Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
BLACK FRIDAY DEAL: Trust the World's Fastest VPN with Your Internet Security & Freedom--A Lifetime Subscription of PureVPN at $48 with coupon code "BFRIDAY20" ×
Security Chrome Desktops (Apple) Open Source Software Windows Linux Technology

Zero-Days Hitting Fedora and Ubuntu Open Desktops To a World of Hurt (arstechnica.com) 164

An anonymous reader writes: It's the year of the Linux desktop getting pwned. Chris Evans (not the red white and blue one) has released a number of linux zero day exploits, the most recent of which employs specially crafted audio files to compromise linux desktop machines. Ars Technica reports: "'I like to prove that vulnerabilities are not just theoretical -- that they are actually exploitable to cause real problems,' Evans told Ars when explaining why he developed -- and released -- an exploit for fully patched systems. 'Unfortunately, there's still the occasional vulnerability disclosure that is met with skepticism about exploitability. I'm helping to stamp that out.' Like Evans' previous Linux zero-day, the proof-of-concept attacks released Tuesday exploit a memory-corruption vulnerability closely tied to GStreamer, a media framework that by default ships with many mainstream Linux distributions. This time, the exploit takes aim at a flaw in a software library alternately known as Game Music Emu and libgme, which is used to emulate music from game consoles. The two audio files are encoded in the SPC music format used in the Super Nintendo Entertainment System console from the 1990s. Both take aim at a heap overflow bug contained in code that emulates the console's Sony SPC700 processor. By changing the .spc extension to .flac and .mp3, GSteamer and Game Music Emu automatically open them."
This discussion has been archived. No new comments can be posted.

Zero-Days Hitting Fedora and Ubuntu Open Desktops To a World of Hurt

Comments Filter:
  • by ilguido ( 1704434 ) on Friday December 16, 2016 @05:28AM (#53496101)
    GStreamer can run SPC file only if the GStreamer Bad Plugins (and libgme) are installed: they're called "bad" for a reason, e.g. they lack a good code review.
    • There isn't really an excuse for GStreamer still running in-process. Putting the encoded packets and the decoded memory buffers in shared memory and running the decode in another process doesn't add human-detectable latency on a modern system and means that you can strip the gstreamer process of privilege entirely, so a compromise can't hurt anything. The only issue is with GPU-assisted decoding of video, because any process that has access to the GPU has a massive attack surface of buggy GPU drivers and
    • And how many people have this either installed or can be made to install this?

      ~5 years ago, when I cared about making sure I installed all the media codecs, I installed the GStreamer Bad plugins. Only reason I don't install it now is because things work fine without it?

      What would happen if someone downloaded and tried to play one of these files now (thinking they were downloading a Taylor Swift .mp3 off of Pirate Bay)? Would the OS offer to download GStreamer Bad plugin? If it did, how many users would e

    • WRONG! (Score:4, Informative)

      by Anonymous Coward on Friday December 16, 2016 @08:54AM (#53496687)

      https://scarybeastsecurity.blogspot.pt/2016/11/0day-exploit-advancing-exploitation.html

      "A powerful heap corruption vulnerability exists in the gstreamer decoder for the FLIC file format. Presented here is an 0day exploit for this vulnerability.
      This decoder is generally present in the default install of modern Linux desktops, including Ubuntu 16.04 and Fedora 24. Gstreamer classifies its decoders as “good”, “bad” or “ugly”. Despite being quite buggy, and not being a format at all necessary on a modern desktop, the FLIC decoder is classified as “good”, almost guaranteeing its presence in default Linux installs."

      confirmation here:
      https://bugzilla.redhat.com/show_bug.cgi?id=1397441
      gstreamer-plugins-good: Heap buffer overflow in FLIC decoder

      Sheesh, I thought you guys (the parent post and the ones who upvoted) were geeks and into factual information! Oh right, this is slashdot...

  • by Anonymous Coward on Friday December 16, 2016 @05:41AM (#53496135)

    Still... that shows why security has to be half education and half technology. The last one, which was especially bad because a drive-by, combined Chrome ("I download by default to ~/Downloads"), stupid Desktop behavior ("I index everything I see -- oh, shiny! a media file: I'll throw that over to gstreamer") and gstreamer... see TFA.

    The users expecting the system to "do everything automatically" is no different than Windows of yore running AUTORUN.INF whenever you inserted a removable medium. If there is no pushback on that front there won't be a secure system, ever [1]

    [1] secure for the user, that is. If your definition of "secure" is "secure for some collusion of hardware vendor, software vendor, media companies, advertising cartels, search engines and state agencies, then perhaps.

    • by Anonymous Coward

      We're talking about a buffer overflow attack that could have been easily prevented by using a sane implementation language or some static security checking tool. That's a technical issue, not based on user behavior.

      • Remember Windows Metafile? That was a picture format that consisted of executable code (poor man's pdf or ps for Windows 3.0) and ended up being abused.
        Here, a whole frigging computer is emulated and the SPC file is just raw machine code for its CPU, so that you can e.g. listen to Street Fighter II music in your winamp clone. Depending on your player perhaps, you even get a track of infinite/unknown length and the music loops indefinitely.
        I find it funny and it reminds me more about the entirely banal stori

    • stupid Desktop behavior ("I index everything I see -- oh, shiny! a media file: I'll throw that over to gstreamer")

      The real issue here is that the indexer plugins don't run in an unprivileged sandbox. An indexer should have the rights to read the file that it's indexing, to write the metadata back via IPC to the parent process, and nothing else. It's insane that anyone would create a system that runs on untrusted data without any kind of privilege separation.

    • You cannot get more security by trading in your freedom. You can only be enslaved. Security is your own business. Asking someone else to do it is like giving the keys to your house and the passwords to your accounts to a third party and trusting they will do "the right thing". And since when is a game emulator library failure a distribution failure?
  • I've been thinking about this issue for quite some time already, and I'm gonna ask it again, how do you virtualize your web browser (actually it's the only way to be fully protected against local root (kernel/system daemons) vulnerabilities, keyloggers, data theft, etc.)? Here are my minimum requirements:
    • Kernel syscalls protection and user account protection - i.e. web browser must be fully virtualized
    • Decent performance and 2D acceleration
    • Ability to use a shared folder (for downloads and stuff)
    • Ability to
    • by AlphaBro ( 2809233 ) on Friday December 16, 2016 @06:30AM (#53496225)

      actually it's the only way to be fully protected against local root (kernel/system daemons) vulnerabilities, keyloggers, data theft, etc.

      I'm not entirely sure about the scope of what you're claiming here, but know that virtual machine escapes aren't uncommon. I'm not saying that virtualizing the browser is a bad idea (defense in depth and all that), but it won't get you perfect security. Also, in some cases, it's possible to attack the host OS without leaving the VM. Then there's the sensitive information within the VM (user credentials, session cookies, etc.), which doesn't require an escape.

      • but know that virtual machine escapes aren't uncommon

        For my entire life I've heard of maybe 10 cases of exploits which actually allowed to escape VM while at the same time each popular web browser (IE, Firefox, Chrome, Opera, Safari) has already had at least 300 remotely exploitable vulnerabilities (close to 1500 vulnerabilities overall).

        Which means that when you're running your web browser in a VM you decrease your chances of being p0wned by at least two orders of magnitude. Also, since most attacks nowa

        • but know that virtual machine escapes aren't uncommon

          For my entire life I've heard of maybe 10 cases of exploits which actually allowed to escape VM while at the same time each popular web browser (IE, Firefox, Chrome, Opera, Safari) has already had at least 300 remotely exploitable vulnerabilities (close to 1500 vulnerabilities overall).

          Which means that when you're running your web browser in a VM you decrease your chances of being p0wned by at least two orders of magnitude. Also, since most attacks nowadays are carried out automatically, those attacks will stop at your VM because the exploit kit will not try to break out of VM since 99.999% of users out there don't bother virtualizing their browser and also there are ways to conceal your VM.

          Heres an idea.

          What if you could craft the audio signal so that it exploits the audio output software/drivers in the host when played from a guest VM?

          Ie you have the guest VM hooked up to output its audio through the host, not uncommon in desktop virtualisation. And its the specially crafted audio signal which carries the exploit not the specially crafted file.

          • And its the specially crafted audio signal which carries the exploit

            Kind of hard to have a buffer overflow in the audio signal when the entire bit space is available for audio. So then what's left? A pulsed signal, that when it hits the DAC creates RF interference that then induces current somewhere else on a chip?

            I know, you can read keystrokes from 2 rooms away by pointing an antenna at a keyboard, but I can't even imagine how you do an exploit with an audio waveform.

        • Why would a keylogger need to break out of the VM to be useful? It can just log the keys on that side and be perfectly happy with what it gets.

    • Nice try, but that's not security, that's just putting it in a box designed for things other than security.
      All you are going to get out of that messing about is a feeling a smugness and immunity from script kiddies who are not even trying hard.
      You could try doing something actually designed for security, such as simply running the web browser as a user other than the one that owns all the files you want to keep - so a unique user for the web browser. Jails and containers/zones help too because they are des
    • by Anonymous Coward

      Check out 'firejail' on Linux.
      I use it to route specific programs through different network interfaces, and often use it for youtube in firefox with no issues.

      From the manual;
      Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared

    • by Anonymous Coward

      It sound like you really want qubes os, where everything is sandboxed off into security zones you define.

  • by Zombie Ryushu ( 803103 ) on Friday December 16, 2016 @06:55AM (#53496279)

    The idea that Linux might or does have security vulnerabilities is not anything remotely new. I sometimes file five bug reports a day on patches for things like this dealing with Debian, Rosa, Mageia, Fedora, and Suse. I just file the bugs, its up to the Distro Maintainers to read what I post and act on them. Sometimes they mark it as invalid, a Duplicate, already fixed, or Works for me.

    Other times I get a patched, or upgraded package in 24-48 hours.

    If you see a CVE of something, post it to your relevant bugzilla, and not just one, always provide the CVE and a URL to where you got the CVE From if at all possible. Don't stick your head in the sand and say its not your problem. Keep in mind the world we live in today.

  • by Xylantiel ( 177496 ) on Friday December 16, 2016 @08:06AM (#53496499)
    It sounds like these are known issues that just aren't fixed yet on some distributions. That's not a zero day.
  • 'Zero day'. 'world of hurt'.

    Look everyone I found a bug! Look at me! All your machines can be mine if you just install this normally not installed software, then visit this here website!

    Just file the bug and let them fix it, till then just stfu.

    • ...if you just install this normally not installed software...

      As has already been addressed multiple times above, the package involved is installed by default in the listed distros and more.

      Just file the bug and let them fix it, till then just stfu.

      How about you RTFM and understand what you're talking about, till then hush little child. Consider that the sensational title is intended to get attention on an actual threat, and past the willful ignorance of persons such as yourself.

      • Sorry, but I totally agree with the original post. The title is "Ubuntu 0day world of hurt". The reality is "Ubuntu12.04, no privilege escalation". That is not a serious issue, and even the author acknowledges it, so please hush big boy.

        The main users of ubuntu 12.04 are mostly servers (so not likely to be affected) and the EOL is near anyway.

        • Sorry, but I totally agree with the original post. The title is "Ubuntu 0day world of hurt". The reality is "Ubuntu12.04, no privilege escalation". That is not a serious issue, and even the author acknowledges it, so please hush big boy.

          The Author said: "I like to prove that vulnerabilities are not just theoretical—that they are actually exploitable to cause real problems,"
          Care to share what you're basing your perspective off of? Mr Evan's actual detail *is* a long read and I fully admit I grazed it and may have missed something.

          The main users of ubuntu 12.04 are mostly servers (so not likely to be affected) and the EOL is near anyway.

          I'm going to presume you meant Ubuntu 16.04, and note that you're nitpicking on one of the two distributions highlighted. Regardless of the user spread between server and desktop (that was also noted in the

      • Why would you draw public attention to an exploit? You report it to the software authors and give them time. Anything else is completely irresponsible.

        Sure, maybe go all sensational when the software authors refuse to listen to you for several months, and machines are falling left and right, however this doesn't look to be the case. They are never given a chance before public announcement. And at least on my Fedora 23, game-music-emu is NOT installed by default.

  • So let me get this straight. Someone figures out how to exploit a game emulator that has nothing to do with the Linux Desktop (gaming on an emulator is not primary functionality of Linux on the DESKTOP - read that again - DESKTOP). And now we are reporting this as a distribution failure and calling the entire Linux ecosystem as bad. Meanwhile, the plugins in question are clearly labeled as "bad" as in "use at your own risk". So what is Linux on the Desktop supposed to do? Protect you from yourself? Be "just
  • Mark my words, this is the last time I'm logging into Slashdot. It's become just anti-FOSS clickbait with Microsoft ads littered throughout.

    Why do I say this? Because every time some very minor Linux vulnerability crops up -- usually ones that have not actually affected anybody (the exceptions being Heartbleed and Shellshock) -- there's some ultra-clickbaity article about how the entire Linux world is getting pwned simultaneously. Thankfully some comments showing why this is total nonsense are upvoted, b
    • Now if I could just get upvoted for pointing out how pointless this whole story was..... *sigh*. I agree with you.
  • by iamacat ( 583406 ) on Friday December 16, 2016 @10:46AM (#53497367)

    How did these distributions get to the state where they include 80s CPU emulator by default? For users with decent Internet connection, base install should be something like ChromeOS, with only video/audio codecs widely used at present. Then have an easy way to install extra stuff as needed. It's not only for security, stability, memory/storage use and performance is also affected by having a boatload of crap installed by default. And don't forget the amount/frequency of high priority updates.

  • I glossed very quickly over the article so maybe I missed it. What is the actual *impact* of this? Privilege escalation? Crash the OS?

    Just because an exploit is found doesn't necessarily mean it's a significant concern unless you can do something nasty with it.

  • Zero day means, that they are used to exploit people in the wild, not that there exists an proof of concept.

Parallel lines never meet, unless you bend one or both of them.

Working...