Well, this is embarrassing for Linux...


Post by OnTheLimit »

A rather embarrassing bug has been discovered which allows anyone to break into a Linux machine with ease. :doh:

If you press the backspace key 28 times on a locked-down Linux machine you want to access, a Grub2 bootloader flaw will allow you to break through password protection and wreak havoc in the system.

Researchers Hector Marco and Ismael Ripoll from the Cybersecurity Group at Universitat Politècnica de València recently discovered the vulnerability within GRUB, the bootloader used by most Linux distros.

As reported by PC World, the bootloader is used to initialize a Linux system at start and uses a password management system to protect boot entries -- which not only prevents tampering but also can be used to disable peripherals such as CD-ROMs and USB ports.

Without GRUB password protection, an attacker could also boot a system from a live USB key, switching the operating system in order to access files stored on the machine's hard drives.

The researchers discovered the flaw within GRUB2, of which versions 1.98 to 2.02 are affected. These versions were released between 2009 and today, which makes the vulnerability a long-standing and serious problem.

In a security advisory, Marco and Ripoll said the bootloader is used by most Linux distributions, resulting in an "incalculable number of affected devices."

Exploiting the flaw -- and checking if you are vulnerable -- is simple. When the bootloader asks for a username, simply press the backspace button 28 times. If vulnerable, the machine will reboot or you will encounter a Grub rescue shell.

The shell grants a user a full set of admin privileges -- within the rescue function only -- to load customised kernels and operating systems, install rootkits, download the full disc or destroy all data on a machine.

The researchers say the fault lies within two functions; the grub_password_get() function and the andgrub_password_get() script which suffer integer overflow problems. Exploiting the flaw causes out of bounds overwrite memory errors. When a user presses backspace, the bootloader is erasing characters which do not exist -- damaging its memory enough to trigger an exception in authentication protocols.

Not only does the vulnerability give attackers the chance to steal data and tamper with peripherals and passwords, but Linux entries can be modified to deploy malware.

While there is an emergency patch available on Github for Linux users, the main vendors have been made aware of this security flaw. It is recommended that users update their machines as soon as patches have been deployed, but it is worth noting an attacker needs physical access to the machine to exploit the flaw.
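The missing check behind the flaw described in the post above, as an added C model that is not part of the original post and is not GRUB's code. The names `read_line_model`, `press_backspace`, `edit_result` and `BUF_SIZE` are hypothetical, and the model counts out-of-range accesses rather than performing them.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16  /* constructed size for this model, not GRUB's */
struct edit_result {
    char text[BUF_SIZE];   /* buffer contents after the key sequence */
    unsigned cur_len;      /* final value of the length counter */
    unsigned oob_events;   /* backspaces that left the index outside text[] */
};

/* Hypothetical model of a prompt reader. check_empty == 0 decrements the
 * counter on every backspace (flawed); check_empty != 0 ignores a backspace
 * when nothing has been typed (hardened). Bad accesses are only counted. */
static struct edit_result read_line_model(const char *keys, int check_empty)
{
    struct edit_result r = { {0}, 0, 0 };
    for (const char *k = keys; *k; k++) {
        if (*k == '\b') {
            if (check_empty && r.cur_len == 0)
                continue;                 /* nothing to erase */
            r.cur_len--;                  /* unsigned: 0 - 1 wraps to UINT_MAX */
            if (r.cur_len < BUF_SIZE)
                r.text[r.cur_len] = '\0';
            else
                r.oob_events++;           /* unchecked code would write out of bounds */
        } else if (r.cur_len < BUF_SIZE - 1) {
            r.text[r.cur_len++] = *k;     /* room left for the terminator */
        }
    }
    return r;
}

/* Feed n backspaces to an empty prompt (n is capped at 63). */
static struct edit_result press_backspace(unsigned n, int check_empty)
{
    char keys[64];
    if (n > sizeof keys - 1) n = sizeof keys - 1;
    memset(keys, '\b', n);
    keys[n] = '\0';
    return read_line_model(keys, check_empty);
}

int main(void)
{
    struct edit_result a = press_backspace(28, 0), b = press_backspace(28, 1);
    printf("unchecked: cur_len=%u oob=%u\n", a.cur_len, a.oob_events);
    printf("checked:   cur_len=%u oob=%u\n", b.cur_len, b.oob_events);
    return 0;
}
```

With the emptiness check in place, backspaces on an empty prompt leave the counter at zero, which is why updating to a patched bootloader closes the hole.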

Re: Well, this is embarrassing for Linux...

Post by LghPuppy »

I only know 2 people here that know anything about Linux, so I'll pass this info on to them.