USB Autorun Attacks Against Linux

Orome1 writes "Many people think that Linux is immune to the type of Autorun attacks that have plagued Windows systems with malware over the years. However, there have been many advances in the usability of Linux as a desktop OS — including the addition of features that can allow Autorun attacks. This Shmoocon presentation by Jon Larimer from IBM X-Force starts off with a definition of autorun vulnerabilities and some examples from Windows, then jumps straight into the Linux side of things. Larimer explains how attackers can abuse these features to gain access to a live system by using a USB flash drive. He also shows how USB as an exploitation platform can allow for easy bypass of protection mechanisms like ASLR and how these attacks can provide a level of access that other physical attack methods do not." I've attached the video if you are curious. Skip the first 2 minutes if you don't care where the lost and found is.

Re:The price of easy and automatic

[HermMunster]

I think negative mods would only be given for not addressing what the researcher was talking about. Android isn't using an autorun feature. In fact, he specifically states that his speech addresses only Ubuntu 10.10 and gnome (and not the other desktop managers).

Re:The price of easy and automatic

[Vanderhoth]

I agree with you. Although, based on what I saw in the clips I was viewing the attacks seem to be more related to fancy sloppy interfaces such as auto loading thumbnails of pictures stored on a USB drive. Not so much because *nix is idiot proof, but because there is more of a focus on making a nice looking interface instead of a secure ok looking interface.

I could be wrong.

Re:The price of easy and automatic

[asvravi]

User-friendly
Secure
Functional

Pick any two...

OT: MS instructions for controlling in Windows

[behindthewall]

Maybe OT, but here's MS's information for controlling this "feature" in Windows.

There've been various sets of instructions and registry hacks floating around, but this appears to be from the horse's mouth, relatively recently updated, and addresses some of the shortcomings of previous fixes.

Article ID: 967715 - Last Review: September 9, 2010 - Revision: 6.2
How to disable the Autorun functionality in Windows

http://support.microsoft.com/kb/967715 [microsoft.com]

(I'm posting this due to the confusion all the various instructions / search results can create, and because this article addresses Autoruns and so I expect a number of Windows users will be having a look out of curiosity.)

Re:Exactly

[Nimey]

Did you ever use the original Vista? Ever use Ubuntu or OSX from the same time period? Vista's prompt was a lot more annoying, because for some operations it would go off several times, while for the other two it'd ask you ONCE and then get the hell out of the way. Ubuntu would even remember your sudo credentials for a few minutes so you could do other tasks as root. Really a superior design.

They made it less annoying with SP2 and again with Win7, yes, but the original setup was shit.

Re:OSes should be immune from this out of the box

[adamofgreyskull]

Seriously, watch the video. Autorun isn't the only problem.

Query the type of the media, but do so without running any code of any type on the media.

Until nefarious person inserts a USB device that, for example, exploits a vulnerability in the code that queries the media. e.g. "Hey Mr. USB drive, tell me your VendorId plz!" "exploitstring" "Oh nooooo!".

As for the rest, it won't ever work. If anything prevents a user from quickly accessing the movie/game/pictures they think are on the DVD/CD/USB device they will either take the quickest route (enabling auto-run/auto-display of any untrusted media) or a completely random route, any of which could cause code to be executed, except the "Do Nothing" option. Not to mention the fact that autorun isn't the only problem. (Seriously, watch the video).

The problem is that an exploit in any of the myriad layers involved in dealing with inserted media makes the system vulnerable. Before your prompt is even displayed the media would have been touched by device discovery code, file system drivers etc. and now...your new authentication code. And then, if the user selects "open as a folder", a seemingly benign action, a bug in the way the file manager handles image/PDF previews (seriously, watch the video) could result in code execution!

While a nice idea in theory, it does little to prevent a truly determined attacker, especially if they have cooperation from all but an expert user.

Re:The price of easy and automatic

[icebike]

To be fair, this is more of a UDEV, and WM/DE problem in mainstream distro's, rather than specific Linux kernel issue itself, but I won't let the headline, article/video presentation detract from that fact.

Not even a problem Mainstream Distro problem. Its exclusive to Gnome's method of thumbnail creation on a plugged in device. He only demonstrated it on Ubuntu with Gnome, and specifically with Nautilus file manager, but its probably the fault of GVFS [wikipedia.org], Gnome's virtual file system.

He specifically mentions that this exploit does not work with KBuntu.

So once again Linux gets painted with a user space exploit.

Re:Exactly

[trickyD1ck]

All UAC does is basically confirm with whomever is currently sitting at the computer (authorized or not) that they initiated some arbitrary action.

Unless you are a limited-rights user. Then you have to enter admin credentials.