Zero-Days Hitting Fedora and Ubuntu Open Desktops To a World of Hurt (arstechnica.com)
An anonymous reader writes: It's the year of the Linux desktop getting pwned. Chris Evans (not the red white and blue one) has released a number of Linux zero day exploits, the most recent of which employs specially crafted audio files to compromise Linux desktop machines. Ars Technica reports: "'I like to prove that vulnerabilities are not just theoretical -- that they are actually exploitable to cause real problems,' Evans told Ars when explaining why he developed -- and released -- an exploit for fully patched systems. 'Unfortunately, there's still the occasional vulnerability disclosure that is met with skepticism about exploitability. I'm helping to stamp that out.' Like Evans' previous Linux zero-day, the proof-of-concept attacks released Tuesday exploit a memory-corruption vulnerability closely tied to GStreamer, a media framework that by default ships with many mainstream Linux distributions. This time, the exploit takes aim at a flaw in a software library alternately known as Game Music Emu and libgme, which is used to emulate music from game consoles. The two audio files are encoded in the SPC music format used in the Super Nintendo Entertainment System console from the 1990s. Both take aim at a heap overflow bug contained in code that emulates the console's Sony SPC700 processor. By changing the .spc extension to .flac and .mp3, GStreamer and Game Music Emu automatically open them."
Since the advent of PulseAudio this has been very much hit and miss.
None of my Linux systems have the sound drivers loaded. Do you really need servers to play some carefully crafted (c)RAP?
I think not.
GStreamer can run SPC files only if the GStreamer Bad Plugins (and libgme) are installed: they're called "bad" for a reason, e.g. they lack a good code review.
Still... that shows why security has to be half education and half technology. The last one, which was especially bad because it was a drive-by, combined Chrome ("I download by default to ~/Downloads"), stupid Desktop behavior ("I index everything I see -- oh, shiny! a media file: I'll throw that over to gstreamer") and gstreamer... see TFA.
Users expecting the system to "do everything automatically" are no different from Windows of yore running AUTORUN.INF whenever you inserted a removable medium. If there is no pushback on that front there won't be a secure system, ever [1].
[1] Secure for the user, that is. If your definition of "secure" is "secure for some collusion of hardware vendor, software vendor, media companies, advertising cartels, search engines and state agencies", then perhaps.
Well, if you were in WIN10 you'd already be home! Or, just wait for Linux to patch his fuckup, that somehow is your fault!
Windows is inferior to Linux for 2 reasons:
1) I believe this exploit doesn't give root access. On a Windows machine everyone logs in as administrator by default so any exploit permits the entire operating system to be taken over.
2) You can fix this problem yourself. If Windows has a defect you have to hope Microsoft decides to fix it.
When the story about problems with a Win10 update was posted, some insufferable twat of a Linux user posted a comment titled "What a shitshow...grabs popcorn".
And he got modded up for it.
I wonder what he'd have to say to Chris Evans.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Nice to have things
Things that come to mind:
So, have you got any solutions? ideas? proposals? Something working? Please share.
It has not been a question of which is safer anymore, MacOS notwithstanding, but of which you trust. It's either an OS that can be exploited by the vendor, or a 3-letter agency, by design, or trusting that someone will audit your open source software and look for exploits, unless you have the time and expertise to do it yourself. Moreover, Linux users have never felt safe because of the lower market share, but because of how hard it is to have anything running on a Linux system. It has never been about not having 14,000 viruses to infect your computer, but about having to make it executable to have it run. Now, if I felt threatened by this new exploit, I could make my computer super safe by uninstalling the piece of software it affects. These days, the main reason for people to switch to Linux, and not to switch back to Windows, is concerns about privacy and productivity. You said that, had the exploit been found on Windows, there would be an update; now remember that Windows updates shut down the system, while Linux ones are performed while the system is running and the user is working: a reboot is not usually necessary, and when it is, it doesn't take longer than usual to turn on the computer.
Linux is for people who don't mind RTFM.
Nice try, but that's not security, that's just putting it in a box designed for things other than security.
All you are going to get out of that messing about is a feeling of smugness and immunity from script kiddies who are not even trying hard.
You could try doing something actually designed for security, such as simply running the web browser as a user other than the one that owns all the files you want to keep - so a unique user for the web browser. Jails and containers/zones help too because they are designed for security unlike virtual machines on PCs.
The idea that Linux might or does have security vulnerabilities is not anything remotely new. I sometimes file five bug reports a day on patches for things like this dealing with Debian, Rosa, Mageia, Fedora, and Suse. I just file the bugs; it's up to the distro maintainers to read what I post and act on them. Sometimes they mark it as invalid, a duplicate, already fixed, or "works for me".
Other times I get a patched, or upgraded package in 24-48 hours.
If you see a CVE for something, post it to your relevant bugzilla, and not just one; always provide the CVE and a URL to where you got the CVE from if at all possible. Don't stick your head in the sand and say it's not your problem. Keep in mind the world we live in today.
Sigh, you didn't get the joke.
A reboot on Linux IS necessary for most updates to be effective. Linux uses a reference counting system for the files and this allows it to update the files while other programs are using them. However, any program still running is also using the original (insecure) version of the file. If you have a flaw in gtk for instance you would have to restart the GUI to actually fix it.
I have had to deal with servers before that were broken into, that had a patch applied but the program was still running and so the originally insecure version was still being used.
Linux does not force you to reboot after an update to things like libc, qt, gtk etc but the system essentially does need one. Sure you could shut down to the cli and then restart all the parts so that the newer libc is used for instance but at some point rebooting is just easier.
Computer modeling for biotech drug manufacturing is HARD!
According to Debian security this was already patched a few days ago, and unfortunately I have them updated. However, there's something that puzzles me... Fedora and Ubuntu "versions" of the exploit...? Why?
No, you just need to restart the display manager.
Is that really so? I've always heard that many or most Linux users never reboot their systems and I felt like a noob for doing so.
The main difference is that if your computer is up and running in 45 s, it will be up and running in 45 s unless there is something wrong. It will not take more to start on a weekly basis just because of updates.
"Never reboot" is a load of crap imo; kernel patches aside, you ought to reboot every now and then just to make sure the whole thing is still booting properly after patching, or yet another systemd "improvement", so that you don't get stuck right after a power outage when you really need the thing running. Linux *can* run for a long time without ever rebooting - true. But "can" is not "should".
It's a SNES vulnerability?
It sounds like these are known issues that just aren't fixed yet on some distributions. That's not a zero day.
Yes, you can just restart the process, which may be a lot of things, i.e., rebooting is easier.
The only thing that really needs a reboot is the kernel.
https://scarybeastsecurity.blogspot.pt/2016/11/0day-exploit-advancing-exploitation.html
"A powerful heap corruption vulnerability exists in the gstreamer decoder for the FLIC file format. Presented here is an 0day exploit for this vulnerability.
This decoder is generally present in the default install of modern Linux desktops, including Ubuntu 16.04 and Fedora 24. Gstreamer classifies its decoders as “good”, “bad” or “ugly”. Despite being quite buggy, and not being a format at all necessary on a modern desktop, the FLIC decoder is classified as “good”, almost guaranteeing its presence in default Linux installs."
confirmation here:
https://bugzilla.redhat.com/show_bug.cgi?id=1397441
gstreamer-plugins-good: Heap buffer overflow in FLIC decoder
Sheesh, I thought you guys (the parent post and the ones who upvoted) were geeks and into factual information! Oh right, this is slashdot...
Finally! Something that runs on Linux!
'Zero day'. 'world of hurt'.
Look everyone I found a bug! Look at me! All your machines can be mine if you just install this normally not installed software, then visit this here website!
Just file the bug and let them fix it, till then just stfu.
It seems (one of) the underlying libraries got patched 2 days ago.
https://bitbucket.org/mpyne/game-music-emu/wiki/Home
Download a keylogger,
then send the root password next time the user uses it,
then use that to install a root kit
and process hider,
profit.
That can't be! Linux is perfect. Linux is 100% secure. Surely, it must be the graphics driver. Or perhaps they didn't compile their kernels properly. What, you mean they don't compile their own kernels?!
You're retarded.
Dude!
Differently abled!
In the free world the media isn't government run; the government is media run.
So let me get this straight. Someone figures out how to exploit a game emulator that has nothing to do with the Linux Desktop (gaming on an emulator is not primary functionality of Linux on the DESKTOP - read that again - DESKTOP). And now we are reporting this as a distribution failure and calling the entire Linux ecosystem bad. Meanwhile, the plugins in question are clearly labeled as "bad" as in "use at your own risk". So what is Linux on the Desktop supposed to do? Protect you from yourself? Be "just like windows"? I would suggest that we call a spade a spade and report this as a Game Emu failure. This library exists in multiple distributions but has nothing to do with the distro itself. And if you want to protect yourself - stop downloading and clicking on damn random files - `file` is far more effective than checking the extension. Someone causing a vulnerability through a file name extension in 2016 means that we haven't trained people enough that file name extensions are not linked to file format. Let's do less hype and more work. Just my two cents. (P.S. Is this even news-worthy?)
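A check along the lines the post above recommends, added here as an example (it is not the poster's code nor any distro tool): classify a download by its leading bytes instead of its extension, so that an SPC file renamed to .flac or .mp3, as in the summary, is flagged before anything indexes or plays it. The magic values are assumed from the respective format specifications; the sample bytes are constructed.

```python
"""Flag audio files whose extension disagrees with the bytes actually in the file."""
import os
from typing import Iterator, Optional

# Leading bytes of each format, assumed from the format specifications (not from the
# thread): the SPC header text, the FLAC stream marker, an ID3v2 tag or an MPEG frame sync.
SPC_MAGIC = b"SNES-SPC700 Sound File Data v0.30"
FLAC_MAGIC = b"fLaC"
ID3_MAGIC = b"ID3"

# What a file with this extension should contain.
EXPECTED_BY_EXT = {".spc": "spc", ".flac": "flac", ".mp3": "mp3"}


def sniff_type(head: bytes) -> Optional[str]:
    """Classify a file by its first bytes; None when none of the known formats match."""
    if head.startswith(SPC_MAGIC):
        return "spc"
    if head.startswith(FLAC_MAGIC):
        return "flac"
    if head.startswith(ID3_MAGIC):
        return "mp3"
    # Raw MPEG audio: 11-bit frame sync, 0xFF followed by a byte whose top three bits are set.
    if len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0:
        return "mp3"
    return None


def extension_mismatch(filename: str, head: bytes) -> Optional[str]:
    """Describe the mismatch when the extension claims one format and the bytes say another."""
    claimed = EXPECTED_BY_EXT.get(os.path.splitext(filename)[1].lower())
    actual = sniff_type(head)
    if claimed is None or actual is None or claimed == actual:
        return None  # unknown extension, unknown content, or consistent: nothing to flag
    return f"extension says {claimed}, content is {actual}"


def scan_directory(directory: str) -> Iterator[str]:
    """Walk a download folder and yield one line per mismatching file (only 64 bytes are read)."""
    for dirpath, _, names in os.walk(directory):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(64)
            except OSError:
                continue  # unreadable or vanished file; not our concern here
            msg = extension_mismatch(name, head)
            if msg:
                yield f"{full}: {msg}"


# Constructed samples: a genuine FLAC header and an SPC header renamed to .flac.
GENUINE_FLAC = FLAC_MAGIC + b"\x00\x00\x00\x22" + b"\x00" * 34
DISGUISED_SPC = SPC_MAGIC + b"\x1a\x1a" + b"\x00" * 16

if __name__ == "__main__":
    print(extension_mismatch("song.flac", GENUINE_FLAC))   # None
    print(extension_mismatch("song.flac", DISGUISED_SPC))  # extension says flac, content is spc
```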
Mark my words, this is the last time I'm logging into Slashdot. It's become just anti-FOSS clickbait with Microsoft ads littered throughout.
Why do I say this? Because every time some very minor Linux vulnerability crops up -- usually ones that have not actually affected anybody (the exceptions being Heartbleed and Shellshock) -- there's some ultra-clickbaity article about how the entire Linux world is getting pwned simultaneously. Thankfully some comments showing why this is total nonsense are upvoted, but also upvoted are anti-FOSS shill posters going on some laughable and preposterous rant about how Windows has such a better security record. Examples of this behavior include the recent GRUB vulnerability, Dirty Cow, and the systemd DOS attack.
To the staff of Slashdot: your audience is primarily FOSS supporters and nerds. You are alienating them. Start vetting your articles instead of posting any random crap that gets submitted, or your days are done.
As has already been addressed multiple times above, the package involved is installed by default in the listed distros and more.
> Just file the bug and let them fix it, till then just stfu.
How about you RTFM and understand what you're talking about, till then hush little child. Consider that the sensational title is intended to get attention on an actual threat, and past the willful ignorance of persons such as yourself.
How did these distributions get to the state where they include an 80s CPU emulator by default? For users with a decent Internet connection, the base install should be something like ChromeOS, with only the video/audio codecs widely used at present. Then have an easy way to install extra stuff as needed. It's not only for security; stability, memory/storage use and performance are also affected by having a boatload of crap installed by default. And don't forget the amount/frequency of high priority updates.
On a server, you can get away with it for a much longer time. On a desktop, you're running so many varied programs that memory leaks are inevitable and a reboot is really nice. Once a month or once every 2 months is probably enough, but twice a year is the absolute minimum.
> the only thing that really needs a reboot is the kernel
Or any libraries linked into very-long-running services, such as the copy of libc used by your desktop environment or inter-process communication daemon (such as D-Bus or IBus). Restarting those would bring so much down that it'd be as much of an interruption to desktop use as a reboot.
This is why anti-malware protection must be added to systemd.
I glossed very quickly over the article so maybe I missed it. What is the actual *impact* of this? Privilege escalation? Crash the OS?
Just because an exploit is found doesn't necessarily mean it's a significant concern unless you can do something nasty with it.
Are you a wizard?
Should be fixed, but requires user action to work. Not a big deal.
> ...the package involved is installed by default in the listed distros and more
I don't even think the gstreamer-plugins-bad package is packaged by fedora. RPM Fusion has it.
I just did a 'find /usr -iname libgme*' and removed them from the system until this is fixed.
Sorry, but I totally agree with the original post. The title is "Ubuntu 0day world of hurt". The reality is "Ubuntu 12.04, no privilege escalation". That is not a serious issue, and even the author acknowledges it, so please hush big boy.
The main users of Ubuntu 12.04 are mostly servers (so not likely to be affected) and the EOL is near anyway.
The trigger here is overly "helpful" desktop environments and web browsers.
If Chrome and Firefox didn't try to auto(!)-play every file sitting in an audio or video tag, and use GStreamer to do so no less, this would be a non-issue.
Similarly, why are the DEs feeding every new file through GStreamer so that they can index the content for their search "feature" (more like a waste of CPU time)?
Damn it, this is all Autorun grade idiocy. Are we so hell bent on "year of the desktop" that we are repeating every mistake Microsoft was making back in the Win9x era?!
> Sorry, but I totally agree with the original post. The title is "Ubuntu 0day world of hurt". The reality is "Ubuntu 12.04, no privilege escalation". That is not a serious issue, and even the author acknowledges it, so please hush big boy.
The Author said: "I like to prove that vulnerabilities are not just theoretical—that they are actually exploitable to cause real problems,"
Care to share what you're basing your perspective off of? Mr Evan's actual detail *is* a long read and I fully admit I grazed it and may have missed something.
> The main users of Ubuntu 12.04 are mostly servers (so not likely to be affected) and the EOL is near anyway.
I'm going to presume you meant Ubuntu 16.04, and note that you're nitpicking on one of the two distributions highlighted. Regardless of the user spread between server and desktop (that was also noted in the article), are you implying that there are not enough Ubuntu 16.04 users to matter? That because it's near EOL, a zero-day exploit doesn't matter? There are exploits happening every day that don't require privilege escalation, yet they frequently cost companies large amounts of money and time. Your definition of "serious" leaves much to be desired.
> Is that really so? I've always heard that many or most Linux users never reboot their systems and I felt like a noob for doing so.
Outside of basically a kernel or glibc update, you don't need to reboot your system to make anything "take effect" unless you're using Linux on the Desktop, and why in God's name would you do something like that? You should, however, pay attention to security updates and make friends with 'lsof' for the most critical libraries. There's a yum plugin that can help identify things that might need to be bounced following an update, but it's not automatic by default because that's really something that an admin should be deciding on re their site's policy.
It's a good idea to reboot every once in a while just to make sure you still *can*, but that's more an operational engineering decision (better to trace back 2 months' worth of changes than 2 years) than a software decision. Recently, there have been enough kernel security updates in even the stable distros that simply applying those will take care of your safety reboot.
Hire a Linux system administrator, systems engineer,
Get used to the idea of sandboxed applications. Windows 10 will look like the bright kid on the block then.
Why would you draw public attention to an exploit? You report it to the software authors and give them time. Anything else is completely irresponsible.
Sure, maybe go all sensational when the software authors refuse to listen to you for several months, and machines are falling left and right, however this doesn't look to be the case. They are never given a chance before public announcement. And at least on my Fedora 23, game-music-emu is NOT installed by default.
On a server you can get away with it for longer, but if you had a libc update then that means restarting pretty much everything anyway. I ran into a system with an openssl update where a long running process had not been restarted, and they were exploited through it.
If a library is updated you CAN restart everything that uses that library one by one. However, if you miss even one program that can become a security problem you are not aware of. That is why it is generally better to just have a maintenance window where you patch, reboot and test.
Even something like an openssl update can impact more than you would remember and missing just one long running program can leave you screwed. You could try to keep track of each library and dependency and you better not make a single mistake.
It is just much easier and safer to reboot and check. Sure you can't do that in all situations but for most machines rebooting is quite fast before all services are up and running again. Why take a risk you don't need to take?
Restarting them yourself is likely to be more disruptive than a reboot. When you do a reboot the system is running pre-written scripts however fast it can execute them. If you run commands yourself to do all of this then it will happen at the speed you can type stuff in. The reboot process is likely to be FAR faster and won't miss anything.
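The check that the last several posts argue about (which long-running processes still use a library that an update replaced, the reason a libc or openssl update "essentially needs" a restart of everything) can be automated. The following is an added example, not from any poster or from any distro's tooling; it reads /proc/<pid>/maps directly rather than calling lsof, relying on the kernel marking a mapping whose file was unlinked or replaced with "(deleted)". The sample maps listing is constructed.

```python
"""Report processes still mapping a shared library that an update replaced on disk."""
import os
import tempfile
from typing import Dict, List

DELETED_SUFFIX = " (deleted)"  # appended by the kernel when the mapped file was unlinked/replaced


def stale_libs_in_maps(maps_text: str) -> List[str]:
    """Distinct shared-object paths in one /proc/<pid>/maps listing that are marked deleted."""
    stale: List[str] = []
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode [pathname]; the pathname may contain spaces.
        parts = line.split(None, 5)
        if len(parts) < 6 or not parts[5].endswith(DELETED_SUFFIX):
            continue
        path = parts[5][: -len(DELETED_SUFFIX)]
        # Keep only real files that look like shared objects; deleted tmp files are noise here.
        if path.startswith("/") and ".so" in os.path.basename(path) and path not in stale:
            stale.append(path)
    return stale


def scan_proc(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """pid -> stale libraries, for every process whose maps file we are allowed to read."""
    result: Dict[int, List[str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps"), errors="replace") as fh:
                stale = stale_libs_in_maps(fh.read())
        except OSError:
            continue  # process exited, or its maps are not readable without root
        if stale:
            result[int(entry)] = stale
    return result


# Constructed sample: a daemon that loaded the old libc before an update, plus an
# up-to-date libgme mapping and a deleted tmpfs file that must not be reported.
SAMPLE_MAPS = """\
55d0c6a00000-55d0c6a20000 r-xp 00000000 08:01 393226   /usr/bin/example-daemon
7f3a2c000000-7f3a2c1c5000 r-xp 00000000 08:01 1310878  /lib/x86_64-linux-gnu/libc-2.23.so (deleted)
7f3a2c1c5000-7f3a2c3c4000 ---p 001c5000 08:01 1310878  /lib/x86_64-linux-gnu/libc-2.23.so (deleted)
7f3a2c400000-7f3a2c420000 r-xp 00000000 08:01 1311002  /usr/lib/x86_64-linux-gnu/libgme.so.0
7f3a2c500000-7f3a2c501000 rw-p 00000000 00:00 0        [heap]
7f3a2c600000-7f3a2c601000 rw-p 00000000 00:05 12345    /dev/shm/scratch (deleted)
"""


def demo_fake_proc() -> Dict[int, List[str]]:
    """Run scan_proc over a constructed /proc tree so the logic can be exercised offline."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "1234"))
        with open(os.path.join(root, "1234", "maps"), "w") as fh:
            fh.write(SAMPLE_MAPS)
        os.makedirs(os.path.join(root, "self"))  # non-numeric entries are skipped
        return scan_proc(root)


if __name__ == "__main__":
    for pid, libs in sorted(scan_proc().items()):
        print(pid, *libs)  # each process listed needs a restart (or the host a reboot)
```

Run as root after applying updates; an empty listing means every process has picked up the new libraries, which is the evidence the "just reboot" camp says is hard to get by hand.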
> (...) unless you're using Linux on the Desktop, and why in God's name would you do something like that?
MacOS sucks in security and Windows 10 is a resources hog.
> (...) unless you're using Linux on the Desktop, and why in God's name would you do something like that?
Better answer now: I don't use any special application and own a game console.
Everyone knows that open sores is invincible! Especially anything touched by the lord and savior, Loonix Toreballs! This is all lies!
Remember Windows Metafile? That was a picture format that consisted of executable code (poor man's pdf or ps for Windows 3.0) and ended up being abused.
Here, a whole frigging computer is emulated and the SPC file is just raw machine code for its CPU, so that you can e.g. listen to Street Fighter II music in your winamp clone. Depending on your player perhaps, you even get a track of infinite/unknown length and the music loops indefinitely.
I find it funny and it reminds me more about the entirely banal stories of "malware escapes Java/Flash/VM/jail/container/sandbox".
DESKTOP
Seriously, I've never really run an emulator on something other than a desktop. Historically there were no other options, then you could only either use a desktop or a hacked console, then there were commercial emulated games (from Nintendo on the Wii) and then mobile toys. Have fun buying stands, dongles, bluetooth controllers for your Android 4.0 phone with cracked screen. Play a 4:3 game on a tiny wide screen, with higher input latency. Great, I know that plugging a controller into a desktop's USB plug is too easy and not expensive enough, I shall not do it again and I hope this will please you.
The issue is that it is listed as a DESKTOP failure while it is truly a Game Emulator failure. It's not where you run it - it's who you gonna call. The Desktop folks can't do anything about it. Neither can the distro. It's gotta be the Game Emulator folks. Bludgeoning the top level only works in the commercial space. Here the distributions have already labelled it as a bad plug-in as a warning. There is nothing more that can be done.
Zero day means that it is being used to exploit people in the wild, not that there exists a proof of concept.