Originally Posted by
Hungry Man
All threats are theoretical until they're not. Maybe this will never be exploited and maybe it will be. If I were to bet, I'd bet that it never gets exploited. But setting up an apparmor profile takes all of 5 minutes... so I don't see any issue with a user doing so.
I'm not sure how media programs work. ASLR and DEP don't apply to all programs. EX: Java with a JIT compiler by necessity creates executable code, which means that it's vulnerable to a whole set of other attacks and needs to make use of a whole set of other mitigations. Worth noting since, again, I have close to no idea how the music program works.
You don't. If my malicious payload is a music file I never execute that file. The user simply double clicks it and what executes is the program (totem? I'll call it totem.) So I, the hacker, get you to download the music file (or I use an exploit in your browser or plugin to drop it, whatever) and then you the user open the file. The file doesn't need exec permissions. I can open a text file without executing it, right? What executes is "notepad.exe" or gedit or whatever and it's notepad.exe that I'm exploiting.
At no point is the media player "executing" the file. Even if the file were marked executable it wouldn't matter, there's no code in there. There's no script saying "do X if Y" - it's simply data. Or rather, there's virtually no code. I'll have "datadatadatadata*endofbuffer*code" in my media file. So, it would be like a song with code attached at the end... sorta.
So (in one scenario, the second listed) the music player loads up the media file (in the other it would copy or read data from the file, any data will do such as the artist title etc.) The file is too large and overruns the buffer. What's left is a hanging piece of code (that I'd appended) now in the address space. Without DEP I'm able to do whatever I want with this code, I can execute it right then and there. With DEP I have to jump through a hurdle (not a hard one.)
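The "file too large, overruns the buffer" step described in the post, as an added example that is not from the original thread or from any real media player. It uses a constructed toy tag format (4-byte magic, a 1-byte declared title length, then the title bytes) that is an assumption for illustration, not totem's or any real container format. The unchecked parser trusts the length byte from the file, so the bytes the attacker appended after the title land in whatever sits next to the buffer in memory (here a plain integer field standing in for a saved pointer or return address); the checked parser refuses any length that does not fit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy layout of a "tag" chunk in a media file (not a real format):
 *   bytes 0..3  magic "TAG0"
 *   byte  4     declared length of the title field (attacker controlled)
 *   bytes 5..   title bytes                        (attacker controlled)
 */
#define TAG_MAGIC "TAG0"
#define TAG_HEADER_LEN 5
#define TITLE_MAX 16

struct track_info {
    char     title[TITLE_MAX];  /* fixed-size copy of the tag's title            */
    uint32_t next_handler;      /* stands in for whatever lives past the buffer  */
};

/* Vulnerable: bounds-checks against the file, but never against title[].
 * Returns 0 on success, -1 if the file is malformed. */
static int parse_tag_unchecked(const uint8_t *file, size_t file_len,
                               struct track_info *out) {
    if (file_len < TAG_HEADER_LEN || memcmp(file, TAG_MAGIC, 4) != 0) return -1;
    size_t declared = file[4];
    if (TAG_HEADER_LEN + declared > file_len) return -1;  /* inside the file... */
    memcpy(out->title, file + TAG_HEADER_LEN, declared);  /* ...not inside title[] */
    return 0;
}

/* Fixed: the length from the file must also fit the destination buffer. */
static int parse_tag_checked(const uint8_t *file, size_t file_len,
                             struct track_info *out) {
    if (file_len < TAG_HEADER_LEN || memcmp(file, TAG_MAGIC, 4) != 0) return -1;
    size_t declared = file[4];
    if (TAG_HEADER_LEN + declared > file_len) return -1;
    if (declared >= TITLE_MAX) return -1;   /* reject (or truncate); never trust it */
    memcpy(out->title, file + TAG_HEADER_LEN, declared);
    out->title[declared] = '\0';
    return 0;
}

/* Constructed malicious input: a title exactly 4 bytes longer than title[],
 * so the tail lands in next_handler. A longer one would run past the whole
 * struct; it is kept small here so the demonstration stays deterministic.
 * Returns the number of bytes written to buf, or 0 if buf is too small. */
static size_t build_evil_tag(uint8_t *buf, size_t cap) {
    const size_t title_len = TITLE_MAX + sizeof(uint32_t);
    if (cap < TAG_HEADER_LEN + title_len) return 0;
    memcpy(buf, TAG_MAGIC, 4);
    buf[4] = (uint8_t)title_len;
    memset(buf + TAG_HEADER_LEN, 'A', TITLE_MAX);                  /* "datadata..." */
    memset(buf + TAG_HEADER_LEN + TITLE_MAX, 0x42, sizeof(uint32_t)); /* past *endofbuffer* */
    return TAG_HEADER_LEN + title_len;
}

/* What next_handler holds after the unchecked parser ran on the evil tag. */
static uint32_t handler_after_unchecked_parse(void) {
    uint8_t file[64];
    size_t n = build_evil_tag(file, sizeof file);
    struct track_info info = { .title = "", .next_handler = 1 };
    parse_tag_unchecked(file, n, &info);
    return info.next_handler;   /* 0x42424242: the attacker's bytes, not ours */
}

/* 1 if the checked parser rejected the evil tag and left next_handler alone. */
static int checked_parse_rejects(void) {
    uint8_t file[64];
    size_t n = build_evil_tag(file, sizeof file);
    struct track_info info = { .title = "", .next_handler = 1 };
    int rc = parse_tag_checked(file, n, &info);
    return rc == -1 && info.next_handler == 1;
}

int main(void) {
    printf("unchecked parser: next_handler = 0x%08x\n", handler_after_unchecked_parse());
    printf("checked parser rejected and left field intact: %s\n",
           checked_parse_rejects() ? "yes" : "no");
    return 0;
}
```

The file never gets executed; the player's own `memcpy` does the damage because the only size it trusted came from the file. With DEP the bytes in `next_handler` (or a real saved return address) cannot simply be jumped to as code, which is the extra hurdle the post mentions; without it, pointing execution at the appended bytes is enough.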