ShmooCon 2011 presentation: USB autorun attacks against Linux
Posted by Jon Larimer on February 07, 2011 at 12:10 PM EST.
I had a great time presenting at ShmooCon 2011 last weekend. My talk was well received, I got a lot of interesting questions, and some people were even inspired to look for more vulnerabilities.
My slides are available here. The presentation starts off with a definition of autorun vulnerabilities and some examples from Windows, then jumps straight into the Linux side of things. There's information on the USB and file system drivers and some of the lower level user mode subsystems like udev and D-Bus. Then I go into the higher level UI components of GNOME – specifically talking about how thumbnailers work. Thumbnailers are the components and processes that generate previews of files that GNOME and the Nautilus file browser use as file icons. I also talk about some of the exploit mitigations that are enabled by default in Ubuntu Desktop Linux 10.10.
The last few slides are about a vulnerability I found in evince-thumbnailer, part of the GNOME evince document viewer, which is used to render icons for document files. The vulnerability is CVE-2010-2640 which was fixed early in January 2011. I included some information on how it's possible to bypass the exploitation mitigations that are in place: defeating ASLR with brute forcing and bypassing AppArmor by doing things that aren't denied by evince-thumbnailer's AppArmor profile.
The talk concluded with a demo – I inserted a USB flash drive into my Ubuntu Desktop PC (actually a VM) and the locked screensaver disappeared, dropping me to the user's desktop. While the demo was kind of weak (I disabled ASLR and AppArmor to ensure the demo would work quickly), it did illustrate that it is possible to perform autorun-like attacks against Linux to execute arbitrary code and gain access to machines that you otherwise could not.