If you’re a Linux administrator, then you’re likely aware that even being fully up to date on all of the patches for your Linux distribution of choice is no guarantee that you’re free from vulnerabilities. Linux is made up of numerous components, any of which can open up an installation to one exploit or another.
Such is the case with an exploit that was recently released by security researcher Chis Evans. Although the exploit is quite well-written and uses some unusual methods to exploit a memory corruption vulnerability in GStreamer, it is of primarily academic interest, Ars Technica reports.
The exploit attacks two security protections built into Linux, address space layout randomization (ASLR) and data execution protection (DEP). DEP is meant to block an exploit’s ability to load into memory and is otherwise known as NX or No-Execute, while ASLR is meant to randomize where code loads into memory and thus limit then exploit’s impact on a system to a crash rather than compromise.
The exploit, which is written specifically for Linux distribution Fedora, does not use actual code to exploit the Gstreamer framework. Rather, it bypasses the protections with carefully written code that is arranged in such a way as to essentially disable ASLR and DEP. As Evans said about his code in a blog post, “This was a fairly ridiculous exploit. But it was worth doing because it’s proof that scriptless exploits are possible, even within the context of decent 64-bit ASLR. It was possible to commandeer memory reads, writes and even additions within the decoder loop to slowly but surely advance the exploit and gain control.”
The following screenshot demonstrates how Fedora can be commandeered using the exploit:
Evans released his code as a FLAC media file supported by Fedora version 24, and exploits the GStreamer vulnerability and also attacks Rhythmbox and Totem media players. Because it’s written specifically for Fedora and would specifically only threaten the relatively small number of Linux users who play media on the platform, it doesn’t pose a threat to any other Linux distributions or to the community at large.
Researchers create these kinds exploits to help move the state of Linux security forward. By demonstrating how an exploit can be written to work around just about any vulnerability, exploits like this one highlight the need for Linux vendors to actively improve Linux security rather than merely reacting to threats as they arise.