Grub2 Bypassable Without a Password
The Grub system is pretty common on Linux desktops. Grub stands for GRand Unified Bootloader, and Grub2 is a continuation of its development. For a long time, another bootloader was also used by many distributions, called LiLo, which was short for Linux Loader, and while it is still actively developed, most distributions opt for Grub anymore.
Grub2 allows the user a degree of control before full boot, selecting which operating system to use, which kernel to use, and even allows for some security there, placing a password for pre-access. On highly sensitive systems, this can be useful. Grub2 also has a number of recovery options available via a somewhat limited shell that can be accessed.
However, researchers have recently discovered a bug which appears to affect versions of Grub2 as far back as 2009, version 1.98, all the way up to the most recent version, 2.02, released this month. For physically accessible systems, the 0-day exploit documented Hector Marco and Ismael Ripoll of Cybersecurity Group represents a serious potential problem in that an attacker can bypass the password protection of Grub2 altogether. The researchers make no bones about this aspect:
The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer.
The researchers were able to track the faulty code back to a commit made in December of 2009, which introduced changes to Grub2’s grub_password_get() function. The fault is identical in the grub_username_get() function. By decrementing the cur_len variable in the function without checking the range, the user is able to get a Grub rescue shell, which is relatively powerful and has a number of useful programs built in. By design, only an authorized user should be able to access the rescue shell. The best part is the way that this decrementation can be achieved: spamming backspace.
To abuse the out of bound overwrite, the attacker can press the backspace key to underflow the cur_len variable, producing a very high value. This value is later used to calculate the starting address to clear. […] At this point, a second overflow occurs because the addition of this big value with the base address where the username buffer resides can not be hold in a 32-bit variable.
Essentially, the method allows the attacker to trick Grub2 into believing it has received valid credentials by overwriting zeros where there should have been credentials. This is done through an error in the way the software is designed, a rather complex one which is better understood through reading the documentation.
By tricking the terminal into rebooting using a certain number of backspaces, the attacker is able to gain a rescue shell. From here, things get more interesting. The attacker can patch the Grub code on the fly, removing one of its checks as shown below, and then always run in normal mode, without need for authentication. Doing so is a change of one line.
The documentation then goes on to explain how an embedded attacker at a sensitive location could garner user data in the extreme using the hack. Certainly a patch for Grub2 will be released soon, but such software can go for years unpatched at the deployment level. Physical security is one of the last things we think of when considering a world of attackers on the other side of the ethernet cable.
Featured image from Shutterstock.