How I used eog utility to pull off a small Linux exploit

By | 03/06/2013

Back in 2012, after my article on the Linux ELF virus was published in Linux Journal, I was curious to come up with a trigger point for this virus. I mean, what would compel a Linux user to execute it for the very first time? I thought about it many times but could not come up with anything in a working state.

Cut to the present. Last Friday, on the office bus home, I was deep in a technical discussion with a colleague who works on encoders and decoders for various media file formats. The same thought struck me again, and I asked him whether he could think of a situation where a Linux user clicks on an image file, the image gets displayed, but some notorious code gets executed in the background.

Initially both of us were thinking about how an executable could be run from an image-displaying program. After a while, an idea struck me: how about reversing the approach, i.e., could we display an image (using an image display program) from within an executable? Well, the answer was YES. All we need is a command-line utility for displaying images that can be run from within the code.

I sat down today to find such a command-line utility. Since I was aiming at a proof of concept, any decent command-line utility that could do the trick would do. Soon I found a utility named Eye of GNOME, or eog. As I already use the GNOME desktop environment, I thought I'd give it a try.

Here is what I did in the first go:

$ eog https://upload.wikimedia.org/wikipedia/commons/thumb/0/01/Ubuntu_logo_copyleft_1.svg/200px-Ubuntu_logo_copyleft_1.svg.png

and here is what I got:

[Screenshot eog1: the eog window showing the image fetched from that URL]

So we see that the Linux eog command-line utility displayed the image from that particular URL.

Next I tried the path of an image kept on my local system:

$ eog /home/mylinuxbook/Downloads/flyover.png

and this is what I got:

[Screenshot eog2: the eog window showing the local flyover.png]

So it was pretty clear that this command would do the trick for me.

Now, as the next step, I had to write code from which this command could be invoked. Here is the piece of C code that I wrote:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// The complete HTML buffer
char htmlContent[] = "<html><h1>YOU HAVE GOT TRICKED!!!!!!!!!!!!!!!!!!!!!!!!!!!!! :-)</h1></html>";

// The complete image buffer: a tiny 8x10 PNG (the IHDR chunk carries the size).
// Declared unsigned so that bytes such as 0x89 do not overflow a signed char.
unsigned char buff[] = {0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0x00, 0x00, 0x00, 0x0D, 0x49, 0x48, 0x44, 0x52, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x0A, 0x08, 0x02, 0x00, 0x00, 0x00, 0x06, 0xA5, 0x88, 0xD7, 0x00, 0x00, 0x00, 0x04, 0x67, 0x41, 0x4D, 0x41, 0x00, 0x00, 0xB1, 0x8F, 0x0B, 0xFC, 0x61, 0x05, 0x00, 0x00, 0x00, 0x4D, 0x49, 0x44, 0x41, 0x54, 0x18, 0x57, 0x8D, 0x4E, 0xC1, 0x11, 0x00, 0x20, 0x08, 0xB2, 0x09, 0x73, 0xBA, 0xE6, 0x70, 0x43, 0xC3, 0xE8, 0xCC, 0xAB, 0x4F, 0x3C, 0x88, 0x42, 0xC8, 0xE6, 0xEE, 0x22, 0xA2, 0xAA, 0x60, 0xC0, 0xCC, 0x28, 0x04, 0x46, 0x5F, 0xA8, 0x22, 0xA6, 0x79, 0x07, 0x8F, 0x05, 0x68, 0x70, 0x18, 0x1C, 0xBF, 0xB0, 0x0D, 0x1C, 0x15, 0x0C, 0x45, 0x82, 0xAF, 0x6C, 0x60, 0xF3, 0x9F, 0x91, 0x6D, 0x27, 0xF1, 0x7E, 0x1E, 0x55, 0xB9, 0x28, 0xD7, 0x4D, 0x4C, 0x6F, 0x92, 0x8E, 0x7C, 0x62, 0x1D, 0xDD, 0x4A, 0x00, 0x00, 0x00, 0x00, 0x49, 0x45, 0x4E, 0x44, 0xAE, 0x42, 0x60, 0x82};

// Pointer to temporary image file name (a fixed path in /tmp; fine for a PoC)
char *tmpImagePath = "/tmp/tmpImage";

// Pointer to temporary HTML file name
char *tmpHtmlPath = "/tmp/tmpHtml";

// Buffer for the complete eog / firefox command line
char completeCommand[128];

int main(void)
{
    int i;
    FILE *fd;

    /* This portion of the code displays a small
     * lock image through the Linux eog command.
     */

    // Open a temporary file
    fd = fopen(tmpImagePath, "w+");
    if (fd == NULL) {
        perror("fopen image");
        return 1;
    }
    // Write the image buffer to it
    fwrite(buff, sizeof(buff), 1, fd);
    // Now close it
    fclose(fd);

    // Prepare the complete eog command along with arguments
    snprintf(completeCommand, sizeof(completeCommand), "eog %s >/dev/null 2>&1", tmpImagePath);

    // Execute the eog command. This displays the image and
    // blocks until the user closes the eog window.
    system(completeCommand);

    // Delete the temporary file ;-)
    unlink(tmpImagePath);

    /* Once the image has been displayed,
     * anything can be done within
     * the sphere of the current user's
     * privileges.
     */

    // For example, let's launch Firefox
    // 5 times without the knowledge of
    // the current user.

    // Open the temporary HTML file
    fd = fopen(tmpHtmlPath, "w+");
    if (fd == NULL) {
        perror("fopen html");
        return 1;
    }
    // Write the HTML text to it (without the C string's trailing NUL)
    fwrite(htmlContent, sizeof(htmlContent) - 1, 1, fd);
    // Now close it
    fclose(fd);

    // Prepare the complete Firefox command along with arguments
    snprintf(completeCommand, sizeof(completeCommand), "firefox %s >/dev/null 2>&1", tmpHtmlPath);

    // Execute the Firefox command 5 times.
    // This will open 5 tabs.
    for (i = 0; i < 5; i++)
        system(completeCommand);

    // Delete the temporary HTML file
    unlink(tmpHtmlPath);

    return 0;
}

With all the comments, I think the code is self-explanatory. But, for the record, here is what this code intends to do:

  • Use the eog utility to display a small lock icon image.
  • The image buffer is embedded in the code itself, so it does not depend on any external image.
  • After the user closes the image viewer window, a small notorious piece of code is executed.
  • This code opens 5 separate Firefox tabs back to back with the message YOU HAVE GOT TRICKED!!!!!!!!!!!!!!!!!!!!!!! :-).
  • Just like the image buffer, the HTML buffer is also contained within the program, so it has no dependency on any external HTML page.

Next, I compiled this code and named the output binary lockImage:

$ gcc -Wall image.c -o lockImage

Now, when I ran this binary, here is what I saw:

[Screenshot eog3: the eog window showing the small lock icon]

So we can see that the small icon image was displayed. Now, when I closed this image display window, this is what happened:

[Screenshot eog4: Firefox with several tabs showing the HTML message]

Five Firefox tabs were opened back to back with the HTML page saying YOU HAVE GOT TRICKED!!!!!!!!!!!!!!!!!!!!!!! :-).

I know most of you will say things like:

  • What if eog is not present on the Linux system?
  • What if Firefox is not present on the Linux system?
  • All sorts of other failure scenarios, etc.

Well, all I can say is that it's just a proof of concept and nothing more than that, but all major things start with a proof of concept, right? I am not saying that this is THE solution, but I think it can lead to something meaningful that can be integrated with the actual code written in the Linux Journal article.

There are a couple of real improvements that I still have to think about. These are:

  • Instead of naming the binary something like lockImage, I would like to name it lockImage.png. The reason is that the name lockImage.png produces a file icon that can make anyone believe it is a PNG file. But when I rename it with a .png extension, its MIME type changes, and hence a double click on the file triggers the default image viewer of your desktop environment, which obviously fails to display it because it is an executable file. So a name ending in .png, coupled with a mouse click on the file actually executing it, is what I desire.
  • Then comes the second problem. This is a more generic one: whenever I send this file to someone over e-mail and the other person downloads it, the file will not have execute permission by default. Overcoming that is really desirable as well.
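From the defender's side, the two gaps listed above (a .png name on an ELF binary, and the execute bit the file would need) are exactly what a mail gateway or desktop file manager can check for. The following C code is an added example and not part of the post: it classifies a file by its magic bytes instead of its name, flags a PNG-named ELF, and reports whether any execute bit is set. The function and enum names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/stat.h>

/* What the leading bytes of a file actually are. */
enum content_kind { KIND_UNKNOWN = 0, KIND_PNG, KIND_ELF };

/* Classify by magic number, never by name: a PNG starts with
 * 0x89 'P' 'N' 'G' CR LF 0x1A LF (the first 8 bytes of buff[] above),
 * an ELF executable with 0x7F 'E' 'L' 'F'. */
enum content_kind classify_header(const unsigned char *buf, size_t n)
{
    static const unsigned char png_sig[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    static const unsigned char elf_sig[4] = {0x7F, 'E', 'L', 'F'};

    if (n >= sizeof png_sig && memcmp(buf, png_sig, sizeof png_sig) == 0)
        return KIND_PNG;
    if (n >= sizeof elf_sig && memcmp(buf, elf_sig, sizeof elf_sig) == 0)
        return KIND_ELF;
    return KIND_UNKNOWN;
}

/* 1 when the name ends in ".png" (case-insensitive) but the bytes are ELF. */
int is_disguised_executable(const char *name, const unsigned char *buf, size_t n)
{
    const char *dot = strrchr(name, '.');
    return dot != NULL && strcasecmp(dot, ".png") == 0 &&
           classify_header(buf, n) == KIND_ELF;
}

/* File wrapper: reads the header and, if exec_bit is non-NULL, reports whether
 * any execute bit is set (the second gap the post lists). -1 if unreadable. */
int scan_file(const char *path, int *exec_bit)
{
    unsigned char hdr[8];
    struct stat st;
    size_t n;
    FILE *f = fopen(path, "rb");

    if (f == NULL)
        return -1;
    n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    if (exec_bit != NULL)
        *exec_bit = stat(path, &st) == 0 && (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
    return is_disguised_executable(path, hdr, n);
}
```

A file for which scan_file() returns 1 and sets exec_bit is the exact combination the post wishes for, and is what a scanner should quarantine rather than hand to the image viewer.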

I know that this is a kiddish start, but I would really appreciate your inputs to make it a better solution.


NOTE: For those who think that I am encouraging virus development, I would like to argue that I have not given any destructive code, either in this article or in my article in Linux Journal. My motive is to explore more about Linux and the stuff related to it, and if in the process I can bring up a loophole, then that is great for the Linux community, as it can be corrected without any delay.


3 thoughts on “How I used eog utility to pull off a small Linux exploit”

  1. Amit Agarwal

    I am confused. You are just creating an executable which opens an image and then opens 5 Firefox windows with HTML content. Why did you not do it in a shell script? In 2 minutes you would be done.

    Now, for an executable I would need to execute it, whereas for an image I need to display it. So, unless you have something that can execute out of an image display utility, I think you cannot call it a Proof of Concept.
    1. Himanshu Post author

      Thanks for sharing your opinion, Amit. Doing it with a shell script was a definite possibility, but I wanted the file to be in the form of machine code (an executable) rather than plain text (a shell script) which anybody can see.

      On the other part, you are absolutely correct. What I was really looking forward to was something that can execute out of an image display utility. But I could not find anything like that. If you read my article, I said exactly the same at the beginning.

      Whether it's a proof of concept or not is your own opinion. I believe that if the shortcomings I have listed towards the end can be addressed, it would become exactly what I want. :-)
  2. hojjat

    It's rather an old post, but I think I'll leave my opinion just in case you know something new and want to share.
    I remember a virus in "Windows". It was an "executable file" with an "exe" extension, and it had the icon that is used for pictures in Windows by default.
    By default Windows doesn't show the extension, so you didn't know that this was an executable; you just double-clicked that file and Windows showed you a picture, but in the background the virus was spreading…
    This is the same thing that you've done here. BUT…
    In Linux, there is "executable permission", which makes it impossible for a virus to spread using the internet or flash drives! (The FAT file system doesn't support file permissions.)
    In Linux, by default you are a USER and you don't have SU permissions, so the virus can do no harm to your system.
    And I've studied some "media formats" like "mpeg, jpeg, h264, …" and they cannot run any harmful code!
    Permissions in Linux are the most important feature that makes Linux a SAFE OS.
    The only way to make a user run your code is to package it in a zip file and send the user instructions to run the virus. And believe me, there are people who would just do as they're told by strangers no matter what…
