Backspace Flaw Enables Linux Zero-Day Attack

Share this…

Researchers last week revealed a zero-day flaw that lets attackers take over a Linux system by pressing the backspace key repeatedly.

Pressing backspace 17 to 20 times will overwrite the highest byte of the return address of the grub_memset() function, ultimately causing a reboot by redirecting control flow to the 0x00eb53e8 address, according to the Cybersecurity Group at the Universitat Politecnica de Valencia.

The flaw is in Grub v 1.98 and later. Grub is the bootloader used by most Linux systems, including some embedded systems.

Backspace Flaw Enables Linux Zero-Day Attack

Why the Attack Works

The processor’s interrupt vector table, or IVT, resides at address 0x0.

At this stage of the boot sequence, the processor is in protected mode, which Grub2 enables from the start.

Virtual memory is not enabled; there is no memory protection and the memory is readable, writable and executable; the processor executes the 32-bit instruction set even in 64-bit architectures; the processor automatically handles self-modifying code; and there is no stack smashing protector or address space layout randomization.

In other words, the system is naked.

The integer underflow fault impacts both the grub_password_get() function and the grub_username_get() function.

Pressing the Backspace key 28 times when Grub asks for the username will show whether a system is at risk.

If the machine reboots or a rescue shell is displayed, it is.

The Danger of the Flaw

Attackers can access the Grub2 rescue function without authentication. Then they can deploy malware into a system through various means, including running a BASH shell, or they can patch the code of Grub2 in RAM to be always authenticated and then return to normal mode.

They can elevate privileges to whatever extent they desire or copy the entire disk; destroy any data, including the Grub; or overwrite ciphered disks, causing a denial-of-service attack.

The bug can be fixed by preventing cur_len overflows. Major Linux vendors — Red Hat, Ubuntu and Debian — have fixed the flaw, and the researchers have created an emergency patch.

Much has been made of the relative security of Linux systems compared to Microsoft PCs, but this flaw shows Linux users “have to be at least as observant and reactive as everyone else,” observed Rob Enderle, principal analyst at the Enderle Group.

Easier Said Than Done

Exploiting the flaw is not as easy as it might sound.

“The ability to PWN a Grub2-based system is based on the version of Grub2, the version of the system BIOS, and physical access to a system console or network access to a virtual console,” pointed out Bill Weinberg, principal analyst at Linux Pundit.

Further, its impact on embedded devices and the Internet of Things is “questionable” because it’s “very much constrained to Intel architectures,” he told LinuxInsider. Embedded systems are more likely to use “ARM and other non-x86 silicon, each with its own different IVT layout and, equally important, a non-Grub bootloader, such as U-Boot or RedBoot.”

Still, the process the researchers described “is likely only one of several paths to exploit this zero-day vulnerability, so patching ASAP is highly advisable,” Weinberg said.

Who’s Gonna Get Hurt

The vulnerability will be a real problem in libraries and schools that provide access to Linux desktops with limited accounts, remarked Tripwire researcher Tyler Reguly.

“Since both Ubuntu and Red Hat — the two most likely distributions in these environments — have already issued updates, this is simply a matter of updating these systems,” he told LinuxInsider.

Sysadmins concerned a breach has occurred should reimage the system and then apply the update.

Government installations also may be at risk, Enderle told LinuxInsider, as “governments have been attracted to the cost of Linux front ends for cost savings and they aren’t well staffed to address problems like this. Cheap has its downsides.”