Popular Linux distros such as Ubuntu and Fedora — including the newly-released Fedora 25 — are vulnerable to zero-day exploits, shattering the myth that the open source software is ultra-secure. Vulnerabilities can be exploited that allows an attacker to run any code he wants on a victim’s computer — with potentially devastating consequences.
Security researcher Chris Evans has published details of exploits that can be used to compromise systems running Linux. All it takes is a malicious audio file to hijack a computer, or even just having Google Chrome installed. One of the exploits takes advantage of a flaw in the Game Music Emu library, an audio library used by the gstreamer framework to emulate music from games consoles such as the SNES.
Writing on his website, Evans says: “I present here a full, working, reliable, 0day exploit for current Linux distributions (Ubuntu 16.04 LTS and Fedora 25). It’s a full drive-by download in the context of Fedora. It abuses cascading subtle side effects of an emulation misstep that at first appears extremely difficult to exploit but ends up presenting beautiful and 100 percent reliable exploitation possibilities”.
I like to prove that vulnerabilities are not just theoretical — that they are actually exploitable to cause real problems. Unfortunately, there’s still the occasional vulnerability disclosure that is met with skepticism about exploitability. I’m helping to stamp that out.
A specially-crafted audio file in the Super Nintendo Entertainment System’s .spc can be used to execute whatever code an attacker wants. By renaming it as a .flac or .mp3 file, users can be tricked into executing malicious code. Evans has published videos showing an example attack in Fedora 25 and Chrome which shows how a malicious audio file can — in this innocuous demonstration — open up and control the calculator:
A similar demo shows an attack working in Ubuntu:
Evans says that the problem stems from a lack of sandboxing (“The general lack of sandboxing here contributes to the severity. I think we inhabit a world where media parsing sandboxes should be mandatory these days”), and points out that while he has demonstrated the exploit working in Ubuntu and Fedora, it probably works in other distros too.
Check out Chris Evan’s website for a very detailed breakdown of how the exploits work. He has also published a patch.