Menu
Vulnerability in popular bootloader puts locked-down Linux computers at risk

Vulnerability in popular bootloader puts locked-down Linux computers at risk

The flaw can allow attackers to modify password-protected boot entries and deploy malware

Pressing the backspace key 28 times can bypass the Grub2 bootloader's password protection and allow a hacker to install malware on a locked-down Linux system.

GRUB, which stands for the Grand Unified Bootloader, is used by most Linux distributions to initialize the operating system when the computer starts. It has a password feature that can restrict access to boot entries, for example on computers with multiple operating systems installed.

This protection is particularly important within organizations, where it is also common to disable CD-ROM, USB and network boot options and to set a password for the BIOS/UEFI firmware in order to secure computers from attackers who might gain physical access to the machines.

Without these boot options secured, attackers or malicious employees could simply boot from an alternative OS -- like a live Linux installation stored on a USB drive or CD/DVD -- and access files on a computer's hard drive.

Of course, it's also possible for an attacker to remove the drive and place it in another machine that doesn't have these restrictions, but there can be other physical access controls in place to prevent that.

Hector Marco and Ismael Ripoll, two researchers from the Cybersecurity Group at Universitat Politècnica de València, found an integer underflow vulnerability in Grub2 that can be triggered by pressing the backspace key 28 times when the bootloader asks for the username.

Depending on certain conditions, this can cause the machine to reboot or can put Grub in rescue mode, providing unauthenticated access to a powerful shell. Using this shell's commands, an attacker can rewrite the Grub2 code loaded in RAM to completely bypass the authentication check.

The attacker can then return Grub to its normal operation mode and have full access to edit the boot entries because the authentication check is no longer performed.

At this point multiple attack scenarios are possible, including destroying all data on the disk, but for their proof-of-concept exploit the researchers chose one that's likely to be preferred by advanced attackers: installing malware that would steal legitimate users' encrypted home folder data after they log in and unlock it.

To do this, the researchers first modified an existing boot entry to load the Linux kernel and initialize a root shell. Then they used it to replace a Mozilla Firefox library with a malicious one designed to open a reverse shell to a remote server whenever the browser is started by the user.

"When any user executes Firefox, a reverse shell will be invoked," the researchers said in a detailed write-up of their exploit, which they presented last week at the STIC CCN-CERT Conference in Madrid. "At this time all data of the user is deciphered, allowing us to steal any kind of information of the user."

Modifying the kernel to deploy a more persistent malware program is also possible, the researchers said. "The imagination is the limit."

The vulnerability, which is tracked as CVE-2015-8370, affects all versions of Grub2 from 1.98, released in December, 2009, to the current 2.02. Ubuntu, Red Hat, Debian and probably other distributions too, have released fixes for this flaw. Users are advised to install any updates they receive for the grub2 package as soon as possible.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments