Grub2 Bypassable Without a Password | Hacked: Hacking Finance
P. H. Madore

P. H. Madore

P. H. Madore has covered the cryptocurrency beat over the course of hundreds of articles for Hacked's sister site, CryptoCoinsNews, as well as some of her competitors. He is a major contributing developer to the Woodcoin project, and has made technical contributions on a number of other cryptocurrency projects. In spare time, he recently began a more personalized, weekly newsletter at http://ico.phm.link
This article was posted on Wednesday, 20:35, UTC.

Grub is a common bootloader on Linux desktops. The name stands for GRand Unified Bootloader, and Grub2 is the continuation of its development. For a long time many distributions used another bootloader, LiLo (short for Linux Loader); it is still actively developed, but most distributions now opt for Grub.


Grub2 gives the user a degree of control before the system fully boots: choosing which operating system and which kernel to load, and even adding some security at that stage by requiring a password before that access is granted. On highly sensitive systems this can be useful. Grub2 also offers a number of recovery options through a somewhat limited shell that can be reached from the boot menu.

However, researchers have recently discovered a bug which appears to affect versions of Grub2 going back to version 1.98 from 2009, all the way up to the most recent version, 2.02, released this month. For physically accessible systems, the 0-day documented by Hector Marco and Ismael Ripoll of the Cybersecurity Group represents a serious potential problem, in that an attacker can bypass Grub2's password protection altogether. The researchers make no bones about this aspect:

The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer.

The researchers traced the faulty code back to a commit made in December 2009, which changed Grub2's grub_password_get() function; the grub_username_get() function carries the identical fault. The function decrements the cur_len variable without checking its range, and by exploiting that the user can reach a Grub rescue shell, which is relatively powerful and has a number of useful programs built in. By design, only an authorized user should be able to reach the rescue shell. The best part is how that unchecked decrement is triggered: by spamming the backspace key.


To abuse the out of bound overwrite, the attacker can press the backspace key to underflow the cur_len variable, producing a very high value. This value is later used to calculate the starting address to clear. […] At this point, a second overflow occurs because the addition of this big value with the base address where the username buffer resides cannot be held in a 32-bit variable.

Essentially, the method tricks Grub2 into believing it has received valid credentials by overwriting with zeros the memory where the credentials should have been. This comes down to an error in how the software was designed, a rather involved one that is better understood by reading the researchers' write-up.
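The flaw described in the two paragraphs above, modelled as an added example (this is not Grub2's own code and not the researchers' material): a simplified line reader whose cur_len is an unsigned counter, run once with the unchecked backspace decrement and once with the bounds check that the fix adds. The buffer size, the key sequence and the helper names are assumed values chosen for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64u          /* assumed buffer size, not Grub2's real value */

/* Outcome of one simulated credential read. */
struct read_result {
    unsigned cur_len;         /* cursor position after the key sequence       */
    unsigned clear_len;       /* BUF_SIZE - cur_len, as the original computes it */
    int out_of_bounds;        /* 1 if the trailing clear would leave buf[]     */
};

/* Simplified Grub2-style line reader fed from an in-memory key sequence.
 * guard_backspace == 0 reproduces the unchecked cur_len-- on backspace;
 * guard_backspace == 1 applies the range check that the fix introduces. */
struct read_result read_line(const char *keys, size_t nkeys, int guard_backspace)
{
    char buf[BUF_SIZE];
    unsigned cur_len = 0;
    struct read_result r;

    for (size_t i = 0; i < nkeys; i++) {
        int key = (unsigned char)keys[i];
        if (key == '\n' || key == '\r')
            break;
        if (key == '\b') {
            /* Vulnerable path: with cur_len == 0 the decrement wraps to UINT_MAX. */
            if (!guard_backspace || cur_len > 0)
                cur_len--;
            continue;
        }
        if (!isprint(key))
            continue;
        /* The second test only keeps this model memory-safe after a wrap. */
        if (cur_len + 2 < BUF_SIZE && cur_len < BUF_SIZE)
            buf[cur_len++] = (char)key;
    }
    r.cur_len = cur_len;
    r.clear_len = BUF_SIZE - cur_len;         /* wraps as well once cur_len wrapped */
    r.out_of_bounds = cur_len >= BUF_SIZE;
    if (!r.out_of_bounds)                     /* the original clears unconditionally */
        memset(buf + cur_len, 0, r.clear_len);
    return r;
}

int main(void)
{
    const char keys[] = "ab\b\b\b";           /* constructed: two chars, three backspaces */
    struct read_result v = read_line(keys, sizeof keys - 1, 0);
    struct read_result f = read_line(keys, sizeof keys - 1, 1);
    printf("vulnerable: cur_len=%u clear_len=%u oob=%d\n", v.cur_len, v.clear_len, v.out_of_bounds);
    printf("fixed:      cur_len=%u clear_len=%u oob=%d\n", f.cur_len, f.clear_len, f.out_of_bounds);
    return 0;
}
```

With the guard off, one backspace past the start of the input wraps cur_len to 0xFFFFFFFF and the computed clear starts far outside the buffer; with the guard on, cur_len stays at 0 and the clear covers exactly the buffer.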


By tricking the terminal into rebooting with a certain number of backspaces, the attacker is able to gain a rescue shell. From there, things get more interesting. The attacker can patch the Grub code on the fly, removing one of its checks as shown in the image below, and from then on always run in normal mode without any need for authentication. Doing so is a change of a single line.

[Image: the patched authentication check; courtesy of Hector Marco and Ismael Ripoll]

The write-up goes on to explain how, in the extreme case, an attacker embedded at a sensitive location could use the hack to harvest user data. A patch for Grub2 will certainly be released soon, but such software can go unpatched for years where it is actually deployed. Physical security is one of the last things we think of when we picture a world of attackers on the other side of the Ethernet cable.

Featured image from Shutterstock.
