Exploit Logs You Into Linux Systems After Hitting Backspace 28 Times

23 Dec 2015 | Author: | No comments yet »

Even a child could hack into a Linux computer: report.

Though most of you likely don’t run Linux—specifically, one using the Grub2 bootloader—you’ll surely appreciate the unintended humor of a brand-new exploit that was recently found for said bootloader. Pressing the backspace key 28 times can bypass the Grub2 bootloader’s password protection and allow a hacker to install malware on a locked-down Linux system. The exploit is being quickly patched by various major Linux distros, including Ubuntu, Red Hat, and Debian, and it also requires physical access to an unpatched machine to work, so it’s not the worst potential vulnerability, just one of the sillier ones. “To quickly check if your system is vulnerable, when the Grub ask you the username, press the Backspace 28 times. The computer security researchers discovered the vulnerability that allows unauthorized users to bypass the authentication of locked-down Linux boxes in the bootloader GRUB2 — which is used by, according to the researchers, “most Linux system” to load the operating system. The team stumbled across this strange backdoor measure while testing the security of the Grub2 bootloader, which is commonly found in a large majority of Linux based operating systems.

After you’ve tapped backspace for the 28th time (on an affected system), you’ll gain access to the rescue shell—giving you a lot more power over the system than you previously had. Without these boot options secured, attackers or malicious employees could simply boot from an alternative OS—like a live Linux installation stored on a USB drive or CD/DVD—and access files on a computer’s hard drive.

Of course, it’s also possible for an attacker to remove the drive and place it in another machine that doesn’t have these restrictions, but there can be other physical access controls in place to prevent that. So basically, with this bug, even a 10-year old can hack into your Linux system. “The vulnerability, known as CVE-2015-8370, is present in all versions of Grub2 from 1.98, which was released in December 2009, to the current 2.02 version.” How this works, you might ask. Said person could then load a customized kernel and do all sorts of things to the host computer—including copying the contents of its hard drive or installing some other, harder-to-find exploit (like a rootkit) that could cause all sorts of issues for a compromised system (or, worse, other networked systems). “The attacker is able to destroy any data including the grub itself. Coded in assembly and C, the bootloader is capable is obviously capable of loading Linux, but it’s also able to load Solaris (x86 port), Apple’s OS X, BSD and even Windows — the latter of which through chainloading.

Depending on certain conditions, this can cause the machine to reboot or can put Grub in rescue mode, providing unauthenticated access to a powerful shell. If your Linux distro of choice doesn’t happen to have a patch ready just yet, you can grab the emergency patch that Marco and Ripoll have created to fix the isssue—all stemming from a simple integer underflow fault that was introduced to Grub2 back in December of 2009. “It is irresponsible for grub to lack decades-old exploit mitigations like stack cookies that could have addressed this issue,” said Dan Guido, Trail of Bits founder, in an interview with Motherboard. The attacker can then return Grub to its normal operation mode and have full access to edit the boot entries because the authentication check is no longer performed.

At this point multiple attack scenarios are possible, including destroying all data on the disk, but for their proof-of-concept exploit the researchers chose one that’s likely to be preferred by advanced attackers: installing malware that would steal legitimate users’ encrypted home folder data after they log in and unlock it.

Here you can write a commentary on the recording "Exploit Logs You Into Linux Systems After Hitting Backspace 28 Times".

* Required fields
Twitter-news
Our partners
Follow us
Contact us
Our contacts

dima911@gmail.com

ICQ: 423360519

About this site