If you run a mainstream distribution of Linux on a desktop computer, there’s a good chance security researcher Chris Evans can hijack it when you do nothing more than open or even browse a specially crafted music file. And in the event you’re running Chrome on the just-released Fedora 25, his code-execution attack works as a classic drive-by.
The zero-day exploits, which Evans published on Tuesday, are the latest to challenge the popular conceit that Linux, at least in its desktop form, is more immune to the types of attacks that have felled Windows computers for more than a decade and have increasingly snared Macs in recent years.
While Evans’ attacks won’t work on most Linux servers, they will reliably compromise most desktop versions of Linux, which employees at Google, Facebook, and other security conscious companies often use in an attempt to avoid the pitfalls of Windows and Mac OS X. Three weeks ago, Evans released a separate Linux zero-day that had similarly dire consequences.
“I like to prove that vulnerabilities are not just theoretical—that they are actually exploitable to cause real problems,” Evans told Ars when explaining why he developed—and released—an exploit for fully patched systems. “Unfortunately, there’s still the occasional vulnerability disclosure that is met with skepticism about exploitability. I’m helping to stamp that out.”
Like Evans’ previous Linux zero-day, the proof-of-concept attacks released Tuesday exploit a memory-corruption vulnerability closely tied to GStreamer, a media framework that by default ships with many mainstream Linux distributions. This time, the exploit takes aim at a flaw in a software library alternately known as Game Music Emu and libgme, which is used to emulate music from game consoles. The two audio files are encoded in the SPC music format used in the Super Nintendo Entertainment System console from the 1990s. Both take aim at a heap overflow bug contained in code that emulates the console’s Sony SPC700 processor. By changing the .spc extension to .flac and .mp3, GSteamer and Game Music Emu automatically open them.
The exploit ending in .flac works as a drive-by attack when a Fedora 25 user visits a booby-trapped webpage. With nothing more than a click required, the file will open the desktop calculator. With modification, it could load any code an attacker chooses and execute it with the same system privileges afforded to the user. While users typically don’t have the same unfettered system privileges granted to root, the ones they do have are plenty powerful. Such an exploit can, for instance, read and steal all the user’s most personal data, including documents, pictures, e-mail, and chat transcripts. It could also steal the user’s browser cookies and sessions for Gmail, Facebook, Twitter, and other sites. It could additionally persist across reboots, although not as stealthily as a root exploit. And as is growing increasingly common, it could be combined with a local root privilege exploit to gain full system rights. Here’s a video of it in action:
The exploit ending in .mp3 works when a user either views a folder containing the poisoned music file or clicks on it. It could also be modified to run code of the attacker’s choice. Here’s a video of it working on Ubuntu 16.04 LTS, but it will also work equally well on Fedora and most likely other Linux distributions Evans hasn’t tested.
Prime candidates for exploitation
On just about any operating system, the parsing of media files is fraught with a complexity that makes them prime candidates for exploitation. And that’s why media players developed by security-conscious coders take pains to put untrusted content downloaded from the Internet inside security sandboxes, where they can’t get access to sensitive operating system resources. Remarkably, that’s not what Evans found in this case. Game Music Emu doesn’t sandbox the malicious audio files, and neither does GStreamer, the GNOME desktop video player, video thumbnailer, and media file indexing software used by Fedora and Ubuntu.
“You could argue that it’s the responsibility of these applications to implement sandboxing themselves,” Evans told Ars. “Or you could argue that since media file parsing is known to be dangerous, that the GStreamer library should provide an API that fundamentally provides sandboxed media parsing primitives. It’s an interesting discussion, for sure.”
While Chrome does a good job sandboxing its built-in media players, it too provides no help here.
For anyone who’s versed in software development or security engineering, Tuesday’s post offers a spectacularly deep dive into the mechanics of exploiting what at first blush appeared to be a non-exploitable flaw. The larger message coming out of Evans’ recent work—which has already inspired the development of at least one other serious code-execution exploit—is that at the very least, desktop Linux is no more immune than Windows and OS X to catastrophic exploits. And given the past decade of top-flight security talent Microsoft and Apple have hired to lock down their OSes, it’s arguable that key parts of desktop Linux are less hardened. To think otherwise may not be just wrong, it could be dangerous as well.