Just last week I was talking with a co-worker about the possibility of USB attacks on his Ubuntu laptop. Using USB drives on Linux used to involve knowing mount commands. Now it’s plug and play. In the Infosec world, everything old is new again, so wondered whether some old Windows vulnerabilities would resurface now that there is more usability in his Ubuntu.
This morning I watched Jon Larimer give a presentation at Shmoocon on USB autorun attacks against Ubuntu 10.10. I watched via the live stream. The talk will eventually be archived online. News of such would probably be posted at www.shmoocon.org/news.
By default, you should be prompted if a script attempts to autorun when you insert a USB drive in Linux. So you’re left looking at what other code is executed when a USB drive attaches. The USB driver, file system drivers and file system previews are the main areas targeted for exploitation.
Gnome Nautilus is the file brower used by ubuntu. It will automount known file systems and create thumbnail images even when the screensaver is enabled and locked. Over the years there have been many image exploitations.
While apparmor and ASLR can make exploitation difficult, Larimer was able to generate an exploit that bypassed the screensaver lock allowing access to the system.
Protection against these types of attacks are similar to Windows.
1. layer 8 protection. Not picking up usb sticks in parking lots and putting them in your computer
2. Staying current on patches.
3. checking your config settings for autorun