USB Autorun Attacks Against Linux

Orome1 writes "Many people think that Linux is immune to the type of Autorun attacks that have plagued Windows systems with malware over the years. However, there have been many advances in the usability of Linux as a desktop OS — including the addition of features that can allow Autorun attacks. This Shmoocon presentation by Jon Larimer from IBM X-Force starts off with a definition of autorun vulnerabilities and some examples from Windows, then jumps straight into the Linux side of things. Larimer explains how attackers can abuse these features to gain access to a live system by using a USB flash drive. He also shows how USB as an exploitation platform can allow for easy bypass of protection mechanisms like ASLR and how these attacks can provide a level of access that other physical attack methods do not." I've attached the video if you are curious. Skip the first 2 minutes if you don't care where the lost and found is.

The price of easy and automatic

[clang_jangle]

I always knew that when they made *nix idiot-proof all hell would break loose security-wise. Android has proven that really thoroughly. It's too bad, really. I had high hopes for it once. Maybe they'll get it together yet though.

Re:The price of easy and automatic

[Vanderhoth]

I agree with you. Although, based on what I saw in the clips I was viewing the attacks seem to be more related to fancy sloppy interfaces such as auto loading thumbnails of pictures stored on a USB drive. Not so much because *nix is idiot proof, but because there is more of a focus on making a nice looking interface instead of a secure ok looking interface.

I could be wrong.

Re:The price of easy and automatic

[asvravi]

User-friendly
Secure
Functional

Pick any two...

Re:

[postbigbang]

I hate to throw in a well-used aphorism here, but nothing is foolproof because fools are so ingenious. It's the imflamatory nature of the post that attracts so many hits to this.... it turns out that you can hurt almost anything thru blatant misconfiguration. The scope of the attack is comparatively tiny. And you might get all of an attack plane of a half-million users on a good day, provided they use removable storage, and they'll accept something from unvetted sources.

Oh, wait....

Re:The price of easy and automatic

[Stellian]

There is no autorun, mount, and execute set up upon device identification for my system.

Disabling auto-mount is pointless, you will eventually mount that USB device - why else would you plug it in ? 95% of the Slashdot population will plug and mount a stick received in the mail with the caption "You need to see this".
Before you even have the option of mounting, the attacker has an enormous attack surface, by suppling it's own USB device ID: he can exploit the drivers for any of the myriad mouses, keyboards, cameras etc. that Linux supports by default, and gain kernel access. You will simply see his custom hardware device as a defective USB stick and forget about it.
If the USB device actually turns out to be a flash drive, it can be formated using any file system supported by Linux: ext, FAT, NTFS etc. Each of the drivers have exotic and seldom used features that can hide bugs. Sure, you can do allot by limiting idiotic features in your GUI tools, but a lot of the security is out of your hands.

Re:

[icebike]

To be fair, this is more of a UDEV, and WM/DE problem in mainstream distro's, rather than specific Linux kernel issue itself, but I won't let the headline, article/video presentation detract from that fact.

Not even a problem Mainstream Distro problem. Its exclusive to Gnome's method of thumbnail creation on a plugged in device. He only demonstrated it on Ubuntu with Gnome, and specifically with Nautilus file manager, but its probably the fault of GVFS [wikipedia.org], Gnome's virtual file system.

He specifically mentions that this exploit does not work with KBuntu.

So once again Linux gets painted with a user space exploit.

Re:

[Yvanhoe]

Not even a problem Mainstream Distro problem. Its exclusive to Gnome's method of thumbnail creation on a plugged in device. He only demonstrated it on Ubuntu with Gnome, and specifically with Nautilus file manager

...which is, if I am up to date, one of the most popular default install of the linux world as of today. This problem IS serious. It is a Gnome/Ubuntu problem, not specifically a linux one, but downplaying its seriousness is not wise.

Re:

[icebike]

You're right of course, I didn't mean to suggest it be ignored. Until fixed, people should know their usb devices, and disable the thumbnail feature in Nautilus.

He stressed throughout the entire presentation just how hard it was to pull this off, and he made use of exploits in a font management system that have since been patched. (The exploit of crashing the thumbnail generation was not sufficient to get him anywhere, he needed yet another exploit beyond that. to obtain shell access.) There are other ex

Re:

[jd]

Can't speak for others, but I understand what you mean. And, yes, the easier something is, the harder it is to maintain security. Sandboxing all autorun code might help but that would degrade the ease-of-use.

Re:

[Sal Zeta]

Fast. Or Secure. Or Useful for the common layman.

Pick Two.

Re:

[hedwards]

You mean, Fast, secure, convenient or useful for the common layman.

Pick Two.

The problem with autorun is that it's convenient without having any security involved. By its nature it isn't secure, and I'm not sure why it would be more secure on Linux than Windows, other than it being limited to the user's privileges and needing to be written to handle Linux. And MS has in recent releases done a lot to make it easier to run the OS without always being admin.

Re:

[camperdave]

The problem with autorun is that it's convenient without having any security involved.

What is it convenient for, other than as a malware vector? (Which it seems to be really good at, judging from my virus detection reports).

Re:

[elrous0]

The harsh reality is that it's very difficult to make an OS that's both safe and popular. Make it too safe, and it's too complicated and annoying for the common user. And the only way to make it popular with the masses is to remove some of the safety features and usability roadblocks. It's a tightrope that MS and Apple have to walk every day. MS walks it by fighting each security issue that comes up individually. Apple walks it by increasingly turning towards locked-down systems.

Exactly

[boristhespider]

MS *tried* to fight it (in part) by effectively adding a GUI sudo prompt into Windows Vista. A million people -- including Linux users posting on Slashdot -- immediately flew into fits of nerd rage about how annoying it was to have a GUI sudo prompt. (I never saw an issue with it myself, actually. Seemed no more irritating than going sudo on Linux or OSX's own authentication prompt. Unlike many, I actually really quite liked Vista, although I use OSX most of the time.) MS listened to their users and allowed

Re:Exactly

[Nimey]

Did you ever use the original Vista? Ever use Ubuntu or OSX from the same time period? Vista's prompt was a lot more annoying, because for some operations it would go off several times, while for the other two it'd ask you ONCE and then get the hell out of the way. Ubuntu would even remember your sudo credentials for a few minutes so you could do other tasks as root. Really a superior design.

They made it less annoying with SP2 and again with Win7, yes, but the original setup was shit.

Re:

[IchBinEinPenguin]

Did you ever use the original Vista? Ever use Ubuntu or OSX from the same time period?

You had me a "Vista"...

Re:Exactly

[multisync]

MS *tried* to fight it (in part) by effectively adding a GUI sudo prompt into Windows Vista. A million people -- including Linux users posting on Slashdot -- immediately flew into fits of nerd rage about how annoying it was to have a GUI sudo prompt.

If you are referring to UAC, it is hardly a "GUI sudo prompt." sudo requires you to prove that you are an authentic user by providing your password each time you open a shell to perform an administrative task (and every fifteen minutes after), and you also have to be a member of the sudo group (which only the first account created at install time is by default).

All UAC does is basically confirm with whomever is currently sitting at the computer (authorized or not) that they initiated some arbitrary action. This is also useful, in that it prevents some web site from installing a piece of malicious software without the user's knowledge, but it is far from a "GUI sudo prompt."

This is the reason it was met with derision by Slashdotters (and I don't recall many "fits of nerd rage," although a few might have snorted Code Red through their noses when they realized how impotent - and easily disabled - this new Microsoft "security feature" was).

Re:Exactly

[trickyD1ck]

All UAC does is basically confirm with whomever is currently sitting at the computer (authorized or not) that they initiated some arbitrary action.

Unless you are a limited-rights user. Then you have to enter admin credentials.

Re:

[owlstead]

Yeah, I own an Android phone, and you won't believe what problems I had to put up with security wise! It's rather unusable!

Re:

[Hatta]

UNIX was always idiot proof. It's hard for an idiot to damage much when there's nothing to click on.

Re:

[Khashishi]

At least you can choose a distribution that doesn't have all sorts of security issues.

Re:The price of easy and automatic

[HermMunster]

I think negative mods would only be given for not addressing what the researcher was talking about. Android isn't using an autorun feature. In fact, he specifically states that his speech addresses only Ubuntu 10.10 and gnome (and not the other desktop managers).

Re:

[clang_jangle]

I think negative mods would only be given for not addressing what the researcher was talking about. Android isn't using an autorun feature.

You misunderstood, I never said it did. Android was cited as another example of the pitfalls of "easy and automatic".

Re:

[$RANDOMLUSER]

Just curious here: do you run "emerge --update world" from a root crontab entry?

Re:

[clang_jangle]

Just curious here: do you run "emerge --update world" from a root crontab entry?

Yes of course, everyday right after I run "sudo rm -rf /*".

Re:

[$RANDOMLUSER]

I've actually seen people in forums say they do this - the point was "Who do you trust"? Frankly, I find many of the more drool-proof new features in both Linux and KDE4 to be less than useless.

When you only make computers for idiots, only idiots will have computers.

Re:

[ffreeloader]

I think this is an overblown situation. Nautilus has settings in Preferences that run the full gamut of choices.

1. You can have the system do nothing.
2. You can browse the media without allowing any software to execute.
3. You can auto run anything you insert
4. You can have the system ask you want you want to do.
5. You can choose what application to run upon insertion depending on the content: music, video, software, etc....

I don't remember what the defaults were as it's been a long time since I originall

Re:

[Belial6]

The choice I want is to be able to authorize that specific USB device to autorun from now on. I don't want all USB devices to be able to execute files, but I do want to be able to have specific one do it.

Re:

[gstoddart]

1. You can have the system do nothing.

Really, the only thing that ever should be there is this.

As soon as you enable any automatic action, you open up a vector for this kind of attack.

I think Microsoft did the world a huge disservice when they did this (although, in fairness, Apple could have provided us with this "innovation"), and I distinctly remember watching what happened when you put a music CD into a computer and watched it install and launch it's own annoying software -- this eventually led to the S

Re:

[ffreeloader]

I agree with you. In Nuatilus you can set it so that any software on removable media cannot be executed, and run something like Rhythmbox upon inserting a music cd. Now, I agree that may be a security hole, but it's also a pretty good option in that no software on the disk can run. It does a lot to stop malware from being executed/installed from the removable media.

Re:

[icebraining]

Having the luser oriented Ubuntu didn't stop the development of expert oriented distros. You share what makes sense, you keep to each what doesn't.

More user share means more hardware support, more investment, etc, which some distros can use without succumbing to the fancy and useless GUIs.

Re:

[dpilot]

From cron I run "emerge --sync' and "emerge -ptuvDN world". I'll agree, you'd have to be nuts to actually update from cron. At the very least etc-update requires personal care to function with the updates, but not hose your configuration tweaks. At worst, every now and then there's a fiasco like libexpat. Plus there are certain packages that are nearly always problematic, like major XOrg or MythTV revisions.

Re:

[$RANDOMLUSER]

Agreed that sync and "update fetchonly" are harmless. The question is how much automation do you allow before you have to use neurons to prevent The Bad Thing from happening.

Re:

[dpilot]

Really Gentoo is probably off-topic for any discussion of LUSER-oriented Linux, anyway. Though I've been running Gentoo for quite a few years now, I advise others against it. The people who should be running Gentoo are the ones who know enough to look beyond my advise and go into it with their eyes open.

Far less likely to be the autorun type, though at this very moment there's quite a discussion going on about getting automount to work properly in a post-HAL era.

Re:

[jedidiah]

Solaris did automount in the 90s. That didn't mean that it did the sort of stupid things that causes trouble with Microsoft products.

The things to avoid are well understood. Anyone that ignores the past should be flogged repeatedly.

autorun != automount

Re:The price of easy and automatic

[morcego]

Shoot him.

Stop copying Windows please!

[JustNiz]

Autorun as a concept just sucks.
Copying whatever Windows does, warts and all, into Linux, just sucks.
When is this insanity going to end?

Re:

[pclminion]

Yeah, having a computer automatically react to a piece of media... What a stupid idea. Next thing you know they'll be using computers to compute things, and then we've just gone straight to hell.

Re:Stop copying Windows please!

[hedwards]

It really depends how you do it. It's one thing to go the UAC route and have the computer notify the user that something has been inserted and request authorization to do something, and quite another to make that decision for the user. Certain actions really shouldn't be allowed to be completed completely on their own, autorun is definitely a candidate for that.

Re:

[mlts]

Not just a piece of media. A piece of untrusted media. The computer needs to consider all media as suspect and require the user to take action. It shouldn't do anything else.

The media should be mounted, and mounted noexec, nosuid, no-nothing. That's it. No autorun, no autoplay, no autoboot, no -nothing-. The user can decide what to do with the media once it is mounted. If the user wants to run stuff from the media, they can remount it with the permissions ready.

Of course, there is always the issue of

Re:

[adamofgreyskull]

How obtuse. It's not the computer "automatically reacting" that is the problem. It's the nature of the reaction. A good/sensible reaction might be to mount the media (with the noexec option even) and open the folder in the default file manager. A bad/idiotic reaction is to blindly trust whoever created the media and automatically run anything on it that says it should be run, without first prompting the user. The presentation talks about a lot more than simple autorun, but since that's what you're talking a

Re:

[sjames]

Automatic reaction is one thing. Automatic trust is quite another. Would you sit blindfolded on a street corner with an offer to drink anything given to you by anyone? Why would you want a computer to do that?

Re:

[pclminion]

Why would you want a computer to do that?

I wasn't aware that a computer did that. My Windows machines don't. My Linux machines don't.

If some random Linux distro is automatically running programs from inserted media, it sounds to me like somebody had a major brain fart. "Autorun is the problem" is not my first assumption...

Re:

[sjames]

What do you think AUTO-RUN means then?

Windows has toned it down a bit by now asking first before running an executable (at one time it would just run it without asking and MS swore that was just fine)

Re:

[meerling]

Why would anyone do that, my cat likes being plugged into the router...

Re:

[0123456]

When is this insanity going to end?

When developers stop listening to new users who say 'But I can do this in Windows, why can't I do it in Linux?'

Re:

[SudoGhost]

But I can blame Microsoft for my computer getting viruses in Windows, why can't I do it in Linux?

Re:Stop copying Windows please!

[$RANDOMLUSER]

Exactly.

87.3% of all the biggest forehead-whapping Windows security bugs have come from Microsoft's (really Bill Gates) love of whizzo features that look really cool in a developers conference keynote but don't survive the first three minutes of critical thought or exposure to the real world.

I'm specifically referring to things like where IE or Windows Explorer execute code of unknown provenance to provide "previews". Windows Explorer once had a bug which could execute arbitrary code via JPEG preview. Of course, the Outlook preview exploits are LEGION, but we can also include VB macros included in Word and Excel "data" (hahaha) files. Only a sick love of flashy features, consequences be damned can account for this.

Re:

[Jaqenn]

Can we agree that when not comprimising the integrety of your system, thumbnail sized previews of a large collection of image files is a desirable feature?

Because I like it a lot, and if you claim that it's useless for everyone, everywhere then I think that calls into question anything else you might claim.

Re:

[OzPeter]

Autorun as a concept just sucks. Copying whatever Windows does, warts and all, into Linux, just sucks. When is this insanity going to end?

I insert a DVD into my player - and it just plays.

I put film into my (now older camera) and it it loaded it up for me ready to use when I shut the back

I'm sure there are a zillion other examples of systems that just start doing things in readiness of what the would like. So why do you think the average consumer is *not* going to expect things happen automatically?

Re:

[0123456]

I insert a DVD into my player - and it just plays.

A DVD player has one intended use and only one intended use: playing DVDs.

I put film into my (now older camera) and it it loaded it up for me ready to use when I shut the back

A camera has one intended use and only one intended use: taking photos.

So why do you think the average consumer is *not* going to expect things happen automatically?

Computers are used for many things other than playing DVDs. Why should the operating system assume that just because I put a DVD in the drive, I want to play it?

Re:

[0123456]

Are you in the habit of inserting media you don't intend to actually access?

Yes. The last time I remember this happening, I put a DVD in the drive because I was going to play it after I finished reading my email and the stupid operating system decided to start up the DVD player, getting in the way of what I was going at the time.

And I'm definitely, absolutely, certainly, 100% in the habit of inserting media where I don't want to open up a browser window which runs random buggy codecs in order to display thumbnails that I 100% don't give a damn about.

Re:

[Imagix]

I insert a DVD into my player - and it just plays.

What else is it going to do, but play the DVD?

I put film into my (now older camera) and it it loaded it up for me ready to use when I shut the back

Again, what else are you going to do with it? Those are only two examples of nearly single-purpose items doing that single purpose. Easy to figure out what that's going to do.

Re:

[flight666]

But the whole point of this discussion: What if there is a bug in the library that renders that *data*? All of a sudden, your data is no longer very data-y, and much more executable-y than you might have intended.

For reference, take a look at the (lengthy) list of bugs in any of the image processing libraries.

Re:

[sourcerror]

You seem to fear buffer overflow. Then write it in Java. /ducks

Re:Stop copying Windows please!

[Jonner]

The presenter in TFV says that because autorun always prompts the user, it's not a big security risk. He spends much more time talking about exploiting bugs in various software layers, including kernel, root-running userspace, and normal user processes.

I'm not sure that I agree that always asking permission to autorun something is safe enough, but it is far less onerous than how Windows used to work.

Re:

[bloodhawk]

Technically speaking and security wise autorun as a feature that sucks balls. In user land though it is an obvious thing, "when I plug this thingie in why doesn't it just work?". Sadly there is always a tradeoff between security and usability, either we need to stomp on the bad guys harder (unlikely) or we need to make security easier for the end user that really don't want to know how everything works, they just want to plug it in and have it work.

Re:

[GameboyRMH]

If you RTFA'd (it involves watching a long-ass video so I don't really blame you) you'd see that this doesn't actually exploit Autorun at all (although I agree it's a terrible idea). The exploit shown is a hyper-complicated hack that exploits a thumbnailer process. It is really just crazy-complicated, the guy had to disable AppArmor and ASLR (memory load location randomization) to get it to work at all. That said any of the various thumbnailer applications for various formats are potential targets.

Re:

[msuarezalvarez]

Was that rendering of updated mini windows GNOME or compiz (which you configured to do that...)?

Re:

[JustNiz]

Why? Several reasons: The biggie being that you can't always necessarily trust the media you just inserted. Without autorun at least you have the option to look at the disk before it blindly runs whatever is on there.

Another reason is that just because I insert some media drive does not mean I always want to do the same thing to it.

A particularly noxious example is the way Windows media player repeatedly demands you start a media library on your PC, and that its practically impossible to stop it automatical

They never learn

[udoschuermann]

Any system is vulnerable when it automatically opens or executes email attachments, automatically executes arbitrary commands delivered on a removable volume, and hides file name extensions to fool users into executing things that looked like something harmless.

Any software vendor who thinks about adding such features should receive a savage thrashing. If they actually enable such features by default, they should be shot with prejudice.

Thanks, Miguel

[Compaqt]

Anybody want to post a quick-fix to avoid turn off AutoRun in Ubuntu?

Re:

[HermMunster]

On option the researcher is explains how to turn it off the option to browse media when a removable storage device is inserted. Nautilus > Edit > Preferences > Media tab

Un-check the box for "Browse media when inserted".

It won't be long before the code is examined and corrected.

Keep in mind his speech is about Ubuntu 10.10 and specifically gnome running as the desktop manager.

Re:

[lilo_booter]

Yes, but he also shows how the vulnerabilities stem from libraries which the desktop uses, and how, potentially, there are vulnerabilities all the way down, right to the kernel itself. No simple fix - short of turning off all automatic execution of processes against any unknown source (which is what I have done for quite some time - I do have thumbnail generation on local files, but after watching that, I think I'll give that the boot too :)).

Re:

[Rockoon]

Win7 most definitely does some of the things mentioned in the article out of the box, such as loading resources from executables and producing thumbnails for images on USB drives.

Its likely that you can dig out of any modern OS sandbox (Linux or otherwise) when giving them malformed input.. look at how much effort Apple has put into protecting iOS, and contrast that with how many ways that its already been rooted... and thats a completely locked down example of failure. Now imagine how badly Windows, Linu

Re:

[ub3r n3u7r4l1st]

When you decompile it that's open source.

OSes should be immune from this out of the box

[davidwr]

Auto-run is convenient and all but systems should NOT automatically execute content from devices unless the user has specifically told them it's okay.

A recommendation for out-of-the-box "autorun" experience:

Query the type of the media, but do so without running any code of any type on the media.
Authenticate the data used to determine the type of the media AND any "auto run" code typically associated with that type of media OR decide you can't authenticate it.

Present a box to the user for "trusted" content:

T

Re:OSes should be immune from this out of the box

[adamofgreyskull]

Seriously, watch the video. Autorun isn't the only problem.

Query the type of the media, but do so without running any code of any type on the media.

Until nefarious person inserts a USB device that, for example, exploits a vulnerability in the code that queries the media. e.g. "Hey Mr. USB drive, tell me your VendorId plz!" "exploitstring" "Oh nooooo!".

As for the rest, it won't ever work. If anything prevents a user from quickly accessing the movie/game/pictures they think are on the DVD/CD/USB device they will either take the quickest route (enabling auto-run/auto-display of any untrusted media) or a completely random route, any of which could cause code to be executed, except the "Do Nothing" option. Not to mention the fact that autorun isn't the only problem. (Seriously, watch the video).

The problem is that an exploit in any of the myriad layers involved in dealing with inserted media makes the system vulnerable. Before your prompt is even displayed the media would have been touched by device discovery code, file system drivers etc. and now...your new authentication code. And then, if the user selects "open as a folder", a seemingly benign action, a bug in the way the file manager handles image/PDF previews (seriously, watch the video) could result in code execution!

While a nice idea in theory, it does little to prevent a truly determined attacker, especially if they have cooperation from all but an expert user.

Re:

[Anne Thwacks]

You will be out of your box after having to deal with this a few times.

It's bad but not the end of the world.

[Beelzebud]

Linux servers, that run on command line don't have these issues. I know this is shocking to some people, but 99.99% of the world doesn't really give a shit about what you have on your home pc's hard drive. Security is good, but paranoia isn't. Anyone that actually cares about safeguarding their data won't be running a server with a GUI on it anyway. Even the Apache Foundation had to learn this the hard way.

Re:

[hedwards]

I don't think that this problem is limited to servers, I don't see any reason why this wouldn't work against a person's personal computer. Which is the real problem, folks that are administrating a server shouldn't be regularly putting thumbdrives and such in and shouldn't be allowing random other people to do that either. All this really demonstrates is that a computer where people can access the console is not secure. That's been known for how many decades now?

Re:

[andrewd18]

99.99% of the world doesn't really give a shit about what you have on your home pc's hard drive

Correct. Instead they care about installing a keylogger to your hard drive and then accessing your credit card information.

Re:

[adamofgreyskull]

And what of the Linux servers that are connected to over SSH using username/password authentication from those filthy little desktops used by mere mortals tasked with administering them?

Linux's Appeal to a Mass Market

[Major_Small]

It appears to me that Linux may have started thinking about focusing all it's efforts on being a more stable, secure OS, but to gain acceptance in a more mass market, they need to do things that, while they reduce security, increase their general user base. Sure, it's Linux, so you can strip it down to near nothing and have a rock-solid, dependable, secure system designed for a specific hardware setup, but if they want to stay alive, they may need to realize that they need less secure measures that allow th

Re:

[Rich0]

Sure, it's Linux, so you can strip it down to near nothing and have a rock-solid, dependable, secure system designed for a specific hardware setup, but if they want to stay alive, they may need to realize that they need less secure measures that allow the typical end-user to use their OS behind the scenes without any extra effort on their part.

Uh, define "stay alive" for me? It is an operating system. It isn't alive, so it can't stay alive. It will exist in perpetuity, or until the last person deletes their copy of the source code.

Most of the people who maintain linux don't really need these features, and they will likely continue to maintain it indefinitely without them - unless something better comes along (and then why should we want linux maintained anyway?). Sure, it might have microscopic market share on the desktop, but I don't get pai

Autorun ist stupid

[gweihir]

Doesn't depend on platform. Autorun is always a huge security risk. It was invented for lazy users that do not want to know how to use their computer properly. At this time (and for the foreseeable future) this kind of laziness comes at a price and that is vulnerability to rather simple to execute attacks.

The real benefit of Linux here is that, unlike Windows, you can get distributions that would not dream of implementing something as stupid as autorun. On others, you can reliably turn it off reliably without a cryptic adventure through the mess called the "registry". But implementing insecure features will of course make Linux insecure. Nobody sane debates that.

Re:

[gad_zuki!]

> On others, you can reliably turn it off reliably without a cryptic adventure through the mess called the "registry"

Or easily via GP.

Re:

[gweihir]

Wups, need to spell-check headlines as well....

Re:

[dkleinsc]

I was actually giving a serious response to a serious point, but your subject line inspired me to make the response in a silly way.

Re:

[gweihir]

I understand this very well. We spend half a decade or more to tech our kids to read and write. If a fraction of that would be applied to computer usage, the problem would go away. There is no excuse for incompetence with regard to widely used cultural tools. If you do not have the basic skills to use that tool, stay away from it.

Autorun is not something that can be made secure, ever. So it should not be implemented anywhere and people should learn how to do without it.

Re:

[HiThere]

Actually, autorun probably could be made safe. This would involve insuring that there were no stray pointers, buffer overruns, etc., so the best way to do this is probably a virtual machine that can't write outside of a specified directory. That way the worst that could happen would be that the directory would be corrupt.

To make it even tighter, run it in a copy of a directory, and remove the copy when the process ends.

Mind you, I don't think most current computers are fast enough to make this approach a

more like hotplug

[tthomas48]

I think people think he's referring to autorun when I believe what he's talking about is more the "hot-plugging" ability of usb. I.e. I plug in a USB device and some linux kernel device code gets run. These are standard hardware vulnerabilities, it's just that most hardware can't be plugged into a computer as easily as usb.

Flawed Linux security model

[Animats]

Linux still has the antiquated "user, group, everyone" security model from the 1970s. By now, we know that outside data can't be given all the privileges of the user. But Linux's legacy security model is so deeply embedded in the UNIX/Linux world that it's almost impossible to get beyond that.

Yes, there's SELinux. But there isn't a whole distribution with a full range of applications which can run under a mandatory security model.

Re:

[jedidiah]

A more complicated security model is not going to prevent an environment that can trash the user's files from trashing the user's files.

That capability is somewhat hard to avoid as you can't really do work for the user otherwise.

Re:

[0123456]

But Linux's legacy security model is so deeply embedded in the UNIX/Linux world that it's almost impossible to get beyond that.

That 'legacy security model' is there because anything more complex becomes insanely difficult to administer. Do you really think that a user who demands 'autopwn' for convenience is going to be setting up ACLs so that autopwn programs can't trash their data?

And any useful autopwn program is likely to require at least user permissions for whatever the user plans to do with it..

Exploit was done after disabling AppArmor

[buchanmilne]

Linux still has the antiquated "user, group, everyone" security model from the 1970s.

Yes, there's SELinux. But there isn't a whole distribution with a full range of applications which can run under a mandatory security model.

Actually, the Unix model is so ingrained in all Unix platforms, that getting users who expect broken Unix off it (on Linux) is difficult, and they want the insecurity and convenience of Mac OS X.

And, for the demo, the speaker actually had disabled AppArmor, because with it enabled, his exploit didn't work. He said he would have been able to get around AppArmor (due to one or two controls that we not enforced on the thumbnailer) with sufficient time.

OT: MS instructions for controlling in Windows

[behindthewall]

Maybe OT, but here's MS's information for controlling this "feature" in Windows.

There've been various sets of instructions and registry hacks floating around, but this appears to be from the horse's mouth, relatively recently updated, and addresses some of the shortcomings of previous fixes.

Article ID: 967715 - Last Review: September 9, 2010 - Revision: 6.2
How to disable the Autorun functionality in Windows

http://support.microsoft.com/kb/967715 [microsoft.com]

(I'm posting this due to the confusion all the various instructions / search results can create, and because this article addresses Autoruns and so I expect a number of Windows users will be having a look out of curiosity.)

FreeBSD is much better.

[Blackout for Hungary]

It doesn't even recognise my thumb drive, so I don't have to worry about security

Is there a demo online?

[doperative]

Anyone care to post a demo of this Linux autorun vulnerability, one that will compromise my system by inserting a USB device, and with no user confirmation required, and doesn't prompt for the root password ..

Ubuntu

[rrohbeck]

Is anybody else annoyed by the "There is a CD with a software update in the drive" or some such when you leave the installation CD in?
Can you please turn that off Canonical? This just begs for an exploit.

Easy Defense

[FalleStar]

I actually watched this presentation live, and it is definitely worth checking out. Although this is a good presentation, it's not exactly the hack of the century. The guy still hasn't actually found a way around AppArmor yet so this doesn't work with machines with it enabled. Furthermore, the exploit requires local access to the machine AND have a user account already logged in.

I'm sure 99% of you already know how to do this, but if anyone is interested in protecting themselves from this type of attack reg

Blindly copying "features" from poorly designed sy

[Larry_Dillon]

I feel like they're follow Windows' tail lights over a cliff.
This sort of mentality is ruining Linux distributions.
If I wanted a dumbed-down buggy system, I'd use Windows.

What?

[Charliemopps]

Autorun plagues windows? Do people still move files from computer to computer via disc? By default this feature is either turned off or there's a popup asking if you want to run whatever it is that's trying to run. The last time I got a virus from autorun was probably on windows 98, maybe even 95.

Looks like WTFV is harder than RTFA

[adamofgreyskull]

Almost every comment here is concentrating on "Autorun" i.e. automatic execution of scripts/executables on media and ignoring the main focus of the talk, which is about exploiting bugs in the way the file-manager handles previews of image, PDF, DVI files etc. situated on the media. More generally he talks about the possibilities of exploiting vulnerabilities in every layer involved when automatically handling inserted media, from device discovery, device drivers, file-system drivers, up to and including the file-manager.

Unless we're all conflating "autorun" with "automount & show the media in a file-manager" now?

ffs people

[smash]

... it was a bad idea when microsoft did it (infuriating, even if it wasn't a security problem, even back in 1995), and now the noob idiots pushing current desktop environment development (which seems to have peaked and gone downhill in about 2004) seem determined to replicate every bad idea and fuckup of windows until linux is just as unworkable.

People run linux because of retarded shit like that on Windows. Don't replicate the problem.

Re:

[HermMunster]

Has there really ever been anyone responsible for Linux making claims of "the year of Linux"? Or has it just been some random users that once made a reference?

Re:

[DrgnDancer]

It was quite popular about 8-10 years ago for various media outlets to declare the "year of the Linux Desktop". I can't be arsed to look up specific examples, but they definitely existed. The irony being that Linux has improved dramatically as a desktop OS since most of those claims were widely circulated, yet no one expects it anymore. As far as I can tell, three things have ended the hype:

1) Probably most important: People have realized that what most desktop users want is something Linux will probably

Re:

[0123456]

You can't claim that Linux > Windows and then suggest it remove features Windows has had for years.

Linux has traditionally been better than Windows precisely because it didn't have features like 'autopwn' that Windows has had for years.

Re:

[jedidiah]

> But as you make Linux more user friendly, feature rich, easier to use, it becomes easier to attack.

Of course you can point us to the inevitable viruses, worms and trojans that now afflict MacOS?

If not then your entire rant is just thoughtless jibber jabber.

You get system vulnerabilities from bad engineering practices, not a consumer focused mindset.

Sure I can have it both ways. Just don't do obviously stupid stuff. Don't do things that were proven wrongful in the 80s before any of the current malware i

Re:

[jedidiah]

A smart distro would disable auto-run entirely and make you go through hoops to install it.