A security researcher found zero-day exploits in Linux distributions like Fedora and Ubuntu. All you have to do is play a particular music file, and you’re vulnerable.
Researcher Chris Evans can hijack your Linux computer with a music file. And if you’re using Chrome on Fedora 25, the latest release, he can target you with a code-execution attack. Mr. Evans published the results on Tuesday, with details of the attacks.
In popular tech culture, many people say that Linux is immune to most types of malware and attacks. But Mr. Evans has shown that this isn’t true. His exploits don’t work on most Linux servers, but personal desktop versions are another story. In a statement to Ars Technica, he said:
“I like to prove that vulnerabilities are not just theoretical—that they are actually exploitable to cause real problems. Unfortunately, there’s still the occasional vulnerability disclosure that is met with skepticism about exploitability. I’m helping to stamp that out.”
Mr. Evans’s zero-days exploit a memory corruption vulnerability related to GStreamer. GStreamer is a media framework that many Linux distros include by default. The new exploit takes advantage of a flaw in the software library Game Music Emu, as well as libgme. Both of these emulate music from game consoles.
He encoded the two audio files in the SPC music format used by the Super Nintendo Entertainment System. They trigger a heap overflow bug in the code that emulates the SNES's Sony SPC700 processor. Renaming the .spc extension to .flac and .mp3 is enough for GStreamer and Game Music Emu to open them automatically, because the framework selects a parser based on the file's content rather than its name.
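As an added defender-side illustration (not code from the article or from Mr. Evans), the following Python checks whether a file's leading bytes agree with its extension, which is the mismatch the renamed SPC files rely on; the header values are assumptions taken from the public format descriptions, and the sample input is constructed.

```python
"""Flag media files whose leading bytes do not match their extension."""
import os

# Assumed header bytes for the formats the article discusses (from the
# public format descriptions, not from the article itself).
SPC_MAGIC = b"SNES-SPC700 Sound File Data"
FLAC_MAGIC = b"fLaC"
ID3_MAGIC = b"ID3"


def sniff(header: bytes) -> str:
    """Return a coarse content type from the first bytes of a file."""
    if header.startswith(SPC_MAGIC):
        return "spc"
    if header.startswith(FLAC_MAGIC):
        return "flac"
    if header.startswith(ID3_MAGIC):
        return "mp3"
    # A raw MPEG audio frame starts with an 11-bit sync word (0xFFE).
    if len(header) >= 2 and header[0] == 0xFF and (header[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def check_file(name: str, data: bytes) -> dict:
    """Compare the sniffed content type with the claimed extension."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    kind = sniff(data[:64])
    # Only report a mismatch when the content is positively identified.
    return {"name": name, "extension": ext, "content": kind,
            "mismatch": kind != "unknown" and kind != ext}


def scan_directory(path: str) -> list:
    """Return check results for every regular file directly under path."""
    results = []
    for entry in os.scandir(path):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                results.append(check_file(entry.name, fh.read(64)))
    return results


if __name__ == "__main__":
    # Constructed sample: an SPC header inside a file named as FLAC.
    fake_flac = b"SNES-SPC700 Sound File Data v0.30\x1a\x1a"
    print(check_file("song.flac", fake_flac))
```

A media indexer or thumbnailer that refuses files whose sniffed type disagrees with the extension would not have been opened by this particular trick, although it is no substitute for sandboxing the parser.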
The FLAC exploit works when a person using Fedora 25 opens a booby-trapped web page. It only takes a click; in the demonstration the file opens the system calculator, but it can load any code that Evans, or an attacker, wants. The code runs with whatever system privileges the user has.
In Linux, ordinary users have limited system privileges, but those privileges are still powerful. For example, the exploit can read and steal personal data such as documents, photos, email and chat history.
It can also steal browser cookies and sessions for Gmail, Facebook, Twitter and other sites. The exploit can even persist across reboots, although not as stealthily as a root exploit. And it could be combined with a root exploit to attain full system rights. Watch the video below:
The MP3 exploit works when a user views a folder that contains the music file, or clicks on it. An attacker can modify it to run any code, like the FLAC exploit. A video exists showing how it works on Ubuntu 16.04 LTS. It works equally well on Fedora and possibly other Linux distros too.
On almost all operating systems, parsing media files is complicated, which makes them ripe for exploits. This is why many media players put untrusted content from the internet inside sandboxes for greater security. But this isn’t what Mr. Evans found.
He discovered that Game Music Emu, GStreamer, the GNOME desktop video player, the video thumbnailer, and the media indexing software that Fedora and Ubuntu use don’t sandbox audio files. Mr. Evans continues:
“You could argue that it’s the responsibility of these applications to implement sandboxing themselves. Or you could argue that since media file parsing is known to be dangerous, that the GStreamer library should provide an API that…provides sandboxed media parsing…”
Remember when we mentioned that these exploits make use of Chrome too? Chrome does sandbox its built-in media players, but apparently, this doesn’t make a difference in these cases.
Luckily, Mr. Evans is a good (whitehat) researcher and proposed a patch that fixes the vulnerabilities. A snippet of the code is below:
There doesn’t seem to be much that users of these Linux distributions can do. You can wait for Fedora and Ubuntu to release an official patch, or you can use a browser other than Google Chrome in the meantime.