your hands.

  2. Stop copying Windows please! by JustNiz · · Score: 5, Insightful

    Autorun as a concept just sucks.
    Copying whatever Windows does, warts and all, into Linux, just sucks.
    When is this insanity going to end?

    1. Re:Stop copying Windows please! by hedwards · · Score: 5, Insightful

      It really depends how you do it. It's one thing to go the UAC route and have the computer notify the user that something has been inserted and request authorization to do something, and quite another to make that decision for the user. Certain actions really shouldn't be allowed to be completed completely on their own, autorun is definitely a candidate for that.

    2. Re:Stop copying Windows please! by $RANDOMLUSER · · Score: 4, Insightful

      Exactly.

      87.3% of all the biggest forehead-whapping Windows security bugs have come from Microsoft's (really Bill Gates) love of whizzo features that look really cool in a developers conference keynote but don't survive the first three minutes of critical thought or exposure to the real world.

      I'm specifically referring to things like where IE or Windows Explorer execute code of unknown provenance to provide "previews". Windows Explorer once had a bug which could execute arbitrary code via JPEG preview. Of course, the Outlook preview exploits are LEGION, but we can also include VB macros included in Word and Excel "data" (hahaha) files. Only a sick love of flashy features, consequences be damned can account for this.

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    3. Re:Stop copying Windows please! by Jonner · · Score: 3, Insightful

      The presenter in TFV says that because autorun always prompts the user, it's not a big security risk. He spends much more time talking about exploiting bugs in various software layers, including kernel, root-running userspace, and normal user processes.

      I'm not sure that I agree that always asking permission to autorun something is safe enough, but it is far less onerous than how Windows used to work.

  3. Autorun ist stupid by gweihir · · Score: 4, Interesting

    Doesn't depend on platform. Autorun is always a huge security risk. It was invented for lazy users that do not want to know how to use their computer properly. At this time (and for the foreseeable future) this kind of laziness comes at a price and that is vulnerability to rather simple to execute attacks.

    The real benefit of Linux here is that, unlike Windows, you can get distributions that would not dream of implementing something as stupid as autorun. On others, you can reliably turn it off reliably without a cryptic adventure through the mess called the "registry". But implementing insecure features will of course make Linux insecure. Nobody sane debates that.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  4. OT: MS instructions for controlling in Windows by behindthewall · · Score: 4, Informative

    Maybe OT, but here's MS's information for controlling this "feature" in Windows.

    There've been various sets of instructions and registry hacks floating around, but this appears to be from the horse's mouth, relatively recently updated, and addresses some of the shortcomings of previous fixes.

    Article ID: 967715 - Last Review: September 9, 2010 - Revision: 6.2
    How to disable the Autorun functionality in Windows

    http://support.microsoft.com/kb/967715

    (I'm posting this due to the confusion all the various instructions / search results can create, and because this article addresses Autoruns and so I expect a number of Windows users will be having a look out of curiosity.)

  5. Re:Exactly by Nimey · · Score: 4, Informative

    Did you ever use the original Vista? Ever use Ubuntu or OSX from the same time period? Vista's prompt was a lot more annoying, because for some operations it would go off several times, while for the other two it'd ask you ONCE and then get the hell out of the way. Ubuntu would even remember your sudo credentials for a few minutes so you could do other tasks as root. Really a superior design.

    They made it less annoying with SP2 and again with Win7, yes, but the original setup was shit.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  6. Is there a demo online? by doperative · · Score: 4, Interesting

    Anyone care to post a demo of this Linux autorun vulnerability, one that will compromise my system by inserting a USB device, and with no user confirmation required, and doesn't prompt for the root password ..

  7. Re:OSes should be immune from this out of the box by adamofgreyskull · · Score: 3, Informative
    Seriously, watch the video. Autorun isn't the only problem.

    Query the type of the media, but do so without running any code of any type on the media.

    Until nefarious person inserts a USB device that, for example, exploits a vulnerability in the code that queries the media. e.g. "Hey Mr. USB drive, tell me your VendorId plz!" "exploitstring" "Oh nooooo!".

    As for the rest, it won't ever work. If anything prevents a user from quickly accessing the movie/game/pictures they think are on the DVD/CD/USB device they will either take the quickest route (enabling auto-run/auto-display of any untrusted media) or a completely random route, any of which could cause code to be executed, except the "Do Nothing" option. Not to mention the fact that autorun isn't the only problem. (Seriously, watch the video).

    The problem is that an exploit in any of the myriad layers involved in dealing with inserted media makes the system vulnerable. Before your prompt is even displayed the media would have been touched by device discovery code, file system drivers etc. and now...your new authentication code. And then, if the user selects "open as a folder", a seemingly benign action, a bug in the way the file manager handles image/PDF previews (seriously, watch the video) could result in code execution!

    While a nice idea in theory, it does little to prevent a truly determined attacker, especially if they have cooperation from all but an expert user.

  8. Looks like WTFV is harder than RTFA by adamofgreyskull · · Score: 3, Insightful

    Almost every comment here is concentrating on "Autorun" i.e. automatic execution of scripts/executables on media and ignoring the main focus of the talk, which is about exploiting bugs in the way the file-manager handles previews of image, PDF, DVI files etc. situated on the media. More generally he talks about the possibilities of exploiting vulnerabilities in every layer involved when automatically handling inserted media, from device discovery, device drivers, file-system drivers, up to and including the file-manager.

    Unless we're all conflating "autorun" with "automount & show the media in a file-manager" now?

  9. Re:Exactly by multisync · · Score: 3, Insightful

    MS *tried* to fight it (in part) by effectively adding a GUI sudo prompt into Windows Vista. A million people -- including Linux users posting on Slashdot -- immediately flew into fits of nerd rage about how annoying it was to have a GUI sudo prompt.

    If you are referring to UAC, it is hardly a "GUI sudo prompt." sudo requires you to prove that you are an authentic user by providing your password each time you open a shell to perform an administrative task (and every fifteen minutes after), and you also have to be a member of the sudo group (which only the first account created at install time is by default).

    All UAC does is basically confirm with whomever is currently sitting at the computer (authorized or not) that they initiated some arbitrary action. This is also useful, in that it prevents some web site from installing a piece of malicious software without the user's knowledge, but it is far from a "GUI sudo prompt."

    This is the reason it was met with derision by Slashdotters (and I don't recall many "fits of nerd rage," although a few might have snorted Code Red through their noses when they realized how impotent - and easily disabled - this new Microsoft "security feature" was).

    --
    I don't care why you're posting AC
  10. Re:Exactly by trickyD1ck · · Score: 4, Informative

    All UAC does is basically confirm with whomever is currently sitting at the computer (authorized or not) that they initiated some arbitrary action.

    Unless you are a limited-rights user. Then you have to enter admin credentials.