USB autorun attacks against Linux

tlu · Feb 8, 2011

http://blogs.iss.net/archive/Shmoocon2011.html

Very interesting. Some improvements in various AppArmor profiles have already been implemented for Ubuntu - see https://bugs.launchpad.net/ubuntu/ source/apparmor/ bug/698194

BTW: I didn't know this interesting overview site mentioned in above posting.

katio · Feb 8, 2011

Thanks for sharing.

However I have to say labeling this as "autorun attacks against Linux" is a bit sensationalist.
In contrast to older Windows the autorun behaviour in Linux is by design secure and sound: It will never execute code from the external device.
This presentation deals with exploiting vulnerabilities through automounting. This is quite different: It only works against unpatched OSs, is costly for the attacker (as he has to work around several mitigations and 0days are especially expensive) and can be defeated for a large part by simply running a 64bit OS.

The other thing we can take home is that the default Apparmor configuration is only offering a false sense of security, it needs to be enabled for far more processes in order to offer any tangible benefit.

katio · Feb 8, 2011

I know this is the Linux forum but this was just released today and it's very relevant to what I just said:
https://www.wilderssecurity.com/showthread.php?t=292632
http://blogs.technet.com/b/msrc/arc...into-the-security-advisory-967940-update.aspx

It's about the Autorun hardening in Windows 7 being backported to older version with an update that was made available through the update channel today:

We're marking this as an "Important, non-security update." It may seem a little odd to call this a "non-security update," especially since we're delivering it alongside our February bulletins. But at Microsoft we reserve the term "Security Update" to mean "a broadly released fix for a product-specific security-related vulnerability." And it would be odd to refer to Autorun as a vulnerability. That term is generally used, and we use it, to mean accidental functionality that allows someone to violate the security of the system. But Autorun isn't an accident -- it's by design, and as I mentioned we care about the very real positive uses of the feature. In other words, in a very real sense, it's not a bug, it's a feature, and we documented it as such.
Click to expand...

chronomatic · Feb 8, 2011

I've never been too interested in (or worried about) autorun vulnerabilities. They require the attacker to have physical access to the machine. In most cases physical access = root access, no matter the OS. Just don't give untrustworthy people physical access to your machine and the problem is solved.

wat0114 · Feb 9, 2011

It was a good video (I skipped a few parts of it) explaining the weaknesses in Nautilus' thumbnail generation, recommending it be disabled, how it and totem gnome is not protected by AppArmor (though maybe this is/has changed with regards to tlu's link??) and how he mentions the Linux locked screensaver is not as difficult to defeat as Windows' locked screensaver. Also interesting to me are the cached thumbnails in ~./thumbnails/normal. I never knew that. It could be a good idea for some to clean that out once in a while

tlu · Feb 12, 2011

There are some other related fixes in the making:

https://bugs.launchpad.net/ubuntu/ source/nautilus/ bug/714958
https://bugs.launchpad.net/ubuntu/ source/gnome-control-center/ bug/715874
https://bugs.launchpad.net/ubuntu/ source/linux/ bug/717412

Log in or Sign up

USB autorun attacks against Linux

tlu Guest

katio Guest

katio Guest

chronomatic Registered Member

wat0114 Guest

tlu Guest

Log in or Sign up

USB autorun attacks against Linux

tlu Guest

katio Guest

katio Guest

chronomatic Registered Member

wat0114 Guest

tlu Guest

Useful Searches