14 DAY TRIAL // Linux is generally referred to as a more secure operating system and it happens for a good reason: the number of hacks, malware, and vulnerabilities that can be used to compromise a Linux machine is substantially smaller than in the case of Windows, and it’s all thanks to security features that are baked into the OS.
But security researcher Chris Evans says that it’s easier than most of us think to break into a Linux system and all you need is a scriptless exploit.
How it works
First of all, some context. Evans says that his exploit attempts to use a memory corruption vulnerability in the GStreamer framework that’s available in the majority of Linux distributions - his demonstration, however, was made on Fedora.
The exploit bypasses two of the security systems that are integrated into Linux, namely address space layout randomization (ASLR) and data execution protection (DEP), which is also known as NX or No-Execute.
Specifically, ASLR’s main purpose is to randomize where code loads into memory, which makes it possible for any active exploit to be less successful and to reduce its impact on the system. At the same time, DEP adds a new protection layer by simply blocking the exploit from loading into memory.
So what the researcher tried to do was to actually bypass these security systems using code that can eventually disable both of them and allow further action on a target machine.
“In order to attack the FLIC decoder, there simply isn’t any scripting opportunity. The attacker gets, once, to submit a bunch of scriptless bytes into the decoder, and try and gain code execution without further interaction... and good luck with that! Welcome to the world of scriptless exploitation in an ASLR environment,” the security researcher explains.
Evan points out that the same vulnerability also exists in Ubuntu 16.04 and in any other distribution with gstreamer installed, but he notes that getting the exploit to work on anything else than Fedora involves quite a lot of work, including optimizing a larger number of heap and code offsets.
“This was a fairly ridiculous exploit. But it was worth doing because it’s proof that scriptless exploits are possible, even within the context of decent 64-bit ASLR. It was possible to commandeer memory reads, writes and even additions within the decoder loop to slowly but surely advance the exploit and gain control,” he explains.
The vulnerability will most likely be patched as soon as possible, but for the moment, it’s important to note that the exploit works exclusively on Fedora.