Exploiting the Stupid Blogger Bug

Currently a story about a possible Linux DoS scenario is making the rounds.

Some self-anointed security bloggers are snapping it up and are making link-baiting ado about it with headlines like "Dangerous 0DAY Denial-of-Service Attack Against Apt".

The whole truth is, of course, a lot less alarming.

Some Background

Debian and its derivative distros use a package management system called dpkg, which is in turn driven through a collection of front-end tools known collectively as apt.

Some enterprising folks coded up utilities that let a browser pass URLs using the apt:// scheme to an external handler. Those utilities are apturl or aptlinex, depending on which distro you run. The procedure required to get the whole shebang working is enough to scare off any casual user.

In addition to installing said utilities, which is the easy part thanks to apt-get, the user also has to add two string values and two boolean values to about:config, the rather daunting configuration database of Firefox.

Next the user has to click on a link using the apt scheme and tell the browser that he/she always wants such links passed to the protocol-handling utility.

Since installing packages with apt requires root privileges, obtained via sudo, the user also has to confirm a gksudo dialogue every time he/she clicks on such a link.
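Whether a given Firefox profile has actually been through the about:config steps above is easy to check from the outside, because the 2011-era prefs live as plain `user_pref(...)` lines in the profile's prefs.js (or user.js). The script below is an added example and not code from the post or from apturl/aptlinex: it parses such a file and reports which apt schemes are both allowed to leave the browser (`network.protocol-handler.external.<scheme>`) and wired to an application (`network.protocol-handler.app.<scheme>`). The sample file contents are constructed here, and the assumption that the handlers register the `apt` and `apt+http` schemes, plus the default of Firefox warning before launching an external handler when `warn-external.<scheme>` is absent, are mine rather than the post's.

```python
import re

# Constructed sample of a Firefox prefs.js/user.js fragment, written for this
# example; it is not taken from the post. The scheme names apt and apt+http
# are an assumption about what apturl/aptlinex register.
SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.protocol-handler.app.apt", "/usr/bin/apturl");
user_pref("network.protocol-handler.app.apt+http", "/usr/bin/apturl");
user_pref("network.protocol-handler.external.apt", true);
user_pref("network.protocol-handler.external.apt+http", true);
user_pref("network.protocol-handler.warn-external.apt", false);
'''

# One user_pref("name", value); statement per line.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse user_pref lines into a dict. Booleans and integers are
    converted; quoted strings are unquoted; anything else is kept raw."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs


def apt_handler_status(prefs, schemes=("apt", "apt+http")):
    """Return {scheme: {"app": path, "warns": bool}} for every scheme that
    is both allowed to leave the browser (external.<scheme> == true) and
    has an application wired to it (app.<scheme> set). "warns" reflects
    warn-external.<scheme>; when that pref is absent we assume Firefox's
    default of prompting before the handler is launched."""
    status = {}
    for scheme in schemes:
        external = prefs.get("network.protocol-handler.external." + scheme) is True
        app = prefs.get("network.protocol-handler.app." + scheme)
        if external and app:
            warns = prefs.get("network.protocol-handler.warn-external." + scheme, True)
            status[scheme] = {"app": app, "warns": warns is not False}
    return status


def exposed_to_apt_links(text):
    """True if this profile hands apt links to an external handler at all."""
    return bool(apt_handler_status(parse_prefs(text)))


if __name__ == "__main__":
    for scheme, info in apt_handler_status(parse_prefs(SAMPLE_PREFS)).items():
        print(f"{scheme}: handled by {info['app']}, prompt before launch: {info['warns']}")
```

Point it at `~/.mozilla/firefox/<profile>/prefs.js` to audit a real profile; a profile that has never been through the setup above returns an empty dict, which is the state a default Debian install is in. Note that newer Firefox releases record the "always open with" choice in handlers.json instead, so this check only covers the about:config route the post describes.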

I sincerely doubt that there are many users who would want to go through all the above in a world where installation of any piece of software is only as far away as sudo apt-get install package-name.

Go ahead and google for any apt://package-name URLs. Not a lot around, if any. (Ahem, I was slightly wrong. See update at end of post.)

So, what’s the danger?

Well, we all know that the universe is pretty good at breeding advanced persistent dummies who just can’t resist peeing on the electric fence.

These are the people who will have their browsers configured to handle the apt protocol and who will click on anything promising them a "great app or tool".

So yes, there is danger.

With an apt link that contains a sufficiently long string (approx. 10k characters) you can crash the X server (Xorg). But this only works if, and ONLY if, the target's compositing manager happens to be compiz.

Crashing a piece of vital infrastructure like Xorg, which runs with root privileges, is at the very least a local denial of service, and a crash triggered by attacker-controlled input can be the first sign of a memory-safety bug that would open a route to a real and serious exploit.

Alas, as mentioned above, none of this is possible on a sanely configured install of any Debian derivative, and plain vanilla Debian is configured sanely by default.
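The other half of the fix belongs in the handler itself: nothing from a web page should reach gksudo, the X server or compiz until it has been checked against what a package name can legitimately look like. The following is an added example, not the code of apturl or aptlinex, of the validation a handler should do first. It accepts the `apt:pkg` and `apt://pkg` forms, a comma-separated package list and an optional `?query` part (the list and query forms are my assumptions about the link syntax), caps the link length far below the ~10k characters the post describes, and checks each name against the Debian policy rules for package names (lower-case letters, digits, `+`, `-`, `.`, at least two characters, starting with an alphanumeric). The sample links in the `__main__` block are constructed.

```python
import re

# Hard ceiling well below the ~10k-character links the post says will bring
# down Xorg under compiz; a real package name never gets anywhere near it.
MAX_URL_LEN = 256

# Debian policy package names: lower-case letters, digits, '+', '-', '.',
# at least two characters, starting with an alphanumeric.
PACKAGE_RE = re.compile(r'^[a-z0-9][a-z0-9+.-]+$')


class BadAptUrl(ValueError):
    """Raised for anything the handler should refuse to act on."""


def parse_apt_url(url):
    """Return the list of package names an apt link asks for.

    Accepts apt:pkg, apt://pkg and apt:pkg1,pkg2, optionally followed by
    a ?query part (the comma list and the query form are assumptions for
    this example, not taken from apturl/aptlinex). Everything is validated
    before anything could be handed on to gksudo."""
    if len(url) > MAX_URL_LEN:
        raise BadAptUrl("link too long (%d chars)" % len(url))
    if not url.startswith("apt:"):
        raise BadAptUrl("not an apt: link")
    rest = url[len("apt:"):]
    if rest.startswith("//"):
        rest = rest[2:]
    rest, _, _query = rest.partition("?")
    if not rest:
        raise BadAptUrl("no package named")
    packages = rest.split(",")
    for name in packages:
        if not PACKAGE_RE.match(name):
            raise BadAptUrl("invalid package name: %r" % name[:40])
    return packages


def is_safe_apt_url(url):
    """True only if parse_apt_url would accept the link."""
    try:
        parse_apt_url(url)
        return True
    except BadAptUrl:
        return False


if __name__ == "__main__":
    # Constructed sample links; the last one mimics the overlong string from the post.
    for link in ["apt://gimp", "apt:gimp,inkscape?section=graphics",
                 "apt://../../etc/passwd", "apt://" + "A" * 10000]:
        verdict = "accept" if is_safe_apt_url(link) else "reject"
        print(f"{link[:40]!r:45} -> {verdict}")
```

The length check runs before anything else, so the overlong link is rejected without ever being parsed, let alone displayed in a dialogue; the name check then throws out path traversal attempts, shell metacharacters and anything else apt would never accept as a package name anyway.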

Update 2011-05-20: I just looked at a very popular blog for Ubuntu users. Full of apt:// links and no mention of a possible DoS. I guess that’s why they are called Ubuntards.


About dozykraut

Proud member of Hillbilly's on Linux, promoting open source redneckism in remote parts of the Milky Way.
This entry was posted in Linux.
