Old 04-14-2008, 11:38 AM   #1
thorn168
FUSE in Debian allowing Memory resident USB File infections


I have been commenting on the following LQ thread:

http://www.linuxquestions.org/questi...or-so.-633192/

In doing some of the research to assist this poster I came to the conclusion that FUSE may allow memory resident file infector type programs to operate with Linux.

I tried Google searching USB security risks in FUSE but came up with nothing useful.

Then I tried: Linux FUSE file infector and came up with these results:

http://www.google.com/search?hl=en&q...a+&btnG=Search

I just want to report this here so that someone with more experience may be able to look into this further.
 
Old 04-14-2008, 12:20 PM   #2
unSpawn
Quote:
Originally Posted by thorn168
I came to the conclusion that FUSE may allow memory resident file infector type programs to operate with Linux.
Could you please support that with specific pointers? I mean Sajin was clearly VB, Silly-B is listed as ClippyOS-only and the URI you posted was for "Linux +FUSE +secunia". Thanks in advance.
 
Old 04-14-2008, 01:47 PM   #3
thorn168
Here are some links regarding the vulnerability:

http://secunia.com/advisories/16024/

http://secunia.com/advisories/17691/

(Watch out for this link it may have a malicious popup) securitydot.net/vuln/exploits/vulnerabilities/articles/15222/vuln.html

The links refer to older versions that have been reported as updated or patched.

However, that does not mean the vulnerability cannot reemerge in distributions with FUSE.
 
Old 04-14-2008, 02:22 PM   #4
jschiwal
Look at the History portion of the original advisory:
Quote:
History
=======

2005-06-01 issue found by Sven Tantau
2005-06-02 vendor contacted
2005-06-02 quick vendor reaction with confirmation, patch and public disclosure
2005-06-06 release of this advisory + exploit
2005-06-06 Update of this advisory (affected versions mixup)
The description of the vulnerability is that some information wasn't cleared from memory before the memory was released, which could potentially allow other local users access to the information. This isn't an "infection" as you indicated. The problem was patched the day after the discovery. This was almost 3 years ago.
 
Old 04-14-2008, 03:20 PM   #5
thorn168
Quote:
The description of the vulnerability is that some information wasn't cleared from memory before the memory was released, which could potentially allow other local users access to the information. This isn't an "infection" as you indicated. The problem was patched the day after the discovery. This was almost 3 years ago.
I am aware of that. I am stating that another user has experienced a problem similar to this with a malware infection on a USB drive on a Debian Etch system.

For a history of this discussion see this link: http://www.linuxquestions.org/questi...or-so.-633192/
 
Old 04-15-2008, 12:14 AM   #6
jschiwal
There is no evidence in the thread you are referencing that the problem is due to fuse. You brought up fuse in the post yourself. I looked through eight of the links from the google search page you posted and they all were dealing with a local exploit revealing information. The other links you provided deal with the same issue. If you found a different CVE notice following one of those links, then please post a link to the notice itself instead of a generic google search.

The OP of the other thread could easily unload the "fuse" module, then delete the partition and repartition and format the flash drive. If after inserting the pendrive an exe file still appears, the user may have had a different kernel module modified. Or the user may have picked up a flash drive from hell which contains the smarts to reinfect itself when powercycled.

At the very least, the user should be validating all of his packages. Especially the kernel and kernel modules.

Last edited by jschiwal; 04-15-2008 at 12:28 AM.
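
Added example, not part of any post in this thread: the two checks suggested in post #6, written as shell functions. The function names are hypothetical; `verify_md5sums` re-implements the comparison that `debsums` performs against dpkg's `/var/lib/dpkg/info/<package>.md5sums` lists, and the optional ROOT argument is an assumption added so the check can be pointed at a mounted disk.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# module_loaded NAME [FILE]
# Succeeds if NAME is in the loaded-module list. FILE defaults to
# /proc/modules (one module per line, module name in the first field).
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' \
        "${2:-/proc/modules}"
}

# verify_md5sums LIST [ROOT]
# LIST is a dpkg-style md5sums file: "<md5>  <path relative to ROOT>".
# Prints every missing or modified path; returns non-zero if any was found.
verify_md5sums() {
    list=$1 root=${2:-/} bad=0
    while read -r sum path; do
        [ -n "$sum" ] || continue            # skip blank lines
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"; bad=1
        elif [ "$(md5sum < "$root/$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "CHANGED  $path"; bad=1
        fi
    done < "$list"
    return $bad
}

# When called with a package name, check the running Debian system.
if [ $# -ge 1 ]; then
    if module_loaded fuse; then echo "fuse module is loaded"; fi
    if verify_md5sums "/var/lib/dpkg/info/$1.md5sums" /; then
        echo "$1: all files match the recorded checksums"
    fi
fi
```

On a machine suspected of compromise, run this from trusted boot media with ROOT set to the mounted disk, because the checksum lists and the tools themselves live on the system being checked.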
 
Old 04-16-2008, 11:36 AM   #7
thorn168
The "problem" is not in or even with FUSE. The Problem is that FUSE, doing what it is supposed to do, gives the malware an environment in which it can operate.

I posted this thread because, while it may seem local and insignificant in the reported instance, this issue may evolve as more and more users choose to use Linux.
 
Old 04-16-2008, 12:02 PM   #8
unSpawn
With all due respect, I think you don't have a clear understanding of how some things work in GNU/Linux or at least are misinterpreting things. Mitigating circumstances enough, since the other thread's OP posted his messages in a way which wasn't factual and detailed enough for it to be taken as "evidence" anyway. I'm afraid though this thread will remain inconclusive for you until somebody explains by either a: 0) theoretical explanation, walking the kernel, device and filesystem tree, 1) post-mortem of the OP's machine or 2) mimicking the OP's machine and the sick stick in a VM. Whatever the choice I am confident you will see there can be no (sign of) activation, infection or residual traces, proving it's impossible for those viruses to be activated in GNU/Linux.
 
Old 04-17-2008, 08:26 AM   #9
thorn168
OK Fair enough.
 
  

