Researcher Demonstrates USB Autorun Attack on Linux

A security researcher has demonstrated an USB device-based attack against Linux systems that is similar in concept to the Windows LNK exploit.

Jon Larimer, a senior researcher with IBM's X-Force Advanced Research team held a presentation about USB attacks on Linux at the ShmooCon 2011 security conference.

His talk focused on thumbnailers, the components responsible for generating previews in file managers, and how vulnerabilities affecting them can be exploited.

Larimer demonstrated an attack by exploiting a vulnerability in the evince-thumbnailer, a component used for icon rendering by the GNOME evince document viewer.

The vulnerability, identified as CVE-2010-2640, was fixed at the beginning of January, but his test system was left unpatched for the demo.

The exploitation occurred when a specially crafted USB drive was inserted into a system with a locked Ubuntu installation. The lock screensaver disappeared and the user's desktop was revealed.

An attack like this one normally requires bypassing the ASLR and AppArmor security mechanisms and techniques used to achieve this were discussed separately.

"While the demo was kind of weak (I disabled ASLR and AppArmor to ensure the demo would work quickly), it did illustrate that it is possible to perform autorun-like attacks against Linux to execute arbitrary code and gain access to machines that you otherwise could not," says the security researcher.

In fact, because it leverages a vulnerability and not a feature like AutoRun, the attack is much more similar to the LNK exploit used by the Stuxnet malware.

That exploit targeted a vulnerability in the way Windows processed shortcuts and allowed the execution of arbitrary code by simply browsing to a folder that contained a specially crafted LNK file.

Multiple strains of malware have since adopted the exploit and are still using it, despite the vulnerability being long patched. In addition, Microsoft pushed an optional update yesterday to restrict the AutoRun functionality, therefore blocking another widely used USB attack vector.

Hot right now  ·  Latest news