Friday, March 20, 2009

How to Create a "Drive-by" Download for Ubuntu

[Image: Charlie Miller Hacking the Apple Air, by ggee via Flickr]
In "Pwn2Own trifecta: Hacker exploits IE8, Firefox, Safari", it's obvious that the browser situation is pretty bad. Mac with Safari fell first with the first contestant, but the contestant order was by luck of the draw, meaning that any of the exploited browsers (that's all of them, by the way) could have been first to go. Ubuntu never fell, but that's mostly because it wasn't in the competition. The P2O discussion gets a lot of people stating that Linux (generally Ubuntu) is too well designed to be pwned this way. I say rubbish.

While getting a straight "drive-by" download going for a Linux distro would be difficult, if you include a little social engineering, it becomes quite easy.

Necessary ingredients:
1) Functionality the user wants (e.g. porn viewing directly in Totem via a plugin)
2) A browser vuln giving you the ability to run a local command. Firefox has a few.
3) A distribution which uses gksudo to elevate permissions with a time-out policy. Ubuntu will work fine.

Process
1) Create a HowTo page or spam e-mail.
2) Ask the user to install software which is likely not installed -- totem-xine for example. If you use an apt: link, it will help. These are from the repos and are absolutely safe, and everyone knows it.
3) Break to a second page (via link) with the browser exploit running gksudo and whatever command you need. It will not time out (using the gksudo token from the totem-xine install) and will elevate privileges automatically.
4) If your "Porn viewer" really works, you'll get plenty of traffic and plenty of bots. Make it really work.
5) Almost no one will ever know that they are owned because few run anti-virus or rootkit detection, and they didn't install anything outside of the repositories.

Not too difficult. Or you can take the more direct approach -- package your exploit in a .deb file with your porn viewer. The user downloads, double-clicks, and installs your malware.
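The step-3 trick only works because gksudo is a front end to sudo and reuses sudo's cached credential timestamp. The check below is an added example, not part of the original post: it reads sudoers-style text and reports the effective `timestamp_timeout`, so an administrator can tell whether the reuse window is open. The sudoers content embedded at the bottom is constructed sample input, and the 15-minute fallback assumes sudo's compiled-in default.

```shell
#!/bin/sh
# Added example (not from the original post). Reports whether cached sudo
# credentials can be reused by a later command, which is what the gksudo
# trick above depends on. Setting "Defaults timestamp_timeout=0" (or running
# "sudo -k" after each elevation) closes that window.

# Print the effective timestamp_timeout (minutes) for sudoers text on stdin.
# Assumption: sudo's compiled-in default is 15 when no Defaults line sets it.
# A negative value means the credential never expires; the last setting wins.
effective_timeout() {
    # Drop comments, then scan Defaults lines (including Defaults:user and
    # Defaults@host forms) for a timestamp_timeout=N option.
    sed 's/#.*//' | awk '
        /^[[:space:]]*Defaults/ {
            n = split($0, parts, "[,[:space:]]+")
            for (i = 1; i <= n; i++)
                if (parts[i] ~ /^timestamp_timeout=/) {
                    sub(/^timestamp_timeout=/, "", parts[i]); val = parts[i]
                }
        }
        END { if (val == "") val = 15; print val }'
}

# Classify sudoers text on stdin: "ok" when every elevation needs a password,
# "exposed" when a previous sudo/gksudo run leaves a reusable credential.
assess() {
    t=$(effective_timeout)
    case "$t" in
        0) echo ok ;;
        *) echo exposed ;;   # positive = reuse window; negative = never expires
    esac
}

# Constructed sample sudoers files.
SUDOERS_DEFAULT='Defaults env_reset
%admin ALL=(ALL) ALL'
SUDOERS_HARDENED='Defaults env_reset
Defaults timestamp_timeout=0   # prompt for a password on every elevation
%admin ALL=(ALL) ALL'

printf '%s\n' "$SUDOERS_DEFAULT"  | assess
printf '%s\n' "$SUDOERS_HARDENED" | assess
```

On a live system, feed it the output of `sudo cat /etc/sudoers /etc/sudoers.d/*` rather than the samples.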


1 comment:

  1. That sums it up quite nicely. Have been dabbling around with security issues and was wondering what they actually were thinking with the timeout gksudo; it leaves quite a bit open via the trusted install, then hidden malware install.

    Conclusion - best virus/malware program sits between keyboard and chair