Just hit the backspace 28 times and you can gain access to data on most Linux …

23 Dec 2015

Exploit Lets You Sneak Into Linux Systems After Hitting Backspace 28 Times.

Though most of you likely don’t run Linux (specifically, a system using the Grub2 bootloader), you’ll surely appreciate the unintended humor of a brand-new exploit that was recently found for said bootloader. Pressing the backspace key 28 times can bypass the Grub2 bootloader’s password protection and allow a hacker to install malware on a locked-down Linux system. The exploit is being quickly patched by various major Linux distros, including Ubuntu, Red Hat, and Debian, and it also requires physical access to an unpatched machine to work, so it’s not the worst potential vulnerability, just one of the sillier ones. “To quickly check if your system is vulnerable, when the Grub ask you the username, press the Backspace 28 times.”

Computer security researchers discovered the vulnerability, which allows unauthorized users to bypass authentication on locked-down Linux boxes, in the GRUB2 bootloader, which is used by, according to the researchers, “most Linux system” to load the operating system. The bug, reported by researchers Hector Marco and Ismael Ripoll, provides an incredibly easy mechanism for bypassing the authentication process on Linux systems. After you’ve tapped backspace for the 28th time (on an affected system), you’ll gain access to the rescue shell, giving you a lot more power over the system than you previously had. If boot options are not secured, attackers or malicious employees could simply boot from an alternative OS, like a live Linux installation stored on a USB drive or CD/DVD, and access files on a computer’s hard drive. “The successful exploitation of the vulnerability has been possible because we made a very deep analysis of all components involved in this bug,” wrote the Cyber Security Group in the announcement of the bug.

Marco and Ripoll have further revealed in their paper, titled ‘Back to 28: Grub2 Authentication 0-Day’, that the Grub2 versions affected by the newly discovered bug range from 1.98 (December, 2009) to 2.02 (December, 2015). The attacker could then load a modified kernel and do anything to the host computer, such as copying the contents of its hard drive or implanting other software, including something elusive such as a rootkit, that could cause numerous issues for a hacked system or, worse, affect other networked systems.

While not all *nix based operating systems use the vulnerable loader, GRand Unified Bootloader (GRUB), it does come pre-installed with some operating systems, such as Red Hat Linux. Of course, it’s also possible for an attacker to remove the drive and place it in another machine that doesn’t have these restrictions, but there can be other physical access controls in place to prevent that. Coded in assembly and C, the bootloader is obviously capable of loading Linux, but it’s also able to load Solaris (x86 port), Apple’s OS X, BSD and even Windows, the latter through chainloading. Depending on certain conditions, the bug can cause the machine to reboot or can put Grub in rescue mode, providing unauthenticated access to a powerful shell. Dan Guido, the founder of Trail of Bits, said in an interview with Motherboard, “It is irresponsible for grub to lack decades-old exploit mitigations like stack cookies that could have addressed this issue.”

The attacker can then return Grub to its normal operation mode and have full access to edit the boot entries because the authentication check is no longer performed. At this point multiple attack scenarios are possible, including destroying all data on the disk, but for their proof-of-concept exploit the researchers chose one that’s likely to be preferred by advanced attackers: installing malware that would steal legitimate users’ encrypted home folder data after they log in and unlock it. Computer security nowadays is stronger than ever before, and a majority of commonly used products and services are almost secure from hackers trying to steal information and cause losses to the people using those services. Then they used it to replace a Mozilla Firefox library with a malicious one designed to open a reverse shell to a remote server whenever the browser is started by the user. “When any user executes Firefox, a reverse shell will be invoked,” the researchers said in a detailed write-up of their exploit, which they presented last week at the STIC CCN-CERT Conference in Madrid. “At this time all data of the user is deciphered, allowing us to steal any kind of information of the user.” The vulnerability, which is tracked as CVE-2015-8370, affects all versions of Grub2 from 1.98, released in December, 2009, to the current 2.02.

And while the hack is quite a disconcerting new development, it is worth mentioning that hackers would still need to be physically in front of your computer, and that Red Hat, Debian, and Ubuntu have all rolled out patches to take care of the exploit. Linux is thought to be a highly secure operating system, and that is not to say it is insecure; however, this is just another blunt reminder that no matter how secure a system may seem, it could be susceptible to minute yet critical flaws.
