A couple of researchers from the University of Valencia’s Cybersecurity research group, Hector Marco and Ismael Ripoll, have found that the Grub2 bootloader is plagued by a serious vulnerability that can be exploited by hackers to bypass password protection and compromise the targeted computer.
Nothing complex: the researchers discovered that pressing backspace 28 times is enough to bypass authentication during boot-up on some Linux systems.
The duo explained that the flaw affects the Grub2 bootloader, which a large number of Linux machines, including some embedded systems, currently use to load the operating system at startup.
The researchers explained in the advisory that hitting the backspace key 28 times at the Grub username prompt during power-up defeats the authentication mechanism: the action drops the user into a “rescue shell” on Grub2 versions 1.98 (December 2009) to 2.02 (December 2015).
“Exploiting the integer underflow can be used to cause an Off-by-two or an Out of bounds overwrite memory errors.” states the advisory. “An attacker which successfully exploits this vulnerability will obtain a Grub rescue shell. Grub rescue is a very powerful shell allowing to:
An attacker can exploit the rescue shell to load another environment that allows him to fully compromise the machine, for example by installing a rootkit.
The integer underflow vulnerability affects Grub2 since 2009 and resides in the grub_password_get() function.
“The fault (bug) is in the code of Grub since version 1.98 (December, 2009). The commit which introduced the fault was b391bdb2f2c5ccf29da66cecdbfb7566656a704d, affecting the grub_password_get() function.” continues the advisory.
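A simplified model of the underflow described above, with the guard that prevents it, added here as an illustration; it is not GRUB's own code, and the key codes, buffer size and helper names are assumptions. The unguarded variant only reports the index the editor would use, so the wrap-around is visible without any memory being written.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model (not GRUB's code) of a password line editor that keeps
 * the typed length in an unsigned counter. KEY_BS stands for backspace;
 * any other key value is treated as a typed character. (assumptions) */
#define KEY_BS   0x08
#define BUF_SIZE 32

/* Unguarded backspace handling: returns the counter the editor would use
 * as its next write index after the key sequence, without touching any
 * buffer, so the underflow is observable but harmless here. */
unsigned unguarded_index(const int *keys, size_t nkeys)
{
    unsigned cur_len = 0;
    for (size_t i = 0; i < nkeys; i++) {
        if (keys[i] == KEY_BS)
            cur_len--;                 /* no check: 0 - 1 wraps to UINT_MAX */
        else if (cur_len < BUF_SIZE - 1)
            cur_len++;
    }
    return cur_len;
}

/* Hardened editor: backspace is ignored when nothing has been typed and
 * every store is bounded, so the index can never leave buf[]. */
size_t guarded_edit(const int *keys, size_t nkeys, char *buf, size_t buf_size)
{
    size_t cur_len = 0;
    for (size_t i = 0; i < nkeys; i++) {
        if (keys[i] == KEY_BS) {
            if (cur_len > 0)
                cur_len--;             /* guard against the underflow */
        } else if (cur_len < buf_size - 1) {
            buf[cur_len++] = (char)keys[i];
        }
    }
    buf[cur_len] = '\0';               /* always inside the buffer */
    return cur_len;
}

/* Constructed sample input: 28 backspaces at an empty prompt, then "pw". */
static int sample_keys[30];
static size_t build_sample(void)
{
    size_t n = 0;
    while (n < 28) sample_keys[n++] = KEY_BS;
    sample_keys[n++] = 'p';
    sample_keys[n++] = 'w';
    return n;
}
char demo_buf[BUF_SIZE];
unsigned demo_unguarded(void) { return unguarded_index(sample_keys, build_sample()); }
size_t demo_guarded(void) { return guarded_edit(sample_keys, build_sample(), demo_buf, sizeof demo_buf); }
```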
The duo also presented a proof-of-concept attack that exploits the flaw to inject a backdoor on the target system. Fortunately, they have also released a fix, which is available here.
(Security Affairs – Grub2, hacking)