Elegant 0-day unicorn underscores “serious concerns” about Linux security

Scriptless exploit bypasses state-of-the-art protections baked into the OS. Recently released exploit code makes people running fully patched versions of Fedora and other Linux distributions vulnerable to drive-by attacks that can install keyloggers, backdoors, and other types of malware, a security researcher says.

One of the exploits—which targets a memory corruption vulnerability in the GStreamer framework that by default ships with many mainstream Linux distributions—is also noteworthy for its elegance. To wit: it uses a rarely seen approach to defeat address space layout randomization and data execution prevention, which are two of the security protections built in to Linux to make software exploits harder to carry out. ASLR randomizes the locations in computer memory where software loads specific chunks of code. As a result, code that exploits existing flaws often results in a simple computer crash rather than a catastrophic system compromise. Meanwhile, DEP, which is often referred to as NX or No-Execute, blocks the execution of code that such exploits load into memory. (Ars Technology Editor Peter Bright has much more about ASLR and DEP here.)

Unlike most ASLR and DEP bypasses, the one folded into the GStreamer exploit doesn’t rely on code to manipulate the memory layout or other environmental variables. Instead, it painstakingly arranges the bytes of code in a way that completely disables the protections. And by eliminating the need for JavaScript or other memory-massaging code to execute on a targeted computer, it’s possible to carry out attacks that otherwise wouldn’t be possible. Chris Evans, the security researcher who developed the exploit, describes the challenge as “a real beast.”

“This was a fairly ridiculous exploit,” he wrote in a blog post published Monday. “But it was worth doing because it’s proof that scriptless exploits are possible, even within the context of decent 64-bit ASLR. It was possible to commandeer memory reads, writes and even additions within the decoder loop to slowly but surely advance the exploit and gain control.”

Dan Rosenberg, a senior researcher at Azimuth Security who specializes in Linux exploit prevention, agreed. In an e-mail, he wrote:

This exploit is impressive because it manages to bypass modern protections such as ASLR and NX without being able to programmatically interact with the target software.

To elaborate, when attacking a browser vulnerability, an exploit can use JavaScript to influence the memory layout of the target during the exploitation process. Similarly, when exploiting a local kernel vulnerability, an exploit can make system calls to influence the target environment. This case is different, because the exploit is a single media file, so the attacker doesn’t have any opportunity to make adjustments on-the-fly during the course of the exploit.

Evans went on to release an exploit in the form of this FLAC media file that works on the default version of Fedora version 24 running the most up-to-date version of GStreamer. He said it would have been easier to write the exploit for Ubuntu because it “has problems with missing defenses such as ASLR, RELRO, etc., even in the latest 16.04 LTS release.” Still, the exploit he published would have to be rewritten for it to work against anything other than Fedora 24. While the attack exploits a vulnerability in the GStreamer decoder for the FLIC file format, Evans said it targets binary code contained in the Rhythmbox media player. The Totem media player could be targeted in a similar way.

The exploit is mostly of academic or research interest rather than having immediate practical significance because it has to be extensively rewritten to work on different Linux distributions. Combined with the relatively small number of people who play media files on any distribution of Linux, that means it’s highly unlikely that anyone will actively exploit the vulnerability. Still, with a little work, the attack Evans published for Fedora could be fashioned into a “full serious drive-by download exploit” when combined with a separate exploit he released last week for Google’s Chrome browser running on that Linux distribution. With more tweaking still, the exploits will work on non-Fedora distributions as well, at least until patches are released. On Tuesday, shortly before this post went live, maintainers of Ubuntu issued fixes, and more distributions are likely to follow in the coming hours or days.

And that means that the research is important for the long-term security of Linux. Asked why he devoted so much time to the project, Evans wrote:

“From a technical perspective, I’d say this is a continuation in proving that there are usually subtle ways to exploit almost any vulnerability. From a broader perspective, I think there are serious concerns about the state of security on the Linux desktop. Is there much proactive work going on to improve it, or are the Linux vendors mainly reactive?”

Source:https://arstechnica.com

Alisa Esage G

Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.

Elegant 0-day unicorn underscores “serious concerns” about Linux security

A Malware That EDR Can’t See?If You Rely on Antivirus for Protection, Read This Before It’s Too Late!

WinRAR and ZIP File Exploits: This ZIP File Hack Could Let Malware Bypass Your Antivirus

5 Techniques Hackers Use to Jailbreak ChatGPT, Gemini, and Copilot AI systems

This Hacker Toolkit Can Breach Any Air-Gapped System – Here’s How It Works

Hacking Pagers to Explosions: Israel’s Covert Cyber-Physical Sabotage Operation Against Hezbollah!

Five Techniques for Bypassing Microsoft SmartScreen and Smart App Control (SAC) to Run Malware in Windows

How Millions of Phishing Emails were Sent from Trusted Domains: EchoSpoofing Explained

How to implement Principle of Least Privilege(Cloud Security) in AWS, Azure, and GCP cloud

TunnelCrack: Two serious vulnerabilities in VPNs discovered, had been dormant since 1996

How to easily hack TP-Link Archer AX21 Wi-Fi router

US Govt wants new label on secure IoT devices or wants to discourage use of Chinese IoT gadgets

24,649,096,027 (24.65 billion) account usernames and passwords have been leaked by cyber criminals till now in 2022

How Chinese APT hackers stole Lockheed Martin F-35 fighter plane to develop its own J-20 stealth fighter aircraft [VIDEO]

Hackers Can Manipulate Your Heart Rate Monitor – Unbelievable Security Flaw!

FortiGate Firewalls Zero-Day Chaos: How Hackers Are Gaining Control of Firewalls Worldwide – Is Your Network at Risk?

How Hackers Can Hijack Your Device Without You Knowing – MediaTek’s RCE Flaw Explained

Hacking Active Directory: Learn How LDAPNightmare Flaw Shuts Down AD Services

PAN-OS DoS Flaw: Is Your Network at Risk? Learn How to Secure It Now!

A Malware That EDR Can’t See?If You Rely on Antivirus for Protection, Read This Before It’s Too Late!

WinRAR and ZIP File Exploits: This ZIP File Hack Could Let Malware Bypass Your Antivirus

5 Techniques Hackers Use to Jailbreak ChatGPT, Gemini, and Copilot AI systems

This Hacker Toolkit Can Breach Any Air-Gapped System – Here’s How It Works

Hacking Pagers to Explosions: Israel’s Covert Cyber-Physical Sabotage Operation Against Hezbollah!

Five Techniques for Bypassing Microsoft SmartScreen and Smart App Control (SAC) to Run Malware in Windows

How Millions of Phishing Emails were Sent from Trusted Domains: EchoSpoofing Explained

How to implement Principle of Least Privilege(Cloud Security) in AWS, Azure, and GCP cloud

The 11 Essential Falco Cloud Security Rules for Securing Containerized Applications at No Cost

Hack-Proof Your Cloud: The Step-by-Step Continuous Threat Exposure Management CTEM Strategy for AWS & AZURE

A Malware That EDR Can’t See?If You Rely on Antivirus for Protection, Read This Before It’s Too Late!

Top 2 Malicious Python Packages You Must Avoid! Zebo-0.1.0 & Cometlogger-0.1

This Hacker Toolkit Can Breach Any Air-Gapped System – Here’s How It Works

Hackers’ Guide to Rogue VM Deployment: Lessons from the MITRE hack

Eternal Malware: CVE-2024-3400 Rootkits Persist Through Palo Alto Firewalls Updates and Resets

Cyber Security Channel

US Govt wants new label on secure IoT devices or wants to discourage use of Chinese IoT gadgets

24,649,096,027 (24.65 billion) account usernames and passwords have been leaked by cyber criminals till now in 2022

How Chinese APT hackers stole Lockheed Martin F-35 fighter plane to develop its own J-20 stealth fighter aircraft [VIDEO]