from the OOPS!-didn't-mean-to-leave-that-in-there dept.
El Reg reports
A pair of researchers from the University of Valencia's Cybersecurity research group have found that if you press backspace 28 times, it's possible to bypass authentication during boot-up on some Linux machines.
The problem's not a kernel nor an operating system problem, but rather one in the very popular bootloader Grub2, which is used to boot an awful lot of flavours of Linux.
Essentially, if you enable Grub2's password protection during system startup, it won't do you much good--it can be easily defeated. (Luckily, the vast majority of distributions of Linux do not enable this by default.)
As Hector Marco and Ismael Ripoll explain in an advisory, hitting the backspace key 28 times at the [username prompt of the GRand Unified Bootloader] during power-up will produce a "rescue shell" under Grub2 versions 1.98 (December, 2009) to 2.02 (December, 2015).
[...] The researchers have also cooked up a fix, available here.
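The summary gives the symptom (28 backspaces at the username prompt) but not the mechanism. As an added illustration that is not GRUB's code and not text from the advisory, the reader below models the bug class the public fix addressed: an unsigned length counter that backspace decrements with no lower bound, so an empty buffer wraps it and later stores land outside the array. The reader, its names and the inputs are constructed here; why GRUB's memory layout needed exactly 28 presses is not something this page explains, and in this model any backspace on an empty buffer already wraps the counter.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical prompt reader, not GRUB's code. Keys come from a string ('\b' is
 * backspace, '\n' is Enter). It mirrors the bug class behind the advisory: backspace
 * decrements an unsigned length counter, and with no lower-bound check an empty
 * buffer wraps it, so later stores fall outside buf[]. Such stores are counted, not
 * performed; the return value is how many there would have been (0 means safe). */
static size_t read_name(const char *keys, char *buf, size_t max, int fixed)
{
    size_t cur_len = 0, oob = 0;
    for (; *keys && *keys != '\n'; keys++) {
        if (*keys == '\b') {
            if (fixed && cur_len == 0) continue; /* the fix: nothing to erase */
            cur_len--;                           /* unfixed on empty input: wraps to SIZE_MAX */
            continue;
        }
        if (cur_len >= max) { oob++; cur_len++; continue; } /* counter wrapped: OOB store */
        if (cur_len == max - 1) continue;                   /* full: drop key, keep room for NUL */
        buf[cur_len++] = *keys;
    }
    if (cur_len >= max) return oob + 1;  /* Enter would store the terminator out of bounds */
    buf[cur_len] = '\0';
    return oob;
}

/* Constructed input: n backspaces then Enter (the advisory's pattern is n = 28). */
static size_t backspace_storm(size_t n, int fixed)
{
    char keys[64], buf[32];              /* 32-byte name buffer is an arbitrary choice */
    if (n > sizeof keys - 2) n = sizeof keys - 2;
    memset(keys, '\b', n);
    keys[n] = '\n'; keys[n + 1] = '\0';
    return read_name(keys, buf, sizeof buf, fixed);
}

/* 1 if the fixed reader turns keys into expect without any out-of-bounds store. */
static int fixed_reader_yields(const char *keys, const char *expect)
{
    char buf[32];
    return read_name(keys, buf, sizeof buf, 1) == 0 && strcmp(buf, expect) == 0;
}

int main(void)
{
    printf("edited 'rooy<BS>t' reads back as root: %d\n", fixed_reader_yields("rooy\bt\n", "root"));
    printf("28 backspaces: unfixed oob=%zu, fixed oob=%zu\n", backspace_storm(28, 0), backspace_storm(28, 1));
    return 0;
}
```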
Related Stories
Softpedia News reports that version 2.02 of the GRUB boot loader has been released. Among the many new features are support for LZ4 compression on ZFS, 64-bit ext2, XFS v5, Morse code output and a modem-like output through the PC speaker, Xen paravirtualisation, TrueCrypt ISOs, Apple fat binaries on non-Apple hardware, and 16-bit mode on non-x86 hardware.
(Score: 2) by q.kontinuum on Saturday December 19 2015, @12:49PM
AFAIK, most BIOS password protections have some reset mechanisms anyway, which means it is nearly always possible to enable booting from USB and own the system that way. Only for e.g. Kiosk-systems, where a physical keyboard is available but access to the main board is seriously secured, this might be a problem. Since most security critical systems (ATMs etc.) have on-screen-display or a very limited key-pad, even there this is not a serious issue. If a keyboard is attached, you'd probably still cause a power-outage or similar to force a reboot.
It's good the issue was found and fixed, but I'd think this is really a low impact thing. If you want to secure your laptop, you won't get around encrypting your home folder.
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 2) by Runaway1956 on Saturday December 19 2015, @01:31PM
That seems to summarize things nicely. I've been accessing hard drives of various OS's for years already. If the hard drive is encrypted, my "access" is worthless. If the drive is not encrypted, gaining access to the hard drive gives me everything except plain text passwords. If I make a disk image of the drive, I can take it home to my own machine, and spend days, weeks, or months trying to brute force the password.
“Take me to the Brig. I want to see the ‘real Marines’.” – Major General Chesty Puller, USMC
(Score: 1, Insightful) by Anonymous Coward on Saturday December 19 2015, @01:47PM
It's really not a spectacular vulnerability. If somebody has that kind of access they can use their own damn bootloader. Or just remove the drive.
(Score: 1, Funny) by Anonymous Coward on Saturday December 19 2015, @01:15PM
^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H
root@fluorine:~$ service slashd stop
(Score: 3, Touché) by fliptop on Saturday December 19 2015, @03:50PM
root@fluorine:~$ systemctl stop slashd
FTFY</ducks>
Our Constitution was made only for a moral and religious people. It is wholly inadequate to the government of any other.
(Score: 2) by VanessaE on Sunday December 20 2015, @02:25AM
Damn upstarts putting their excess system daemons into the question.. Show SysV some love. ;-)
/etc/init.d/slashd stop
(Score: 0) by Anonymous Coward on Saturday December 19 2015, @01:17PM
"Popular" is rather a strong word to describe grub2. Still, it's not forced down your neck like the systemd disease.
(Score: 3, Insightful) by Anonymous Coward on Saturday December 19 2015, @01:29PM
Not forced down your neck yet.
How long until systemd-bootloaderd?
(Score: 5, Insightful) by wisnoskij on Saturday December 19 2015, @01:31PM
This, grub2 is really horrible. It turns a system that just worked, that you could configure by hand without looking up any details into a system that can quadruple your boot time and for which you need to download separate programs to modify its configuration.
(Score: 3, Insightful) by hemocyanin on Saturday December 19 2015, @02:57PM
It sounds like more of a hassle than inserting a live CD or live USB, booting up from that, and mounting the HD, but less of a hassle than removing the HD. Besides, if you're doing things right, the very next thing to do after GRUB initializes, is to enter the password to decrypt the drive so the system can actually boot. Without that password, the GRUB2 issue, a live CD, or full on HD removal is pretty pointless.
(Score: 2) by PinkyGigglebrain on Saturday December 19 2015, @09:43PM
This, grub2 is really horrible. It turns a system that just worked, that you could configure by hand without looking up any details into a system that can quadruple your boot time and for which you need to download separate programs to modify its configuration.
Amen to that.
One of the first things I do when I'm setting up a new Linux system is replace GRUB2 with GRUB1.
The "features" of GRUB2 do not justify the added complexity of its configuration. Who the Hells thought it would be a good idea to make it so you needed 20+ configlet files to sort through and then run 2 separate programs just to update a kernel argument?
Can anyone suggest a good bootloader that is as easy to tweak as GRUB 1 but also has support for newer file systems?
"Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
(Score: 0) by Anonymous Coward on Sunday December 20 2015, @12:11AM
Personally I just get rid of all the crapfiles in grub2 and go change grub.cfg directly instead for an easier configuration (and remove lots of the crap in it too of course).
But I'm thinking about maybe replacing the whole thing with grub4dos instead; how does it differ from what I use now?
(Score: 3, Interesting) by Subsentient on Sunday December 20 2015, @07:25AM
syslinux all the way bud. Supports ext2/3/4/btrfs, vfat, etc. extlinux is what it's called for ext2/3/4/btrfs.
"It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
(Score: 0) by Anonymous Coward on Sunday December 20 2015, @12:50AM
grub2's configuration format is not much different from grub 1 (yes, it is incompatible, but conversion of a grub 1 config file to grub 2 is pretty straightforward), except it has way more features and generally works much better.
It *also* ships with a tool called grub-mkconfig, which is horrible. But you don't need to use it to configure grub.
(Score: 4, Informative) by digitalaudiorock on Saturday December 19 2015, @03:06PM
Absolutely. After I upgraded to grub2 on my Gentoo machines and experienced that horrific script-to-create-your-config bullshit I immediately started looking into replacements. I've moved to Syslinux [syslinux.org] (EXTLINUX in my case), with its nice simple config file as God intended, and never looked back.
I've about had it with the trend these days (which I really think comes from a Windows mindset), where it's assumed that nothing simple can ever be good.
(Score: 2) by Subsentient on Saturday December 19 2015, @03:42PM
I am so glad to see a fellow syslinux user. GRUB 2 is a steaming pile of shit.
"It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
(Score: 0) by Anonymous Coward on Saturday December 19 2015, @04:24PM
I just plain UEFI boot the kernel since most of my machines are not dual booting, so I have no need for a bootloader anymore.
(Score: 3, Insightful) by Justin Case on Saturday December 19 2015, @01:59PM
if you enable Grub2's password protection during system startup
Which accomplishes what, exactly? Seriously, I've been using *nix since the 1980s and I never heard of this. Is it possible grub suffers from the "inner platform effect"? (trying to recreate an OS in a browser, a browser in a BIOS, a BIOS in a compiler...)
Logging in should be handled by the logging in thingy. If you don't have a password there, please reformat your hard disk now. Or, if that's too hard, I'll do it for you.
If you do have a password there, additional passwords fall into the category of bank website "security" AKA "wish it was two-factor".
(Score: 5, Interesting) by iwoloschin on Saturday December 19 2015, @02:16PM
The only thing the GRUB password does is prevent someone from changing boot parameters. It's quite useful for keeping your hands and eyes honest, and preventing a bumbling idiot from mucking with your boot options. I've never really considered it a method to stop a hacker, just a way to keep your servers from "accidentally" getting stuck in a broken pre-boot environment.
(Score: 3, Insightful) by Justin Case on Saturday December 19 2015, @02:33PM
GRUB password ... prevent[s] someone from changing boot parameters
Ahh, I see. So "pwn" in the headline is a wee bit of exaggeration, perhaps?
(Score: 3, Informative) by maxwell demon on Saturday December 19 2015, @03:52PM
Are you sure? [kernel.org]
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Informative) by sjames on Saturday December 19 2015, @10:24PM
It's a fairly minor security feature. It can prevent someone from adding init=/bin/bash to the kernel parameters to bypass the root password, but only actually helps if the attacker has limited access to the server such as remote serial console or they need to change the root password quickly before security walks by. If they gain full possession of the machine, a bootloader password is a minor inconvenience at best.
Of course, they shouldn't be able to access serial over lan anyway in a secure setup.
If security is THAT important, you need to encrypt the drive, which renders the bootloader password moot.
(Score: 2, Informative) by Anonymous Coward on Saturday December 19 2015, @02:03PM
Grub was updated 2 days ago to fix this.
(Score: 0) by Anonymous Coward on Saturday December 19 2015, @03:06PM
Yeah, kind of a dumb vuln that's been fixed, but the security press industry and other anti-Linux people need something to keep their narrative alive.
(Score: 4, Interesting) by darkfeline on Saturday December 19 2015, @03:45PM
This only matters if someone has physical access (or the virtual equivalent of physical access), and if someone has physical access, you're screwed anyway.
(At least, that's what I think. Can you come up with a situation where this is the sole exploit that can be used for compromising a system?)
Join the SDF Public Access UNIX System today!
(Score: 2, Informative) by Anonymous Coward on Saturday December 19 2015, @06:29PM
Yes, but the whole point of password-protecting the bootloader was to prevent tampering on a disk where full-disk encryption was enabled. Remember that unlike OpenBSD, Linux still requires an unencrypted /boot partition to know how to deal with an encrypted volume. So on a laptop, where physical keyloggers might be noticed, or at a console far removed from the physical disk, the "evil-maid" scenario would allow the attacker to drop to a grub shell and then inject the software keylogger. Password-protecting grub prevented that.
It wasn't foolproof (and anybody who physically removes the drive can still read/write /boot), but it made tampering with an encrypted laptop a hell of a lot harder when grub (and the UEFI BIOS) were password-protected and booting from external devices was disabled.
(Score: 0) by Anonymous Coward on Saturday December 19 2015, @04:23PM
If I have keyboard access I got root anyway.
(Score: 0) by Anonymous Coward on Saturday December 19 2015, @11:28PM
Oh really?
Everyone seems to think this.
It's tragic to me how even people like Theo de Raadt have given up on the idea that a system can be bulletproof even with physical access. Wasn't FDE supposed to solve that?
I have FDE except for the boot partition, but if my boot partition becomes compromised I WILL KNOW IT.
Tell me again how you have root if you have my keyboard?