In Pwn2Own trifecta: Hacker exploits IE8, Firefox, Safari, it's obvious that the browser situation is pretty bad. Mac with Safari fell first with the first contestant, but the contestant order was by luck of the draw, meaning that any of the exploited browsers (that's all of them, by the way) could have been first to go. Ubuntu never fell, but that's mostly because it wasn't in the competition. The P2O discussion has a lot of people stating that Linux (generally Ubuntu) is too well designed to be pwned this way. I say rubbish.
While getting a straight "drive-by" download going for a Linux distro would be difficult, if you include a little social engineering, it becomes quite easy.
You need three things:
1) Functionality the user wants (e.g. porn viewing directly in Totem via a plugin).
2) A browser vuln giving you the ability to run a local command. Firefox has a few.
3) A distribution which uses gksudo to elevate permissions with a time-out policy. Ubuntu will work fine.
Then:
1) Create a HowTo page or spam e-mail.
2) Ask the user to install software which is likely not installed -- totem-xine, for example. If you use an apt: link, it will help. These are from the repos and are absolutely safe, and everyone knows it.
3) Break to a second page (via link) with the browser exploit running gksudo and whatever command you need. The gksudo token from the totem-xine install will not have timed out yet, so it will elevate privileges automatically.
4) If your "porn viewer" really works, you'll get plenty of traffic and plenty of bots. Make it really work.
5) Almost no one will ever know they are owned, because few run anti-virus or rootkit detection and they didn't install anything from outside the repositories.
Not too difficult. Or you can take the more direct approach -- package your exploit in a .deb file with your porn viewer. The user downloads, double-clicks, and installs your malware.
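The whole chain hinges on the cached sudo timestamp that gksudo reuses after the apt: install. As an added example (not part of the original post), here is a small audit of that policy: it reads the `timestamp_timeout` a sudoers file sets globally and per user, and reports how long a cached token stays reusable. The sudoers text is constructed for the example; `Defaults timestamp_timeout=0` is the setting that makes every elevation prompt again, and `sudo -K` discards tokens already cached.

```python
import re
from typing import Dict

# Constructed sudoers content for the example; not taken from any real system.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults timestamp_timeout=15          # Ubuntu-style 15 minute window
Defaults:alice timestamp_timeout=-1, !tty_tickets   # -1: token never expires
Defaults:bob   timestamp_timeout=0     # 0: prompt on every elevation
root  ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
"""

# sudo's compiled-in default when no Defaults line sets one (15 minutes unless the build changed it).
BUILTIN_TIMEOUT = 15.0
_TIMEOUT = re.compile(r"^timestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)$")


def parse_timeouts(text: str) -> Dict[str, float]:
    """Map scope ('*' for global Defaults, or a user name for Defaults:user) to the timeout it sets."""
    found: Dict[str, float] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line.startswith("Defaults"):
            continue
        head, _, opts = line.partition(" ")
        if head == "Defaults":
            scope = "*"
        elif head.startswith("Defaults:"):
            scope = head[len("Defaults:"):]
        else:
            continue  # Defaults@host, Defaults!cmd and Defaults>runas are not handled here
        for opt in opts.split(","):
            m = _TIMEOUT.match(opt.strip())
            if m:
                found[scope] = float(m.group(1))  # a later line overrides an earlier one
    return found


def effective_timeout(text: str, user: str) -> float:
    """User-specific setting wins over the global one, which wins over the built-in default."""
    found = parse_timeouts(text)
    return found.get(user, found.get("*", BUILTIN_TIMEOUT))


def token_window(text: str, user: str) -> str:
    """Describe how long a cached credential can be reused without a password prompt."""
    t = effective_timeout(text, user)
    if t < 0:
        return "never expires"
    if t == 0:
        return "prompts every time"
    return f"reusable for {t:g} minutes"
```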