Goatse Security

Gaping Holes Exposed

Compiz vulnerability

33 Comments »

Goatse Security has had a lot of fun pointing out the devastating flaws in Apple’s shit-tastic software, but now it’s time to turn to the beloved mascot of the sweaty man-child open source community: Linux.

Linux weenies will often brag about how insecure Windows is compared to Linux. They’ll also argue that Linux is hard to take down with any sort of exploit. Well, it turns out that’s not quite true. Here’s a simple, step-by-step guide to owning the most popular Linux distribution out there today:

  1. Open a long URL beginning with “apt://” in a browser that handles the apt:// protocol.
  2. Er…
  3. That’s it.

Hope you weren’t doing anything important with that X session.

This bug is delightfully trivial to deploy. Just write a normal HTML page containing an iframe that takes a 10000 character apt:// URL as its source. Trick a Debian dickhead into opening it and the bug will take out Compiz, crashing your X session with a cryptic “Unexpected X error: BadAlloc (insufficient resources for operation) serial 1779 error_code 11 request_code 53 minor_code 0)” error. And at no extra cost, we’re also throwing in GNOME theme rendering breakage, which forces you to logout and log back in to get your buttons back!

The following Linux distributions are affected by this vulnerability:

  • Alinex
  • BLAG Linux and GNU
  • CentOS
  • ClearOS
  • Debian
  • DeMuDi
  • Feather Linux
  • Fedora
  • Foresight Linux
  • gnuLinEx
  • gNewSense
  • Kaella
  • Knoppix
  • Linspire
  • Linux Mint
  • Musix GNU/Linux
  • Parsix
  • Red Hat Enterprise Linux
  • Scientific Linux
  • SUSE Linux Enterprise Desktop
  • Ubuntu
  • Ututo

This exploit could never have been uncovered without the help of many highly skilled greyhats. I’d like to give shoutouts to incog, Murdox, sloth, vxp, mith, lulzsec, arab, Leon Kaiser, afed, GNAA, jax, Bantown, Sam Hovercar, 37signals, afed_, The Greater Association of PHP Programmers, goudatr0n, Rufas the earthworm, hepkitten, Girlvinyl, D8, EFNet #politics, DJ FUCK DA PARENTZ, Tory Jarmain, djb, my cat, my other cat, mao & amat, jwz, esr (but not rms), #stress, Lee Vartron, kayla, trelane, krashed, bikcmp, David J. Moore, Justin D. May, bittwist, DolemitE, Craig G. Mueller, sam, Christian Schlore, mith, 808chan, xyz, LeeB, Alex Pilosov, lec, Randi Harper and her aborted baby, Shaniqua, acidburn, Lord Nikon, Mikey Mattice, The Cereal Killer, The Phantom Phreak, DiKKy Heartiez, Adrian Lamo, BLACK_MAN, lysol, wispurs, vap0r, LiteralKa, #arab, Matthew Gore (str8sucker704), Richard Johannes III, and the good people at paedophilewatch.org who work tirelessly to keep our children safe online. Many eyes make even the deepest bug shallow!

33 Responses

Mmmmm this can’t be more of a lie. Tried and only thing I get is a simple stupid “invalud url” alert… I really wanted my compiz to die!!!!

VULNERABILITY FAIL!

    • `dpkg -l apturl`

      • I did the following:
        echo “apt://<snip>” > apturl
        dpkg -l `cat apturl`

        Didn’t crash compiz.

        I also did `dpkg -l ` and all I got was the shell bitching at me to escape the s. Was even too lazy to sed all that after all the time it took for that to be pasted into the terminal

  • Congratulations, you browser-DoS’ed a window manager that is not enabled by default on most distributions!
    On a related note, I recently found a XSS. Which means that I owned most OS for which browsers have been developed!
    Should I go ahead and find a cross-platform browser bug and call it “I OWNED NEARLY ALL OS’S”?

    I’m not saying it’s not a real vuln, but it’s run-of-the-mill, low-impact and you’re trying to hype it as OMG PWNAGE!!11one

    • Compiz is used by a lot of people, enough people to make this a vulnerability worthy of notice. If merely visiting a web page can crash your X session, that’s a pretty serious problem.
      Additionally, you fail to take notice of the rather obvious hyperbole in the post.

  • i’m not sure.

  • Not working on Ubuntu 11,04 64-bit. It only opens up “open program” window. http://imgur.com/HouFE

  • “Here’s a simple, step-by-step guide to owning the most popular Linux distribution out there today:”

    This is just DoS, you can’t own anything with it.

  • ..And when opening Ubuntu Software center nothing happens.

  • I would just like to clarify a few things.

    As you all probably know, Linux is merely the kernel in GNU/Linux distributions like Red Hat Enterprise Linux, Ubuntu, OpenSuSe etc. As such, it is quite misleading to call this a security vulnerability in “Linux”, as it has nothing to do with Linux at all (except being the kernel in the mentioned distributions).

    Apt is a package manager found mainly on GNU/Linux distributions that are based on Debian, and the vulnerability in question exploits a problem in apturl, which is a method for installing packages using a web browser.

    Kind Regards,
    Vegard Haugland

    • When someone finds an exploit in Microsoft Office, it’s called a “Windows” exploit, despite technically having nothing to do with the OS. Same applies here.

  • This wont work on several different unpatched Linux distributions.. Tried Zenwalk, Ubuntu, Suse and some custom based..
    WHat am i doing wroong?

  • Steps 1 to 3 didn’t work for me:
    1) Opera
    2) Konqueror
    3) Iceweasel (=FF clone)
    So, what browser should be used to get this trick work for me?

    • We have found that:
      1) Opera does not support apt:// URLs.
      2) Chrome does not display a window containing the full URL, so the vulnerability does not appear.
      3) Firefox has been shown to work, given that several conditions are met, we are still working out the details on this one.
      4) Internet Explorer, obviously, does not work.

      We have not tested Konqueror yet.

      • Is this issue related to COMPIZ only?

        I just read the header of this article again saying:
        “Compiz Denial of Service vulnerability”
        If this is Compiz related stuff so I am sorry, my mistake… ( I don’t have Compiz installed :)

        • [...] the bug will take out Compiz, crashing your X session with a cryptic “Unexpected X error: BadAlloc (insufficient resources for operation) serial 1779 error_code 11 request_code 53 minor_code 0)” error.

  • This vuln kicks ass! I love watching Linux fags get raged over Open Sores.

  • I just did some testing using my Windows 7 installation under Virtualbox on an Ubuntu Server deployed with Compiz. I can confirm that Internet Explorer DOES IN FACT replicate this issue, as after encountering the DoS no X session can be found running in the VM.

    This is an extremely dangerous cross-platform vulnerability which could result in privilege escalation from guest VMs. If it’s even killing the Windows X session then there’s a much bigger problem than anyone here has reported so far.

  • It is not working fo me.. why?
    It just whines about invalid characters found from apt:// url.

  • So only person who managed to make this work is running Windows 7?

  • Mitigation? don’t run compiz.

  • 1) compiz sucks
    2) who the fuck uses apt package manager in browsers anyways?
    3) apparently before ripping a DoS exploit from exploits-db you should test it on all browsers
    4) if you had physical access to the box and you wanted to “own” it, grab a fucking sledgehammer, dont be a pussy

    • 1) I concur.
      2) It’s not like they have a choice if they have `apturl’ installed.
      3) “Apparently” leads me to believe that you pulled this rumor from parts unknown. (And apparently you don’t read things before commenting on them.)
      4) I see you’ve picked up upon the art of hyperbole. Bravo.

  • yeah, i have compiz and nothing happened… (although my system has frozen for no reason many times)

  • It did absolutely nothing to my system.

  • [...] now, i have no clue what type of changes are going into Ubuntu but just getting a patch for the apt exploit 2 months late doesn’t sound good to me & one of my desktops were affected by it(no need [...]

  • Leave a Reply

    Switch to our mobile site