Hacker-Powered Security for Startups » Get the Free E-Book from HackerOne!
Welcome Guest | Sign In

Backspace Flaw Enables Linux Zero-Day Attack

By Richard Adhikari
Dec 28, 2015 11:20 AM PT

Researchers last week revealed a zero-day flaw that lets attackers take over a Linux system by pressing the backspace key repeatedly.

Pressing backspace 17 to 20 times will overwrite the highest byte of the return address of the grub_memset() function, ultimately causing a reboot by redirecting control flow to the 0x00eb53e8 address, according to the Cybersecurity Group at the Universitat Politecnica de Valencia.

The flaw is in Grub v 1.98 and later. Grub is the bootloader used by most Linux systems, including some embedded systems.

Why the Attack Works

The processor's interrupt vector table, or IVT, resides at address 0x0.

At this stage of the boot sequence, the processor is in protected mode, which Grub2 enables from the start.

Virtual memory is not enabled; there is no memory protection and the memory is readable, writable and executable; the processor executes the 32-bit instruction set even in 64-bit architectures; the processor automatically handles self-modifying code; and there is no stack smashing protector or address space layout randomization.

In other words, the system is naked.

The integer underflow fault impacts both the grub_password_get() function and the grub_username_get() function.

Pressing the Backspace key 28 times when Grub asks for the username will show whether a system is at risk.

If the machine reboots or a rescue shell is displayed, it is.

The Danger of the Flaw

Attackers can access the Grub2 rescue function without authentication. Then they can deploy malware into a system through various means, including running a BASH shell, or they can patch the code of Grub2 in RAM to be always authenticated and then return to normal mode.

They can elevate privileges to whatever extent they desire or copy the entire disk; destroy any data, including the Grub; or overwrite ciphered disks, causing a denial-of-service attack.

The bug can be fixed by preventing cur_len overflows. Major Linux vendors -- Red Hat, Ubuntu and Debian -- have fixed the flaw, and the researchers have created an emergency patch.

Much has been made of the relative security of Linux systems compared to Microsoft PCs, but this flaw shows Linux users "have to be at least as observant and reactive as everyone else," observed Rob Enderle, principal analyst at the Enderle Group.

Easier Said Than Done

Exploiting the flaw is not as easy as it might sound.

"The ability to PWN a Grub2-based system is based on the version of Grub2, the version of the system BIOS, and physical access to a system console or network access to a virtual console," pointed out Bill Weinberg, principal analyst at Linux Pundit.

Further, its impact on embedded devices and the Internet of Things is "questionable" because it's "very much constrained to Intel architectures," he told LinuxInsider. Embedded systems are more likely to use "ARM and other non-x86 silicon, each with its own different IVT layout and, equally important, a non-Grub bootloader, such as U-Boot or RedBoot."

Still, the process the researchers described "is likely only one of several paths to exploit this zero-day vulnerability, so patching ASAP is highly advisable," Weinberg said.

Who's Gonna Get Hurt

The vulnerability will be a real problem in libraries and schools that provide access to Linux desktops with limited accounts, remarked Tripwire researcher Tyler Reguly.

"Since both Ubuntu and Red Hat -- the two most likely distributions in these environments -- have already issued updates, this is simply a matter of updating these systems," he told LinuxInsider.

Sysadmins concerned a breach has occurred should reimage the system and then apply the update.

Government installations also may be at risk, Enderle told LinuxInsider, as "governments have been attracted to the cost of Linux front ends for cost savings and they aren't well staffed to address problems like this. Cheap has its downsides."

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.

Facebook Twitter LinkedIn Google+ RSS
salesforce commerce cloud
Does it matter to you if products you purchase are manufactured in another country?
Yes, and I will pay more for a domestically produced product.
Yes, but my shopping decisions won't change anything, so I do what's best for me.
I care, but it's impossible to keep track of where everything is made.
I want the best quality and price, regardless of country of origin.
It depends on the country. Some are OK, some aren't.
It depends on the company. I'll buy from a reputable non-domestic brand.