Recently released exploit code makes people running fully patched versions of Fedora and other Linux distributions vulnerable to drive-by attacks that can install keyloggers, backdoors, and other types of malware, a security researcher says.
One of the exploits—which targets a memory corruption vulnerability in the GStreamer framework that by default ships with many mainstream Linux distributions—is also noteworthy for its elegance. To wit: it uses a rarely seen approach to defeat address space layout randomization and data execution prevention, which are two of the security protections built in to Linux to make software exploits harder to carry out. ASLR randomizes the locations in computer memory where software loads specific chunks of code. As a result, code that exploits existing flaws often results in a simple computer crash rather than a catastrophic system compromise. Meanwhile, DEP, which is often referred to as NX or No-Execute, blocks the execution of code that such exploits load into memory. (Ars Technology Editor Peter Bright has much more about ASLR and DEP here.)
“This was a fairly ridiculous exploit,” he wrote in a blog post published Monday. “But it was worth doing because it’s proof that scriptless exploits are possible, even within the context of decent 64-bit ASLR. It was possible to commandeer memory reads, writes and even additions within the decoder loop to slowly but surely advance the exploit and gain control.”
Dan Rosenberg, a senior researcher at Azimuth Security who specializes in Linux exploit prevention, agreed. In an e-mail, he wrote:
This exploit is impressive because it manages to bypass modern protections such as ASLR and NX without being able to programmatically interact with the target software.
Evans went on to release an exploit in the form of this FLAC media file that works on the default version of Fedora version 24 running the most up-to-date version of GStreamer. He said it would have been easier to write the exploit for Ubuntu because it “has problems with missing defenses such as ASLR, RELRO, etc., even in the latest 16.04 LTS release.” Still, the exploit he published would have to be rewritten for it to work against anything other than Fedora 24. While the attack exploits a vulnerability in the GStreamer decoder for the FLIC file format, Evans said it targets binary code contained in the Rhythmbox media player. The Totem media player could be targeted in a similar way.
The exploit is mostly of academic or research interest rather than having immediate practical significance because it has to be extensively rewritten to work on different Linux distributions. Combined with the relatively small number of people who play media files on any distribution of Linux, that means it’s highly unlikely that anyone will actively exploit the vulnerability. Still, with a little work, the attack Evans published for Fedora could be fashioned into a “full serious drive-by download exploit” when combined with a separate exploit he released last week for Google’s Chrome browser running on that Linux distribution. With more tweaking still, the exploits will work on non-Fedora distributions as well, at least until patches are released. On Tuesday, shortly before this post went live, maintainers of Ubuntu issued fixes, and more distributions are likely to follow in the coming hours or days.
And that means that the research is important for the long-term security of Linux. Asked why he devoted so much time to the project, Evans wrote:
“From a technical perspective, I’d say this is a continuation in proving that there are usually subtle ways to exploit almost any vulnerability. From a broader perspective, I think there are serious concerns about the state of security on the Linux desktop. Is there much proactive work going on to improve it, or are the Linux vendors mainly reactive?”