GStreamer Linux Exploit

LinuxA newly discovered exploit has the possibility to open up Linux users running Fedora and possibly other Linux versions to backdoors, key loggers and other drive-by types of malware by attacking a vulnerability in GStreamer decoder for the FLIC file format. Chris Evans, the security researcher behind the exploit, was able to go after the binary code used by the Rhythmbox media player, but said the same could be done with the Totem media player.

In the GStreamer exploit, Evans found a clever way to circumvent both the address space layout randomization (ASLR) and data execution prevention (DEP) protections that are built into Linux. ASLR is a process that randomizes locations where software loads code within the computer memory, while DEP blocks code loaded by an exploit. Consequently, trying to exploit existing code tends to end up in a computer crash.

In most case, exploits try to bypass ASLR and DEP, but the one for GStreamer avoids the pitfalls of manipulating how the memory is laid out by carefully laying out pieces of code in such a way that slowly advances the exploit and ultimately disable the protections altogether. By not requiring the use of JavaScript or some other type of code that affects memory to execute, it opens up attacks on targets that were impossible up to this point.

The GStreamer exploit is not particularly that practical, considering it would take some serious retooling to work on other Linux based operating systems. That said, it does act as a proof-of-concept of the possibility of a scriptless exploit that could eventually be tweaked into a drive-by download type of malware. The good news, however, is that fixes have already been released for Ubuntu, which underscores the importance of this type of research.


Leave a Reply