The modern Linux desktop is frighteningly vulnerable
Update Dec 20, 2011
This post and accompanying video were made at a time when I was hearing a lot of folks talking about Linux on the desktop, particularly Ubuntu, as if it were a panacea for all Windows woes, specifically security. For years I’ve been a huge Linux fan, and specifically an Ubuntu fan (at least until Unity…). But I began to see, and read, that the desktop stack added lots of potential holes and problems, just like all other desktop systems.
This post was merely an attempt to point out that we as a community need to be aware that we are not invulnerable. It’s not even a criticism of Linux/Gnome/etc. It’s just a call to think. The specific example I used here (.desktop files) was not at all the point. Neither was the “malware” I wrote meant to be an excellent example of a virus. These were simple (though admittedly destructive) demonstrations meant to prove that concerns about Linux desktop security were not purely theoretical.
Incidentally, people much more knowledgeable than I posted about the .desktop issue as well. Ubuntu (or Gnome, not sure which) eventually took notice and fixed this particular problem by only executing white-listed .desktop files.
On to the original post
Despite the sensational title, I promise you there is nothing new in this post. Every exploit I mention is well-documented and supposedly considered “expected behavior” by the Gnome and KDE development communities. I must credit many of the ideas I have implemented to a certain article by foobar at geekzone.co.nz. Other ideas I mention, such as harvesting data from browser caches, are not Linux-specific and should be well-known. However, I have included them to reinforce the real-world impact of these Linux vectors.
With major personal computer manufacturers selling machines running GNU/Linux desktops, and the French police force converting to Ubuntu, the geek threshold for the Linux OS is dropping, and security is becoming a larger concern. Or it should be. The days when we can assume a Linux user will know not to open unexpected email attachments or run “sudo rm -rf /*” may be ending. While many contend Linux is one of the more secure OSes, remember that technically Linux is just a kernel, and that the core GNU/Linux OS lies several layers beneath the desktop environment we commonly refer to as “Linux.”
While this core, with sane firewall policies and other access restrictions, may be very secure (I do not claim to know, and it is not the point here), a system is only as secure as its weakest element. The Linux desktop is a multilayered beast. Do we know exactly what we’re stacking on it? Do we know what holes we’re introducing?
Yes, since it’s open-source we can examine the code for ourselves. But Grandma-who-just-bought-a-Dell-with-Ubuntu-because-her-grandson-told-her-to probably isn’t going to grab a checkout from GitHub and start patching. “Well maybe Grandma shouldn’t be using Linux,” say the kernel hackers. “Well kernel hackers,” rebuts Grandma, “maybe you shouldn’t have made a GUI that any joker can use!” If we want Linux adoption to grow in the general populace, then we have to acknowledge the weakest layer of all: the user. If the user is opening email attachments from the King of Nigeria, then Linux is in the exact same vulnerable position as Windows.
There are many vectors through which malware can be delivered to a user. Email is certainly among the most prominent for Windows. And Linux is no different. “But your email client won’t save your attachments as executable files!” Probably true. “And Linux won’t run non-executable files!” True in theory, naive in the real world. Remember the layers? While the core GNU/Linux OS may not run non-executable files, popular desktop environments like KDE and Gnome allow a way around this: the .desktop file.
.desktop files allow the system to represent an arbitrary command as an icon with a name, description, a menu to appear in, associated mime types, etc. Here is an example .desktop file for the popular VLC media player:
    [Desktop Entry]
    Version=1.0
    Name=VLC media player
    Comment=Read, capture, broadcast your multimedia streams
    Exec=vlc %f
    Icon=vlc
    Type=Application
    Categories=AudioVideo;Player;
Regardless of the file’s execution permissions, the system will read it and run the command assigned to “Exec.” As you can imagine, it is trivial to place a malicious command in an otherwise innocuous .desktop file. Since most desktop environments trim the .desktop extension when displaying the file name, the malicious file “funny_video.ogg.desktop” would appear as “funny_video.ogg,” completing the facade. The user might think he is opening an Open Document file, a video, or a common application. Instead he may be deleting his home directory or installing a malicious program.
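A defender-side check for the disguise described above, as an added example that is not part of the original post: it walks a directory, flags .desktop files whose displayed name ends in a data-file extension or that lack the execute bit, and reports the Exec line a double-click would have run. The extension list, the function names and the two sample files (built in a temporary directory, with a harmless Exec) are assumptions constructed for illustration.

```python
from pathlib import Path
import stat
import tempfile

# Assumption: extensions a user would take for a document or media file.
DECOY_EXTS = {".ogg", ".mp3", ".mp4", ".avi", ".pdf", ".odt", ".jpg", ".png", ".txt"}

def parse_desktop_entry(text):
    """Return the key/value pairs of the [Desktop Entry] group only."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
        elif in_group and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry

def audit_launcher(path):
    """Return the reasons this .desktop file deserves a closer look (empty if none)."""
    findings = []
    shown = Path(path.stem)  # the name left once the .desktop suffix is trimmed
    if shown.suffix.lower() in DECOY_EXTS:
        findings.append(f"displayed as '{shown}', which looks like a data file")
    if not path.stat().st_mode & stat.S_IXUSR:
        findings.append("execute bit is not set")
    if findings:  # show the reviewer what a double-click would have run
        entry = parse_desktop_entry(path.read_text(encoding="utf-8", errors="replace"))
        findings.append("Exec=" + entry.get("Exec", "<missing>"))
    return findings

def scan(directory):
    """Map each flagged .desktop file under directory to its findings."""
    audited = {p: audit_launcher(p) for p in sorted(Path(directory).rglob("*.desktop"))}
    return {p: f for p, f in audited.items() if f}

def demo():
    """Constructed sample: a VLC launcher and a disguised file with a harmless Exec."""
    tmp = Path(tempfile.mkdtemp())
    samples = {"vlc.desktop": ("vlc %f", 0o755),
               "funny_video.ogg.desktop": ("echo placeholder", 0o644)}
    for name, (command, mode) in samples.items():
        (tmp / name).write_text(f"[Desktop Entry]\nType=Application\nExec={command}\n")
        (tmp / name).chmod(mode)
    return scan(tmp)
```

Pointing `scan()` at a downloads or mail-attachment directory lists every launcher that would have passed for a data file on the desktops described here.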
In the following video, I demonstrate this vector of attack, inspired by foobar’s above-mentioned post. I first run a malicious .desktop file which installs malware to my user account. It will steal my name, address, social security number, credit card number, birthday, bank-routing and checking-account numbers. This is the goal of today’s economically-driven malware market – not messing with your system files. But just for fun, the malware will reconfigure my environment to trick me into giving it root access, which it will use to wipe my entire hard drive. Nothing in this video is staged. It’s real malicious code behaving just like it would on a real, infected system.
Today, erasing hard drives is often a waste of a compromised system. A better use would be to install rootkits and turn the machine into a botnet drone. Since I have no evil intent, my malware didn’t do anything that insidious. I programmed it only far enough to demonstrate that today’s Linux desktops are secure only until enough people realize that they aren’t. The unsinkable ship is headed for the iceberg. Lower the lifeboats. Women and children first. Trust no one. File a complaint or brilliant solution with your local Gnome and KDE representatives. Listservs are standing by.