Vulnerability In Popular Bootloader Puts Locked-Down Linux Computers At Risk

December 17, 2015
No Comments

The flaw can allow attackers to modify password-protected boot entries and deploy malware

Pressing the backspace key 28 times can bypass the Grub2 bootloader’s password protection and allow a hacker to install malware on a locked-down Linux system.
GRUB, which stands for the Grand Unified Bootloader, is used by most Linux distributions to initialize the operating system when the computer starts. It has a password feature that can restrict access to boot entries, for example on computers with multiple operating systems installed.
This protection is particularly important within organizations, where it is also common to disable CD-ROM, USB and network boot options and to set a password for the BIOS/UEFI firmware in order to secure computers from attackers who might gain physical access to the machines.
Without these boot options secured, attackers or malicious employees could simply boot from an alternative OS – like a live Linux installation stored on a USB drive or CD/DVD — and access files on a computer’s hard drive.
Depending on certain conditions, this can cause the machine to reboot or can put Grub in rescue mode, providing unauthenticated access to a powerful shell. Using this shell’s commands, an attacker can rewrite the Grub2 code loaded in RAM to completely bypass the authentication check.
The attacker can then return Grub to its normal operation mode and have full access to edit the boot entries because the authentication check is no longer performed.
At this point multiple attack scenarios are possible, including destroying all data on the disk, but for their proof-of-concept exploit the researchers chose one that’s likely to be preferred by advanced attackers: installing malware that would steal legitimate users’ encrypted home folder data after they log in and unlock it.
To do this, the researchers first modified an existing boot entry to load the Linux kernel and initialize a root shell. Then they used it to replace a Mozilla Firefox library with a malicious one designed to open a reverse shell to a remote server whenever the browser is started by the user.

ABOUT THE AUTHOR

Techrish