Researcher writes codeless exploit that bypasses Linux security measures

best linux distros
Spectral-Design/Shutterstock
If you’re a Linux administrator, then you’re likely aware that even being fully up to date on all of the patches for your Linux distribution of choice is no guarantee that you’re free from vulnerabilities. Linux is made up of numerous components, any of which can open up an installation to one exploit or another.

Such is the case with an exploit that was recently released by security researcher Chis Evans. Although the exploit is quite well-written and uses some unusual methods to exploit a memory corruption vulnerability in GStreamer, it is of primarily academic interest, Ars Technica reports.

The exploit attacks two security protections built into Linux, address space layout randomization (ASLR) and data execution protection (DEP). DEP is meant to block an exploit’s ability to load into memory and is otherwise known as NX or No-Execute, while ASLR is meant to randomize where code loads into memory and thus limit then exploit’s impact on a system to a crash rather than compromise.

The exploit, which is written specifically for Linux distribution Fedora, does not use actual code to exploit the Gstreamer framework. Rather, it bypasses the protections with carefully written code that is arranged in such a way as to essentially disable ASLR and DEP. As Evans said about his code in a blog post, “This was a fairly ridiculous exploit. But it was worth doing because it’s proof that scriptless exploits are possible, even within the context of decent 64-bit ASLR. It was possible to commandeer memory reads, writes and even additions within the decoder loop to slowly but surely advance the exploit and gain control.”

The following screenshot demonstrates how Fedora can be commandeered using the exploit:

chris-evans-linux-exploit
Chris Evans
Chris Evans

Evans released his code as a FLAC media file supported by Fedora version 24, and exploits the GStreamer vulnerability and also attacks Rhythmbox and Totem media players. Because it’s written specifically for Fedora and would specifically only threaten the relatively small number of Linux users who play media on the platform, it doesn’t pose a threat to any other Linux distributions or to the community at large.

Researchers create these kinds exploits to help move the state of Linux security forward. By demonstrating how an exploit can be written to work around just about any vulnerability, exploits like this one highlight the need for Linux vendors to actively improve Linux security rather than merely reacting to threats as they arise.

Mobile

Sonarax harnesses ultrasonic sound for improved security, indoor navigation

Navigating the mall, finding your car, and authenticating your identity for mobile payments can all be a pain, but that's not all they have in common -- they could also potentially be made much easier with high-frequency ultrasonic sound.
Movies & TV

The best shows on Netflix right now (June 2019)

Looking for a new show to binge? Lucky for you, we've curated a list of the best shows on Netflix, whether you're a fan of outlandish anime, dramatic period pieces, or shows that leave you questioning what lies beyond.
Small Business

The 15 best tech jobs boast top salaries, high satisfaction, lots of openings

May may be coming to an end, but the bonanza of tech jobs just keeps coming. High-paying jobs abound at companies where people love to work. If you’re ready to make a change, this is a great time to look for something more fulfilling…
Mobile

Protect your new smartphone with one of our favorite iPhone XR cases

Apple's new iPhone range was the toast of 2018, with beautiful style and more power than you can shake a stick at. But beauty can often be fragile -- keep the damage to a minimum with the best iPhone XR cases.
Deals

Amazon cuts prices on Microsoft Surface Pro 6 and Surface Go

The Microsoft Surface series is an excellent alternative to other tablets if you're a dedicated Windows user, and the superb Surface Pro 6 (our favorite 2-in-1) and its cheaper sibling, the Surface Go, are both on sale right now.
Deals

Amazon sale drops deals on Microsoft Surface laptops

Despite an increasingly crowded market, the sleek Microsoft Surface laptops have left their mark. Both the Microsoft Surface Laptop 2 and Surface Book 2 are discounted on Amazon right now, too, with deals that can save you up to $300.
Computing

AMD’s Ryzen one-two punch will end with a 64-core Threadripper in 2019

AMD's Threadripper may be set to deliver the killing blow to Intel in Q4 2019, with a rumor suggesting a new Zen 2-based Threadripper line is coming down the pipe with a top chip that has as many as 64 cores.
Computing

If you need your laptop to be large, these ones are most in charge

Whether you're in the market for a mobile workstation or a gaming behemoth, there's probably something in the 15-inch form factor that can fit the bill. Here, we've rounded up the best 15-inch laptops available.
Computing

Need more pixels? These 4K laptops have the eye-popping visuals you crave

If you're looking for the best 4K laptops, you need to find one that has powerful internal hardware, and doesn't scrimp on weight and battery life. All of these 4K notebooks are great options, but which one is the right one for you?
Photography

What’s the difference between Lightroom CC and Lightroom Classic?

Lightroom CC has evolved into a capable photo editor, but is it enough to supplant Lightroom Classic? We took each program for a test drive to compare the two versions and see which is faster, more powerful, and better organized.
Computing

HP's Spectre x360 is a better 2-in-1 than Microsoft's Surface Laptop 2 is a clamshell

The Microsoft Surface Laptop 2 is a refresh of Microsoft's clamshell option, an oddity given Microsoft's creation of the modern 2-in-1. The HP Spectre x360 13 is, therefore, an interesting comparison.
Deals

Amazon deal drops prices on Asus VivoBook laptops and 2-in-1s

Asus is one of the premier PC brands cranking out Windows ultrabooks today with its sleek VivoBook series, and these Amazon deals let you score one for $700 or less. Read on to find out what we love about these laptops and how you can save.
Deals

The best Amazon Prime Day 2019 deals: Leaked date and what you need to know

Amazon Prime Day 2019 is still a month away, but it's never too early to start preparing. We've been taking a look at the best discounts from previous Prime Days to give you our predictions of what to expect this year.
Computing

Air, Pro, or just a MacBook? Here's our guide to finding the right Apple laptop

Apple's lineup of MacBooks has started to swell, leaving fans a bit confused about which laptop they should buy. Depending on what you're looking for, we'll point you in the right direction.