Taking over a Linux machine that has been locked with a password can be as easy as pressing the backspace key 28 times, two researchers from the Cyber Security Research Group with the Technical University of Valencia have discovered.
An integer underflow vulnerability found in Grub2, a bootloader used by most Linux and some embedded systems, can be easily triggered and exploited to bypass any kind of authentication set up on the device.
Granted, the attacker must have physical access to the target machine, but other than that, the key pressing is enough to get access to a Grub rescue shell, from which he can gain elevated privileges on the system; load a customized kernel and initramfs (for example from a USB) and then from a more comfortable environment, copy the full disk or install a rootkit”; or destroy data (e.g. by overwriting the device’s disk).
The bug was introduced in Grub in version 1.98 (December, 2009). It is still present in v2.02 (pushed out in December 2015).
“The bug can be easily fixed just by preventing that cur_len overflows,” researchers Hector Marco and Ismael Ripoll noted, adding that the main vendors are already aware of this vulnerability. The have also created an emergency patch.
“The successfully exploitation of the vulnerability has been possible because we made a very deep analysis of all components involved in this bug,” they added. “As can be seen, the successful exploitation depends on many things: the BIOS version, the GRUB version, the amount of RAM, and whatever that modifies the memory layout. And each system requires a deep analysis to build the specific exploit.”
The researcher shared more technical details about the bug and how the exploit works, as well as how an APT could use this 0-day, in a security advisory published on Monday.