The modern Linux desktop is frighteningly vulnerable
Despite the sensational title, I promise you there is nothing new in this post. Every exploit I mention is well-documented and supposedly considered “expected behavior” by the Gnome and KDE development communities. I must credit many of the ideas I have implemented to a certain article by foobar at geekzone.co.nz. Other ideas I mention, such as harvesting data from browser caches, are not Linux-specific and should be well-known. However, I have included them to reinforce the real-world impact of these Linux vectors.
With major personal computer manufacturers selling machines running GNU/Linux desktops, and the French police force converting to Ubuntu, the geek threshold for the Linux OS is dropping, and security is becoming a larger concern. Or it should be. The days when we can assume a Linux user will know not to open unexpected email attachments or run “sudo rm -rf /*” may be ending. While many contend Linux is one of the more secure OSes, remember that technically Linux is just a kernel, and that the core GNU/Linux OS lies several layers beneath the desktop environment we commonly refer to as “Linux.”
While this core, with sane firewall policies and other access restrictions, may be very secure (I do not claim to know, and it is not the point here), a system is only as secure as its weakest element. The Linux desktop is a multilayered beast. Do we know exactly what we’re stacking on it? Do we know what holes we’re introducing?
Yes, since it’s open-source we can examine the code for ourselves. But Grandma-who-just-bought-a-Dell-with-Ubuntu-because-her-grandson-told-her-to probably isn’t going to grab a checkout from github and start patching. “Well maybe Grandma shouldn’t be using Linux,” say the kernel hackers. “Well kernel hackers,” rebuts Grandma, “maybe you shouldn’t have made a GUI that any joker can use!” If we want Linux adoption to grow in the general populace, then we have to acknowledge the weakest layer of all: the user. If the user is opening email attachments from the King of Nigeria, then Linux is in the exact same vulnerable position as Windows.
There are many vectors through which malware can be delivered to a user. Email is certainly among the most prominent for Windows. And Linux is no different. “But your email client won’t save your attachments as executable files!” Probably true. “And Linux won’t run non-executable files!” True in theory, naive in the real world. Remember the layers? While the core GNU/Linux OS may not run non-executable files, popular desktop environments like KDE and Gnome allow a way around this: the .desktop file.
.desktop files allow the system to represent an arbitrary command as an icon with a name, description, a menu to appear in, associated mime types, etc. Here is an example .desktop file for the popular VLC media player:
[Desktop Entry]
Version=1.0
Name=VLC media player
Comment=Read, capture, broadcast your multimedia streams
Exec=vlc %f
Icon=vlc
Type=Application
Categories=AudioVideo;Player;
Regardless of the file’s execution permissions, the system will read it and run the command assigned to “Exec.” As you can imagine, it is trivial to place a malicious command in an otherwise innocuous .desktop file. Since most desktop environments trim the .desktop extension when displaying the file name, the malicious file “funny_video.ogg.desktop” would appear as “funny_video.ogg,” completing the facade. The user might think he is opening an Open Document file, a video, or a common application. Instead he may be deleting his home directory or installing a malicious program.
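A defender can audit .desktop files for exactly the disguise described above. The following Python is an added example, not code from the original post: it parses the INI-like Desktop Entry format, flags a launcher whose displayed name hides a media or document suffix, flags a launcher without the executable bit (the check later GNOME and KDE versions adopted before honouring an Exec line), and flags an Exec that runs inline code through a shell interpreter or from a user-writable path. The suffix and interpreter lists and both sample entries are constructed for the example.

```python
import configparser
import shlex

# Suffixes a disguised launcher hides behind (constructed list for this example)
DISGUISE_SUFFIXES = (".ogg", ".mp3", ".mp4", ".avi", ".pdf", ".odt", ".jpg", ".png")
# Interpreters whose "-c" flag runs arbitrary inline code from the Exec line
SHELL_WRAPPERS = ("sh", "bash", "dash", "zsh", "python", "python3", "perl")

def parse_desktop_entry(text):
    """Parse the INI-like .desktop format and return the [Desktop Entry] group."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # desktop entry keys are case-sensitive; keep them as written
    cp.read_string(text)
    return dict(cp.items("Desktop Entry")) if cp.has_section("Desktop Entry") else {}

def audit_desktop_entry(filename, text, is_executable):
    """Return the reasons a .desktop file looks like a disguised launcher ([] if clean)."""
    findings = []
    entry = parse_desktop_entry(text)
    # The desktop trims ".desktop", so this is the name the user actually sees
    shown = filename[:-len(".desktop")] if filename.endswith(".desktop") else filename
    if shown.lower().endswith(DISGUISE_SUFFIXES):
        findings.append("double extension: displayed to the user as %r" % shown)
    if entry.get("Type") == "Application" and "Exec" in entry and not is_executable:
        findings.append("launcher without the executable bit (untrusted origin)")
    try:
        argv = shlex.split(entry.get("Exec", ""))
    except ValueError:
        argv = entry.get("Exec", "").split()
    if argv:
        prog = argv[0].rsplit("/", 1)[-1]
        if prog in SHELL_WRAPPERS and "-c" in argv[1:]:
            findings.append("Exec runs inline code via '%s -c'" % prog)
        if any(a.startswith(("/tmp/", "/dev/shm/", "~/", "$HOME")) for a in argv[1:]):
            findings.append("Exec references a user-writable path")
    return findings

# Constructed samples: the VLC entry from the post, and a fake "video" launcher
VLC_ENTRY = """[Desktop Entry]
Version=1.0
Name=VLC media player
Comment=Read, capture, broadcast your multimedia streams
Exec=vlc %f
Icon=vlc
Type=Application
Categories=AudioVideo;Player;
"""
FAKE_ENTRY = """[Desktop Entry]
Name=funny_video.ogg
Exec=sh -c "/tmp/.hidden/run.sh"
Type=Application
"""
```

Running `audit_desktop_entry("funny_video.ogg.desktop", FAKE_ENTRY, False)` yields four findings, while the genuine VLC entry with its executable bit set yields none.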
In the following video, I demonstrate this vector of attack, inspired by foobar’s above-mentioned post. I first run a malicious .desktop file which installs malware to my user account. It will steal my name, address, social security number, credit card number, birthday, bank-routing and checking-account numbers. This is the goal of today’s economically-driven malware market – not messing with your system files. But just for fun, the malware will reconfigure my environment to trick me into giving it root access, which it will use to wipe my entire hard drive. Nothing in this video is staged. It’s real malicious code behaving just like it would on a real, infected system.
Today, erasing hard drives is often a waste of a compromised system. A better use would be to install rootkits and turn the machine into a botnet drone. Since I have no evil intent, my malware didn’t do anything that insidious. I programmed it only far enough to demonstrate that today’s Linux desktops are secure only until enough people realize that they aren’t. The unsinkable ship is headed for the iceberg. Lower the lifeboats. Women and children first. Trust no one. File a complaint or brilliant solution with your local Gnome and KDE representatives. Listservs are standing by.
The Rat King
For the past week my roommates and I have heard a scraping, scampering sound coming from our attic. Suspicions range from bird to mouse to squirrel. While probable, these theories lack pizazz and fall below our threshold for drama. Instead, we prefer believing our attic is home to a rat king.
Hoping to catch a glimpse of the fabled horror, I climbed the attic stairs armed only with a flashlight. Though energy-efficient and environmentally friendly, the three light-emitting diodes did little to push back the darkness. I know it was watching me. I never saw it, but I knew.
I returned from the attic unharmed but convinced action needed to be taken before it was too late. Someone proposed we call the animal warden. Again, while reasonable, it lacked a certain flair. A friend then suggested I rush the attic with a BB gun and mask (in case I missed and it tried to claw my face off.) That might work on a squirrel. Maybe. But for a rat king, an American Civil War-era cannon and some grapeshot would be more appropriate.
Currently, the rat king and I are at an impasse. If you’ve any ideas, or grapeshot, let me know.