SlideShare une entreprise Scribd logo

HES2011 - Jon Larimer - Autorun Vulnerabilities on Linux

Hackito Ergo Sum
Hackito Ergo Sum
Technologie
1  sur  40
Télécharger pour lire hors ligne
USB Autorun attacks against Linux Hackito Ergo Sum 2011 / April 9 / Paris, France jlarimer@us.ibm.com Jon Larimer jlarimer@gmail.com IBM X-Force Advanced R&D
Autorun malware ■ On Windows, the autorun.inf file could be used to automatically launch programs when a CD/Floppy/USB driver was inserted ■ Many people disable this feature now! ■ Windows 7 changed how AutoRun works from USB drives ■ Malware and hackers could still take advantage of vulnerabilities... –LNK vulnerability (Stuxnet) –PDF previews –Embedded BMP thumbnail vulnerability © 2011 IBM Corporation
Autorun malware on Linux? ■ Some desktop environments support autorun scripts on external media ■ freedesktop.org specifications allow: .autorun, autorun, autorun.sh ■ Specs specifically forbid running these scripts automatically – the desktop environment should always ask ■ What about taking advantage of security vulnerabilities? © 2011 IBM Corporation
Autorun vulnerabilities ■ Lots of code executes when a new mass storage device is connected... ■ Removable storage subsystem drivers –USB, SecureDigital, eSATA, FireWire, PCMCIA ■ File system drivers –Kernel drivers: ext3, ext4, etc –User mode (FUSE) drivers: ntfs-3g ■ Desktop applications –Desktop file browsers, thumbnailers ■ Vulnerabilities could exist at any of these layers! © 2011 IBM Corporation
Attacks on physical systems ■ Physical access is 'game over' ■ What about full disk encryption? ■ IEEE 1394 (FireWire) DMA physical memory access –Requires FireWire port and drivers ■ Cold boot attack –Requires being able to boot from external media, stealing the RAM, or swapping out an internal drive ■ Removable storage attacks! –Most desktop OS's will automatically mount file systems on USB –Physical access not really necessary, just find someone to plug a device into their PC –If an exploit runs while the PC is already booted and the user is logged on, full disk encryption could be defeated © 2011 IBM Corporation
USB on Linux ■ usbcore in drivers/usb/core ■ Host controller driver framework is drivers/usb/core/hdc.c –UHCI: drivers/usb/host/usb-uhci.c –EHCI: drivers/usb/host/usb-ehci.c ■ Hub driver in drivers/usb/core/hub.c ■ Interface drivers register by calling usb_register() or usb_register_driver(), specifying which vendor/product IDs they work with ■ drivers/core/usb/driver.c usb_match_id() takes care of the matching, then the driver is loaded © 2011 IBM Corporation
USB Vulnerabilities on Linux ■ MWR InfoSecurity Auerswald Linux USB driver bug, 2009 –Driver provides support for Auerswald USB ISDN devices –Had a problem handing USB descriptors, resulting in a buffer overflow ■ Fuzzing USB drivers –Mortiz Jodiet – hardware+software (2009) –Tobias Mueller – QEMU-based fuzzer (2010) ■ Vulnerabilities in USB drivers can be exploited with cheap, small, off-the-shelf programmable USB development boards © 2011 IBM Corporation
USB mass storage on Linux ■ Storage class driver in drivers/usb/storage/usb.c ■ storage_probe() –Sets up a SCSI host structure –adds SCSI host to SCSI subsystem –scsiglue.c and protocol.c take care of converting SRBs to URBs for the USB drivers ■ SCSI subsystem adds a block device (/dev/sdb) ■ udev is notified © 2011 IBM Corporation
udev, udisks, and D-Bus ■ udev –device manager for Linux –adds/remove entries in /dev –can trigger events based on rules or through a netlink socket ■ D-Bus –IPC mechanism –allows applications to register for system device events ■ udisks –provides a D-Bus interface for dealing with disk devices –uses GUdev library (part of udev) to subscribe to udev events through a netlink socket, republishes them through D-Bus © 2011 IBM Corporation
File systems in Linux ■ Traditionally lived in fs/ branch of kernel source tree ■ File systems operate between low level disk bus drivers and virtual file system ■ FUSE – file system in userspace ■ GVFS – GNOME Virtual File System –not a traditional file system –can only be access through GVFS, GIO, or the ~/.gvfs FUSE mountpoint –Can access also access files through SMB, FTP, DAV, etc © 2011 IBM Corporation
File system driver vulnerabilities ■ Vulnerabilities in FS drivers could be exploited by malformed FS images on a USB drive ■ Successfully exploited vulnerabilities result in root access – file system drivers run in kernel mode ■ User mode file system driver exploits run in the context of whoever mounted the volume ■ Would be considered a 'local' kernel-mode bug because it requires physical access ■ For the purpose of exploitation, it can be considered remote since you don't already have access to the OS © 2011 IBM Corporation
Finding file system driver vulns ■ Manually auditing the code (read The Art of Software Security Assessment by Dowd/McDonald/Schuh) –Concentrate on how structures on disk sectors are parsed ■ Static code analysis (lint, clang static analyzer, etc) ■ Fuzzing –In Linux, any block device (including a file) can be mounted as a volume –Write code to modify a FS image, mount, perform various operations, then unmount –Fuzz smarter by understanding FS structure, use code coverage/taint analysis tools ■ Automatically Generating Malicious Disks using Symbolic Execution (Stanford, 2006) © 2011 IBM Corporation
GNOME Nautilus ■ GNOME Nautilus is the file browser used by Ubuntu Desktop Linux10.10 ■ Supports most of the freedesktop.org specifications ■ Will automatically mount known file systems on USB drives by default –Volume mounted in /media/XXX, where XXX is the volume name ■ Will automatically open a browsing window when a new file system is mounted ■ File browsing window will generate thumbnails for all files in the root directory of the device ■ It does this even with the screensaver running and locked! © 2011 IBM Corporation
GNOME Nautilus file browser © 2011 IBM Corporation
Nautilus thumbnail/media settings © 2011 IBM Corporation
GNOME Nautilus operation ■ Detects when new storage devices are connected ■ Uses GVFS to access browse file systems over SMB, FTP, DAV, etc ■ Uses GVFS to be notified of newly mounted file systems © 2011 IBM Corporation
GNOME Nautilus – thumbnailers ■ Nautilus will generate thumbnail images for images, movies, documents, and other file types to use as icons in the file browser ■ Settings stored in gconf system ■ Image icons generated internally using GdkPixBuf ■ Also allows 3rd party icon handlers –evince-thumbnailer: document files –totem-video-thumbnailer: video and audio files –gnome-thumbnail-font: font files ■ Thumbnails cached in ~/.thumbnails/normal © 2011 IBM Corporation
GdkPixBuf thumbnails ■ Relies on some 3rd party libraries for some image formats (libpng, libtiff, libjpeg) ■ All 3 of those libraries have had security vulnerabilities before... ■ Contains built-in code for other formats (bmp, gif, ico, tga, xpm, and others) ■ Full list of supported extensions (in Ubuntu 10.10): –wmf, apm, ani, bmp, gif, icns, ico, cur, jp2, jpc, jpx, j2k, jpf, jpeg, jpe, jpg, pcx, png, pnm, pbm, pgm, ppm, qtif, qif, ras, svg, tga, targa, tiff, tif, wbmp, xbm © 2011 IBM Corporation
Exploiting bugs in GdkPixBuf ■ Thumbnailing happens in the Nautilus process ■ If the process crashes, the file browsing window goes away ■ Difficult to defeat NX and ASLR (can't brute force against ASLR...) ■ Nautilus isn't protected by AppArmor © 2011 IBM Corporation
Nautilus external thumbnail settings © 2011 IBM Corporation
External thumbnailers ■ Configured with gconf: –gconftool –R /desktop/gnome/thumbnailers ■ Example: –/usr/bin/totem-video-thumbnailer -s %s %u %o • %s = size • %u = input file • %o = output file ■ Nautilus looks up thumbnailer application for each file based on the MIME type ■ Separate process is launched for each file that gets thumbnailed © 2011 IBM Corporation
evince-thumbnailer ■ Part of GNOME evince, the document reader ■ Supports file types: –pdf, djvu, djv, pdf.bz2, cbr, cbz, cbt, dvi, pdf.gz, ps.bz2, ps, ps.gz, eps.bz2, epsi.bz2, epsf.bz2, eps, epsi, epsf, dvi.gz, dvi.bz2, eps.gz, epsi.gz, epsf.gz, cb7 ■ Renders the first page of a document to use as the icon ■ Relies on 3rd party libraries for some formats, internal code for others ■ Protected with PIE, AppArmor © 2011 IBM Corporation
totem-video-thumbnailer ■ totem-video-thumbnailer thumbnails these extensions: –anim[1-9j], mp4, m4v, m2t, m2ts, ts, mts, cpi, clpi, mpl, mpls, bdm, bdmv, asf, ogx, shn, mxf, gvp, avi, divx, qt, mov, moov, qtvr, wmv, webm, wmx, ra, rm, ram, ogv, ram, mpeg, mpg, mp2, mpe, vob, dv, mkv, wpl, fli, rm, rmj, rmm, rms, rmx, rmvb, wvx, rv, rvx, rp, flv, pict, pict1, pict2, nsc, fli, flc, wm, sdp, qtl, 3gp, 3g2, 3gpp, 3ga, nsv, viv, vivo ■ Relies on many 3rd party libraries ■ Not protected by PIE or AppArmor! © 2011 IBM Corporation
gnome-thumbnail-font ■ Provides thumbnails for: –ttf, ttc, otf, pfa, pfb, gsf, pcf, pcf.Z, pcf.gz ■ Uses the FreeType library for rendering fonts ■ There have been vulnerabilities in FreeType reported in the past ■ Not protected by PIE or AppArmor! © 2011 IBM Corporation
What about mitigations? ■ Ubuntu 10.10 has many security features and exploit mitigations in place by default ■ NX (non-executable memory), ASLR (address space layout randomization) on everything, PIE (position independent executable) on some files ■ AppArmor – kind of a firewall for system calls ■ NX is not very effective, attackers can use ret2libc or return- oriented-programming (ROP) exploitation techniques ■ ASLR mitigates ROP... ■ AppArmor can be tough to defeat, but there are weaknesses –Protection is defined by per-application profiles –There are some things AppArmor can't protect against © 2011 IBM Corporation
Defeating ASLR/PIE ■ ASLR can be brute-forced ■ External thumbnailers are launched as a separate process for each file –If the process crashes, the other files will continue to be thumbnailed ■ Figure out which addresses libc (or other target library) can be loaded at ■ There are only around ~3000 addresses that will be used with the standard Linux kernel ASLR implementation on 32 bit systems ■ Sometimes less are needed... © 2011 IBM Corporation
Count 100 120 20 40 60 80 0 00236000 0046B000 004E4000 00538000 00583000 005C5000 0060A000 0064C000 00691000 006D3000 00713000 00753000 00796000 007D6000 00818000 00857000 00896000 008D8000 00916000 00954000 00992000 009D0000 00A0E000 00A4C000 00A8A000 ASLR Weaknesses? 00AC8000 00B06000 Address thumbnailer 00B44000 00B82000 00BC0000 00BFE000 00C3C000 00C7A000 00CB8000 00CF6000 00D34000 00D72000 00DB0000 00DEE000 00E2C000 Base address of libc per 40960 runs of evince- 00E6A000 00EA8000 00EE6000 00F24000 00F62000 00FA0000 00FDE000 0410E000 0C893000 14DE6000 1D4C0000 © 2011 IBM Corporation
Defeating AppArmor ■ AppArmor is only as strong as the application's profile –evince-thumbnailer's profile used to allow writing to ~/.config/autostart –Could be used to install malware to start when the user logs in –See https://code.launchpad.net/bugs/698194 ■ There are some things that AppArmor can't protect against –X11 library calls (could block network access in some cases) –Kill screensaver, sniff keystrokes, inject keystrokes, etc © 2011 IBM Corporation
Autorun exploit payloads? ■ Copy files from the user's home directory – useful for defeating full disk encryption, TrueCrypt, etc –Get browser cookies, documents ■ Kill screensaver process –killall gnome-screensaver –Gives you full access to the user's desktop ■ Install a backdoor –Add script to ~/.bash_profile, ~/.profile –Add desktop file to ~/.config/autostart ■ Elevate privileges –Install rootkit © 2011 IBM Corporation
Killing the screensaver ■ The screen saver is just a process that runs as a window at the top of the X11 window tree ■ killall gnome-screensaver will kill the process, bypassing the authentication dialog ■ Alternatively, locate the X11 library in the process and use that to kill the screen saver window: –XOpenDisplay(":0.0") –XQueryTree() to enumerate windows –XFetchName() to look for "gnome-screensaver" –XKillClient() to terminate the process © 2011 IBM Corporation
Install a backdoor? ■ Can be done without root ■ ~/.config/autostart is analogous to the Windows "Startup" folder –Drop a shortcut there (.desktop file) that points to a script and it'll be launched whenever the user logs in –.desktop file format is part of freedesktop.org specifications ■ Or use .profile, .bash_profile... ■ Script could download remote access trojan from the web, or just copy one from the USB drive © 2011 IBM Corporation
evince vulnerabilities ■ Vulnerabilities in handling external font files for DVI documents (CVE-2010-2640, CVE-2010-2641, CVE- 2010-2642, CVE-2010-2643) ■ http://www.ubuntu.com/usn/usn-1035-1 ■ DVI files are generated from LaTeX documents ■ DVI files can reference external fonts that get loaded when the DVI file is processed ■ External fonts can be specified with an absolute path (/media/XXX) ■ Easier to exploit from USB than any remote vector... © 2011 IBM Corporation
CVE-2010-2640 – PK font parsing © 2011 IBM Corporation
CVE-2010-2640 © 2011 IBM Corporation
CVE-2010-2640 ■ So we can write an arbitrary value to a semi-arbitrary location in memory ■ We don't know where the stack is, can't overwrite the return address ■ The write is relative to the heap, so ASLR won't impact our ability to overwrite a function pointer on the heap © 2011 IBM Corporation
CVE-2010-2640 © 2011 IBM Corporation
CVE-2010-2640 ■ We can overwrite ptr->info.lookup with the address of system()in libc ■ name is a string representing the font file it's looking for ■ To write this exploit: –figure out what cc needs to be so that w, h, x, or y overwrites ptr->info.lookup for one of the fonts –specify that cc value for the first font, and put the address in system in w, h, x, y –for the 2nd font, specify the name to be /media/XXX/kill.sh, where XXX is volume name of USB device –/media/XXX/kill.sh can be a shell script to do whatever you want – mine kills the screensaver © 2011 IBM Corporation
Problems... ■ AppArmor will prevent loading a .pk600 file, but creating a symlink from the .pk600 file to a file ending in .png will get around this restriction ■ AppArmor won't let you execute a process ■ How do we get around this? –Write a ROP 2nd stage shellcode loader –mmap/open/read –AppArmor won't let you map executable files, but you can create an anonymous W+X mapping –2nd stage shellcode can search for X11 library, use X11 APIs to enumerate root windows then kill the one labeled "gnome-screensaver" ■ Still working on it... © 2011 IBM Corporation
Demo! DEMO DEMO DEMO © 2011 IBM Corporation
Conclusion ■ It's possible for software vulnerabilities to be used for autorun attacks against Linux ■ Not just GNOME, KDE has similar functionality ■ Recommendations: –Disable auto-mounting and auto-browsing of removable storage and media –Disable thumbnailing of files –Make use of technologies like AppArmor to provide enhanced protection for desktop user interface processes –PaX (grsecurity) offer more bits of entropy for ASLR than the default Linux kernel and other security features –Use a 64 bit OS, which makes it even harder to brute force ASLR © 2011 IBM Corporation

Recommandé

Information Computer Technology Handouts (Part I)
Information Computer Technology Handouts (Part I)Information Computer Technology Handouts (Part I)
Information Computer Technology Handouts (Part I)ella dimaiwat
 
Unix Security
Unix SecurityUnix Security
Unix SecurityKumar Setty, HCISPP, CISA, CCSK, ITIL, CHSP
 
Nim
NimNim
Nimmuhammad adeel
 
Introduction to Linux Kernel
Introduction to Linux KernelIntroduction to Linux Kernel
Introduction to Linux KernelStryker King
 
Linux [2005]
Linux [2005]Linux [2005]
Linux [2005]Raul Soto
 
Ch12
Ch12Ch12
Ch12Raja Waseem Akhtar
 
K04 software
K04 softwareK04 software
K04 softwareCoky Fauzi Alfi
 
Linux Disaster Recovery Best Practices with rear
Linux Disaster Recovery Best Practices with rearLinux Disaster Recovery Best Practices with rear
Linux Disaster Recovery Best Practices with rearGratien D'haese
 

Recommandé

Information Computer Technology Handouts (Part I)
Information Computer Technology Handouts (Part I)Information Computer Technology Handouts (Part I)
Information Computer Technology Handouts (Part I)ella dimaiwat
 
Unix Security
Unix SecurityUnix Security
Unix SecurityKumar Setty, HCISPP, CISA, CCSK, ITIL, CHSP
 
Nim
NimNim
Nimmuhammad adeel
 
Introduction to Linux Kernel
Introduction to Linux KernelIntroduction to Linux Kernel
Introduction to Linux KernelStryker King
 
Linux [2005]
Linux [2005]Linux [2005]
Linux [2005]Raul Soto
 
Ch12
Ch12Ch12
Ch12Raja Waseem Akhtar
 
K04 software
K04 softwareK04 software
K04 softwareCoky Fauzi Alfi
 
Linux Disaster Recovery Best Practices with rear
Linux Disaster Recovery Best Practices with rearLinux Disaster Recovery Best Practices with rear
Linux Disaster Recovery Best Practices with rearGratien D'haese
 
P05-slides
P05-slidesP05-slides
P05-slidesIsaac (.ike) Levy
 
Linux Disaster Recovery Made Easy
Linux Disaster Recovery Made EasyLinux Disaster Recovery Made Easy
Linux Disaster Recovery Made EasyNovell
 
Unix seminar
Unix seminarUnix seminar
Unix seminarAjeet Kushwaha
 
Unix memory management
Unix memory managementUnix memory management
Unix memory managementTech_MX
 
Linux Disaster Recovery Solutions
Linux Disaster Recovery SolutionsLinux Disaster Recovery Solutions
Linux Disaster Recovery SolutionsGratien D'haese
 
UNIX Operating System
UNIX Operating SystemUNIX Operating System
UNIX Operating SystemFatima Qayyum
 
Cfg2html fosdem2014
Cfg2html fosdem2014Cfg2html fosdem2014
Cfg2html fosdem2014Gratien D'haese
 
Usenix Invited Talk
Usenix Invited TalkUsenix Invited Talk
Usenix Invited Talkwebhostingguy
 
Unix lecture1
Unix lecture1Unix lecture1
Unix lecture1dolleyj
 
LinuxTag2012 Rear
LinuxTag2012 RearLinuxTag2012 Rear
LinuxTag2012 RearGratien D'haese
 
BrainShare 2010 SLC - ELS306 Linux Disaster Recovery Made Easy
BrainShare 2010 SLC - ELS306 Linux Disaster Recovery Made EasyBrainShare 2010 SLC - ELS306 Linux Disaster Recovery Made Easy
BrainShare 2010 SLC - ELS306 Linux Disaster Recovery Made EasySchlomo Schapiro
 
Intro tounix
Intro tounixIntro tounix
Intro tounixdjprince
 
Introduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsIntroduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsQUONTRASOLUTIONS
 
Desktop Linux - Part 1, Basics
Desktop Linux - Part 1, BasicsDesktop Linux - Part 1, Basics
Desktop Linux - Part 1, BasicsDaniel FitzGerald
 
Intro tounix
Intro tounixIntro tounix
Intro tounixHamza Abdolateef
 
UALUG SFD Pesentation
UALUG SFD PesentationUALUG SFD Pesentation
UALUG SFD PesentationRob Connolly
 
UNIX and Linux - an introduction by Mathias Homann
UNIX and Linux - an introduction by Mathias HomannUNIX and Linux - an introduction by Mathias Homann
UNIX and Linux - an introduction by Mathias HomannMathias Homann
 
Linux 101
Linux 101Linux 101
Linux 101Justin Reock
 
How to install gentoo distributed
How to install gentoo distributedHow to install gentoo distributed
How to install gentoo distributedSongWang54
 
Intro ch 07_a
Intro ch 07_aIntro ch 07_a
Intro ch 07_aQuaid-e-Awam University of Engineering Science and Technology Nawabshah Sindh Pakistan
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolBrent Muir
 
Linux kernel booting
Linux kernel bootingLinux kernel booting
Linux kernel bootingRamin Farajpour Cami
 

Contenu connexe

Tendances

Linux Disaster Recovery Made Easy
Linux Disaster Recovery Made EasyLinux Disaster Recovery Made Easy
Linux Disaster Recovery Made EasyNovell
 
Unix memory management
Unix memory managementUnix memory management
Unix memory managementTech_MX
 
Linux Disaster Recovery Solutions
Linux Disaster Recovery SolutionsLinux Disaster Recovery Solutions
Linux Disaster Recovery SolutionsGratien D'haese
 
UNIX Operating System
UNIX Operating SystemUNIX Operating System
UNIX Operating SystemFatima Qayyum
 
Unix lecture1
Unix lecture1Unix lecture1
Unix lecture1dolleyj
 
BrainShare 2010 SLC - ELS306 Linux Disaster Recovery Made Easy
BrainShare 2010 SLC - ELS306 Linux Disaster Recovery Made EasyBrainShare 2010 SLC - ELS306 Linux Disaster Recovery Made Easy
BrainShare 2010 SLC - ELS306 Linux Disaster Recovery Made EasySchlomo Schapiro
 
Intro tounix
Intro tounixIntro tounix
Intro tounixdjprince
 
Introduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsIntroduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsQUONTRASOLUTIONS
 
Desktop Linux - Part 1, Basics
Desktop Linux - Part 1, BasicsDesktop Linux - Part 1, Basics
Desktop Linux - Part 1, BasicsDaniel FitzGerald
 
UALUG SFD Pesentation
UALUG SFD PesentationUALUG SFD Pesentation
UALUG SFD PesentationRob Connolly
 
UNIX and Linux - an introduction by Mathias Homann
UNIX and Linux - an introduction by Mathias HomannUNIX and Linux - an introduction by Mathias Homann
UNIX and Linux - an introduction by Mathias HomannMathias Homann
 
How to install gentoo distributed
How to install gentoo distributedHow to install gentoo distributed
How to install gentoo distributedSongWang54
 

Tendances (20)

P05-slides
P05-slidesP05-slides
P05-slides
 
Linux Disaster Recovery Made Easy
Linux Disaster Recovery Made EasyLinux Disaster Recovery Made Easy
Linux Disaster Recovery Made Easy
 
Unix seminar
Unix seminarUnix seminar
Unix seminar
 
Unix memory management
Unix memory managementUnix memory management
Unix memory management
 
Linux Disaster Recovery Solutions
Linux Disaster Recovery SolutionsLinux Disaster Recovery Solutions
Linux Disaster Recovery Solutions
 
UNIX Operating System
UNIX Operating SystemUNIX Operating System
UNIX Operating System
 
Cfg2html fosdem2014
Cfg2html fosdem2014Cfg2html fosdem2014
Cfg2html fosdem2014
 
Usenix Invited Talk
Usenix Invited TalkUsenix Invited Talk
Usenix Invited Talk
 
Unix lecture1
Unix lecture1Unix lecture1
Unix lecture1
 
LinuxTag2012 Rear
LinuxTag2012 RearLinuxTag2012 Rear
LinuxTag2012 Rear
 
BrainShare 2010 SLC - ELS306 Linux Disaster Recovery Made Easy
BrainShare 2010 SLC - ELS306 Linux Disaster Recovery Made EasyBrainShare 2010 SLC - ELS306 Linux Disaster Recovery Made Easy
BrainShare 2010 SLC - ELS306 Linux Disaster Recovery Made Easy
 
Intro tounix
Intro tounixIntro tounix
Intro tounix
 
Introduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsIntroduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra Solutions
 
Desktop Linux - Part 1, Basics
Desktop Linux - Part 1, BasicsDesktop Linux - Part 1, Basics
Desktop Linux - Part 1, Basics
 
Intro tounix
Intro tounixIntro tounix
Intro tounix
 
UALUG SFD Pesentation
UALUG SFD PesentationUALUG SFD Pesentation
UALUG SFD Pesentation
 
UNIX and Linux - an introduction by Mathias Homann
UNIX and Linux - an introduction by Mathias HomannUNIX and Linux - an introduction by Mathias Homann
UNIX and Linux - an introduction by Mathias Homann
 
Linux 101
Linux 101Linux 101
Linux 101
 
How to install gentoo distributed
How to install gentoo distributedHow to install gentoo distributed
How to install gentoo distributed
 
Intro ch 07_a
Intro ch 07_aIntro ch 07_a
Intro ch 07_a
 

Similaire à HES2011 - Jon Larimer - Autorun Vulnerabilities on Linux

WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolBrent Muir
 
"Relax and Recover", an Open Source mksysb for Linux on Power
"Relax and Recover", an Open Source mksysb for Linux on Power"Relax and Recover", an Open Source mksysb for Linux on Power
"Relax and Recover", an Open Source mksysb for Linux on PowerSebastien Chabrolles
 
Building Mini Embedded Linux System for X86 Arch
Building Mini Embedded Linux System for X86 ArchBuilding Mini Embedded Linux System for X86 Arch
Building Mini Embedded Linux System for X86 ArchSherif Mousa
 
Security Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsSecurity Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsIgor Beliaiev
 
Unix and Linux Common Boot Disk Disaster Recovery Tools by Dusan Baljevic
Unix and Linux Common Boot Disk Disaster Recovery Tools by Dusan BaljevicUnix and Linux Common Boot Disk Disaster Recovery Tools by Dusan Baljevic
Unix and Linux Common Boot Disk Disaster Recovery Tools by Dusan BaljevicCircling Cycle
 
Linux fundamentals Training
Linux fundamentals TrainingLinux fundamentals Training
Linux fundamentals TrainingLove Steven
 
11. operating-systems-part-1
11. operating-systems-part-111. operating-systems-part-1
11. operating-systems-part-1Muhammad Ahad
 
Lec9chap8f04
Lec9chap8f04Lec9chap8f04
Lec9chap8f04screaminc
 
Problem Reporting and Analysis Linux on System z -How to survive a Linux Crit...
Problem Reporting and Analysis Linux on System z -How to survive a Linux Crit...Problem Reporting and Analysis Linux on System z -How to survive a Linux Crit...
Problem Reporting and Analysis Linux on System z -How to survive a Linux Crit...IBM India Smarter Computing
 
Introduction to linux
Introduction to linuxIntroduction to linux
Introduction to linuxplarsen67
 
The Deck by Phil Polstra GrrCON2012
The Deck by Phil Polstra GrrCON2012The Deck by Phil Polstra GrrCON2012
The Deck by Phil Polstra GrrCON2012Philip Polstra
 
Hacking and Forensics on the Go - 44CON 2012
Hacking and Forensics on the Go - 44CON 2012Hacking and Forensics on the Go - 44CON 2012
Hacking and Forensics on the Go - 44CON 201244CON
 

Similaire à HES2011 - Jon Larimer - Autorun Vulnerabilities on Linux (20)

WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage Tool
 
Linux kernel booting
Linux kernel bootingLinux kernel booting
Linux kernel booting
 
"Relax and Recover", an Open Source mksysb for Linux on Power
"Relax and Recover", an Open Source mksysb for Linux on Power"Relax and Recover", an Open Source mksysb for Linux on Power
"Relax and Recover", an Open Source mksysb for Linux on Power
 
Building Mini Embedded Linux System for X86 Arch
Building Mini Embedded Linux System for X86 ArchBuilding Mini Embedded Linux System for X86 Arch
Building Mini Embedded Linux System for X86 Arch
 
Security Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsSecurity Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and Results
 
Unix and Linux Common Boot Disk Disaster Recovery Tools by Dusan Baljevic
Unix and Linux Common Boot Disk Disaster Recovery Tools by Dusan BaljevicUnix and Linux Common Boot Disk Disaster Recovery Tools by Dusan Baljevic
Unix and Linux Common Boot Disk Disaster Recovery Tools by Dusan Baljevic
 
Linux fundamentals Training
Linux fundamentals TrainingLinux fundamentals Training
Linux fundamentals Training
 
Linux basics
Linux basics Linux basics
Linux basics
 
11. operating-systems-part-1
11. operating-systems-part-111. operating-systems-part-1
11. operating-systems-part-1
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
Linux introduction (eng)
Linux introduction (eng)Linux introduction (eng)
Linux introduction (eng)
 
Before begining linux
Before begining linuxBefore begining linux
Before begining linux
 
Lec9chap8f04
Lec9chap8f04Lec9chap8f04
Lec9chap8f04
 
Problem Reporting and Analysis Linux on System z -How to survive a Linux Crit...
Problem Reporting and Analysis Linux on System z -How to survive a Linux Crit...Problem Reporting and Analysis Linux on System z -How to survive a Linux Crit...
Problem Reporting and Analysis Linux on System z -How to survive a Linux Crit...
 
Linux basics
Linux basicsLinux basics
Linux basics
 
Introduction to linux
Introduction to linuxIntroduction to linux
Introduction to linux
 
The Deck by Phil Polstra GrrCON2012
The Deck by Phil Polstra GrrCON2012The Deck by Phil Polstra GrrCON2012
The Deck by Phil Polstra GrrCON2012
 
Linux basics
Linux basics Linux basics
Linux basics
 
Polstra 44con2012
Polstra 44con2012Polstra 44con2012
Polstra 44con2012
 
Hacking and Forensics on the Go - 44CON 2012
Hacking and Forensics on the Go - 44CON 2012Hacking and Forensics on the Go - 44CON 2012
Hacking and Forensics on the Go - 44CON 2012
 

Plus de Hackito Ergo Sum

HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talkHES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talkHackito Ergo Sum
 
HES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
HES2011 - Jon Oberheide and Dan Rosenberg - StackjackingHES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
HES2011 - Jon Oberheide and Dan Rosenberg - StackjackingHackito Ergo Sum
 
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profitHES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profitHackito Ergo Sum
 
HES2011 - Sebastien Tricaud - Capture me if you can
HES2011 - Sebastien Tricaud - Capture me if you canHES2011 - Sebastien Tricaud - Capture me if you can
HES2011 - Sebastien Tricaud - Capture me if you canHackito Ergo Sum
 
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum CrackmeHES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum CrackmeHackito Ergo Sum
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHackito Ergo Sum
 
HES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARF
HES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARFHES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARF
HES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARFHackito Ergo Sum
 
HES2011 - joernchen - Ruby on Rails from a Code Auditor Perspective
HES2011 - joernchen - Ruby on Rails from a Code Auditor PerspectiveHES2011 - joernchen - Ruby on Rails from a Code Auditor Perspective
HES2011 - joernchen - Ruby on Rails from a Code Auditor PerspectiveHackito Ergo Sum
 
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...Hackito Ergo Sum
 
HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X Sandbox
HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X SandboxHES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X Sandbox
HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X SandboxHackito Ergo Sum
 
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7Hackito Ergo Sum
 
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...Hackito Ergo Sum
 
HES2011 - Itzik Kolter - Let me Stuxnet You
HES2011 - Itzik Kolter - Let me Stuxnet YouHES2011 - Itzik Kolter - Let me Stuxnet You
HES2011 - Itzik Kolter - Let me Stuxnet YouHackito Ergo Sum
 

Plus de Hackito Ergo Sum (13)

HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talkHES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk
 
HES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
HES2011 - Jon Oberheide and Dan Rosenberg - StackjackingHES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
HES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
 
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profitHES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit
 
HES2011 - Sebastien Tricaud - Capture me if you can
HES2011 - Sebastien Tricaud - Capture me if you canHES2011 - Sebastien Tricaud - Capture me if you can
HES2011 - Sebastien Tricaud - Capture me if you can
 
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum CrackmeHES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
 
HES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARF
HES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARFHES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARF
HES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARF
 
HES2011 - joernchen - Ruby on Rails from a Code Auditor Perspective
HES2011 - joernchen - Ruby on Rails from a Code Auditor PerspectiveHES2011 - joernchen - Ruby on Rails from a Code Auditor Perspective
HES2011 - joernchen - Ruby on Rails from a Code Auditor Perspective
 
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...
 
HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X Sandbox
HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X SandboxHES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X Sandbox
HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X Sandbox
 
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7
 
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...
 
HES2011 - Itzik Kolter - Let me Stuxnet You
HES2011 - Itzik Kolter - Let me Stuxnet YouHES2011 - Itzik Kolter - Let me Stuxnet You
HES2011 - Itzik Kolter - Let me Stuxnet You
 

Dernier

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 

Dernier (20)

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 

HES2011 - Jon Larimer - Autorun Vulnerabilities on Linux

  • 1. USB Autorun attacks against Linux Hackito Ergo Sum 2011 / April 9 / Paris, France jlarimer@us.ibm.com Jon Larimer jlarimer@gmail.com IBM X-Force Advanced R&D
  • 2. Autorun malware ■ On Windows, the autorun.inf file could be used to automatically launch programs when a CD/Floppy/USB driver was inserted ■ Many people disable this feature now! ■ Windows 7 changed how AutoRun works from USB drives ■ Malware and hackers could still take advantage of vulnerabilities... –LNK vulnerability (Stuxnet) –PDF previews –Embedded BMP thumbnail vulnerability © 2011 IBM Corporation
  • 3. Autorun malware on Linux? ■ Some desktop environments support autorun scripts on external media ■ freedesktop.org specifications allow: .autorun, autorun, autorun.sh ■ Specs specifically forbid running these scripts automatically – the desktop environment should always ask ■ What about taking advantage of security vulnerabilities? © 2011 IBM Corporation
  • 4. Autorun vulnerabilities ■ Lots of code executes when a new mass storage device is connected... ■ Removable storage subsystem drivers –USB, SecureDigital, eSATA, FireWire, PCMCIA ■ File system drivers –Kernel drivers: ext3, ext4, etc –User mode (FUSE) drivers: ntfs-3g ■ Desktop applications –Desktop file browsers, thumbnailers ■ Vulnerabilities could exist at any of these layers! © 2011 IBM Corporation
  • 5. Attacks on physical systems ■ Physical access is 'game over' ■ What about full disk encryption? ■ IEEE 1394 (FireWire) DMA physical memory access –Requires FireWire port and drivers ■ Cold boot attack –Requires being able to boot from external media, stealing the RAM, or swapping out an internal drive ■ Removable storage attacks! –Most desktop OS's will automatically mount file systems on USB –Physical access not really necessary, just find someone to plug a device into their PC –If an exploit runs while the PC is already booted and the user is logged on, full disk encryption could be defeated © 2011 IBM Corporation
  • 6. USB on Linux ■ usbcore in drivers/usb/core ■ Host controller driver framework is drivers/usb/core/hdc.c –UHCI: drivers/usb/host/usb-uhci.c –EHCI: drivers/usb/host/usb-ehci.c ■ Hub driver in drivers/usb/core/hub.c ■ Interface drivers register by calling usb_register() or usb_register_driver(), specifying which vendor/product IDs they work with ■ drivers/core/usb/driver.c usb_match_id() takes care of the matching, then the driver is loaded © 2011 IBM Corporation
  • 7. USB Vulnerabilities on Linux ■ MWR InfoSecurity Auerswald Linux USB driver bug, 2009 –Driver provides support for Auerswald USB ISDN devices –Had a problem handing USB descriptors, resulting in a buffer overflow ■ Fuzzing USB drivers –Mortiz Jodiet – hardware+software (2009) –Tobias Mueller – QEMU-based fuzzer (2010) ■ Vulnerabilities in USB drivers can be exploited with cheap, small, off-the-shelf programmable USB development boards © 2011 IBM Corporation
  • 8. USB mass storage on Linux ■ Storage class driver in drivers/usb/storage/usb.c ■ storage_probe() –Sets up a SCSI host structure –adds SCSI host to SCSI subsystem –scsiglue.c and protocol.c take care of converting SRBs to URBs for the USB drivers ■ SCSI subsystem adds a block device (/dev/sdb) ■ udev is notified © 2011 IBM Corporation
  • 9. udev, udisks, and D-Bus ■ udev –device manager for Linux –adds/remove entries in /dev –can trigger events based on rules or through a netlink socket ■ D-Bus –IPC mechanism –allows applications to register for system device events ■ udisks –provides a D-Bus interface for dealing with disk devices –uses GUdev library (part of udev) to subscribe to udev events through a netlink socket, republishes them through D-Bus © 2011 IBM Corporation
  • 10. File systems in Linux ■ Traditionally lived in fs/ branch of kernel source tree ■ File systems operate between low level disk bus drivers and virtual file system ■ FUSE – file system in userspace ■ GVFS – GNOME Virtual File System –not a traditional file system –can only be access through GVFS, GIO, or the ~/.gvfs FUSE mountpoint –Can access also access files through SMB, FTP, DAV, etc © 2011 IBM Corporation
  • 11. File system driver vulnerabilities ■ Vulnerabilities in FS drivers could be exploited by malformed FS images on a USB drive ■ Successfully exploited vulnerabilities result in root access – file system drivers run in kernel mode ■ User mode file system driver exploits run in the context of whoever mounted the volume ■ Would be considered a 'local' kernel-mode bug because it requires physical access ■ For the purpose of exploitation, it can be considered remote since you don't already have access to the OS © 2011 IBM Corporation
  • 12. Finding file system driver vulns ■ Manually auditing the code (read The Art of Software Security Assessment by Dowd/McDonald/Schuh) –Concentrate on how structures on disk sectors are parsed ■ Static code analysis (lint, clang static analyzer, etc) ■ Fuzzing –In Linux, any block device (including a file) can be mounted as a volume –Write code to modify a FS image, mount, perform various operations, then unmount –Fuzz smarter by understanding FS structure, use code coverage/taint analysis tools ■ Automatically Generating Malicious Disks using Symbolic Execution (Stanford, 2006) © 2011 IBM Corporation
  • 13. GNOME Nautilus ■ GNOME Nautilus is the file browser used by Ubuntu Desktop Linux10.10 ■ Supports most of the freedesktop.org specifications ■ Will automatically mount known file systems on USB drives by default –Volume mounted in /media/XXX, where XXX is the volume name ■ Will automatically open a browsing window when a new file system is mounted ■ File browsing window will generate thumbnails for all files in the root directory of the device ■ It does this even with the screensaver running and locked! © 2011 IBM Corporation
  • 14. GNOME Nautilus file browser © 2011 IBM Corporation
  • 15. Nautilus thumbnail/media settings © 2011 IBM Corporation
  • 16. GNOME Nautilus operation ■ Detects when new storage devices are connected ■ Uses GVFS to access browse file systems over SMB, FTP, DAV, etc ■ Uses GVFS to be notified of newly mounted file systems © 2011 IBM Corporation
  • 17. GNOME Nautilus – thumbnailers ■ Nautilus will generate thumbnail images for images, movies, documents, and other file types to use as icons in the file browser ■ Settings stored in gconf system ■ Image icons generated internally using GdkPixBuf ■ Also allows 3rd party icon handlers –evince-thumbnailer: document files –totem-video-thumbnailer: video and audio files –gnome-thumbnail-font: font files ■ Thumbnails cached in ~/.thumbnails/normal © 2011 IBM Corporation
  • 18. GdkPixBuf thumbnails ■ Relies on some 3rd party libraries for some image formats (libpng, libtiff, libjpeg) ■ All 3 of those libraries have had security vulnerabilities before... ■ Contains built-in code for other formats (bmp, gif, ico, tga, xpm, and others) ■ Full list of supported extensions (in Ubuntu 10.10): –wmf, apm, ani, bmp, gif, icns, ico, cur, jp2, jpc, jpx, j2k, jpf, jpeg, jpe, jpg, pcx, png, pnm, pbm, pgm, ppm, qtif, qif, ras, svg, tga, targa, tiff, tif, wbmp, xbm © 2011 IBM Corporation
  • 19. Exploiting bugs in GdkPixBuf ■ Thumbnailing happens in the Nautilus process ■ If the process crashes, the file browsing window goes away ■ Difficult to defeat NX and ASLR (can't brute force against ASLR...) ■ Nautilus isn't protected by AppArmor © 2011 IBM Corporation
  • 20. Nautilus external thumbnail settings © 2011 IBM Corporation
  • 21. External thumbnailers ■ Configured with gconf: –gconftool –R /desktop/gnome/thumbnailers ■ Example: –/usr/bin/totem-video-thumbnailer -s %s %u %o • %s = size • %u = input file • %o = output file ■ Nautilus looks up thumbnailer application for each file based on the MIME type ■ Separate process is launched for each file that gets thumbnailed © 2011 IBM Corporation
  • 22. evince-thumbnailer ■ Part of GNOME evince, the document reader ■ Supports file types: –pdf, djvu, djv, pdf.bz2, cbr, cbz, cbt, dvi, pdf.gz, ps.bz2, ps, ps.gz, eps.bz2, epsi.bz2, epsf.bz2, eps, epsi, epsf, dvi.gz, dvi.bz2, eps.gz, epsi.gz, epsf.gz, cb7 ■ Renders the first page of a document to use as the icon ■ Relies on 3rd party libraries for some formats, internal code for others ■ Protected with PIE, AppArmor © 2011 IBM Corporation
  • 23. totem-video-thumbnailer ■ totem-video-thumbnailer thumbnails these extensions: –anim[1-9j], mp4, m4v, m2t, m2ts, ts, mts, cpi, clpi, mpl, mpls, bdm, bdmv, asf, ogx, shn, mxf, gvp, avi, divx, qt, mov, moov, qtvr, wmv, webm, wmx, ra, rm, ram, ogv, ram, mpeg, mpg, mp2, mpe, vob, dv, mkv, wpl, fli, rm, rmj, rmm, rms, rmx, rmvb, wvx, rv, rvx, rp, flv, pict, pict1, pict2, nsc, fli, flc, wm, sdp, qtl, 3gp, 3g2, 3gpp, 3ga, nsv, viv, vivo ■ Relies on many 3rd party libraries ■ Not protected by PIE or AppArmor! © 2011 IBM Corporation
  • 24. gnome-thumbnail-font ■ Provides thumbnails for: –ttf, ttc, otf, pfa, pfb, gsf, pcf, pcf.Z, pcf.gz ■ Uses the FreeType library for rendering fonts ■ There have been vulnerabilities in FreeType reported in the past ■ Not protected by PIE or AppArmor! © 2011 IBM Corporation
  • 25. What about mitigations? ■ Ubuntu 10.10 has many security features and exploit mitigations in place by default ■ NX (non-executable memory), ASLR (address space layout randomization) on everything, PIE (position independent executable) on some files ■ AppArmor – kind of a firewall for system calls ■ NX is not very effective, attackers can use ret2libc or return- oriented-programming (ROP) exploitation techniques ■ ASLR mitigates ROP... ■ AppArmor can be tough to defeat, but there are weaknesses –Protection is defined by per-application profiles –There are some things AppArmor can't protect against © 2011 IBM Corporation
  • 26. Defeating ASLR/PIE ■ ASLR can be brute-forced ■ External thumbnailers are launched as a separate process for each file –If the process crashes, the other files will continue to be thumbnailed ■ Figure out which addresses libc (or other target library) can be loaded at ■ There are only around ~3000 addresses that will be used with the standard Linux kernel ASLR implementation on 32 bit systems ■ Sometimes less are needed... © 2011 IBM Corporation
  • 27. Count 100 120 20 40 60 80 0 00236000 0046B000 004E4000 00538000 00583000 005C5000 0060A000 0064C000 00691000 006D3000 00713000 00753000 00796000 007D6000 00818000 00857000 00896000 008D8000 00916000 00954000 00992000 009D0000 00A0E000 00A4C000 00A8A000 ASLR Weaknesses? 00AC8000 00B06000 Address thumbnailer 00B44000 00B82000 00BC0000 00BFE000 00C3C000 00C7A000 00CB8000 00CF6000 00D34000 00D72000 00DB0000 00DEE000 00E2C000 Base address of libc per 40960 runs of evince- 00E6A000 00EA8000 00EE6000 00F24000 00F62000 00FA0000 00FDE000 0410E000 0C893000 14DE6000 1D4C0000 © 2011 IBM Corporation
  • 28. Defeating AppArmor ■ AppArmor is only as strong as the application's profile –evince-thumbnailer's profile used to allow writing to ~/.config/autostart –Could be used to install malware to start when the user logs in –See https://code.launchpad.net/bugs/698194 ■ There are some things that AppArmor can't protect against –X11 library calls (could block network access in some cases) –Kill screensaver, sniff keystrokes, inject keystrokes, etc © 2011 IBM Corporation
  • 29. Autorun exploit payloads? ■ Copy files from the user's home directory – useful for defeating full disk encryption, TrueCrypt, etc –Get browser cookies, documents ■ Kill screensaver process –killall gnome-screensaver –Gives you full access to the user's desktop ■ Install a backdoor –Add script to ~/.bash_profile, ~/.profile –Add desktop file to ~/.config/autostart ■ Elevate privileges –Install rootkit © 2011 IBM Corporation
  • 30. Killing the screensaver ■ The screen saver is just a process that runs as a window at the top of the X11 window tree ■ killall gnome-screensaver will kill the process, bypassing the authentication dialog ■ Alternatively, locate the X11 library in the process and use that to kill the screen saver window: –XOpenDisplay(":0.0") –XQueryTree() to enumerate windows –XFetchName() to look for "gnome-screensaver" –XKillClient() to terminate the process © 2011 IBM Corporation
  • 31. Install a backdoor? ■ Can be done without root ■ ~/.config/autostart is analogous to the Windows "Startup" folder –Drop a shortcut there (.desktop file) that points to a script and it'll be launched whenever the user logs in –.desktop file format is part of freedesktop.org specifications ■ Or use .profile, .bash_profile... ■ Script could download remote access trojan from the web, or just copy one from the USB drive © 2011 IBM Corporation
  • 32. evince vulnerabilities ■ Vulnerabilities in handling external font files for DVI documents (CVE-2010-2640, CVE-2010-2641, CVE- 2010-2642, CVE-2010-2643) ■ http://www.ubuntu.com/usn/usn-1035-1 ■ DVI files are generated from LaTeX documents ■ DVI files can reference external fonts that get loaded when the DVI file is processed ■ External fonts can be specified with an absolute path (/media/XXX) ■ Easier to exploit from USB than any remote vector... © 2011 IBM Corporation
  • 33. CVE-2010-2640 – PK font parsing © 2011 IBM Corporation
  • 34. CVE-2010-2640 © 2011 IBM Corporation
  • 35. CVE-2010-2640 ■ So we can write an arbitrary value to a semi-arbitrary location in memory ■ We don't know where the stack is, can't overwrite the return address ■ The write is relative to the heap, so ASLR won't impact our ability to overwrite a function pointer on the heap © 2011 IBM Corporation
  • 36. CVE-2010-2640 © 2011 IBM Corporation
  • 37. CVE-2010-2640 ■ We can overwrite ptr->info.lookup with the address of system()in libc ■ name is a string representing the font file it's looking for ■ To write this exploit: –figure out what cc needs to be so that w, h, x, or y overwrites ptr->info.lookup for one of the fonts –specify that cc value for the first font, and put the address in system in w, h, x, y –for the 2nd font, specify the name to be /media/XXX/kill.sh, where XXX is volume name of USB device –/media/XXX/kill.sh can be a shell script to do whatever you want – mine kills the screensaver © 2011 IBM Corporation
  • 38. Problems... ■ AppArmor will prevent loading a .pk600 file, but creating a symlink from the .pk600 file to a file ending in .png will get around this restriction ■ AppArmor won't let you execute a process ■ How do we get around this? –Write a ROP 2nd stage shellcode loader –mmap/open/read –AppArmor won't let you map executable files, but you can create an anonymous W+X mapping –2nd stage shellcode can search for X11 library, use X11 APIs to enumerate root windows then kill the one labeled "gnome-screensaver" ■ Still working on it... © 2011 IBM Corporation
  • 39. Demo! DEMO DEMO DEMO © 2011 IBM Corporation
  • 40. Conclusion ■ It's possible for software vulnerabilities to be used for autorun attacks against Linux ■ Not just GNOME, KDE has similar functionality ■ Recommendations: –Disable auto-mounting and auto-browsing of removable storage and media –Disable thumbnailing of files –Make use of technologies like AppArmor to provide enhanced protection for desktop user interface processes –PaX (grsecurity) offer more bits of entropy for ASLR than the default Linux kernel and other security features –Use a 64 bit OS, which makes it even harder to brute force ASLR © 2011 IBM Corporation