Grinch Bug Could be worse than Shellshock, Says Experts

Pierluigi Paganini December 17, 2014

Researchers discover a vulnerability in Linux operating systems dubbed Grinch Bug, which is exploited to give malicious hackers Root access to a computer system. The flaw resides in the authorization system in Linux which allows privilege escalation through the wheel.

A new privilege escalation bug similar to shellshock is giving Linux administrators sleepless nights just days after the Poodle, another deadly bug of 2014 resurfaced. The Grinch vulnerability, affecting all Linux based operating system potentially gives an attacker root access to a system according to Alert Logic who announced the Bug on Tuesday.

Grinch could be worse than ShellShock which plagued the tech world earlier in September. Shellshock is a coding mistake in Bash which affected all UNIX based operating system, including Linux and Mac. Like shellshock, Grinch potentially gives an attacker root access to a system without a password or Encryption keys.

Apparently, the problem lies with Linux authorization systems which allow for privilege escalation through the wheel, ultimately granting root access. Basically, a wheel is user account with special administrative rights in a UNIX system and controls the SU command, which allows the elevation of the current user to a super user.

A hacker could exploit the Grinch vulnerability by either modifying the registered user accounts in a wheel or by manipulating the Policy Kit (Polkit), a graphical User interface for managing privileged operations for ordinary users. “

“Polkit can be used by privileged processes to decide if it should execute privileged operations on behalf of the requesting user. For directly executed tools, Polkit provides a setuid-root helper program called ‘’pkexec.’’ The hooks to ask the user for authorizations are well integrated into text environments and native in all major graphical environments” notes Alert Logic in a blog.

Whichever method the attacker uses, the goal is to gain root access to the system. With root access, the attacker has full administrative control and can install, modify programs or access files in any directory. The attacker is also able to remotely control the system implying they can create a replicating worm which can be spread to other systems in a blink of an eye.

Bash related vulnerabilities like the Grinch, are primarily a problem to retailers and e-commerce platforms like Amazon, who tend to favor Unix/Linus based operating systems. W3Tech estimate that 65% of web servers on the internet use Unix/Linux based operating systems.  Some smartphone running on Linux related OS could also be vulnerable to the Grinch bug.

Alert Logic is yet to witness the vulnerability begin exploited in the wild, nor is the flaw listed on the database of Community Emergency Response Team (CERT), according to Stephen Coty, Alert Logic’s director of threat research. However, that does not imply exploiting the Grinch vulnerability is not practical in real life. The bug is easy to execute and manipulate.

Grinch Bug 2

Linux is yet to make an official statement about the vulnerability nor issue a patch, but since the Grinch is a flaw in Linux Kernel Architecture, Coy believes Linux Kernel development team is working on a solution. Meanwhile, users can mitigate against Grinch by using a logging software that flags off any unusual behavior in the system.

“We find that possession of user logs and knowledge of your own environment are the best security content to help you navigate away from a bug like grinch. Know how your Linux administrator is installing packages and managing updates—do they use Yum to install packages? Firing on any of the newer methods like PKCon will be an immediate trigger of the exploit in use.” contines the post.

More importantly, understanding how your Linux system work will go a long way in tackling a bug like Grinch.

“Possession of user logs and knowledge of your own environment are the best security content to help you navigate away from a bug like Grinch. Know how your Linux administrator is installing packages and managing updates—do they use Yum to install packages?” says Alert Logic.


Written by: Ali Qamar, Founder/Chief Editor at SecurityGladiators.com

Author Bio:
Ali Qamar is an Internet security research enthusiast who enjoys “deep” research to dig out modern discoveries in the security industry. He is the founder and chief editor at Security Gladiators, an ultimate source for cyber security. To be frank and honest, Ali started working online as a freelancer and still shares the knowledge for a living. He is passionate about sharing the knowledge with people, and always try to give only the best. Follow Ali on Twitter @AliQammar57

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Grinch Bug, Linux)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment