Results 1 to 10 of 50

Thread: What is the worst a browser exploit could do in Ubuntu?

Hybrid View

  1. #1
    Join Date
    Mar 2012
    Beans
    143

    What is the worst a browser exploit could do in Ubuntu?

    Out of curiosity, let's say I visited a site that was designed to exploit Chrome. What is the worst it could do? Install a keylogger for example?

    Or would it basically be browser only?

  2. #2
    Join Date
    Oct 2005
    Location
    Al Ain
    Beans
    8,370

    Re: What is the worst a browser exploit could do in Ubuntu?

    Theoretically, it can do anything that the logged in user can do.

    In practise, I haven't ever seen a successful browser exploit on Linux.

    However, I have had to clean a number of mismanaged Linux servers that were infested with spam sending engines. In all cases it was due to some asshats who thought that a four character root password was really super cool...

  3. #3
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: What is the worst a browser exploit could do in Ubuntu?

    The worst thing an exploit can do is cause the execution of commands you didn't intend to execute. But I wouldn't think it would lead to installation of a keylogger, because at that point the exploit developer could do basically anything, so there'd be no need for one.

    But as people are fond of saying, that usually doesn't happen. The economics of exploit development for criminal activity are such that it makes the most sense to go from exploit to malware installation, which is going to target Windows systems for the most part. It's not that it can't be done on Linux desktops, just that there's not much economic advantage or incentive in it.

    Most of the time the worst result will be that the application crashes.

  4. #4
    Join Date
    Mar 2011
    Beans
    680

    Re: What is the worst a browser exploit could do in Ubuntu?

    Chrome's a poor example, you can do very little with a compromised Chrome due to its sandbox. An attacker who exploits Chrome is very limited.

    If we talk about Firefox then it can do anything that the logged in user can do. It can keylog, write files to anywhere that your Firefox process can write them, read any files it can read, etc. Your attacker essentially "controls" Firefox's processes and it inherits those abilities.
    sig

  5. #5
    Join Date
    Nov 2012
    Beans
    27

    Re: What is the worst a browser exploit could do in Ubuntu?

    This scenario is hard to answer since it relies on so many different variables to give an answer in-depth. However, let us assume this is a default installation of Ubuntu being exploited.

    Scenario: You're surfing the Internet with your favorite browser and you stumble upon a malicious website that is compromising browsers with a shiny new zero-day.

    Cause: Assume the exploit has set the payload to download, compile and execute a bindshell. Now the bindshell is running with whatever account privileges the browser had when exploited. The attacker can now connect to you and further compromise your machine by escalating his/her privileges using whatever exploits he/she has access to.

    Prevention: Using secure App Armor profiles (not the default ones) to mitigate the damage compromised software can do would have likely prevented this from happening.

    If you get creative, there is so much someone could do given your criteria. However, my given scenario would be the most common and most dangerous of them.

    Even if IPTables were set up to disallow all incoming connections except for related/established ones, you would still be vulnerable, because it would be trivial to modify the aforementioned program to connect to the attacker instead of waiting for a remote connection (a reverse shell). Therefore, you are literally establishing the connection to the attacker, and once he/she has completely compromised the machine by escalating his/her privileges, there is no limit to what they could do.
    Last edited by KaosuX; November 4th, 2012 at 12:41 AM.

  6. #6
    Join Date
    Jun 2012
    Beans
    301

    Re: What is the worst a browser exploit could do in Ubuntu?

    Quote Originally Posted by KaosuX View Post
    {snip}
    Prevention: Using secure App Armor profiles (not the default ones) to mitigate the damage compromised software can do would have likely prevented this from happening.
    {snip /}
    Have you had a chance to review the Firefox profile provided by Jamie Strandboge of Canonical ?

    it came with my system in a disabled condition; I enabled it and tested it in complain mode; I have it running in fail mode now.

  7. #7
    Join Date
    Jan 2012
    Beans
    753

    Re: What is the worst a browser exploit could do in Ubuntu?

    Quote Originally Posted by Hungry Man View Post
    If we talk about Firefox then it can do anything that the logged in user can do. It can keylog, write files to anywhere that your Firefox process can write them, read any files it can read, etc. Your attacker essentially "controls" Firefox's processes and it inherits those abilities.
    Actually, that's not completely true. AFAIK, a keylogger must be run as root to work globally. A compromised Firefox could log keys you input to Firefox, but no where else.

    Quote Originally Posted by movieman View Post
    The worst thing a browser exploit can do is install an addon which captures all your banking passwords and sends it to some guy in Russia who steals all your money and uses it to retire to Hawaii. That solely needs access to your account as your user ID.
    This is what I'd be worried about because it's independent of operating system. Malicious addons and extensions can do a lot of harm, even if they don't use any fancy 0-days or backdoors.

    To answer OP's question, the worst would be to compromise the browser, use a 0-day to get out of any sandboxes (if the browser uses one), use a 0-day to gain root privileges, install a rootkit, and then do whatever it wants. More realistically though, you have to look at what a potential hacker would actually want to do. And most in this case want to make money. Most hackers infect computers by using "exploit packs", which are programs that a very advanced hacker makes and updates, and sells to other hackers, who can use it to put various exploits on either their own website(s) or hacked website(s). They can cost thousands of dollars, but they update themselves to include new 0-days as old ones are patched, and often include several different types of exploits to raise the chance success (such as a Java exploit, a Flash exploit, an ActiveX exploit, etc). Anyone who visits a website with an exploit pack has a chance of getting compromised. To understand the risk, very cheap exploit packs have infection success rate in the single digits, whereas the most expensive (that cost tens of thousands of dollars or more) ones have success rates only around 20-30%, and that's with Windows/Macintosh. So if you do visit a compromised site, not only is it unlikely it'll have an up-to-date exploit for your browser version, but you're also using Linux so even if Chrome/Firefox could be compromised its unlikely do be able to do anything because the exploit was designed for Windows/Mac.

    Even if your computer was compromised and made part of, say, a botnet, even then there's no guarantee the effect will be horrible. Most botnets in fact are not designed to steal things like credit card or account info, but rather other activities such as Bitcoin mining (uses more electricity and may stress the computer but otherwise harmless), DDoSing (other than taking up internet bandwidth it's harmless to the bot), becoming a SOCKS proxy (may cause you to get caught for things you didn't do), hiding illegal data such as child pornography on your computer (this is probably the worst because "A virus did it" won't fly with the feds, but it is also the least likely scenario), etc.

    A well funded government or private organization could probably pull this off if they target specifically you, but a hacker who's only in it for the money is going to stick with Windows/Mac (and more and more recently smart-phone OSes like iOS and Android). It is far, far, far more likely someone is going to steal your computer or your wallet than use a browser exploit targeted to Linux to steal credit card information, etc from your computer.

    If you want to stay safe from browser exploits, I suggest you use either Firefox with NoScript (Firefox is the least secure but only it has NoScript which is a huge plus), or Chromium with all scripting disabled (Chromium has the best built-in security, but its extensions API makes it hard to port NoScript to it, and ScriptNo and NotScript all suck), and a secure AppArmor profile for either. Also exercise common sense. If you download everything you see and go to obscure Russian warez and porn sites, don't expect to stay safe with only technical barriers in place. If you are wise in your browsing habits, and also use secure applications, etc you'll be very secure.

  8. #8
    Join Date
    Mar 2011
    Beans
    680

    Re: What is the worst a browser exploit could do in Ubuntu?

    It doesn't need root. Any process with X access can log keys.
    sig

  9. #9
    Join Date
    Feb 2008
    Beans
    606
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: What is the worst a browser exploit could do in Ubuntu?

    Quote Originally Posted by OpSecShellshock View Post
    The worst thing an exploit can do is cause the execution of commands you didn't intend to execute.
    The worst thing a browser exploit can do is install an addon which captures all your banking passwords and sends it to some guy in Russia who steals all your money and uses it to retire to Hawaii. That solely needs access to your account as your user ID.

    I'm far more concerned about that scenario than someone using a second exploit to install a rootkit so they can use my Ubuntu box as a spam server. That's why I only log into my bank from a separate Linux box which isn't used for anything other than work and banking.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •