Press Backspace 28 times to own unlucky Grub-by Linux boxes
Integer underflow fault means you can get into rescue mode and rummage around
A pair of researchers from the University of Valencia's Cybersecurity research group have found that if you press backspace 28 times, it's possible to bypass authentication during boot-up on some Linux machines.
The problem's not a kernel nor an operating system problem, but rather one in the very popular bootloader Grub2, which is used to boot an awful lot of flavours of Linux.
Essentially, if you enable Grub2's password protection during system startup, it won't do you much good – it can be easily defeated. (Luckily, the vast majority of distributions of Linux do not enable this by default.)
As Hector Marco and Ismael Ripoll explain in an advisory, hitting the backspace key 28 times at the Grub username prompt during power-up will produce a “rescue shell” under Grub2 versions 1.98 (December, 2009) to 2.02 (December, 2015).
The rescue shell offers all manner of opportunities for fun, as it allows unauthenticated access to a machine and the ability to load another environment. Once your preferred environment is running, you can install a rootkit, browse local storage resources and launch many forms of attack.
The source of the bug is an integer underflow fault that the researchers pin onto a single commit in 2009, in case it was you, that affects the grub_password_get() function.
The researchers prepared a proof-of-concept attack exploiting the flaw to hide a backdoor on a computer, and – oh unhappy day – found that 55 virus-fighting tools could not detect the infection.
The duo claim “Grub2 is the bootloader used by most Linux systems including some embedded systems. This results in an incalculable number of affected devices.”
The good news is the researchers have also cooked up a fix, available here. ®