Dan Walsh's Blog

Got SELinux?


Fedora 17 New Security Feature part VII - thumbnail protection.
danwalsh

John Leyden wrote an interesting article, Linux vulnerable to Windows-style autorun exploits, about how security researchers had discovered that Linux is potentially vulnerable to a user sticking a USB device or CD-ROM into a locked machine.  The basic idea was that "Nautilus" would execute thumbnailer code to display thumbnail icons in the file browser based on the content of the removable media, even if the machine was locked.  If the thumbnailer executables were vulnerable, a cracker could use the code that processes the thumbnail images to kill the screensaver/lock.

Never mind this; just plugging in a USB stick when you are logged in could allow a cracker to take over your machine.

At that time I wrote policy for all thumbnail drivers to be locked down with SELinux, but I only turned it on for confined users.
I and other users have been running this confinement throughout Fedora 16.

In Fedora 17 I have turned this on for the unconfined user. 

We are confining the following applications:

/usr/bin/evince-thumbnailer
/usr/bin/ffmpegthumbnailer
/usr/bin/gnome-exe-thumbnailer.sh
/usr/bin/gnome-nds-thumbnailer
/usr/bin/gnome-xcf-thumbnailer
/usr/bin/gsf-office-thumbnailer
/usr/bin/raw-thumbnailer
/usr/bin/shotwell-video-thumbnailer
/usr/bin/totem-video-thumbnailer
/usr/bin/whaaw-thumbnailer
/usr/lib(64)?/tumbler-1/tumblerd


I have seen these applications try to "execstack" when running the mplayer executable on thumbnails, which is kind of scary.

If you know of other thumbnail applications that get launched to generate thumbnails, please tell me.


Updated policy and the blog to add tumblerd support

Thanks for that, that is a needed feature, but I think the GNOME auto mounter must not mount devices if the session is locked. It should add a notification that the user could see when he unlocks the screensaver.

But confining those applications is good, because the attack could be done from a trusted device using a file someone sent to the user.

Updated again.

There are a few more thumbnailers in the repository. I don't know much about programming, so I'm not sure if they are vulnerable. Here are the packages (all in Fedora repos):

raw-thumbnailer - Thumbnailer for RAW images
gnome-exe-thumbnailer - Thumbnailer for Windows exe files
gnome-nds-thumbnailer - Thumbnailer for Nintendo DS ROMs
gnome-xcf-thumbnailer - Thumbnailer for GIMP xcf files

Thank you for all your work in making Fedora more secure!

Yes, although I am not sure all of the updates have made it to release yet.

Here is what I have:

ls -lZ /usr/bin/*thumb*
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/evince-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/ffmpegthumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/gnome-exe-thumbnailer.sh
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/gnome-nds-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/gnome-xcf-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/gsf-office-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/raw-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/shotwell-video-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/totem-video-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/whaaw-thumbnailer

rpm -q selinux-policy
selinux-policy-3.10.0-99.fc17.noarch
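The ls -lZ check in the reply above can be scripted. The following is an added example, not code from the post or from the selinux-policy package: it parses ls -lZ output, pulls the type out of each file's SELinux context and flags any thumbnailer not labelled thumb_exec_t. The sample lines are constructed, and /usr/local/bin/my-thumbnailer is a hypothetical locally installed thumbnailer that matched no file-context rule.

```shell
#!/bin/sh
# Added example (not from Dan Walsh's post or the Fedora policy sources).
# check_thumb_labels reads "ls -lZ" output on stdin and reports every
# executable whose SELinux type is not thumb_exec_t. That file label is
# what makes the file browser's exec of a thumbnailer transition into the
# confined thumb_t domain; a thumbnailer left as bin_t simply inherits the
# caller's (unconfined) domain and gains nothing from the policy.
# Exit status: 0 if every listed file carries thumb_exec_t, 1 otherwise.
check_thumb_labels() {
    awk '
    BEGIN { bad = 0 }
    {
        type = ""
        # Locate the context field (user:role:type[:level]) wherever the
        # ls layout puts it (Fedora 17 printed 5 columns, current ls more).
        for (i = 1; i < NF; i++)
            if ($i ~ /^[A-Za-z0-9_.-]+_u:[A-Za-z0-9_.-]+_r:[A-Za-z0-9_.-]+_t(:|$)/) {
                split($i, f, ":"); type = f[3]
            }
        if (type == "") next                  # not an ls -Z line, skip it
        if (type != "thumb_exec_t") {
            printf "UNCONFINED %s (%s)\n", $NF, type
            bad = 1
        }
    }
    END { exit bad }'
}

# Constructed sample in the Fedora 17 "ls -lZ" layout shown in the post,
# plus a hypothetical locally installed thumbnailer labelled bin_t.
SAMPLE_F17='-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/evince-thumbnailer
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /usr/bin/totem-video-thumbnailer
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/local/bin/my-thumbnailer'

# Constructed sample in the wider layout of a current coreutils "ls -lZ".
SAMPLE_NEW='-rwxr-xr-x. 1 root root system_u:object_r:thumb_exec_t:s0 48152 Jan 10 2012 /usr/bin/gnome-xcf-thumbnailer'

# Use on a live Fedora system (same glob as in the post):
#   ls -lZ /usr/bin/*thumb* | check_thumb_labels
```

A non-zero exit with an UNCONFINED line means the binary will run in the caller's domain when the file manager invokes it, which is the situation the Fedora 17 policy change was meant to close.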
