Two security researchers published details this week about several security flaws that allow attackers to execute code on affected machines and take over devices.

 

These security flaws affect Linux distros such as Fedora and Ubuntu, and two of these exploits are zero-days, meaning there's no patch to prevent attacks.

 

Zero-days discovered affecting Fedora and Ubuntu

 

The first to publish his research was Chris Evans, who disclosed the two zero-days affecting Gstreamer, an application responsible for indexing and generating thumbnails and previews for files in various Linux desktop environments.

 

Evans says that an attacker can host a malicious audio file online that, when the user downloads it to his computer, will automatically be indexed by Gstreamer.

 

The file, either a FLAC or MP3, would tell Gstreamer that it's a SNES music file.

Because Gstreamer comes with support for playing these files, it will emulate a SNES (Super Nintendo Entertainment System) and attempt to index the file.

 

The libraries that are part of Gstreamer and tasked with this operation include vulnerabilities that allow the attacker to execute code on the user's machine.

 

This occurs when the file contains malicious instructions telling Gstreamer to emulate a SNES with a Sony SPC700 audio processor.

Additionally, Gstreamer isn't sandboxed, so any code executed via the framework has access to the OS, with the user's native privileges.

 

Evans has tested his attack scenario on Fedora 25 and Ubuntu 16.04 LTS distros but says that other Linux versions might be affected as well.

He also recorded two videos of his exploit in action.


This is not the first time Evans has abused Nintendo file playback on Fedora.

A few weeks before, he leveraged another zero-day in NES (Nintendo Entertainment System) file playback to run malicious code on a Fedora desktop.

Similarly, Evans found other flaws in Fedora desktops involving Chrome.

 

Abusing Ubuntu's crash reporter

 

The other vulnerability that came to light this past week affects Ubuntu 12.10 (Quantal) and later, and was discovered by security researcher Donncha O'Cearbhaill.

 

According to the researcher, the bug affected the Apport crash reporting tool found in all Ubuntu installations.

Unlike the flaws Evans found, this one was patched on Wednesday, December 14.

 

The attack scenario involves social engineering and requires an attacker to convince Ubuntu users to open a malformed crash report file.

 

Opening the file triggers the exploit, which in turn allows the attacker to execute code on the user's system.

 

The bug affected all Apport versions released in the past four years.

The researcher published both proof-of-concept code and a video demonstrating his attack.

 

View: https://vimeo.com/194586375


Source:

https://www.bleepingcomputer.com/news/security/its-been-a-bad-week-for-linux-as-several-security-flaw
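
A defender-side check for the disguise described in the article, as an added example that is not part of the original post or of Evans's research: it flags `.mp3`/`.flac` files whose leading bytes are not what the extension promises. The magic strings are the formats' standard headers; the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# Standard leading bytes of an SNES SPC700 dump; FLAC and MP3 are handled in sniff().
SPC_MAGIC = b"SNES-SPC700 Sound File Data"
AUDIO_EXTS = {".mp3", ".flac"}

def sniff(header: bytes) -> str:
    """Classify a file by its first bytes, ignoring its name."""
    if header.startswith(SPC_MAGIC):
        return "spc"
    if header.startswith(b"fLaC"):
        return "flac"
    # MP3: ID3v2 tag, or an MPEG audio frame sync (11 set bits: 0xFF, then >= 0xE0).
    if header.startswith(b"ID3") or (len(header) > 1 and header[0] == 0xFF and header[1] >= 0xE0):
        return "mp3"
    return "unknown"

def find_mismatches(root: str) -> list:
    """Return (path, sniffed_type) for .mp3/.flac files whose content disagrees."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            ext = os.path.splitext(name)[1].lower()
            if ext not in AUDIO_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    kind = sniff(fh.read(64))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if kind != ext.lstrip("."):
                hits.append((path, kind))
    return hits

def demo() -> list:
    """Scan a temp dir of constructed sample files (headers only, no payload)."""
    samples = {
        "song.flac": b"fLaC\x00\x00\x00\x22",
        "track.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x00",
        "disguised.flac": SPC_MAGIC + b" v0.30\x1a\x1a",
        "disguised.mp3": SPC_MAGIC + b" v0.30\x1a\x1a",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), k) for p, k in find_mismatches(tmp)]
```

Point `find_mismatches()` at a downloads directory; an `spc` hit is the case the article describes, while `unknown` only means the header was not one of the three recognised here.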
