Internet Security Systems - AlertCon(TM)

ShmooCon 2011 presentation: USB autorun attacks against Linux

Posted by Jon Larimer on February 07, 2011 at 12:10 PM EST.

I had a great time presenting at ShmooCon 2011 last weekend. My talk was well received, I got a lot of interesting questions, and some people were even inspired to look for more vulnerabilities.

My slides are available here. The presentation starts off with a definition of autorun vulnerabilities and some examples from Windows, then jumps straight into the Linux side of things. There's information on the USB and file system drivers and some of the lower level user mode subsystems like udev and D-Bus. Then I go into the higher level UI components of GNOME – specifically talking about how thumbnailers work. Thumbnailers are the components and processes that generate previews of files that GNOME and the Nautilus file browser use as file icons. I also talk about some of the exploit mitigations that are enabled by default in Ubuntu Desktop Linux 10.10.

The last few slides are about a vulnerability I found in evince-thumbnailer, part of the GNOME evince document viewer, which is used to render icons for document files. The vulnerability is CVE-2010-2640 which was fixed early in January 2011. I included some information on how it's possible to bypass the exploitation mitigations that are in place: defeating ASLR with brute forcing and bypassing AppArmor by doing things that aren't denied by evince-thumbnailer's AppArmor profile.

The talk concluded with a demo – I inserted a USB flash drive into my Ubuntu Desktop PC (actually a VM) and the locked screensaver disappeared, dropping me to the user's desktop. While the demo was kind of weak (I disabled ASLR and AppArmor to ensure the demo would work quickly), it did illustrate that it is possible to perform autorun-like attacks against Linux to execute arbitrary code and gain access to machines that you otherwise could not.

A video of the full presentation can be found on the ShmooCon schedule page or over at YouTube.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.