LinuxQuestions.org
Old 01-10-2008, 12:54 PM   #1
Linux.tar.gz
Senior Member
 
Registered: Dec 2003
Location: Paris
Distribution: Slackware forever.
Posts: 2,534

Does a Linux virus on a USB key exist?


I wonder if someone has heard about a virus that infects a Linux PC just by plugging in an infected USB key.

I saw that myself on window$.

I have a doubt because I saw a computer acting strangely after the insertion of a strange key (weird partitioning + hidden data).
 
Old 01-10-2008, 01:12 PM   #2
b0uncer
LQ Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Umm... that is pretty "common" in Windows, partly because it has been such a popular operating system (and not too well secured), so a lot of malware exists that runs on it, and can in some cases be run when a USB stick is inserted. Not every piece of malware "infects" the machine as soon as you plug in the disk it resides on, but some might.

On Linux, computer viruses are either very rare or nonexistent, so it's somewhat probable that you'll never bump into one. A more serious danger is crackers and rootkits. Of course anything can happen, so I can't say it's completely impossible that a "Linux operating system virus" jumps off a USB stick right when you plug it in, and wreaks havoc on the machine.
 
Old 01-10-2008, 02:59 PM   #3
Linux.tar.gz
Senior Member
 
Registered: Dec 2003
Location: Paris
Distribution: Slackware forever.
Posts: 2,534

Original Poster
"completely impossible" is indeed completely impossible with computers
The USB viruses under Windows are very specific as they create an autorun, which launches malware. Then this malware tries to infect every removable device, floppies and CD/DVD-RW too, as XP has an integrated burner. I saw this malware acting myself.
So is it possible to imagine a key designed to abuse hal or dbus? Or the filesystem on it corrupted in a way that it exploits the mount?
 
Old 01-10-2008, 03:28 PM   #4
dive
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Slackware
Posts: 3,467

Quote:
Originally Posted by Linux.tar.gz
So is it possible to imagine a key designed to abuse hal or dbus? Or the filesystem on it corrupted in a way that it exploits the mount?
My thoughts too. But I wonder if that is common since most of these viruses are aimed at Windows and tend to exploit things like the common locations of address books, registry files etc. I guess someone versed in Linux could create one but he/she would likely be aiming at an organisation that he knows uses Linux - i.e. an inside job where he has some physical contact. Can't really see this developing in a way outside of this type of situation.

Aside from that, it would be interesting to see if hal, dbus, or mount could be exploited, just for the fun of trying.
 
Old 01-10-2008, 03:45 PM   #5
dracolich
Senior Member
 
Registered: Jul 2005
Distribution: Slackware
Posts: 1,274

Quote:
I have a doubt because I saw a computer acting strangely after the insertion of a strange key (weird partitioning + hidden data).
Would this be one of the U3 "smart" disks? They have an extra "hidden" partition that detects as read-only and contains the preinstalled utilities. And all the ones that I've seen have an autorun program, either LaunchU3.exe or Autorun.exe and what it does seems to depend on the disk and the preinstalled stuff.

Quote:
Then this malware tries to infect every removable device, floppies and cd/dvd-rw too, as XP has an integrated burner.
Can you describe what it "tried" to do and why it was unsuccessful?

Aside from that I've experienced infected floppies and infected files burned onto cds. So why not a USB disk? Anything that can be used to transport files can transport viruses and malware. If there were any current Linux-targeting viruses in the wild this might be a concern. However, in Linux, we can protect ourselves: we can boot into a CLI where we can view detailed messages about hardware detection and mounting, we can easily turn off hal and dbus to disable automounting and autorunning, we normally boot into a user account which doesn't have permission to modify or reconfigure hal, dbus or udev.
 
Old 01-10-2008, 04:36 PM   #6
Linux.tar.gz
Senior Member
 
Registered: Dec 2003
Location: Paris
Distribution: Slackware forever.
Posts: 2,534

Original Poster
Quote:
Originally Posted by dracolich
Would this be one of the U3 "smart" disks?
Nope, it was a Corsair. Indeed there was a utility on it, but the disk was formatted before I used it.

Quote:
Originally Posted by dracolich
Can you describe what it "tried" to do and why it was unsuccessful?
The XP virus tried every ~10 seconds to replicate itself on every removable device. As nowadays a simple worm can lead to a trojan or rootkit infection, consequences can be bad.

Quote:
Originally Posted by dracolich
we can boot into a CLI where we can view detailed messages about hardware detection and mounting, we can easily turn off hal and dbus to disable automounting and autorunning, we normally boot into a user account which doesn't have permission to modify or reconfigure hal, dbus or udev.
What is a CLI?
And of course we can disable things, but this is a regression.
 
Old 01-10-2008, 05:17 PM   #7
proc
Member
 
Registered: Jul 2007
Location: /dev/urandom
Posts: 70

Quote:
Originally Posted by Linux.tar.gz
Nope, it was a Corsair. Indeed there was a utility on it, but the disk was formatted before I used it.


The XP virus tried every ~10 seconds to replicate itself on every removable device. As nowadays a simple worm can lead to a trojan or rootkit infection, consequences can be bad.


What is a CLI?
And of course we can disable things, but this is a regression.
CLI stands for Command Line Interface.

I don't think it's possible for a virus to even exploit DBUS or HAL, because remember the user is part of the dbus or hal group, so it doesn't necessarily mean that the virus has root privileges, and thus it is limited in the damage it can cause; at the most it can infect the folder where it has been mounted.
 
Old 01-10-2008, 06:23 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Do any GNU/Linux distros come with autorun type functionality? It would be insane if plugging someone's USB drive into your GNU/Linux computer puts you at risk for arbitrary code execution. But does anyone know for sure whether this is currently the case or not? I remember I had to plug in a dude's iPod a few weeks ago to copy some spreadsheet files to it, and when I gave him back the iPod I had a little voice in the back of my mind saying something like "Are you sure he only got the spreadsheets?". I figured my tinfoil hat might have been too tight but now I'm wondering again.
 
Old 01-10-2008, 08:23 PM   #9
entz
Member
 
Registered: Mar 2007
Location: Milky Way , Planet Earth!
Distribution: Opensuse
Posts: 453
Blog Entries: 3

Quote:
Q: Does a Linux virus on a USB key exist?
My A: Highly Unlikely

You could also ask the following:

Quote:
Q: Do Wormholes exist in the earth's atmosphere?
and My A would be: Highly Unlikely

Alright, now let's leave the sarcastic part aside and get into talking about the real business.

The reason why such a thing won't hit the streets, with a probability of 99.99%, is that:

1) Linux is constantly getting updated
2) Any process from auto-mount to low-level kernel stuff can be adjusted unpredictably by the user

3) and the fact that each different Linux distro behaves differently. Hell, even each distro does NOT behave the same on each different hardware box!
Trust me, I've seen USBs mounting and sometimes not, on 2 different machines and sometimes even on the very same one.

so finding exact behavioral patterns is ....Unlikely
and finding exact security holes is ......Highly Unlikely

Besides that, Windows is a piece of shit and can't be compared to Linux or even to *nix in general.
I've even looked into an exploit myself that successfully exploits the program (whose name I forgot) that creates thumbnails for icons, resulting in the opportunity of ripping a Windoze apart by fitting an icon file with this particular exploit and putting this file on a CD, DVD or perhaps a USB flash drive.

But hey, that was Windoze

cheers

Last edited by entz; 01-10-2008 at 08:27 PM.
 
Old 01-10-2008, 08:59 PM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

It doesn't have to be a virus to be devastating.

It could be something as simple as a one-line shell script.
 
Old 01-10-2008, 09:17 PM   #11
entz
Member
 
Registered: Mar 2007
Location: Milky Way , Planet Earth!
Distribution: Opensuse
Posts: 453
Blog Entries: 3

Quote:
Originally Posted by win32sux
It doesn't have to be a virus to be devastating.

It could be something as simple as a one-line shell script.
La Forke Bomba de Jaromil :

Code:
:(){ :|:& };:
My Apologies for this horrible french of mine
 
Old 01-10-2008, 09:20 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by win32sux
Do any GNU/Linux distros come with autorun type functionality?
I clearly remember an icon automagically appearing on my desktop when I plugged in a USB device. Not automounting, but nearly there. In any case the kernel and overlayed subsystems do their best to find out what the device is. Automation. Nice. Unless you read something like this and this.


Quote:
Originally Posted by entz
and finding exact security holes is ......Highly Unlikely
Please elaborate?
 
Old 01-10-2008, 09:40 PM   #13
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by unSpawn
I clearly remember an icon automagically appearing on my desktop when I plugged in a USB device. Not automounting, but nearly there. In any case the kernel and overlayed subsystems do their best to find out what the device is. Automation. Nice. Unless you read something like this and this.
If I plug a USB flash drive into my laptop (on my account) it will get auto-mounted. Also, Nautilus opens a file manager window displaying the drive's contents. That could indeed be a vulnerability if, for example, someone has an exploit for the thumbnail preview function (any PDFs, JPGs, etc. get thumbnails generated for them when the Nautilus window opens). So if you know about a thumbnail/image preview vulnerability in Nautilus, and you have an exploit for it, you could pretty much OWN my user account right now by just plugging in a USB drive while my screensaver is running and I'm getting something from the snack machine.

I remember when I plugged in this guy's iPod I got a weird icon too, and I think Rhythmbox opened and stuff IIRC. In any case, my fear is that someone can execute something from the USB drive when inserted. I know that this should be easy to configure (if one would actually want a certain file to be auto-executed whenever a USB drive is mounted), but I'm hoping someone could confirm that it's not something which can be done by default in any way. If this auto-execute functionality is nonexistent on most distros out-of-the-box, then I think that would also help answer the OP's question regarding the possibility of getting some sort of virus (or whatever) by simply plugging in a USB drive. There would need to be a vulnerability (and an exploit) for something further up the chain (such as Nautilus).

PS: I think I'm gonna try to edit my config so that Nautilus won't automatically open when I insert a USB drive. This way I can at least scan the USB drive's contents with ClamAV or something before having any of my programs touch it. I think I do remember some PNG vulnerabilities in the past which might have been used to execute arbitrary code from a Nautilus image preview thingy.

Last edited by win32sux; 01-10-2008 at 09:58 PM.
 
Old 01-10-2008, 09:42 PM   #14
entz
Member
 
Registered: Mar 2007
Location: Milky Way , Planet Earth!
Distribution: Opensuse
Posts: 453
Blog Entries: 3

Quote:
Originally Posted by unSpawn
Please elaborate?
Alright

So without making this too lengthy, what I wanted to illustrate is that Linux behaves differently under different situations according to my personal observation. Now why does this happen? Well, I can't tell ...

And even if it does behave exactly the same, then probably not all users are gonna run dbus or hal of the very same version, meaning that a remarkable versatility exists on Linux boxes in general.

So if you find a bug in the automount system and abuse it, then this doesn't guarantee that it would work on all distros.

Don't software authors actually spend a lot of time making their code work universally on each machine?

cheers
 
Old 01-11-2008, 08:59 AM   #15
dracolich
Senior Member
 
Registered: Jul 2005
Distribution: Slackware
Posts: 1,274

Quote:
Originally Posted by win32sux
If I plug a USB flash drive into my laptop (on my account) it will get auto-mounted. Also, Nautilus opens a file manager window displaying the drive's contents. That could indeed be a vulnerability if, for example, someone has an exploit for the thumbnail preview function (any PDFs, JPGs, etc. get thumbnails generated for them when the Nautilus window opens). So if you know about a thumbnail/image preview vulnerability in Nautilus, and you have an exploit for it, you could pretty much OWN my user account right now by just plugging in a USB drive while my screensaver is running and I'm getting something from the snack machine.

I remember when I plugged in this guy's iPod I got a weird icon too, and I think Rhythmbox opened and stuff IIRC. In any case, my fear is that someone can execute something from the USB drive when inserted. I know that this should be easy to configure (if one would actually want a certain file to be auto-executed whenever a USB drive is mounted), but I'm hoping someone could confirm that it's not something which can be done by default in any way. If this auto-execute functionality is nonexistent on most distros out-of-the-box, then I think that would also help answer the OP's question regarding the possibility of getting some sort of virus (or whatever) by simply plugging in a USB drive. There would need to be a vulnerability (and an exploit) for something further up the chain (such as Nautilus).

PS: I think I'm gonna try to edit my config so that Nautilus won't automatically open when I insert a USB drive. This way I can at least scan the USB drive's contents with ClamAV or something before having any of my programs touch it. I think I do remember some PNG vulnerabilities in the past which might have been used to execute arbitrary code from a Nautilus image preview thingy.
I first experienced automounting in Linux distros with Knoppix and Ubuntu. I have long suspected that, although it's convenient and helpful for new users, such automation can become a vulnerability. That's one reason I keep it disabled on my machines by chmodding rc.hald and rc.dbusd. I don't mind mounting my usb devices from the CLI. I believe that, in the event of such a threat, it would provide an opportunity to scan files before anything is opened or executed.

I'm pretty sure that the autorunning of applications from a "smart" USB disk works in Windows because of Windows and not the "smart" program. I had my U3 disk for a few months before I plugged it into an XP machine and saw it work. In Win2K SP3 it would always just pop up a message that LaunchU3.exe requires SP4. I think that in Linux the wm (KDE or GNOME) would have to be designed to recognize and execute a Linux-compatible autorun file.

I, too, remember some PNG and GIF exploits, but they were via email. I don't recall which os's or apps they targeted, but if someone were to save such a file from their email onto a USB disk...
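
Added example (not part of any post in this thread): posts #13 and #15 describe mounting a USB drive by hand and scanning it before any program opens its files. The sketch below audits a mount table for removable-media mounts that lack `noexec`, `nosuid` or `nodev`, and prints the manual mount, ClamAV scan and unmount sequence. The hardening options, device names and mount points are assumptions added here, not taken from the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Device names and mount points are constructed.

REQUIRED_OPTS="noexec nosuid nodev"

# audit_mounts: read /proc/mounts-format lines on stdin and report every mount
# under /media, /mnt or /run/media that lacks one of REQUIRED_OPTS.
# (/proc/mounts writes spaces in paths as \040, so field splitting is safe.)
audit_mounts() {
    awk -v req="$REQUIRED_OPTS" '
    $2 ~ /^\/(media|mnt|run\/media)(\/|$)/ {
        n = split(req, want, " ")
        split("", have)                      # clear the per-line option set
        m = split($4, opts, ",")
        for (i = 1; i <= m; i++) have[opts[i]] = 1
        missing = ""
        for (i = 1; i <= n; i++)
            if (!(want[i] in have))
                missing = missing (missing == "" ? "" : ",") want[i]
        if (missing != "") print $2 " missing:" missing
    }'
}

# manual_mount_plan DEVICE MOUNTPOINT: print (not run) the manual sequence:
# read-only hardened mount, recursive ClamAV scan listing infected files, unmount.
manual_mount_plan() {
    printf 'mount -o ro,noexec,nosuid,nodev %s %s\n' "$1" "$2"
    printf 'clamscan -r -i %s\n' "$2"
    printf 'umount %s\n' "$2"
}

# Constructed sample in /proc/mounts format.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/alice/STICK vfat rw,nosuid,nodev,relatime,uid=1000 0 0
/dev/sdc1 /mnt/usb vfat ro,nosuid,nodev,noexec,relatime 0 0
/dev/sdd1 /run/media/bob/CAM\040CARD exfat rw,relatime 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
manual_mount_plan /dev/sdX1 /mnt/usb
```

On a live system, run `audit_mounts < /proc/mounts`. `noexec` only blocks direct execution from the mount; it does not stop an interpreter being pointed at a script there, nor a parser bug in a thumbnailer or file manager, which is why the scan comes before anything opens the files.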
 
  

