
USB Autorun Attacks Against Linux 274

Posted by CmdrTaco
from the don't-put-strangers-in-there dept.
Orome1 writes "Many people think that Linux is immune to the type of Autorun attacks that have plagued Windows systems with malware over the years. However, there have been many advances in the usability of Linux as a desktop OS — including the addition of features that can allow Autorun attacks. This Shmoocon presentation by Jon Larimer from IBM X-Force starts off with a definition of autorun vulnerabilities and some examples from Windows, then jumps straight into the Linux side of things. Larimer explains how attackers can abuse these features to gain access to a live system by using a USB flash drive. He also shows how USB as an exploitation platform can allow for easy bypass of protection mechanisms like ASLR and how these attacks can provide a level of access that other physical attack methods do not." I've attached the video if you are curious. Skip the first 2 minutes if you don't care where the lost and found is.

This discussion has been archived. No new comments can be posted.

  • by clang_jangle (975789) on Monday February 07, 2011 @02:03PM (#35128246) Journal
    I always knew that when they made *nix idiot-proof all hell would break loose security-wise. Android has proven that really thoroughly. It's too bad, really. I had high hopes for it once. Maybe they'll get it together yet though.
    • by Vanderhoth (1582661) on Monday February 07, 2011 @02:13PM (#35128354)
      I agree with you. Although, based on what I saw in the clips I was viewing the attacks seem to be more related to fancy sloppy interfaces such as auto loading thumbnails of pictures stored on a USB drive. Not so much because *nix is idiot proof, but because there is more of a focus on making a nice looking interface instead of a secure ok looking interface.

      I could be wrong.
      • by asvravi (1236558) on Monday February 07, 2011 @02:51PM (#35128850)

        User-friendly
        Secure
        Functional

        Pick any two...

      • I hate to throw in a well-used aphorism here, but nothing is foolproof because fools are so ingenious. It's the inflammatory nature of the post that attracts so many hits to this.... it turns out that you can hurt almost anything thru blatant misconfiguration. The scope of the attack is comparatively tiny. And you might get all of an attack plane of a half-million users on a good day, provided they use removable storage, and they'll accept something from unvetted sources.

        Oh, wait....

    • by jd (1658)

      Can't speak for others, but I understand what you mean. And, yes, the easier something is, the harder it is to maintain security. Sandboxing all autorun code might help but that would degrade the ease-of-use.

    • by Sal Zeta (929250)

      Fast. Or Secure. Or Useful for the common layman.

      Pick Two.

      • by hedwards (940851)

        You mean, Fast, secure, convenient or useful for the common layman.

        Pick Two.

        The problem with autorun is that it's convenient without having any security involved. By its nature it isn't secure, and I'm not sure why it would be more secure on Linux than Windows, other than it being limited to the user's privileges and needing to be written to handle Linux. And MS has in recent releases done a lot to make it easier to run the OS without always being admin.

        • The problem with autorun is that it's convenient without having any security involved.

          What is it convenient for, other than as a malware vector? (Which it seems to be really good at, judging from my virus detection reports).

    • by elrous0 (869638) *

      The harsh reality is that it's very difficult to make an OS that's both safe and popular. Make it too safe, and it's too complicated and annoying for the common user. And the only way to make it popular with the masses is to remove some of the safety features and usability roadblocks. It's a tightrope that MS and Apple have to walk every day. MS walks it by fighting each security issue that comes up individually. Apple walks it by increasingly turning towards locked-down systems.

      • Exactly (Score:2, Insightful)

        MS *tried* to fight it (in part) by effectively adding a GUI sudo prompt into Windows Vista. A million people -- including Linux users posting on Slashdot -- immediately flew into fits of nerd rage about how annoying it was to have a GUI sudo prompt. (I never saw an issue with it myself, actually. Seemed no more irritating than going sudo on Linux or OSX's own authentication prompt. Unlike many, I actually really quite liked Vista, although I use OSX most of the time.) MS listened to their users and allowed

        • Re:Exactly (Score:5, Informative)

          by Nimey (114278) on Monday February 07, 2011 @03:31PM (#35129264) Homepage Journal

          Did you ever use the original Vista? Ever use Ubuntu or OSX from the same time period? Vista's prompt was a lot more annoying, because for some operations it would go off several times, while for the other two it'd ask you ONCE and then get the hell out of the way. Ubuntu would even remember your sudo credentials for a few minutes so you could do other tasks as root. Really a superior design.

          They made it less annoying with SP2 and again with Win7, yes, but the original setup was shit.

        • Re:Exactly (Score:4, Insightful)

          by multisync (218450) on Monday February 07, 2011 @05:44PM (#35130620) Journal

          MS *tried* to fight it (in part) by effectively adding a GUI sudo prompt into Windows Vista. A million people -- including Linux users posting on Slashdot -- immediately flew into fits of nerd rage about how annoying it was to have a GUI sudo prompt.

          If you are referring to UAC, it is hardly a "GUI sudo prompt." sudo requires you to prove that you are an authentic user by providing your password each time you open a shell to perform an administrative task (and every fifteen minutes after), and you also have to be a member of the sudo group (which only the first account created at install time is by default).

          All UAC does is basically confirm with whomever is currently sitting at the computer (authorized or not) that they initiated some arbitrary action. This is also useful, in that it prevents some web site from installing a piece of malicious software without the user's knowledge, but it is far from a "GUI sudo prompt."

          This is the reason it was met with derision by Slashdotters (and I don't recall many "fits of nerd rage," although a few might have snorted Code Red through their noses when they realized how impotent - and easily disabled - this new Microsoft "security feature" was).

    • by owlstead (636356)

      Yeah, I own an Android phone, and you won't believe what problems I had to put up with security wise! It's rather unusable!

    • Re: (Score:3, Funny)

      by Hatta (162192)

      UNIX was always idiot proof. It's hard for an idiot to damage much when there's nothing to click on.

    • by Khashishi (775369)

      At least you can choose a distribution that doesn't have all sorts of security issues.

  • by JustNiz (692889) on Monday February 07, 2011 @02:17PM (#35128416)

    Autorun as a concept just sucks.
    Copying whatever Windows does, warts and all, into Linux, just sucks.
    When is this insanity going to end?

    • Re: (Score:3, Insightful)

      by pclminion (145572)

      Yeah, having a computer automatically react to a piece of media... What a stupid idea. Next thing you know they'll be using computers to compute things, and then we've just gone straight to hell.

      • by hedwards (940851) on Monday February 07, 2011 @02:31PM (#35128612)

        It really depends how you do it. It's one thing to go the UAC route and have the computer notify the user that something has been inserted and request authorization to do something, and quite another to make that decision for the user. Certain actions really shouldn't be allowed to be completed completely on their own, autorun is definitely a candidate for that.

      • by mlts (1038732) *

        Not just a piece of media. A piece of untrusted media. The computer needs to consider all media as suspect and require the user to take action. It shouldn't do anything else.

        The media should be mounted, and mounted noexec, nosuid, no-nothing. That's it. No autorun, no autoplay, no autoboot, no -nothing-. The user can decide what to do with the media once it is mounted. If the user wants to run stuff from the media, they can remount it with the permissions ready.

        Of course, there is always the issue of

      • How obtuse. It's not the computer "automatically reacting" that is the problem. It's the nature of the reaction. A good/sensible reaction might be to mount the media (with the noexec option even) and open the folder in the default file manager. A bad/idiotic reaction is to blindly trust whoever created the media and automatically run anything on it that says it should be run, without first prompting the user. The presentation talks about a lot more than simple autorun, but since that's what you're talking a
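The mount policy asked for in the two comments above (mount removable media noexec, nosuid), as an added example that is not part of the original thread: a small audit that parses `/proc/mounts`-format text and reports removable-media mounts missing those options. The mount prefixes, the inclusion of `nodev`, and the sample lines are assumptions constructed for illustration.

```python
import os
import re
import shlex

# Options the comments ask for on untrusted media; nodev is added here as an assumption.
REQUIRED = ("noexec", "nosuid", "nodev")
# Assumption: the desktop auto-mounts removable media under one of these prefixes.
REMOVABLE_PREFIXES = ("/media/", "/run/media/", "/mnt/")

# Constructed sample in /proc/mounts format (not captured from a real system).
SAMPLE = r"""/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/KINGSTON vfat rw,nosuid,nodev,relatime,uid=1000,gid=1000 0 0
/dev/sdc1 /media/My\040Photos vfat rw,nosuid,nodev,noexec,relatime 0 0
/dev/sr0 /media/cdrom0 iso9660 ro,relatime 0 0
"""


def unescape(field):
    """Decode the octal escapes (\\040 for a space, etc.) the kernel writes in mounts files."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Yield (device, mountpoint, fstype, set_of_options) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        dev, mnt, fstype, opts = parts[:4]
        yield unescape(dev), unescape(mnt), fstype, set(opts.split(","))


def audit(text, prefixes=REMOVABLE_PREFIXES):
    """Return [(mountpoint, device, missing_options)] for removable mounts lacking hardening."""
    findings = []
    for dev, mnt, _fstype, opts in parse_mounts(text):
        # Append "/" so that "/media" itself matches but "/mediaX" does not.
        if not (mnt + "/").startswith(prefixes):
            continue
        missing = [o for o in REQUIRED if o not in opts]
        if missing:
            findings.append((mnt, dev, missing))
    return findings


def remount_command(mountpoint):
    """Build the remount command an administrator could run to apply the options."""
    return "mount -o remount,%s %s" % (",".join(REQUIRED), shlex.quote(mountpoint))


if __name__ == "__main__":
    path = "/proc/self/mounts"
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for mnt, dev, missing in audit(text):
        print("%s (%s) is missing: %s" % (mnt, dev, ", ".join(missing)))
        print("  fix: " + remount_command(mnt))
```

These options only stop direct execution, setuid binaries and device nodes on the media; they do not cover the file-manager preview and parser bugs raised elsewhere in this thread.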
      • by sjames (1099)

        Automatic reaction is one thing. Automatic trust is quite another. Would you sit blindfolded on a street corner with an offer to drink anything given to you by anyone? Why would you want a computer to do that?

        • by pclminion (145572)

          Why would you want a computer to do that?

          I wasn't aware that a computer did that. My Windows machines don't. My Linux machines don't.

          If some random Linux distro is automatically running programs from inserted media, it sounds to me like somebody had a major brain fart. "Autorun is the problem" is not my first assumption...

          • by sjames (1099)

            What do you think AUTO-RUN means then?

            Windows has toned it down a bit by now asking first before running an executable (at one time it would just run it without asking and MS swore that was just fine)

    • by 0123456 (636235)

      When is this insanity going to end?

      When developers stop listening to new users who say 'But I can do this in Windows, why can't I do it in Linux?'

      • But I can blame Microsoft for my computer getting viruses in Windows, why can't I do it in Linux?
    • by $RANDOMLUSER (804576) on Monday February 07, 2011 @02:36PM (#35128660)
      Exactly.

      87.3% of all the biggest forehead-whapping Windows security bugs have come from Microsoft's (really Bill Gates) love of whizzo features that look really cool in a developers conference keynote but don't survive the first three minutes of critical thought or exposure to the real world.

      I'm specifically referring to things like where IE or Windows Explorer execute code of unknown provenance to provide "previews". Windows Explorer once had a bug which could execute arbitrary code via JPEG preview. Of course, the Outlook preview exploits are LEGION, but we can also include VB macros included in Word and Excel "data" (hahaha) files. Only a sick love of flashy features, consequences be damned can account for this.
      • by Jaqenn (996058)
        Can we agree that when not compromising the integrity of your system, thumbnail sized previews of a large collection of image files is a desirable feature?

        Because I like it a lot, and if you claim that it's useless for everyone, everywhere then I think that calls into question anything else you might claim.
    • by OzPeter (195038)

      Autorun as a concept just sucks. Copying whatever Windows does, warts and all, into Linux, just sucks. When is this insanity going to end?

      I insert a DVD into my player - and it just plays.

      I put film into my (now older camera) and it loaded it up for me ready to use when I shut the back

      I'm sure there are a zillion other examples of systems that just start doing things in readiness of what the would like. So why do you think the average consumer is *not* going to expect things happen automatically?

      • by 0123456 (636235)

        I insert a DVD into my player - and it just plays.

        A DVD player has one intended use and only one intended use: playing DVDs.

        I put film into my (now older camera) and it loaded it up for me ready to use when I shut the back

        A camera has one intended use and only one intended use: taking photos.

        So why do you think the average consumer is *not* going to expect things happen automatically?

        Computers are used for many things other than playing DVDs. Why should the operating system assume that just because I put a DVD in the drive, I want to play it?

      • by Imagix (695350)

        I insert a DVD into my player - and it just plays.

        What else is it going to do, but play the DVD?

        I put film into my (now older camera) and it loaded it up for me ready to use when I shut the back

        Again, what else are you going to do with it? Those are only two examples of nearly single-purpose items doing that single purpose. Easy to figure out what that's going to do.

    • by Jonner (189691) on Monday February 07, 2011 @03:40PM (#35129334)

      The presenter in TFV says that because autorun always prompts the user, it's not a big security risk. He spends much more time talking about exploiting bugs in various software layers, including kernel, root-running userspace, and normal user processes.

      I'm not sure that I agree that always asking permission to autorun something is safe enough, but it is far less onerous than how Windows used to work.

    • by bloodhawk (813939)
      Technically speaking and security wise autorun as a feature that sucks balls. In user land though it is an obvious thing, "when I plug this thingie in why doesn't it just work?". Sadly there is always a tradeoff between security and usability, either we need to stomp on the bad guys harder (unlikely) or we need to make security easier for the end user that really don't want to know how everything works, they just want to plug it in and have it work.
    • If you RTFA'd (it involves watching a long-ass video so I don't really blame you) you'd see that this doesn't actually exploit Autorun at all (although I agree it's a terrible idea). The exploit shown is a hyper-complicated hack that exploits a thumbnailer process. It is really just crazy-complicated, the guy had to disable AppArmor and ASLR (memory load location randomization) to get it to work at all. That said any of the various thumbnailer applications for various formats are potential targets.

  • Any system is vulnerable when it automatically opens or executes email attachments, automatically executes arbitrary commands delivered on a removable volume, and hides file name extensions to fool users into executing things that looked like something harmless.

    Any software vendor who thinks about adding such features should receive a savage thrashing. If they actually enable such features by default, they should be shot with prejudice.

  • by Compaqt (1758360) on Monday February 07, 2011 @02:22PM (#35128486) Homepage

    Anybody want to post a quick-fix to avoid turn off AutoRun in Ubuntu?

    • One option the researcher explains is to turn off the option to browse media when a removable storage device is inserted: Nautilus > Edit > Preferences > Media tab

      Un-check the box for "Browse media when inserted".

      It won't be long before the code is examined and corrected.

      Keep in mind his speech is about Ubuntu 10.10 and specifically gnome running as the desktop manager.

      • Yes, but he also shows how the vulnerabilities stem from libraries which the desktop uses, and how, potentially, there are vulnerabilities all the way down, right to the kernel itself. No simple fix - short of turning off all automatic execution of processes against any unknown source (which is what I have done for quite some time - I do have thumbnail generation on local files, but after watching that, I think I'll give that the boot too :)).
  • Auto-run is convenient and all but systems should NOT automatically execute content from devices unless the user has specifically told them it's okay.

    A recommendation for out-of-the-box "autorun" experience:

    Query the type of the media, but do so without running any code of any type on the media.
    Authenticate the data used to determine the type of the media AND any "auto run" code typically associated with that type of media OR decide you can't authenticate it.

    Present a box to the user for "trusted" content:

    T

    • by adamofgreyskull (640712) on Monday February 07, 2011 @04:36PM (#35129866)
      Seriously, watch the video. Autorun isn't the only problem.

      Query the type of the media, but do so without running any code of any type on the media.

      Until nefarious person inserts a USB device that, for example, exploits a vulnerability in the code that queries the media. e.g. "Hey Mr. USB drive, tell me your VendorId plz!" "exploitstring" "Oh nooooo!".

      As for the rest, it won't ever work. If anything prevents a user from quickly accessing the movie/game/pictures they think are on the DVD/CD/USB device they will either take the quickest route (enabling auto-run/auto-display of any untrusted media) or a completely random route, any of which could cause code to be executed, except the "Do Nothing" option. Not to mention the fact that autorun isn't the only problem. (Seriously, watch the video).

      The problem is that an exploit in any of the myriad layers involved in dealing with inserted media makes the system vulnerable. Before your prompt is even displayed the media would have been touched by device discovery code, file system drivers etc. and now...your new authentication code. And then, if the user selects "open as a folder", a seemingly benign action, a bug in the way the file manager handles image/PDF previews (seriously, watch the video) could result in code execution!

      While a nice idea in theory, it does little to prevent a truly determined attacker, especially if they have cooperation from all but an expert user.

  • by Beelzebud (1361137) on Monday February 07, 2011 @02:26PM (#35128526)
    Linux servers, that run on command line don't have these issues. I know this is shocking to some people, but 99.99% of the world doesn't really give a shit about what you have on your home pc's hard drive. Security is good, but paranoia isn't. Anyone that actually cares about safeguarding their data won't be running a server with a GUI on it anyway. Even the Apache Foundation had to learn this the hard way.
    • by hedwards (940851)

      I don't think that this problem is limited to servers, I don't see any reason why this wouldn't work against a person's personal computer. Which is the real problem, folks that are administrating a server shouldn't be regularly putting thumbdrives and such in and shouldn't be allowing random other people to do that either. All this really demonstrates is that a computer where people can access the console is not secure. That's been known for how many decades now?

    • by andrewd18 (989408)

      99.99% of the world doesn't really give a shit about what you have on your home pc's hard drive

      Correct. Instead they care about installing a keylogger to your hard drive and then accessing your credit card information.

    • And what of the Linux servers that are connected to over SSH using username/password authentication from those filthy little desktops used by mere mortals tasked with administering them?
  • It appears to me that Linux may have started thinking about focusing all its efforts on being a more stable, secure OS, but to gain acceptance in a more mass market, they need to do things that, while they reduce security, increase their general user base. Sure, it's Linux, so you can strip it down to near nothing and have a rock-solid, dependable, secure system designed for a specific hardware setup, but if they want to stay alive, they may need to realize that they need less secure measures that allow th
    • by Rich0 (548339)

      Sure, it's Linux, so you can strip it down to near nothing and have a rock-solid, dependable, secure system designed for a specific hardware setup, but if they want to stay alive, they may need to realize that they need less secure measures that allow the typical end-user to use their OS behind the scenes without any extra effort on their part.

      Uh, define "stay alive" for me? It is an operating system. It isn't alive, so it can't stay alive. It will exist in perpetuity, or until the last person deletes their copy of the source code.

      Most of the people who maintain linux don't really need these features, and they will likely continue to maintain it indefinitely without them - unless something better comes along (and then why should we want linux maintained anyway?). Sure, it might have microscopic market share on the desktop, but I don't get pai

  • Autorun is stupid (Score:5, Interesting)

    by gweihir (88907) on Monday February 07, 2011 @02:31PM (#35128592)

    Doesn't depend on platform. Autorun is always a huge security risk. It was invented for lazy users that do not want to know how to use their computer properly. At this time (and for the foreseeable future) this kind of laziness comes at a price and that is vulnerability to rather simple to execute attacks.

    The real benefit of Linux here is that, unlike Windows, you can get distributions that would not dream of implementing something as stupid as autorun. On others, you can reliably turn it off reliably without a cryptic adventure through the mess called the "registry". But implementing insecure features will of course make Linux insecure. Nobody sane debates that.

    • by gad_zuki! (70830)

      > On others, you can reliably turn it off reliably without a cryptic adventure through the mess called the "registry"

      Or easily via GP.

  • I think people think he's referring to autorun when I believe what he's talking about is more the "hot-plugging" ability of usb. I.e. I plug in a USB device and some linux kernel device code gets run. These are standard hardware vulnerabilities, it's just that most hardware can't be plugged into a computer as easily as usb.

  • Linux still has the antiquated "user, group, everyone" security model from the 1970s. By now, we know that outside data can't be given all the privileges of the user. But Linux's legacy security model is so deeply embedded in the UNIX/Linux world that it's almost impossible to get beyond that.

    Yes, there's SELinux. But there isn't a whole distribution with a full range of applications which can run under a mandatory security model.

    • by jedidiah (1196)

      A more complicated security model is not going to prevent an environment that can trash the user's files from trashing the user's files.

      That capability is somewhat hard to avoid as you can't really do work for the user otherwise.

    • by 0123456 (636235)

      But Linux's legacy security model is so deeply embedded in the UNIX/Linux world that it's almost impossible to get beyond that.

      That 'legacy security model' is there because anything more complex becomes insanely difficult to administer. Do you really think that a user who demands 'autopwn' for convenience is going to be setting up ACLs so that autopwn programs can't trash their data?

      And any useful autopwn program is likely to require at least user permissions for whatever the user plans to do with it..

    • Linux still has the antiquated "user, group, everyone" security model from the 1970s.

      Yes, there's SELinux. But there isn't a whole distribution with a full range of applications which can run under a mandatory security model.

      Actually, the Unix model is so ingrained in all Unix platforms, that getting users who expect broken Unix off it (on Linux) is difficult, and they want the insecurity and convenience of Mac OS X.

      And, for the demo, the speaker actually had disabled AppArmor, because with it enabled, his exploit didn't work. He said he would have been able to get around AppArmor (due to one or two controls that were not enforced on the thumbnailer) with sufficient time.

  • by behindthewall (231520) on Monday February 07, 2011 @03:14PM (#35129090)

    Maybe OT, but here's MS's information for controlling this "feature" in Windows.

    There've been various sets of instructions and registry hacks floating around, but this appears to be from the horse's mouth, relatively recently updated, and addresses some of the shortcomings of previous fixes.

    Article ID: 967715 - Last Review: September 9, 2010 - Revision: 6.2
    How to disable the Autorun functionality in Windows

    http://support.microsoft.com/kb/967715 [microsoft.com]

    (I'm posting this due to the confusion all the various instructions / search results can create, and because this article addresses Autoruns and so I expect a number of Windows users will be having a look out of curiosity.)

  • It doesn't even recognise my thumb drive, so I don't have to worry about security
  • by doperative (1958782) on Monday February 07, 2011 @03:52PM (#35129444)

    Anyone care to post a demo of this Linux autorun vulnerability, one that will compromise my system by inserting a USB device, and with no user confirmation required, and doesn't prompt for the root password ..

  • Is anybody else annoyed by the "There is a CD with a software update in the drive" or some such when you leave the installation CD in?
    Can you please turn that off Canonical? This just begs for an exploit.

  • I actually watched this presentation live, and it is definitely worth checking out. Although this is a good presentation, it's not exactly the hack of the century. The guy still hasn't actually found a way around AppArmor yet so this doesn't work with machines with it enabled. Furthermore, the exploit requires local access to the machine AND have a user account already logged in.

    I'm sure 99% of you already know how to do this, but if anyone is interested in protecting themselves from this type of attack reg

  • I feel like they're following Windows' tail lights over a cliff.
    This sort of mentality is ruining Linux distributions.
    If I wanted a dumbed-down buggy system, I'd use Windows.

  • Autorun plagues windows? Do people still move files from computer to computer via disc? By default this feature is either turned off or there's a popup asking if you want to run whatever it is that's trying to run. The last time I got a virus from autorun was probably on windows 98, maybe even 95.
  • by adamofgreyskull (640712) on Monday February 07, 2011 @05:03PM (#35130164)
    Almost every comment here is concentrating on "Autorun" i.e. automatic execution of scripts/executables on media and ignoring the main focus of the talk, which is about exploiting bugs in the way the file-manager handles previews of image, PDF, DVI files etc. situated on the media. More generally he talks about the possibilities of exploiting vulnerabilities in every layer involved when automatically handling inserted media, from device discovery, device drivers, file-system drivers, up to and including the file-manager.

    Unless we're all conflating "autorun" with "automount & show the media in a file-manager" now?
  • by smash (1351) on Monday February 07, 2011 @09:01PM (#35132740) Homepage Journal

    ... it was a bad idea when microsoft did it (infuriating, even if it wasn't a security problem, even back in 1995), and now the noob idiots pushing current desktop environment development (which seems to have peaked and gone downhill in about 2004) seem determined to replicate every bad idea and fuckup of windows until linux is just as unworkable.

    People run linux because of retarded shit like that on Windows. Don't replicate the problem.
