HES2011 - Jon Larimer - Autorun Vulnerabilities on Linux
Hackito Ergo Sum
1. USB Autorun attacks against Linux
Hackito Ergo Sum 2011 / April 9 / Paris, France
Jon Larimer, IBM X-Force Advanced R&D
jlarimer@us.ibm.com, jlarimer@gmail.com

2. Autorun malware
■ On Windows, the autorun.inf file could be used to automatically launch programs when a CD/Floppy/USB drive was inserted
■ Many people disable this feature now!
■ Windows 7 changed how AutoRun works from USB drives
■ Malware and hackers could still take advantage of vulnerabilities...
  – LNK vulnerability (Stuxnet)
  – PDF previews
  – Embedded BMP thumbnail vulnerability
© 2011 IBM Corporation

3. Autorun malware on Linux?
■ Some desktop environments support autorun scripts on external media
■ freedesktop.org specifications allow: .autorun, autorun, autorun.sh
■ Specs specifically forbid running these scripts automatically – the desktop environment should always ask
■ What about taking advantage of security vulnerabilities?

4. Autorun vulnerabilities
■ Lots of code executes when a new mass storage device is connected...
■ Removable storage subsystem drivers
  – USB, SecureDigital, eSATA, FireWire, PCMCIA
■ File system drivers
  – Kernel drivers: ext3, ext4, etc
  – User mode (FUSE) drivers: ntfs-3g
■ Desktop applications
  – Desktop file browsers, thumbnailers
■ Vulnerabilities could exist at any of these layers!

5. Attacks on physical systems
■ Physical access is 'game over'
■ What about full disk encryption?
■ IEEE 1394 (FireWire) DMA physical memory access
  – Requires FireWire port and drivers
■ Cold boot attack
  – Requires being able to boot from external media, stealing the RAM, or swapping out an internal drive
■ Removable storage attacks!
  – Most desktop OS's will automatically mount file systems on USB
  – Physical access not really necessary, just find someone to plug a device into their PC
  – If an exploit runs while the PC is already booted and the user is logged on, full disk encryption could be defeated

6. USB on Linux
■ usbcore in drivers/usb/core
■ Host controller driver framework is drivers/usb/core/hcd.c
  – UHCI: drivers/usb/host/usb-uhci.c
  – EHCI: drivers/usb/host/usb-ehci.c
■ Hub driver in drivers/usb/core/hub.c
■ Interface drivers register by calling usb_register() or usb_register_driver(), specifying which vendor/product IDs they work with
■ usb_match_id() in drivers/usb/core/driver.c takes care of the matching, then the driver is loaded

7. USB Vulnerabilities on Linux
■ MWR InfoSecurity Auerswald Linux USB driver bug, 2009
  – Driver provides support for Auerswald USB ISDN devices
  – Had a problem handling USB descriptors, resulting in a buffer overflow
■ Fuzzing USB drivers
  – Moritz Jodeit – hardware+software (2009)
  – Tobias Mueller – QEMU-based fuzzer (2010)
■ Vulnerabilities in USB drivers can be exploited with cheap, small, off-the-shelf programmable USB development boards

8. USB mass storage on Linux
■ Storage class driver in drivers/usb/storage/usb.c
■ storage_probe()
  – Sets up a SCSI host structure
  – Adds SCSI host to SCSI subsystem
  – scsiglue.c and protocol.c take care of converting SRBs to URBs for the USB drivers
■ SCSI subsystem adds a block device (/dev/sdb)
■ udev is notified

9. udev, udisks, and D-Bus
■ udev
  – device manager for Linux
  – adds/removes entries in /dev
  – can trigger events based on rules or through a netlink socket
■ D-Bus
  – IPC mechanism
  – allows applications to register for system device events
■ udisks
  – provides a D-Bus interface for dealing with disk devices
  – uses GUdev library (part of udev) to subscribe to udev events through a netlink socket, republishes them through D-Bus

10. File systems in Linux
■ Traditionally lived in fs/ branch of kernel source tree
■ File systems operate between low level disk bus drivers and virtual file system
■ FUSE – file system in userspace
■ GVFS – GNOME Virtual File System
  – not a traditional file system
  – can only be accessed through GVFS, GIO, or the ~/.gvfs FUSE mountpoint
  – can also access files through SMB, FTP, DAV, etc

11. File system driver vulnerabilities
■ Vulnerabilities in FS drivers could be exploited by malformed FS images on a USB drive
■ Successfully exploited vulnerabilities result in root access – file system drivers run in kernel mode
■ User mode file system driver exploits run in the context of whoever mounted the volume
■ Would be considered a 'local' kernel-mode bug because it requires physical access
■ For the purpose of exploitation, it can be considered remote since you don't already have access to the OS

12. Finding file system driver vulns
■ Manually auditing the code (read The Art of Software Security Assessment by Dowd/McDonald/Schuh)
  – Concentrate on how structures on disk sectors are parsed
■ Static code analysis (lint, clang static analyzer, etc)
■ Fuzzing
  – In Linux, any block device (including a file) can be mounted as a volume
  – Write code to modify a FS image, mount, perform various operations, then unmount
  – Fuzz smarter by understanding FS structure, use code coverage/taint analysis tools
■ Automatically Generating Malicious Disks using Symbolic Execution (Stanford, 2006)

13. GNOME Nautilus
■ GNOME Nautilus is the file browser used by Ubuntu Desktop Linux 10.10
■ Supports most of the freedesktop.org specifications
■ Will automatically mount known file systems on USB drives by default
  – Volume mounted in /media/XXX, where XXX is the volume name
■ Will automatically open a browsing window when a new file system is mounted
■ File browsing window will generate thumbnails for all files in the root directory of the device
■ It does this even with the screensaver running and locked!

14. GNOME Nautilus file browser

15. Nautilus thumbnail/media settings

16. GNOME Nautilus operation
■ Detects when new storage devices are connected
■ Uses GVFS to browse file systems over SMB, FTP, DAV, etc
■ Uses GVFS to be notified of newly mounted file systems

17. GNOME Nautilus – thumbnailers
■ Nautilus will generate thumbnail images for images, movies, documents, and other file types to use as icons in the file browser
■ Settings stored in gconf system
■ Image icons generated internally using GdkPixBuf
■ Also allows 3rd party icon handlers
  – evince-thumbnailer: document files
  – totem-video-thumbnailer: video and audio files
  – gnome-thumbnail-font: font files
■ Thumbnails cached in ~/.thumbnails/normal

18. GdkPixBuf thumbnails
■ Relies on some 3rd party libraries for some image formats (libpng, libtiff, libjpeg)
■ All 3 of those libraries have had security vulnerabilities before...
■ Contains built-in code for other formats (bmp, gif, ico, tga, xpm, and others)
■ Full list of supported extensions (in Ubuntu 10.10):
  – wmf, apm, ani, bmp, gif, icns, ico, cur, jp2, jpc, jpx, j2k, jpf, jpeg, jpe, jpg, pcx, png, pnm, pbm, pgm, ppm, qtif, qif, ras, svg, tga, targa, tiff, tif, wbmp, xbm

19. Exploiting bugs in GdkPixBuf
■ Thumbnailing happens in the Nautilus process
■ If the process crashes, the file browsing window goes away
■ Difficult to defeat NX and ASLR (can't brute force against ASLR...)
■ Nautilus isn't protected by AppArmor

20. Nautilus external thumbnail settings

21. External thumbnailers
■ Configured with gconf:
  – gconftool -R /desktop/gnome/thumbnailers
■ Example:
  – /usr/bin/totem-video-thumbnailer -s %s %u %o
    • %s = size
    • %u = input file
    • %o = output file
■ Nautilus looks up thumbnailer application for each file based on the MIME type
■ Separate process is launched for each file that gets thumbnailed

22. evince-thumbnailer
■ Part of GNOME evince, the document reader
■ Supports file types:
  – pdf, djvu, djv, pdf.bz2, cbr, cbz, cbt, dvi, pdf.gz, ps.bz2, ps, ps.gz, eps.bz2, epsi.bz2, epsf.bz2, eps, epsi, epsf, dvi.gz, dvi.bz2, eps.gz, epsi.gz, epsf.gz, cb7
■ Renders the first page of a document to use as the icon
■ Relies on 3rd party libraries for some formats, internal code for others
■ Protected with PIE, AppArmor

23. totem-video-thumbnailer
■ totem-video-thumbnailer thumbnails these extensions:
  – anim[1-9j], mp4, m4v, m2t, m2ts, ts, mts, cpi, clpi, mpl, mpls, bdm, bdmv, asf, ogx, shn, mxf, gvp, avi, divx, qt, mov, moov, qtvr, wmv, webm, wmx, ra, rm, ram, ogv, ram, mpeg, mpg, mp2, mpe, vob, dv, mkv, wpl, fli, rm, rmj, rmm, rms, rmx, rmvb, wvx, rv, rvx, rp, flv, pict, pict1, pict2, nsc, fli, flc, wm, sdp, qtl, 3gp, 3g2, 3gpp, 3ga, nsv, viv, vivo
■ Relies on many 3rd party libraries
■ Not protected by PIE or AppArmor!

24. gnome-thumbnail-font
■ Provides thumbnails for:
  – ttf, ttc, otf, pfa, pfb, gsf, pcf, pcf.Z, pcf.gz
■ Uses the FreeType library for rendering fonts
■ There have been vulnerabilities in FreeType reported in the past
■ Not protected by PIE or AppArmor!

25. What about mitigations?
■ Ubuntu 10.10 has many security features and exploit mitigations in place by default
■ NX (non-executable memory), ASLR (address space layout randomization) on everything, PIE (position independent executable) on some files
■ AppArmor – kind of a firewall for system calls
■ NX is not very effective, attackers can use ret2libc or return-oriented programming (ROP) exploitation techniques
■ ASLR mitigates ROP...
■ AppArmor can be tough to defeat, but there are weaknesses
  – Protection is defined by per-application profiles
  – There are some things AppArmor can't protect against

26. Defeating ASLR/PIE
■ ASLR can be brute-forced
■ External thumbnailers are launched as a separate process for each file
  – If the process crashes, the other files will continue to be thumbnailed
■ Figure out which addresses libc (or other target library) can be loaded at
■ There are only around 3000 addresses that will be used with the standard Linux kernel ASLR implementation on 32 bit systems
■ Sometimes fewer are needed...

27. ASLR Weaknesses?
[Chart: base address of libc per 40960 runs of evince-thumbnailer. X axis: Address; Y axis: Count.]

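The measurement behind a histogram like this can be reproduced to check how much randomization a given system actually provides. The following Python is an added example, not code from the talk: it extracts the libc base from `/proc/<pid>/maps` text and reports distinct values, Shannon entropy and min-entropy. The function names, the sample maps layout and the run counts are constructed for illustration; `collect_live` assumes a Linux host with a dynamically linked `cat`.

```python
import math
import re
import subprocess
from collections import Counter

# /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-[0-9a-f]+\s+\S+\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$")
# Matches libc-2.x.so and libc.so.6, but not libcap.so or similar.
LIBC_NAME = re.compile(r"(^|/)libc(-[0-9.]+)?\.so(\.\d+)*$")


def libc_base(maps_text):
    """Return the load base of libc in a maps dump, or None if absent."""
    bases = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m and LIBC_NAME.search(m.group(3)):
            # Load base = start of the mapping minus its offset in the file.
            bases.append(int(m.group(1), 16) - int(m.group(2), 16))
    return min(bases) if bases else None


def summarize(bases):
    """Summarize how predictable the observed base addresses are."""
    counts = Counter(bases)
    total = sum(counts.values())
    shannon = -sum(c / total * math.log2(c / total) for c in counts.values())
    top_base, top_count = counts.most_common(1)[0]
    return {
        "runs": total,
        "distinct": len(counts),
        "shannon_bits": shannon,
        # Min-entropy reflects the single most likely base, which is what
        # matters when the distribution is uneven as in the chart.
        "min_entropy_bits": -math.log2(top_count / total),
        "most_common": (top_base, top_count),
    }


def collect_live(runs, argv=("cat", "/proc/self/maps")):
    """Run a short-lived process repeatedly and record its libc base."""
    bases = []
    for _ in range(runs):
        out = subprocess.run(argv, capture_output=True, text=True,
                             check=True).stdout
        base = libc_base(out)
        if base is not None:
            bases.append(base)
    return bases


def constructed_maps(base):
    """Constructed maps dump for one 32-bit run with libc loaded at base."""
    return (
        "08048000-08052000 r-xp 00000000 08:01 131 /usr/bin/evince-thumbnailer\n"
        f"{base:08x}-{base + 0x157000:08x} r-xp 00000000 08:01 262 /lib/libc-2.12.1.so\n"
        f"{base + 0x157000:08x}-{base + 0x159000:08x} r--p 00157000 08:01 262 /lib/libc-2.12.1.so\n"
        "bf800000-bf821000 rw-p 00000000 00:00 0 [stack]\n"
    )


# Constructed run data: addresses taken from the chart axis, counts invented.
CONSTRUCTED_RUNS = [0x00236000] * 4 + [0x0046B000] * 2 + [0x004E4000, 0x00538000]


def measure_constructed():
    """Parse the constructed dumps and summarize them."""
    return summarize([libc_base(constructed_maps(b)) for b in CONSTRUCTED_RUNS])


if __name__ == "__main__":
    print(measure_constructed())
```

Running `summarize(collect_live(1000))` on a 32-bit and a 64-bit host gives a direct comparison for the recommendation in the conclusion.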
28. Defeating AppArmor
■ AppArmor is only as strong as the application's profile
  – evince-thumbnailer's profile used to allow writing to ~/.config/autostart
  – Could be used to install malware to start when the user logs in
  – See https://code.launchpad.net/bugs/698194
■ There are some things that AppArmor can't protect against
  – X11 library calls (could block network access in some cases)
  – Kill screensaver, sniff keystrokes, inject keystrokes, etc

29. Autorun exploit payloads?
■ Copy files from the user's home directory – useful for defeating full disk encryption, TrueCrypt, etc
  – Get browser cookies, documents
■ Kill screensaver process
  – killall gnome-screensaver
  – Gives you full access to the user's desktop
■ Install a backdoor
  – Add script to ~/.bash_profile, ~/.profile
  – Add desktop file to ~/.config/autostart
■ Elevate privileges
  – Install rootkit

30. Killing the screensaver
■ The screen saver is just a process that runs as a window at the top of the X11 window tree
■ killall gnome-screensaver will kill the process, bypassing the authentication dialog
■ Alternatively, locate the X11 library in the process and use that to kill the screen saver window:
  – XOpenDisplay(":0.0")
  – XQueryTree() to enumerate windows
  – XFetchName() to look for "gnome-screensaver"
  – XKillClient() to terminate the process

31. Install a backdoor?
■ Can be done without root
■ ~/.config/autostart is analogous to the Windows "Startup" folder
  – Drop a shortcut there (.desktop file) that points to a script and it'll be launched whenever the user logs in
  – .desktop file format is part of freedesktop.org specifications
■ Or use .profile, .bash_profile...
■ Script could download remote access trojan from the web, or just copy one from the USB drive

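Because these persistence locations are writable without root, they are worth auditing. The following Python is an added example, not code from the talk: it parses the `[Desktop Entry]` group of each file in an autostart directory and flags `Exec` lines that point at removable media, at programs outside system directories, or at inline shell commands, and it scans shell profile text for removable-media paths. The mount roots, trusted prefixes, function names and sample entries are assumptions constructed for illustration.

```python
import os
import shlex
import tempfile

REMOVABLE = ("/media/", "/run/media/", "/mnt/")   # assumed mount roots
SYSTEM = ("/usr/", "/bin/", "/sbin/", "/opt/")    # assumed trusted roots
SHELLS = {"sh", "bash", "dash", "zsh"}


def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = (line == "[Desktop Entry]")
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry


def assess_exec(exec_line):
    """Return the reasons an Exec line deserves a closer look."""
    try:
        # shlex is an approximation of the Desktop Entry quoting rules.
        argv = shlex.split(exec_line)
    except ValueError:
        return ["Exec line does not parse as a command line"]
    if not argv:
        return []
    reasons, prog = [], argv[0]
    if os.path.basename(prog) in SHELLS and "-c" in argv[1:]:
        reasons.append("runs an inline shell command (-c)")
    for arg in argv:
        if any(root in arg for root in REMOVABLE):
            reasons.append("references removable media: " + arg)
    if os.path.isabs(prog) and not prog.startswith(SYSTEM):
        reasons.append("program is outside system directories: " + prog)
    return reasons


def audit_autostart(directory):
    """Return {filename: [reasons]} for enabled autostart entries."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".desktop"):
            continue
        path = os.path.join(directory, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            entry = parse_desktop_entry(fh.read())
        if entry.get("Hidden", "false").lower() == "true":
            continue  # the autostart spec treats Hidden=true as disabled
        reasons = assess_exec(entry.get("Exec", ""))
        if reasons:
            findings[name] = reasons
    return findings


def audit_profile(text):
    """Return (line number, line) pairs in a shell profile that touch removable media."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if not line.lstrip().startswith("#")
            and any(root in line for root in REMOVABLE)]


def write_constructed_sample(directory):
    """Write constructed autostart entries used to exercise the audit."""
    head = "[Desktop Entry]\nType=Application\n"
    samples = {
        "tracker.desktop": head + "Name=Indexer\nExec=/usr/bin/tracker-miner-fs\n",
        "updater.desktop": head + "Name=Updater\nExec=/media/USBDISK/run.sh\n",
        "helper.desktop": head + 'Name=Helper\nExec=sh -c "$HOME/.cache/.x &"\n',
        "old.desktop": head + "Hidden=true\nExec=/media/USBDISK/old.sh\n",
    }
    for name, body in samples.items():
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_sample(tmp)
        for name, reasons in audit_autostart(tmp).items():
            print(name, "->", "; ".join(reasons))
```

Point `audit_autostart` at `~/.config/autostart` and pass the contents of `~/.profile` or `~/.bash_profile` to `audit_profile` to review a real account.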
32. evince vulnerabilities
■ Vulnerabilities in handling external font files for DVI documents (CVE-2010-2640, CVE-2010-2641, CVE-2010-2642, CVE-2010-2643)
■ http://www.ubuntu.com/usn/usn-1035-1
■ DVI files are generated from LaTeX documents
■ DVI files can reference external fonts that get loaded when the DVI file is processed
■ External fonts can be specified with an absolute path (/media/XXX)
■ Easier to exploit from USB than any remote vector...

33. CVE-2010-2640 – PK font parsing

34. CVE-2010-2640

35. CVE-2010-2640
■ So we can write an arbitrary value to a semi-arbitrary location in memory
■ We don't know where the stack is, can't overwrite the return address
■ The write is relative to the heap, so ASLR won't impact our ability to overwrite a function pointer on the heap

36. CVE-2010-2640

37. CVE-2010-2640
■ We can overwrite ptr->info.lookup with the address of system() in libc
■ name is a string representing the font file it's looking for
■ To write this exploit:
  – figure out what cc needs to be so that w, h, x, or y overwrites ptr->info.lookup for one of the fonts
  – specify that cc value for the first font, and put the address of system() in w, h, x, y
  – for the 2nd font, specify the name to be /media/XXX/kill.sh, where XXX is volume name of USB device
  – /media/XXX/kill.sh can be a shell script to do whatever you want – mine kills the screensaver

38. Problems...
■ AppArmor will prevent loading a .pk600 file, but creating a symlink from the .pk600 file to a file ending in .png will get around this restriction
■ AppArmor won't let you execute a process
■ How do we get around this?
  – Write a ROP 2nd stage shellcode loader
  – mmap/open/read
  – AppArmor won't let you map executable files, but you can create an anonymous W+X mapping
  – 2nd stage shellcode can search for X11 library, use X11 APIs to enumerate root windows then kill the one labeled "gnome-screensaver"
■ Still working on it...

39. Demo!

40. Conclusion
■ It's possible for software vulnerabilities to be used for autorun attacks against Linux
■ Not just GNOME, KDE has similar functionality
■ Recommendations:
  – Disable auto-mounting and auto-browsing of removable storage and media
  – Disable thumbnailing of files
  – Make use of technologies like AppArmor to provide enhanced protection for desktop user interface processes
  – PaX (grsecurity) offer more bits of entropy for ASLR than the default Linux kernel and other security features
  – Use a 64 bit OS, which makes it even harder to brute force ASLR