0-day alert: Your favorite Linux distro may not be as secure as you think By Mark Wilson


Popular Linux distros such as Ubuntu and Fedora — including the newly-released Fedora 25 — are vulnerable to zero-day exploits, shattering the myth that open source software is ultra-secure. The vulnerabilities can be exploited to let an attacker run any code he wants on a victim’s computer — with potentially devastating consequences.

Security researcher Chris Evans has published details of exploits that can be used to compromise systems running Linux. All it takes is a malicious audio file to hijack a computer, or even just having Google Chrome installed. One of the exploits takes advantage of a flaw in the Game Music Emu library, an audio library used by the gstreamer framework to emulate music from games consoles such as the SNES.

Writing on his website, Evans says: “I present here a full, working, reliable, 0day exploit for current Linux distributions (Ubuntu 16.04 LTS and Fedora 25). It’s a full drive-by download in the context of Fedora. It abuses cascading subtle side effects of an emulation misstep that at first appears extremely difficult to exploit but ends up presenting beautiful and 100 percent reliable exploitation possibilities”.

Evans provides very extensive details of the exploit, and speaking to Ars Technica he explains his reasons for going public with his findings:

I like to prove that vulnerabilities are not just theoretical — that they are actually exploitable to cause real problems. Unfortunately, there’s still the occasional vulnerability disclosure that is met with skepticism about exploitability. I’m helping to stamp that out.

A specially-crafted audio file in the Super Nintendo Entertainment System’s .spc format can be used to execute whatever code an attacker wants. If the file is renamed with a .flac or .mp3 extension, users can be tricked into opening it and executing malicious code. Evans has published videos showing an example attack in Fedora 25 and Chrome, in which a malicious audio file — in this innocuous demonstration — opens up and controls the calculator:

A similar demo shows an attack working in Ubuntu:

Evans says that the problem stems from a lack of sandboxing (“The general lack of sandboxing here contributes to the severity. I think we inhabit a world where media parsing sandboxes should be mandatory these days”), and points out that while he has demonstrated the exploit working in Ubuntu and Fedora, it probably works in other distros too.
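The renaming trick described above works because media frameworks such as GStreamer choose a decoder from a file's content rather than its name, so an extension check alone says nothing about which parser will run. As an added defensive example (not code from the article or from Evans), the Python below identifies SPC content by the format's fixed header regardless of extension and flags files whose name claims another audio type; the sample bytes are constructed, not real files.

```python
from pathlib import Path

# Every SPC file starts with this fixed 33-byte signature, followed by two
# 0x1A bytes at offset 0x21 (the SNES-SPC700 format Game Music Emu parses).
SPC_MAGIC = b"SNES-SPC700 Sound File Data v0.30"
SPC_MARK_OFFSET = 0x21
SPC_MARK = b"\x1a\x1a"
# Signatures of the formats a renamed SPC pretends to be.
FLAC_MAGIC = b"fLaC"
ID3_MAGIC = b"ID3"


def content_type(head: bytes) -> str:
    """Classify a file from its leading bytes, as a media typefinder would."""
    if head.startswith(SPC_MAGIC) and head[SPC_MARK_OFFSET:SPC_MARK_OFFSET + 2] == SPC_MARK:
        return "spc"
    if head.startswith(FLAC_MAGIC):
        return "flac"
    # MP3: either an ID3v2 tag or a raw MPEG frame sync (11 set bits).
    if head.startswith(ID3_MAGIC) or (len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0):
        return "mp3"
    return "unknown"


def claimed_type(name: str) -> str:
    """What the file name claims to be (lower-cased extension, '' if none)."""
    return Path(name).suffix.lower().lstrip(".")


def is_masquerading_spc(name: str, head: bytes) -> bool:
    """True when the bytes are SPC but the name says otherwise (e.g. .flac, .mp3)."""
    return content_type(head) == "spc" and claimed_type(name) != "spc"


def scan(root: str) -> list:
    """Walk a directory and return paths of SPC files hiding under another extension."""
    flagged = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            with open(path, "rb") as f:
                head = f.read(64)  # the signature check only needs the first bytes
            if is_masquerading_spc(path.name, head):
                flagged.append(str(path))
    return flagged


# Constructed sample inputs: an SPC header padded to 64 bytes, and a FLAC header.
SAMPLE_SPC = SPC_MAGIC + SPC_MARK + b"\x00" * (64 - len(SPC_MAGIC) - 2)
SAMPLE_FLAC = FLAC_MAGIC + b"\x00" * 60

if __name__ == "__main__":
    print(is_masquerading_spc("song.flac", SAMPLE_SPC))   # True: SPC bytes, FLAC name
    print(is_masquerading_spc("song.flac", SAMPLE_FLAC))  # False: genuine FLAC
    print(is_masquerading_spc("game.spc", SAMPLE_SPC))    # False: honestly named
```

Such a check only catches this one masquerade; the lasting fix the article points to is sandboxing the media parsers so that a parser bug cannot take over the desktop session.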

Check out Chris Evans’s website for a very detailed breakdown of how the exploits work. He has also published a patch.
