Posted on 12/17/2015 11:05:35 AM PST by ShadowAce
Pressing the backspace key 28 times can bypass the Grub2 bootloader's password protection and allow a hacker to install malware on a locked-down Linux system.
GRUB, which stands for the Grand Unified Bootloader, is used by most Linux distributions to initialize the operating system when the computer starts. It has a password feature that can restrict access to boot entries, for example on computers with multiple operating systems installed.
This protection is particularly important within organizations, where it is also common to disable CD-ROM, USB and network boot options and to set a password for the BIOS/UEFI firmware in order to secure computers from attackers who might gain physical access to the machines.
Without these boot options secured, attackers or malicious employees could simply boot from an alternative OS -- like a live Linux installation stored on a USB drive or CD/DVD -- and access files on a computer's hard drive.
Of course, it's also possible for an attacker to remove the drive and place it in another machine that doesn't have these restrictions, but there can be other physical access controls in place to prevent that.
Hector Marco and Ismael Ripoll, two researchers from the Cybersecurity Group at Universitat Politècnica de València, found an integer underflow vulnerability in Grub2 that can be triggered by pressing the backspace key 28 times when the bootloader asks for the username.
Depending on certain conditions, this can cause the machine to reboot or can put Grub in rescue mode, providing unauthenticated access to a powerful shell. Using this shell's commands, an attacker can rewrite the Grub2 code loaded in RAM to completely bypass the authentication check.
The attacker can then return Grub to its normal operation mode and have full access to edit the boot entries because the authentication check is no longer performed.
At this point multiple attack scenarios are possible, including destroying all data on the disk, but for their proof-of-concept exploit the researchers chose one that's likely to be preferred by advanced attackers: installing malware that would steal legitimate users' encrypted home folder data after they log in and unlock it.
To do this, the researchers first modified an existing boot entry to load the Linux kernel and initialize a root shell. Then they used it to replace a Mozilla Firefox library with a malicious one designed to open a reverse shell to a remote server whenever the browser is started by the user.
"When any user executes Firefox, a reverse shell will be invoked," the researchers said in a detailed write-up of their exploit, which they presented last week at the STIC CCN-CERT Conference in Madrid. "At this time all data of the user is deciphered, allowing us to steal any kind of information of the user."
Modifying the kernel to deploy a more persistent malware program is also possible, the researchers said. "The imagination is the limit."
The vulnerability, which is tracked as CVE-2015-8370, affects all versions of Grub2 from 1.98, released in December, 2009, to the current 2.02. Ubuntu, Red Hat, Debian and probably other distributions too, have released fixes for this flaw. Users are advised to install any updates they receive for the grub2 package as soon as possible.
Having to input a GRUB password was considered a way around the "physical access means single user mode" exploit. This vulnerability puts the lie to that concept.
However, there is already a fix for this. We don't have to wait forever, or the next service pack, for a fix to be available.
Doesn’t this exploit require physical access to the hardware?
See.
Don’t be scared, but be vigilant.
Fortunately, my cats can only count to 3.
There was a Dilbert episode where they had a monkey ‘coding’, and other employees complained he could use his tail.
Dilbert says: “You should see him do Ctl-Alt-Del”
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.