back to article Press Backspace 28 times to own unlucky Grub-by Linux boxes

A pair of researchers from the University of Valencia's Cybersecurity research group have found that if you press backspace 28 times, it's possible to bypass authentication during boot-up on some Linux machines. The problem's not a kernel nor an operating system problem, but rather one in the very popular bootloader Grub2, …

  1. Picky
    Unhappy

    Back to the Future?

    Do you have to do it at 88 MPH?

    1. wolfetone Silver badge

      Re: Back to the Future?

      Nope, only 28 presses of a backspace key.

      Where we're going, we don't need DeLoreans.

      1. Tom 7 Silver badge

        Re: Back to the Future?

        No - we have hoverboards with wheels that turn into rockets or other flame producing devices.

  2. thames

    I Don't Think This Feature is Used Much

    I've never seen anyone use the password feature in Grub2, normally it just boots the OS directly. If you do a standard install of something like Ubuntu, you don't even see a Grub menu.

    This is for when you have multiple operating systems installed, and you want to let the user pick which OS to boot, but you also want to make sure they can't edit the menu to add or remove items (operating systems). However, not many people are doing multi-boot these days. They tend to just run guest OSes in a VM instead.

    Of course if you are using this feature and someone is sitting at the keyboard picking which OS to boot, it also means in most cases that they can do pretty much anything they want with the hardware anyway.

    1. Anonymous Coward
      Anonymous Coward

      Re: I Don't Think This Feature is Used Much

      I guess it's more of a "keeping honest people honest" level of security.

    2. asdf Silver badge

      Re: I Don't Think This Feature is Used Much

      Wait people go looking for the grub rescue prompt on purpose? Fsck that prompt and the bag of hurt it often represents. On Linux its not as bad but on BSD it can be a real PITA if you FUBAR a major upgrade.

    3. s2bu

      Re: I Don't Think This Feature is Used Much

      It's mainly used on "appliances" (along with a BIOS password) as an attempt to keep people from easily getting root on the machine and poking around (eg by adding "init=/bin/sh" to the command line).

      1. PNGuinn
        Joke

        Re: I Don't Think This Feature is Used Much

        Ah, appliances, now I understand. Where the password is always something like passw0rd?

        Naughty boys really do need a simpler way to gain root access.....

    4. John Brown (no body) Silver badge

      Re: I Don't Think This Feature is Used Much

      "Of course if you are using this feature and someone is sitting at the keyboard picking which OS to boot, it also means in most cases that they can do pretty much anything they want with the hardware anyway."

      Exactly this. If the blackhat has physical access then all bets are off.

    5. NullReference Exception

      Re: I Don't Think This Feature is Used Much

      It could be an issue for kiosk setups, where the computer itself is locked up in a cabinet (so the ports are inaccessible) but people can get to the keyboard. It could also be an issue in schools. I used to volunteer at a school where they would set BIOS passwords to lock the boot order and then put a padlock on the case to make it more difficult to get to the clear-CMOS jumper. Sure, you could break the dinky little padlock, but that attracts attention. Hitting backspace at the boot prompt doesn't.

  3. DainB Bronze badge

    Erm...

    "The rescue shell offers all manner of opportunities for fun, as it allows unauthenticated access to a machine and the ability to load another environment."

    Orly ? Unauthenticated access ? How so ?

    Sorry, but if I can see grub prompt that means that server was down, I have full access to either serial or graphical console and at that stage perfectly capable of booting server from USB stick or image redirection. Why would I care about password on something that can be easily bypassed ?

    1. Flocke Kroes Silver badge

      Almost possible to use grub password

      Some cases have intrusion detection switches. I can wire that to the erase CMOS nvram pin. Now I can close the case, configure the BIOS to boot, but only allow changes to the boot order with a password. Next up, enable grub's password feature so the boot options can only be changed with a password. Now encrypt the server's secret key and store the password for it in CMOS nvram.

      The server's certificate is now more difficult to get at if the attacker has physical access. There are two more things you need to sort out: all USB ports should be disconnected (and wired to the mains). Also, add an X-ray detector and use it to trigger some thermite. (The police will first attempt access with a USB device, then take an X-ray to cut into the box without triggering the intrusion detection switch).

      Now to actually use that grub password, you need a USB to PS2 converter inside the box, and use a bulkhead mounting PS2 connector to get the signals out.

      1. Danny 14 Silver badge

        Re: Almost possible to use grub password

        that's an awful lot of paranoia for some pr0n.

        1. Anonymous Coward
          Black Helicopters

          Re: Almost possible to use grub password

          Sounds like he's keeping some dick pics in there too...

      2. Linker3000
        Pint

        Re: Almost possible to use grub password

        Um..OK...you carry on there. We all went down the pub about 3 hours ago.

        Cheers!

      3. Anonymous Coward
        Anonymous Coward

        Re: Almost possible to use grub password

        You missed off the pressure and laser sensors in the room and the trained fire breathing dragon in the hallway, can't be too careful these days.

        1. PNGuinn
          FAIL

          Re: Almost possible to use grub password

          OK, wise guys.

          How would you fit the shark with frikkin lasers then?

      4. Anonymous Coward
        Anonymous Coward

        Re: Almost possible to use grub password

        Or you could just use a TPM / Secure Boot / Bitlocker and secure it properly.

        1. Flocke Kroes Silver badge

          Secure Boot

          Secure boot throws away any hope of security. Old style BIOS is sufficiently small and stupid that it cannot do much more than read and execute a boot sector. Secure boot is huge. The chances are that the copy you have is based source code released by Intel, with whatever additions the manufacturer's government insisted on plus two huge binary blobs from Intel big enough to hide something that can man-in-the-middle an ethernet port and provide remote exfiltration invisible from inside the computer.

          Bit locker keys can be read by an external device via a 1394 or thunderbolt DMA channel. If all else fails, reset the machine and boot from an external device. The keys can often be found in memory left over from the previous boot.

          Securing a computer against physical access by a rich and determined attacker is really difficult. Grub's password feature is only a significant barrier if you have covered all the other bases.

          1. This post has been deleted by its author

            1. Anonymous Coward
              Windows

              Re: Secure Boot

              Oh, piss off RICHTO. You're not fooling anyone.

          2. Anonymous Coward
            Anonymous Coward

            Re: Secure Boot

            "Secure boot throws away any hope of security."

            Using a TPM / PIN with Secure Boot and Bit Locker is as secure as it gets on standard hardware. It's one of the best practical options there currently is, and certainly doesn't make things worse for security.

            "Old style BIOS is sufficiently small and stupid that it cannot do much more than read and execute a boot sector. "

            That's all it needs to do - the TPM won't allow release of the keys to allow execution of the boot sector if it has changed.

            "hide something that can man-in-the-middle an ethernet port and provide remote exfiltration invisible from inside the computer."

            All encryption solutions require the device to be in a secure state at point of installation. Once Bitlocker / Secure Boot is applied with a BIOS password, PIN, TPM lockdown, etc, such changes become much harder to achieve.

            "Bit locker keys can be read by an external device via a 1394 or thunderbolt DMA channel."

            Not without physical access to a powered on and authenticated machine. In which case they might as well just grab it from you while unlocked.

            "The keys can often be found in memory left over from the previous boot."

            RAM content degrades rapidly after power down. The window for such an exploit is seconds, and it's therefore not a practical attack if due care is taken.

      5. BobRocket

        Re: Almost possible to use grub password

        If you negotiate the minefield in the drive

        And beat the dogs and cheat the cold electronic eyes

        And if you make it past the shotguns in the hall,

        Dial the combination, open the priesthole

        And if Grubs in, It'll tell you what's behind the wall.

      6. NeonTeepee

        Re: Almost possible to use grub password

        Ummmmmm Thermite. Fireworks are pretty. Wheres my lighter, the special one the voices tell me to use?

  4. Flocke Kroes Silver badge

    Embedded system ...

    ... with a backspace key?

    The whole idea of an embedded system is that it works without the assistance of a user. If grub is set to require a password on boot then after every power cut, some poor techie is going to have to trudge out to darkest nowhere, dismantle the box and solder in a keyboard before typing a password.

    1. Vic

      Re: Embedded system ...

      If grub is set to require a password on boot then after every power cut

      Grub only requires a password if you wish to change the settings it's configured to use. If you don't give it a password, it waits for the configured amount of time, then boots whatever it's been set to boot.

      Vic.

  5. frank ly Silver badge

    This explains why ....

    .... my Mint installation offered an update to Grub2 yesterday. It was marked as an important security update but was also maked as a 'level 5' update: "Dangerous updates. Known to affect the stabilty of he systems depending on certain specs or hardware."

    Because of this confusion, I blocked the update. I think I'll keep it blocked.

    1. CAPS LOCK Silver badge

      I don't know why you got some down votes for that...

      ... it seems like common sense to me. Have an up vote...

    2. Paul Crawford Silver badge

      Re: This explains why ....

      Grub updates are usually OK so long as you don't have a "custom" boot arrangement which you don't really understand.

      That usually shows up as a prompt about what do you want the update to do, usually in terms of using the default package maintainer's config or your own (own! own!) and/or which drives to install the boot loader (MBR) on (almost a trick question as it often offers logical drives like /dev/sda1 in the list but you should only ever install on physical drives such as /dev/sda).

      Also, and this is the bummer for some, most grub updates don't need a reboot. But unless you reboot there and then to test it, some weeks/months later if something is screwed up you will be forced in to booting and it borks, and you have forgotten all about this update.

      So my advices is install it, if prompted keep current settings (and/or install MBR on the /dev/sda) and then do a proper clean reboot just to be sure.

    3. itzman

      Re: This explains why ....

      Dont worry. I installed it an everything is just fine (Mint 17.3)

    4. a_yank_lurker Silver badge

      Re: This explains why ....

      It will probably be upgraded after more testing. Mint is cautious about these kinds of updates.

  6. Anonymous Coward
    Anonymous Coward

    rEFInd...

    Been a while since I tried to use grub2. I was having trouble swapping an older machine to EFI booting., and in the end I gave up, installed rEFInd, and it "just worked". I'm at a bit of a loss as to why it isn't; A: better known and B: More popular.

    1. Anonymous Coward
      Anonymous Coward

      Re: rEFInd...

      What he (presumably) said. Have an upvote...

  7. Graham Bartlett

    Embedded systems?

    "“Grub2 is the bootloader used by most Linux systems including some embedded systems. This results in an incalculable number of affected devices."

    Actually most embedded systems are going to be using U-Boot or something similar.

    And as someone using Linux on an embedded system, I'm in a pretty good position to tell you that the only way to affect boot-up with a keyboard is to beat the box to death with the aforesaid keyboard. It doesn't have a PS/2 connector. It's a USB slave so you can't connect a keyboard that way. And RS-232 is strictly debug-output-only unless you do some jiggery-pokery inside the box. This isn't frigging rocket science, people.

  8. Dr Paul Taylor

    Scare story?

    Is this a scare story put out by M$ to frighten people into not disabling "secure boot" and so not installing Linux?

    If the Linux installation in question is being used for some industrial purpose then there will be physical ways of preventing access to it.

    If it's a laptop then for someone to be able to do this they have probably stolen the machine first. In this case the owner has bigger things to worry about, the thief will probably give up once he sees that it doesn't run M$ and the operating system is not going to be able to defend itself anyway.

    So the protection is (1) only buy a laptop that is only as powerful (expensive) as you actually need, (2) encrypt your private data and (3) keep it backed up elsewhere.

    1. Anonymous Coward
      Anonymous Coward

      Re: Scare story?

      Don't think it is a scare story.

      The patch wouldn't of been mentioned if it was.

      Also, it's the first Linux vulnerability in a while that has not required prior knowledge of the root passw0rd.

      Don't get me wrong, I'm sure M$ will nudge their media outlets into turning this into a scare story within a day or so.

      1. Anonymous Coward
        Anonymous Coward

        Re: Scare story?

        "it's the first Linux vulnerability in a while that has not required prior knowledge of the root passw0rd."

        For small values of "in a while":

        https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8457

        https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7613

        https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5950

        etc.

        1. oldcoder

          Re: Scare story?

          The first and third are not Linux software... And the first is not a root compromise.

          The second one is, and has already been patched.

          1. sisk Silver badge

            Re: Scare story?

            The second one is, and has already been patched.

            Like most Linux vulns, that one was patched before it hit the news.

            Note that whenever there's a Windows hole in the news it usually says "Microsoft will start pushing out an update..." and when there's a Linux hole in the news it usually says "A patch is available". That's because Linux security holes usually get patched quicker than reporters can write about them while Windows security holes get patched on Tuesday.

            1. Michael Habel Silver badge

              Re: Scare story?

              Windows security holes get patched on Tuesday

              That was once upon a time, and not that long ago. When MicroSoft were willing to let you dig up (at you own leisure), some information, other then "Fixes a critical flaw in Windows" about, any given Update. Now a days they come whenever, and unannounced.

            2. Anonymous Coward
              Anonymous Coward

              Re: Scare story?

              "Note that whenever there's a Windows hole in the news it usually says "

              Note that the vast majority of Windows holes have patches released before anyone knows about them!

              The reality is that Windows has had a faster average time to fix (fewer days at risk) every year for the last decade compared to SUSE and Redhat Linux.

    2. a_yank_lurker Silver badge

      Re: Scare story?

      It is a legitimate concern since grub2 is used by many distros for multi-boot configurations. Just how critical it is depends on the distro and how it is configured. I will be watching for a some updates in the next couple of days and installing them.

      Also, the bypass appears to require physical access to the box to hit enter 28 times in a row.

      1. Vic

        Re: Scare story?

        Also, the bypass appears to require physical access to the box to hit enter 28 times in a row.

        Pretty much. You can probably do the same with a DRAC card or similar.

        Noetheless, this can only occur at boot time, and the majority of systems I've seen have no grub password to be overcome anyway. While this is a somewhat embarassing bug, it's not something I'm going to lose any sleep over...

        Vic.

  9. J J Carter Silver badge
    FAIL

    Many eyes off the ball.

    Linux can be rooted by pounding the keyboard? In 2015?

    1. AdamWill

      Re: Many eyes off the ball.

      No, not really. grub is a generic bootloader, you can use it to boot anything. And this doesn't exactly root anything, it bypasses a very specific form of protection - as discussed upthread, the grub password really only protects the grub configuration, and is only useful at all in extremely limited circumstances. Drive encryption and firmware-level passwords are much more generally useful for limiting access to a system.

  10. Anonymous Coward
    Anonymous Coward

    time to upgrade to windows 10 :D

  11. BinkyTheMagicPaperclip Silver badge

    Machine exploitable from console access shocker..

    Can't say I'm too worried. Still using LILO though, as Salix is currently my distribution of choice.

  12. mstargard

    Pointless

    This is a pointless feature. If you don't have physical security then you don't have any security. The only way to keep folks out of the hard drive is to encrypt it.

  13. Anonymous Coward
    Anonymous Coward

    Cat already found this?

    Did someone's cat not do this a while back?

    1. Disko

      Re: Cat already found this?

      a feline icon would be nice

    2. Manolo
      Linux

      Re: Cat already found this?

      No, that involved the Gnome lockscreen if I recall correctly.

      And we need a cat icon.

      1. PNGuinn
        Linux

        Re: Cat icon

        I'd prefer a dog icon.

        or a wabbit icon.

        ---->> Nearest we have to a Twweety Pie icon.

        Mneah...what's up doc?

        1. Havin_it
          Joke

          Re: Cat icon

          Well we do have a user here called asdf, whom I suspect to actually be a cat*, so I'm sure the cat icon lobby will find support ;)

          * Based on the name, not the content particularly. Then again... <reviews> ... maybe ;)

  14. sisk Silver badge

    Bah, non-issue

    If someone can exploit this vulnerability they can also boot from a USB drive or a CD and have the same access. Vulnerabilities that require physical access to the machine, while important to fix, aren't actually worth getting worked up about. An attacker with physical access to a machine usually equates "Game over, man, game over" anyway.

    And then there's the fact that in somewhere between 10 and 15 years of using Linux I've never seen a system with the vulnerable feature turned on.

    1. Boothy

      Re: Bah, non-issue

      Is that you Hudson?

  15. Alistair Silver badge
    Windows

    Full disk encryption

    For my personal systems and work laptop?

    Change all the damned boot options you want. Boot off anything you'd like. My data is encrypted. Sure, you can nuke my drive and install windows if you want. I have backups.

    On the servers? -- boot into SUM, change the root password. Reboot.

    By the time you have a console login, my config management tools have already applied the correct one. Ta. You're in SUM? you can't get at the volume that has those tools.

    Yes, this is an issue for specific edge cases (we don't use this as we physically control access) but there are some unique edge cases that need it.

  16. theOtherJT

    If an attacker has physical access to your machine...

    ...it's their machine.

    Not going to get too excited about this one.

  17. Anonymous Coward
    Anonymous Coward

    ...Linux isn't a real operating system. It's just a command shell for Grub...

  18. Grikath Silver badge

    I amazed..

    The sheer level of OCD to figure this one out must be...crippling.. in real life.

    1. Manolo
      Linux

      Re: I amazed..

      ... or a cat discovered it ;-)

      We still need a cat icon. Can be Cat from Red Dwarf.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019