Slashdot Mirror

← Back to Stories (view on slashdot.org)

USB Autorun Attacks Against Linux

Posted by CmdrTaco on from the don't-put-strangers-in-there dept.

Orome1 writes "Many people think that Linux is immune to the type of Autorun attacks that have plagued Windows systems with malware over the years. However, there have been many advances in the usability of Linux as a desktop OS — including the addition of features that can allow Autorun attacks. This Shmoocon presentation by Jon Larimer from IBM X-Force starts off with a definition of autorun vulnerabilities and some examples from Windows, then jumps straight into the Linux side of things. Larimer explains how attackers can abuse these features to gain access to a live system by using a USB flash drive. He also shows how USB as an exploitation platform can allow for easy bypass of protection mechanisms like ASLR and how these attacks can provide a level of access that other physical attack methods do not." I've attached the video if you are curious. Skip the first 2 minutes if you don't care where the lost and found is.

12 of 274 comments (clear)

  1. The price of easy and automatic by clang_jangle · · Score: 5, Interesting

    I always knew that when they made *nix idiot-proof all hell would break loose security-wise. Android has proven that really thoroughly. It's too bad, really. I had high hopes for it once. Maybe they'll get it together yet though.

    --
    Caveat Utilitor
    1. Re:The price of easy and automatic by Vanderhoth · · Score: 5, Informative

      I agree with you. Although, based on what I saw in the clips I was viewing the attacks seem to be more related to fancy sloppy interfaces such as auto loading thumbnails of pictures stored on a USB drive. Not so much because *nix is idiot proof, but because there is more of a focus on making a nice looking interface instead of a secure ok looking interface.

      I could be wrong.

    2. Re:The price of easy and automatic by asvravi · · Score: 4, Informative

      User-friendly
      Secure
      Functional

      Pick any two...

    3. Re:The price of easy and automatic by Stellian · · Score: 4, Interesting

      There is no autorun, mount, and execute set up upon device identification for my system.

      Disabling auto-mount is pointless, you will eventually mount that USB device - why else would you plug it in ? 95% of the Slashdot population will plug and mount a stick received in the mail with the caption "You need to see this".
      Before you even have the option of mounting, the attacker has an enormous attack surface, by suppling it's own USB device ID: he can exploit the drivers for any of the myriad mouses, keyboards, cameras etc. that Linux supports by default, and gain kernel access. You will simply see his custom hardware device as a defective USB stick and forget about it.
      If the USB device actually turns out to be a flash drive, it can be formated using any file system supported by Linux: ext, FAT, NTFS etc. Each of the drivers have exotic and seldom used features that can hide bugs. Sure, you can do allot by limiting idiotic features in your GUI tools, but a lot of the security is out of your hands.

  2. Stop copying Windows please! by JustNiz · · Score: 5, Insightful

    Autorun as a concept just sucks.
    Copying whatever Windows does, warts and all, into Linux, just sucks.
    When is this insanity going to end?

    1. Re:Stop copying Windows please! by hedwards · · Score: 5, Insightful

      It really depends how you do it. It's one thing to go the UAC route and have the computer notify the user that something has been inserted and request authorization to do something, and quite another to make that decision for the user. Certain actions really shouldn't be allowed to be completed completely on their own, autorun is definitely a candidate for that.

    2. Re:Stop copying Windows please! by $RANDOMLUSER · · Score: 4, Insightful

      Exactly.

      87.3% of all the biggest forehead-whapping Windows security bugs have come from Microsoft's (really Bill Gates) love of whizzo features that look really cool in a developers conference keynote but don't survive the first three minutes of critical thought or exposure to the real world.

      I'm specifically referring to things like where IE or Windows Explorer execute code of unknown provenance to provide "previews". Windows Explorer once had a bug which could execute arbitrary code via JPEG preview. Of course, the Outlook preview exploits are LEGION, but we can also include VB macros included in Word and Excel "data" (hahaha) files. Only a sick love of flashy features, consequences be damned can account for this.

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  3. Autorun ist stupid by gweihir · · Score: 4, Interesting

    Doesn't depend on platform. Autorun is always a huge security risk. It was invented for lazy users that do not want to know how to use their computer properly. At this time (and for the foreseeable future) this kind of laziness comes at a price and that is vulnerability to rather simple to execute attacks.

    The real benefit of Linux here is that, unlike Windows, you can get distributions that would not dream of implementing something as stupid as autorun. On others, you can reliably turn it off reliably without a cryptic adventure through the mess called the "registry". But implementing insecure features will of course make Linux insecure. Nobody sane debates that.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  4. OT: MS instructions for controlling in Windows by behindthewall · · Score: 4, Informative

    Maybe OT, but here's MS's information for controlling this "feature" in Windows.

    There've been various sets of instructions and registry hacks floating around, but this appears to be from the horse's mouth, relatively recently updated, and addresses some of the shortcomings of previous fixes.

    Article ID: 967715 - Last Review: September 9, 2010 - Revision: 6.2
    How to disable the Autorun functionality in Windows

    http://support.microsoft.com/kb/967715

    (I'm posting this due to the confusion all the various instructions / search results can create, and because this article addresses Autoruns and so I expect a number of Windows users will be having a look out of curiosity.)

  5. Re:Exactly by Nimey · · Score: 4, Informative

    Did you ever use the original Vista? Ever use Ubuntu or OSX from the same time period? Vista's prompt was a lot more annoying, because for some operations it would go off several times, while for the other two it'd ask you ONCE and then get the hell out of the way. Ubuntu would even remember your sudo credentials for a few minutes so you could do other tasks as root. Really a superior design.

    They made it less annoying with SP2 and again with Win7, yes, but the original setup was shit.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  6. Is there a demo online? by doperative · · Score: 4, Interesting

    Anyone care to post a demo of this Linux autorun vulnerability, one that will compromise my system by inserting a USB device, and with no user confirmation required, and doesn't prompt for the root password ..

  7. Re:Exactly by trickyD1ck · · Score: 4, Informative

    All UAC does is basically confirm with whomever is currently sitting at the computer (authorized or not) that they initiated some arbitrary action.

    Unless you are a limited-rights user. Then you have to enter admin credentials.