North Koreans Red Star OS can be easily hacked remotely

Pierluigi Paganini December 06, 2016

The North Korean operating system Red Star OS isn’t hacker proof, researchers demonstrated that it can be easily hacked remotely.

Red Star OS is an operating system used by the population in North Korea. According to two German researchers from the IT security company ERNW who analyzed it early this year, it is characterized by a high degree of paranoia and invasive surveilling on users.

Florian Grunow and Niklaus Schiess downloaded the software from a website outside North Korea and explored the code in detail.

Red Star OS computer operating system

North Korea operating system ©Reuters

These are their findings:

  • Latest version is from around 2013.
  • Red Star OS is based on the Fedora Linux distro.
  • It has an Apple OSX look, the country’s leader Kim Jong-un, like his father, has been photographed near Macs.
  • Own version of encryption files, the North Korea wants to avoid the spread of any code that might compromise OS files.

If you believe that the North Korean operating system is hacker proof you are wrong, in fact, it can be easily hacked remotely.

According to the experts at security firm Hacker House, the Red Star OS is affected by a critical vulnerability that could be exploited by remote hackers to access the PC. The attacker just needs to trick a victim into opening a link.

“Hacker House team have previously disclosed a number of local root vulnerabilities [3] & [4] in Red Star OS to show how insecure programming practices are in use by the RedStar OS developers. We are sharing another amusing example of this in the form of a remote client-side command injection vulnerability to mark RedStar’s anniversary leak.” reads a blog post published by the Hacker House.”This exploit is a client-side remote exploit which can be triggered from the Internet/Intranet and used to install malware or exploit computers running RedStar OS just by having a user click a hyperlink.”

The latest version of the Red Star OS ships with the web browser Naenara which is the landing point for a remote attacker that wants to take over the system.

The experts exploited a certain Red Star application, the ‘nnrurlshow’, that handles Uniform Request Identifiers (URI), in particular the “mailto” URI ordinarily used for email could be used to remotely “execute arbitrary commands.” The Naenara web browser doesn’t sanitize the command line when handling URI argument allowing attackers to remote execute arbitrary code.

“Whilst probing for vulnerabilities it was noticed that registered URL handlers were passed to a command line utility “/usr/bin/nnrurlshow”. This application (aside from having null ptr de-refs and other cute bugs) takes URI arguments for registered URI handlers when handling application requests such as “mailto” and “cal”. Naenara doesn’t sanitize the command line when handling these URI argument requests and as such you can trivially obtain code execution by passing malformed links to the nnrurlshow binary.” continues the analysis of the experts.

“An attacker can get a user of RedStar OS 3.0 to execute arbitrary commands by enticing them to click on a link which points to “mailto:`cmd`”. Commands will then be executed as arguments when passed to evolution mail. An example of exploitation can be seen in the image below with the output of the “id” command visibly shown in the evolution-based mail client output.”

red star os

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Red Star OS, North Korea)

you might also like

leave a comment