21

On a POSIX system, is there a possibility for a file which is non-executable and read-only (aka with a mode 444) to run malicious code on a machine?

If so, can you explain how it would do so?

WhiteWinterWolf
  • 19,142
  • 4
  • 59
  • 107
Idr
  • 321
  • 2
  • 6
  • Please elaborate on the platform. I'm assuming it's a POSIX platform given that you specified 444, but please be explicit. – iAdjunct Dec 30 '15 at 01:22
  • For discussion purposes, let's just say x86_64, and specifically an Apple OSX machine. Does that platform change the answer? – Idr Dec 30 '15 at 01:23
  • 1
    Yes, because it's a POSIX-based system (UNIX and Linux are both POSIX-based systems). The methods by which something is "executable" is different on POSIX-based systems vs. Windoze systems. – iAdjunct Dec 30 '15 at 01:26
  • 2
    Related thread: [How can normal files hide a virus?](http://security.stackexchange.com/q/63845/32746). It is the Windows counter-part if this question, but some answers are OS independent. Of interest is also [How can a font be used for privilege escalation?](http://security.stackexchange.com/q/91347/32746) since fonts are typically read-only files (the only difference is that on Unix system such attack would have to target an X Server vulnerability, which usually runs as root too and suffered from [similar vulnerabilities](https://securityvulns.com/news/X11R72/XFS-IO.html)). – WhiteWinterWolf Dec 30 '15 at 10:46
  • 1
    Yes, on any operating system. All you need is a severe-enough bug in whatever program reads the file in order to have the possibility of malicious code execution. Such vulnerabilities are uncommon, though certainly [not unheard of](http://www.zdnet.com/article/dont-open-that-pdf-theres-an-adobe-reader-zero-day-on-the-loose/). – aroth Dec 31 '15 at 00:34

5 Answers5

43

Yes, something just has to execute it. The X flag hints to the shell that it can be directly executed, but that doesn't stop other programs from executing it if they know how.

For example, if you have a file a.sh which is not executable to the shell, you can execute it by calling bash a.sh (which tells bash explicitly to execute it). If you have a non-executable file a.py, you can execute it by calling python a.py. I'd imagine there's also a way to tell the OS to execute a binary ELF file, but I don't know the command off hand.

There are also a whole class of things which don't require you to do anything in particular to make it execute malicious code. PDFs and Adobe Flash files in particular have had some well-known holes which allowed the simple act of reading a file to execute malicious code. There are also some files which, in specific places, and be auto-executed (especially on Windows). Also, if the file is compressed, it may contain a buffer-overflow virus for the decompressor. The file also may be even more malicious, taking advantage of a yet-unknown bug in the file system or something else really low-level.

Bottom line: the only way to guarantee something won't infect your computer is to never do anything with anything.

Shurmajee
  • 7,335
  • 5
  • 28
  • 59
iAdjunct
  • 1,700
  • 11
  • 15
  • I see. The examples require some other process to execute the file, like `sh` or `python` or some other executable file. So let me add clarity to my question - if you just downloaded some random file to your machine and it's read-only, could it execute, or would it require some other executable to run it as its argument? – Idr Dec 30 '15 at 01:43
  • 12
    It's getting quite a contrived example - yes, you're understanding is largely correct - but how can you be sure that no other program will look and try to interpret it? People some time ago thought it was impossible catching a "virus" by just downloading an email and not opening it. Now this is what IS is about. What if your OS looks at a read-only image, trying to show a thumbnail, and triggers a buffer overflow in the process? What if you try to drop the file to the trashcan, but accidently drop it on a program that misinterprets it? What if a fellow human trusts it for some reason? – chexum Dec 30 '15 at 01:51
  • @chexum has a lot of good points. I'm adding information to my answer. – iAdjunct Dec 30 '15 at 01:53
  • 5
    Not so contrived @chexum - https://en.wikipedia.org/wiki/Stagefright_(bug) is an example – Neil Smithline Dec 30 '15 at 02:49
  • 2
    @NeilSmithline - I was only criticising the notion of "but it will require some other process to execute the file", pointing out that it would not be unexpected for a data file to wreak havoc. The key thing is, a data (not executable) file would not be a reason to worry, if nothing is trying to parse it. But similarly, an executable file *should* not cause problems either. The problem is that we cannot foresee how a file, or any of its properties (name, extension, size) is used, interpreted, or parsed by the environment in an unexpected way. – chexum Dec 30 '15 at 13:22
  • Exactly @chexum. I was providing a real life example of your point. – Neil Smithline Dec 30 '15 at 16:01
  • 2
    You can run an ELF by passing it to ld.so (if I remember correctly) – wb9688 Dec 30 '15 at 18:55
  • 2
    "I'd imagine there's also a way to tell the OS to execute a binary ELF file", Relevant: http://superuser.com/questions/341439/can-i-execute-a-linux-binary-without-the-execute-permission-bit-being-set – AKHolland Dec 30 '15 at 21:11
  • Your last line nailed it: The only really secured computer is unplugged, encased in a few meters of lead, and then dropped somewhere noone will ever find it again. And even then things can happen... – Deduplicator Dec 30 '15 at 22:00
  • 3
    @ldr : Strictly, no. If any process interprets its contents, it can produce malicious results. Virus scanners have been subverted when scanning files. Web browsers and other file downloading software have been subverted by receiving a malformed bitstream claiming to be a file download. Webservers have been subverted by asking them to retrieve malicious uploads. No specific executable receives these files as an argument to execute and yet the hazard exists. Do you *actually* know all the processes that will or may touch a file when you download it? – Eric Towers Dec 30 '15 at 22:42
  • 1
    The `x` flag is a _hint_ to shells, yes; it's often|sometimes used to determine whether to offer the name of a file as a completion in the first position. However, the flag is mostly relevant at the _kernel_ level; `bash`, `dash`, and `zsh` will all happily try to `exec()` files without it, and then spit out the resulting `permission denied` error. – Blacklight Shining Dec 31 '15 at 10:22
  • I'd like to add that file extension doesn't matter. If a file contains python code, it can have any extension or none at all and still be run with `python ` – Ealhad Dec 31 '15 at 11:47
11

Let's say you have the file myscript containing the following:

  #!/bin/bash
  echo "Hello, World!"

If you make this file executable and run it with ./myscript, then the kernel will see that the first two bytes are #!, which means it's a script-file. The kernel will then use the rest of the line as the interpreter, and pass the file as its first argument. So, it runs:

     /bin/bash myscript

and bash reads the file and executes the commands it contains. another way of executing a file without execute bit set is:

   #. myscript

a dot followed by a space and then the name of file.

Thus, for bash (or whatever interpreter your script requires) to "execute" the script, it only needs to be able to read the file.

So, for scripts, the execute bit just makes it a bit more convenient to execute it. As long as bash is executable, you can always run bash with the script file as argument

Ijaz Ahmad
  • 1,602
  • 1
  • 12
  • 21
8

This can be true not only with scripts like the other examples shown on all answers. Basically, if the software that reads a file have a bug, every file is an vector for malicious code execution, using a pretty vast range of techniques(overflow, mem corruption, arbitraty software execution...). Examples:

  • Exploit.Win32.AdobeReader.K - This malicious PDF file takes advantage of a vulnerability (CVE-2007-5020)on the URI handling of PDF files. This vulnerability affects IE7, Adobe Acrobat, and Adobe Reader on some platforms.
  • Zero Day QuickTime mvhd - The specific flaw exists within the 'mvhd' atom. By providing a malformed version and flags, an attacker is able to create controllable memory corruption, and trigger an arbitrary write operation. By exploiting this, an attacker could execute code in the context of the current user. CVE-2014-4979
1

A file itself may not be dangerous just sitting there. But depending on the program the will try to read it, it could cause problems. As well if the file can be read it can be copied. So it could be copied and renamed into a executable file.

So say you are using DOS/Windows and you have a file something.txt and you copy it to a file called something.bat you can now execute it.

If you have say an HTML file (or html content) you can load it in your browser and if your browser has a vulnerability in Javascript that program can cause harm.

In theory if the file is just sitting there it could be still dangerous, if by somehow the file allocation table (FAT) for the file system has some issues, and is executing a program then due to improper fragmentation it could jump to where your malicious file is and run such code. This type of actions on some Operating Systems can be done via a buffer overflow.

Todd
  • 11
  • 1
1

Yes you can. The classic example for binaries is to use the ELF-interpreter as in the example below.

$ cp /bin/ls /tmp/ls
$ chmod a-x /tmp/ls
$ /lib/ld-linux.so.2 /tmp/ls

Or for x86-64 systems:

$ /lib64/ld-linux-x86-64.so.2 /tmp/ls

The same goes for shell scripts.

$ echo "#!/bin/bash" > /tmp/hello
$ echo "echo 'hello world" >> /tmp/hello
$ bash /tmp/hello

These are basic example when we have a new auditor or risk manager or security officer who thinks we need to tidy up things. The resolve this is to go the path of SELinux on Linux systems as it also restricts other escalation paths as others also mentioned.

hspaans
  • 336
  • 1
  • 5