Tesla shill takes a ridiculous swing at Linux

So Chris Evans, a Tesla employee, has posted this very unlikely scenario with a lot of publicity as a "zero-day exploit":

He has not gone through the regular channels of security reporting in Linux, which are well known and very efficient.

The situation he describes is not a Linux problem, but a proprietary software problem, because it's a problem of Chrome. Not even Chromium would allow for this "security problem" to happen. Neither Chrome nor Chromium is available in the Fedora repos, and the warnings of Fedora against using the crappily coded Google projects are well documented.

Yet Chris Evans thinks that it's a serious security problem of Linux in general that a certain purely theoretical drive-by attack would be possible against Fedora 24 through Chrome. That is of course only if SELinux is not enabled and - as previously mentioned - the user would have installed the proprietary software Chrome, against which Fedora has explicitly warned, including the open source upstream project Chromium, which has been kicked out of the Fedora repos because of lack of elementary quality, even though Chromium is not affected by this exploit. Furthermore, the exploit is entirely dependent on an additional gstreamer-bad package that is not in the Fedora repos, but has to be downloaded from RPM Fusion.

And after all this nonsense, the conclusion of Chris Evans at the bottom of his ridiculous hyped up article is:

This was too easy. It should not be possible to find a serious memory corruption vulnerability in the default Linux desktop attack surface with just a few minutes of looking. Although it’s hard to say it, this is not the kind of situation that occurs with a latest Windows 10 default install. Is it possible that Linux desktop security has rotted?

Of course... that explains everything... Tesla huh? Yeah, figures, probably employee of the month... one of those software developers at Tesla that couldn't make the new Autopilot compatible with the Tesla cars sold up to right now because they insisted on avoiding open source licenses in the new software, thereby screwing their customers over because they can't have an update and their expensive cars are obsolete from the moment they get them? Oh, that Tesla... yeah right...

Musk, please fire that stupid idiot, he's making your company look even worse...

3 Likes

Is gstreamer-plugins-bad even in fedora main?

Also does the auto download actually.. auto download? Because it doesn't for me, chrome has always asked by default where I want to save.

And you're right on two points: some of this software isn't default as suggested, and posting a 0day without responsible disclosure is irresponsible.

2 Likes

Thing is, he presented a "Proof of Concept"-package of which he himself says that it can't do anything, because it would be very difficult to make an actual explosive package that could be introduced through this mechanism. He says that the mechanism of indexing automatically downloaded media files is not governed by SELinux... well try to load a proof of concept package with an actual payload then, and see what SELinux does lol... it's so stupid
It's 100% pure toxic propaganda against Linux.

1 Like

It's not a PoC if it does not do the exploit in a default setting.

It's like making a setuid binary for root access with no password and calling that an exploit. You have set the system up to fail.

2 Likes

Yeah it's far from a "standard install" of Fedora... and it's also not a 0day PoC if the creator of the PoC himself says that it would be very difficult to actually make a malicious payload for the PoC package lol...
but the maker of this "0day PoC" then goes on and concludes that this wouldn't happen in a "standard install of Windows X", and that "security in Linux desktop is rotten"...

It's like... oh I discovered that when I poop into a bowl of spaghetti, it smells bad and changes colour... therefore poop is good and spaghetti is bad.

2 Likes

"LOOK! If I disable all of the security features of this OS it becomes weaker, therefore it's shit"

INB4 gets fired from Tesla for disabling security on the Model S

3 Likes

Both are good when used in their correct setting.

These are the people who are going to be controlling the software of millions of driver-less cars in the future.

2 Likes

Yeah, I was thinking the same thing... don't want to push the concept, but this kind of thing is not good for Tesla, that guy seriously overstepped, to a point where he should be fired, and probably won't find anywhere to work except Microsoft, but they're not hiring, they're firing themselves... uh oh... talking about nomen est omen though... Chris Evans, name to get fired and booed at tbh

2 Likes

Slightly off topic but the whole IoT & driverless car thing is a disaster waiting to happen. I just recently went without power for half a day and I shuddered at my lack of preparedness (which I'm en route to fixing thanks to a few threads here). It gave me time to think how utterly dependent on electricity western societies are and how crippled our future could be. Be that war time or seismic global events due to climate change, and how even if a nuclear/fission power station keeps running that doesn't mean all the utility lines, generators & substations will. A car will store battery for a few days at best... same will go for emergency vehicles.

But firstly, I think hacking is going to keep happening more and more with IoT & driverless. It will be state sponsored and very dangerous because as demonstrated in the recent electoral debates, at least one party was willing to kill us all in a nuke storm should that happen. Somewhere down the line people should ask themselves just because they can, does that automatically mean they should... do I really need a smart toaster etc...

The real hacking is already happening... have you seen the LB Customs tuned versions of the Tesla in the US? Have you seen the newest Audi electric cars in the EU? It's all about local production. Hackers will have multi-fuel local production and have actual functional electric cars. Sheeple will not hack their cherished electric cars that are preprogrammed for dependency, crowd control and maximum financial exploitation...

Tesla is like Tucker... the signs are clear... with that article, they have demonstrated having entered the sell-out phase. With Trump being president, that is probably the best Musk can do to hold the floating furniture together while he brings his sheep on dry land, if you know what I mean...

@Zoltan
shoulda merged @Yockanookany's post here

1 Like

will do, thx!

1 Like

Article:
Recently released exploit code makes people running fully patched versions of Fedora and other Linux distributions vulnerable to drive-by attacks that can install keyloggers, backdoors, and other types of malware, a security researcher says.

One of the exploits—which targets a memory corruption vulnerability in the GStreamer framework that by default ships with many mainstream Linux distributions—is also noteworthy for its elegance. To wit: it uses a rarely seen approach to defeat address space layout randomization and data execution prevention, which are two of the security protections built in to Linux to make software exploits harder to carry out. ASLR randomizes the locations in computer memory where software loads specific chunks of code. As a result, code that exploits existing flaws often results in a simple computer crash rather than a catastrophic system compromise. Meanwhile, DEP, which is often referred to as NX or No-Execute, blocks the execution of code that such exploits load into memory.

Unlike most ASLR and DEP bypasses, the one folded into the GStreamer exploit doesn't rely on code to manipulate the memory layout or other environmental variables. Instead, it painstakingly arranges the bytes of code in a way that completely disables the protections. And by eliminating the need for JavaScript or other memory-massaging code to execute on a targeted computer, it's possible to carry out attacks that otherwise wouldn't be possible. Chris Evans, the security researcher who developed the exploit, describes the challenge as "a real beast."

"This was a fairly ridiculous exploit," he wrote in a blog post published Monday. "But it was worth doing because it’s proof that scriptless exploits are possible, even within the context of decent 64-bit ASLR. It was possible to commandeer memory reads, writes and even additions within the decoder loop to slowly but surely advance the exploit and gain control."

Dan Rosenberg, a senior researcher at Azimuth Security who specializes in Linux exploit prevention, agreed. In an e-mail, he wrote:

This exploit is impressive because it manages to bypass modern protections such as ASLR and NX without being able to programmatically interact with the target software.
To elaborate, when attacking a browser vulnerability, an exploit can use JavaScript to influence the memory layout of the target during the exploitation process. Similarly, when exploiting a local kernel vulnerability, an exploit can make system calls to influence the target environment. This case is different, because the exploit is a single media file, so the attacker doesn't have any opportunity to make adjustments on-the-fly during the course of the exploit.

Evans went on to release an exploit in the form of this FLAC media file that works on the default version of Fedora version 24 running the most up-to-date version of GStreamer. He said it would have been easier to write the exploit for Ubuntu because it "has problems with missing defenses such as ASLR, RELRO, etc., even in the latest 16.04 LTS release." Still, the exploit he published would have to be rewritten for it to work against anything other than Fedora 24. While the attack exploits a vulnerability in the GStreamer decoder for the FLIC file format, Evans said it targets binary code contained in the Rhythmbox media player. The Totem media player could be targeted in a similar way.

The exploit is mostly of academic or research interest rather than having immediate practical significance because it has to be extensively rewritten to work on different Linux distributions. Combined with the relatively small number of people who play media files on any distribution of Linux, that means it's highly unlikely that anyone will actively exploit the vulnerability. Still, with a little work, the attack Evans published for Fedora could be fashioned into a "full serious drive-by download exploit" when combined with a separate exploit he released last week for Google's Chrome browser running on that Linux distribution. With more tweaking still, the exploits will work on non-Fedora distributions as well, at least until patches are released. On Tuesday, shortly before this post went live, maintainers of Ubuntu issued fixes, and more distributions are likely to follow in the coming hours or days.

And that means that the research is important for the long-term security of Linux. Asked why he devoted so much time to the project, Evans wrote:

"From a technical perspective, I'd say this is a continuation in proving that there are usually subtle ways to exploit almost any vulnerability. From a broader perspective, I think there are serious concerns about the state of security on the Linux desktop. Is there much proactive work going on to improve it, or are the Linux vendors mainly reactive?"
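The quoted article turns on which defenses a distribution's binaries actually carry (ASLR via PIE, a non-executable stack for DEP/NX, RELRO), and that is something a defender can audit per binary by reading the ELF program headers. The checker below is an added example written for this thread, not code from Evans' research or from any project named here; the ELF images it builds are constructed minimal ones (header plus program headers, no code), not real Fedora or Ubuntu binaries, and it reports only partial RELRO, since full RELRO additionally needs a BIND_NOW dynamic tag.

```python
import struct

# ELF constants as defined in elf.h / the ELF specification
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1


def check_hardening(data: bytes) -> dict:
    """Report PIE (needed for ASLR of the main image), NX stack and partial RELRO
    for an ELF64 image given as bytes."""
    if data[:4] != b"\x7fELF" or data[4] != 2:          # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"                  # EI_DATA: 1 == little-endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    e_phoff, = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    nx, relro = False, False                            # no PT_GNU_STACK => kernel assumes exec stack
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)                   # stack mapped without execute permission
        elif p_type == PT_GNU_RELRO:
            relro = True                                # partial RELRO; full also needs BIND_NOW
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def build_elf64(e_type: int, phdrs) -> bytes:
    """Constructed minimal little-endian x86-64 ELF64 image for the demo:
    a 64-byte header followed by 56-byte program headers with the given (type, flags)."""
    phoff, phentsize = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # class 64, little-endian, version 1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, phoff, 0,
                              0, 64, phentsize, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return hdr + body


if __name__ == "__main__":
    # Hardened: PIE, RW stack, RELRO segment. Weak: fixed-address binary with an RWX stack.
    hardened = build_elf64(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])
    weak = build_elf64(ET_EXEC, [(PT_GNU_STACK, 0x7)])
    print("hardened:", check_hardening(hardened))
    print("weak:    ", check_hardening(weak))
```

To audit an installed binary, pass `open(path, "rb").read()` to `check_hardening`; a result with `pie` False means the main image loads at a fixed address regardless of the kernel's ASLR setting.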

Here's a newer blog from Chris Evans on it:

Yup, a bunch of text with one relevant sentence: "we have to figure out what exactly to write out of bounds"... so still no option for a real payload, thus still no real PoC, because nothing was actually tested. Also, Fc24 even fixed the gstreamer issue on the 16th, before his first article, and neither Chrome nor Chromium is available in the Fedora or RPM Fusion repos.

I can always guarantee I will learn something useful when reading Zoltan's posts.

This attack seems almost worthless. Again, I'm no linux guru, I get by on my Kali and openSUSE but I just don't see how this attack is worth anything.

It requires a shit ton of work to get it working on the correct distribution, you need specific software installed, maybe to a specific version (he didn't test this), and that software wouldn't be installed on anything outside a home user's workstation for the most part.

He seems super proud of something that he can attack a few ten thousand people with in the grand scheme of things.

Yeah the guy has an agenda, that's all lol.

He actually writes that it's unbelievable that SELinux does not stop the automatic opening of a file that triggers a package that has an overrun. Yeah, of course not, because no actual access violations were made, because his so-called PoC does not contain any payload. He says himself that he has yet to figure out what kind of payload could be used. That means that SELinux has not failed yet, there is no access violation yet. If you follow the logic of his argument, you shouldn't be using computers, because actually functional operating system subsystems, just by the fact that they CAN be executed, are an unacceptable security risk lol... nobody should fart because it might smell bad kinda deal lol...

I don't get it.
So, he "exploits" a gstreamer plugin, which allows him to invoke a system() call for something that should already be installed in the system, and it happens under the current user's privileges? He can't install a backdoor this way, can't elevate the privilege level, but he can start a calculator.
Is this what's going on there?

2 Likes