Page 2 of 5 FirstFirst 1234 ... LastLast
Results 11 to 20 of 50

Thread: What is the worst a browser exploit could do in Ubuntu?

  1. #11
    Join Date
    Jan 2012
    Beans
    753

    Re: What is the worst a browser exploit could do in Ubuntu?

    Quote Originally Posted by Hungry Man View Post
    If we talk about Firefox then it can do anything that the logged in user can do. It can keylog, write files to anywhere that your Firefox process can write them, read any files it can read, etc. Your attacker essentially "controls" Firefox's processes and it inherits those abilities.
    Actually, that's not completely true. AFAIK, a keylogger must be run as root to work globally. A compromised Firefox could log keys you input to Firefox, but no where else.

    Quote Originally Posted by movieman View Post
    The worst thing a browser exploit can do is install an addon which captures all your banking passwords and sends it to some guy in Russia who steals all your money and uses it to retire to Hawaii. That solely needs access to your account as your user ID.
    This is what I'd be worried about because it's independent of operating system. Malicious addons and extensions can do a lot of harm, even if they don't use any fancy 0-days or backdoors.

    To answer OP's question, the worst would be to compromise the browser, use a 0-day to get out of any sandboxes (if the browser uses one), use a 0-day to gain root privileges, install a rootkit, and then do whatever it wants. More realistically though, you have to look at what a potential hacker would actually want to do. And most in this case want to make money. Most hackers infect computers by using "exploit packs", which are programs that a very advanced hacker makes and updates, and sells to other hackers, who can use it to put various exploits on either their own website(s) or hacked website(s). They can cost thousands of dollars, but they update themselves to include new 0-days as old ones are patched, and often include several different types of exploits to raise the chance success (such as a Java exploit, a Flash exploit, an ActiveX exploit, etc). Anyone who visits a website with an exploit pack has a chance of getting compromised. To understand the risk, very cheap exploit packs have infection success rate in the single digits, whereas the most expensive (that cost tens of thousands of dollars or more) ones have success rates only around 20-30%, and that's with Windows/Macintosh. So if you do visit a compromised site, not only is it unlikely it'll have an up-to-date exploit for your browser version, but you're also using Linux so even if Chrome/Firefox could be compromised its unlikely do be able to do anything because the exploit was designed for Windows/Mac.

    Even if your computer was compromised and made part of, say, a botnet, even then there's no guarantee the effect will be horrible. Most botnets in fact are not designed to steal things like credit card or account info, but rather other activities such as Bitcoin mining (uses more electricity and may stress the computer but otherwise harmless), DDoSing (other than taking up internet bandwidth it's harmless to the bot), becoming a SOCKS proxy (may cause you to get caught for things you didn't do), hiding illegal data such as child pornography on your computer (this is probably the worst because "A virus did it" won't fly with the feds, but it is also the least likely scenario), etc.

    A well funded government or private organization could probably pull this off if they target specifically you, but a hacker who's only in it for the money is going to stick with Windows/Mac (and more and more recently smart-phone OSes like iOS and Android). It is far, far, far more likely someone is going to steal your computer or your wallet than use a browser exploit targeted to Linux to steal credit card information, etc from your computer.

    If you want to stay safe from browser exploits, I suggest you use either Firefox with NoScript (Firefox is the least secure but only it has NoScript which is a huge plus), or Chromium with all scripting disabled (Chromium has the best built-in security, but its extensions API makes it hard to port NoScript to it, and ScriptNo and NotScript all suck), and a secure AppArmor profile for either. Also exercise common sense. If you download everything you see and go to obscure Russian warez and porn sites, don't expect to stay safe with only technical barriers in place. If you are wise in your browsing habits, and also use secure applications, etc you'll be very secure.

  2. #12
    Join Date
    Mar 2011
    Beans
    673

    Re: What is the worst a browser exploit could do in Ubuntu?

    It doesn't need root. Any process with X access can log keys.
    sig

  3. #13
    Join Date
    Jan 2012
    Beans
    753

    Re: What is the worst a browser exploit could do in Ubuntu?

    Quote Originally Posted by Hungry Man View Post
    It doesn't need root. Any process with X access can log keys.
    I thought a non-root applications could only log keys when the application is in focus. Why do packages such as "logkeys" require root then?

  4. #14
    Join Date
    Mar 2011
    Beans
    673

    Re: What is the worst a browser exploit could do in Ubuntu?

    http://www.youtube.com/watch?v=Y1fZAZTwyPQ

    Ubuntu doesn't isolate any applications from each other in terms of X access - they can all send and receive keystrokes between each other without root.
    sig

  5. #15
    Join Date
    Jan 2012
    Beans
    753

    Re: What is the worst a browser exploit could do in Ubuntu?

    Quote Originally Posted by Hungry Man View Post
    http://www.youtube.com/watch?v=Y1fZAZTwyPQ

    Ubuntu doesn't isolate any applications from each other in terms of X access - they can all send and receive keystrokes between each other without root.
    That's creepy. Doesn't that completely defeat the purpose of having sudo/su because any non-root app could could record root/sudo password? And is there any way to prevent this?

  6. #16
    Join Date
    Mar 2011
    Beans
    673

    Re: What is the worst a browser exploit could do in Ubuntu?

    It defeats the purpose of quite a lot, yes. I wrote about it here:
    https://insanitybit.wordpress.com/20...ecurity-model/

    SELinux lets you use a -X sandbox that is kinda cumbersome but will prevent keylogging apparently. I haven't tried this and I'm not sure about the details.

    Otherwise, no, there's no way to prevent this. Any program with X access can send and receive input to all other applications running under that X session.
    sig

  7. #17
    Join Date
    Jan 2012
    Beans
    753

    Re: What is the worst a browser exploit could do in Ubuntu?

    Is there any way to tell what processes are using X?

  8. #18
    Join Date
    Aug 2006
    Location
    Somewhere in the hell
    Beans
    294
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: What is the worst a browser exploit could do in Ubuntu?

    Interesting video and blog indeed.

    I would like to discuss that when the attacker gained access to your box (even in a lower privilege account), he can very easy to escalate to higher privilege, such as root by many methods. The most easy way is by sudoers.

    Moreover, if the attacker already gained access your box, he may or may not use keylogger to record your keystokes as it is very hard to dig out the valuable data from the huge log of the keylogger.

    If he want to steal your password of any website (such as bank or PayPal), he can also very easy to do it with cookie/session stealing.

    In addition, attack your box via browser can be doing with a lot of methods. Attacker do not require to figure out the vulnerability of your browser. He may using XSS or cookie/session stealing and etc.

    Finally, social engineering is another way to attack your box. There may be some other areas/situations that I have not mentioned here.

    By the way, I will not mention the method of attacks here in details.

    Samiux
    Last edited by samiux; November 9th, 2012 at 02:05 AM. Reason: fix typo

  9. #19
    Join Date
    Mar 2011
    Beans
    673

    Re: What is the worst a browser exploit could do in Ubuntu?

    @Stonecold,

    There's probably a way but I don't know of it. Naturally any application that uses graphics/ has some graphic interface will be given access. I would assume (hope) that services running under separate user IDs have had access removed, but I'm not sure.
    sig

  10. #20
    Join Date
    Jan 2012
    Beans
    753

    Re: What is the worst a browser exploit could do in Ubuntu?

    Quote Originally Posted by Hungry Man View Post
    @Stonecold,

    There's probably a way but I don't know of it. Naturally any application that uses graphics/ has some graphic interface will be given access. I would assume (hope) that services running under separate user IDs have had access removed, but I'm not sure.
    So if I were to use a different tty to enter sensitive passwords (such as one for a TrueCrypt volume), would that prevent X access? Because if pressing Control+Alt+F[1-6] and switching to a session without X blocks a keylogger in tty7 then wouldn't that be the best way to go about entering passwords?

    Is there a way to allow only a single process X access at a time? Or maybe two processes at a time (one for the key binds and the other for the application in focus).
    Last edited by Stonecold1995; November 9th, 2012 at 02:17 AM.

Page 2 of 5 FirstFirst 1234 ... LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •