Elegant 0-day unicorn underscores “serious concerns” about Linux security

Enlarge / A screenshot showing an exploit that takes full control of a fully updated version of Fedora. (credit: Chris Evans)

Recently released exploit code makes people running fully patched versions of Fedora and other Linux distributions vulnerable to drive-by attacks that can install keyloggers, backdoors, and other types of malware, a security researcher says.

One of the exploits—which targets a memory corruption vulnerability in the GStreamer framework that by default ships with many mainstream Linux distributions—is also noteworthy for its elegance. To wit: it uses a rarely seen approach to defeat address space layout randomization and data execution prevention, which are two of the security protections built in to Linux to make software exploits harder to carry out. ASLR randomizes the locations in computer memory where software loads specific chunks of code. As a result, code that exploits existing flaws often results in a simple computer crash rather than a catastrophic system compromise. Meanwhile, DEP, which is often referred to as NX or No-Execute, blocks the execution of code that such exploits load into memory.

Unlike most ASLR and DEP bypasses, the one folded into the GStreamer exploit doesn’t rely on code to manipulate the memory layout or other environmental variables. Instead, it painstakingly arranges the bytes of code in a way that completely disables the protections. And by eliminating the need for JavaScript or other memory-massaging code to execute on a targeted computer, it’s possible to carry out attacks that otherwise wouldn’t be possible. Chris Evans, the security researcher who developed the exploit, describes the challenge as “a real beast.”

Read 6 remaining paragraphs | Comments