A Windows XP help forum. PCbanter


Exploit Logs You Into Linux Systems After Hitting Backspace 28 Times



 
 
  #1  
Old December 20th 15, 08:28 PM posted to alt.comp.freeware, alt.comp.os.windows-10, alt.hacker,alt.privacy.anon-server, comp.os.linux.advocacy
Anonymous
external usenet poster
 
Posts: 409
Default Exploit Logs You Into Linux Systems After Hitting Backspace 28 Times

Though most of you likely don't run Linux—specifically, one
using the Grub2 bootloader—you'll surely appreciate the
unintended humor of a brand-new exploit that was recently found
for said bootloader. The exploit is being quickly patched by
various major Linux distros, including Ubuntu, Red Hat, and
Debian, and it also requires physical access to an unpatched
machine to work, so it's not the worst potential vulnerability,
just one of the sillier ones.

As Hector Marco and Ismael Ripoll explained in a Dec. 14
security report, "To quickly check if your system is vulnerable,
when the Grub ask[s] you the username, press the Backspace 28
times. If your machine reboots or you get a rescue shell then
your Grub is affected."

Yes, it's that easy. After you've tapped backspace for the 28th
time (on an affected system), you'll gain access to the rescue
shell—giving you a lot more power over the system than you
previously had. An attacker would be able to have full access to
the console without needing to enter any user name or password
whatsoever. Said person could then load a customized kernel and
do all sorts of things to the host computer—including copying
the contents of its hard drive or installing some other, harder-
to-find exploit (like a rootkit) that could cause all sorts of
issues for a compromised system (or, worse, other networked
systems).

"The attacker is able to destroy any data including the grub
itself. Even in the case that the disk is ciphered the attacker
can overwrite it, causing a [denial of service]," the report
reads.

If your Linux distro of choice doesn't happen to have a patch
ready just yet, you can grab the emergency patch that Marco and
Ripoll have created to fix the issue—all stemming from a simple
integer underflow fault that was introduced to Grub2 in December
2009.

"It is irresponsible for grub to lack decades-old exploit
mitigations like stack cookies that could have addressed this
issue," said Dan Guido, Trail of Bits founder, in an interview
with Motherboard.

http://www.pcmag.com/article2/0,2817,2496870,00.asp
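
The article quoted in post #1 attributes the flaw to an integer underflow. The following added example (not part of the thread and not GRUB's source) models that bug class in a username prompt that keeps an unsigned length counter, beside the guarded form. The function names, the 32-byte buffer and the key handling are assumptions, and the model counts out-of-range stores instead of performing them.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 32u            /* assumed size of the username buffer */

struct prompt_result {
    unsigned cur_len;           /* length counter after all keys were handled */
    unsigned oob_stores;        /* character stores that fell outside buf */
    int tail_in_bounds;         /* 1 if the final tail clear stayed inside buf */
    char buf[BUF_SIZE];
};

/* Process a key sequence the way a minimal prompt editor would.
 * guard == 0: backspace always decrements the counter (flawed pattern).
 * guard != 0: backspace is ignored while the buffer is empty (fixed pattern). */
static struct prompt_result read_username(const char *keys, size_t nkeys, int guard)
{
    struct prompt_result r;
    memset(&r, 0, sizeof r);

    for (size_t i = 0; i < nkeys; i++) {
        char key = keys[i];

        if (key == '\n' || key == '\r')
            break;

        if (key == '\b') {
            if (guard && r.cur_len == 0)
                continue;               /* nothing to erase */
            r.cur_len--;                /* unsigned: 0 - 1 wraps to UINT_MAX */
            continue;
        }

        if (r.cur_len + 2 < BUF_SIZE) { /* room check, itself subject to wrap */
            if (r.cur_len < BUF_SIZE)
                r.buf[r.cur_len] = key;
            else
                r.oob_stores++;         /* the model records, it does not write */
            r.cur_len++;
        }
    }

    /* Final step: clear the unused tail, buf[cur_len .. BUF_SIZE). */
    if (r.cur_len <= BUF_SIZE) {
        memset(r.buf + r.cur_len, 0, BUF_SIZE - r.cur_len);
        r.tail_in_bounds = 1;
    } else {
        r.tail_in_bounds = 0;           /* start offset is far outside buf */
    }
    return r;
}

/* Constructed input: n backspaces and nothing else (n is capped at 64). */
static struct prompt_result backspace_run(unsigned n, int guard)
{
    char keys[64];
    if (n > sizeof keys)
        n = sizeof keys;
    memset(keys, '\b', n);
    return read_username(keys, n, guard);
}

int main(void)
{
    struct prompt_result bad = backspace_run(28, 0);
    struct prompt_result ok = backspace_run(28, 1);

    printf("unguarded: cur_len=%u tail_in_bounds=%d\n", bad.cur_len, bad.tail_in_bounds);
    printf("guarded:   cur_len=%u tail_in_bounds=%d\n", ok.cur_len, ok.tail_in_bounds);
    return 0;
}
```

A single comparison against zero before the decrement is the whole difference between the two modes.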

  #2  
Old December 20th 15, 08:58 PM posted to alt.comp.freeware,alt.comp.os.windows-10,alt.hacker,alt.privacy.anon-server,comp.os.linux.advocacy
Shadow
external usenet poster
 
Posts: 1,638
Default Exploit Logs You Into Linux Systems After Hitting Backspace 28 Times

On Sun, 20 Dec 2015 21:28:59 +0100, Anonymous
wrote:

Though most of you likely don't run Linux—specifically, one
using the Grub2 bootloader—you'll surely appreciate the
unintended humor of a brand-new exploit that was recently found
for said bootloader. The exploit is being quickly patched by
various major Linux distros, including Ubuntu, Red Hat, and
Debian, and it also requires physical access to an unpatched
machine to work, so it's not the worst potential vulnerability,
just one of the sillier ones.

As Hector Marco and Ismael Ripoll explained in a Dec. 14
security report, "To quickly check if your system is vulnerable,
when the Grub ask[s] you the username, press the Backspace 28
times. If your machine reboots or you get a rescue shell then
your Grub is affected."

Yes, it's that easy. After you've tapped backspace for the 28th
time (on an affected system), you'll gain access to the rescue
shell—giving you a lot more power over the system than you
previously had. An attacker would be able to have full access to
the console without needing to enter any user name or password
whatsoever. Said person could then load a customized kernel and
do all sorts of things to the host computer—including copying
the contents of its hard drive or installing some other, harder-
to-find exploit (like a rootkit) that could cause all sorts of
issues for a compromised system (or, worse, other networked
systems).

"The attacker is able to destroy any data including the grub
itself. Even in the case that the disk is ciphered the attacker
can overwrite it, causing a [denial of service]," the report
reads.


I could do all that by booting from a Linux live CD. If you
have physical access to the machine (Linux or any other OS, assuming
it's not "Truly enCrypted") you have root, or admin, or whatever your
OS calls it.
[]'s

If your Linux distro of choice doesn't happen to have a patch
ready just yet, you can grab the emergency patch that Marco and
Ripoll have created to fix the issue—all stemming from a simple
integer underflow fault that was introduced to Grub2 in December
2009.

"It is irresponsible for grub to lack decades-old exploit
mitigations like stack cookies that could have addressed this
issue," said Dan Guido, Trail of Bits founder, in an interview
with Motherboard.

http://www.pcmag.com/article2/0,2817,2496870,00.asp

--
Don't be evil - Google 2004
We have a new policy - Google 2012
  #3  
Old December 21st 15, 12:38 AM posted to alt.comp.freeware,alt.comp.os.windows-10,alt.hacker,alt.privacy.anon-server,comp.os.linux.advocacy
Chris Ahlstrom[_4_]
external usenet poster
 
Posts: 169
Default Exploit Logs You Into Linux Systems After Hitting Backspace 28 Times

Anonymous wrote this copyrighted missive and expects royalties:

Though most of you likely don't run Linux—specifically, one
using the Grub2 bootloader—you'll surely appreciate the
unintended humor of a brand-new exploit that was recently found
for said bootloader.

http://www.pcmag.com/article2/0,2817,2496870,00.asp


What took you so long to post this? It's been bandied about
for many days now.

Already fixed, by the way.

Pretty stupid bug, though. Should never have happened.

--
You will win success in whatever calling you adopt.
  #4  
Old December 21st 15, 05:06 PM posted to alt.comp.freeware,alt.comp.os.windows-10,alt.hacker,alt.privacy.anon-server,comp.os.linux.advocacy
Big Bad Bob
external usenet poster
 
Posts: 793
Default Exploit Logs You Into Linux Systems After Hitting Backspace 28 Times

On 12/20/15 16:38, Chris Ahlstrom so wittily quipped:
Anonymous wrote this copyrighted missive and expects royalties:

Though most of you likely don't run Linux—specifically, one
using the Grub2 bootloader—you'll surely appreciate the
unintended humor of a brand-new exploit that was recently found
for said bootloader.

http://www.pcmag.com/article2/0,2817,2496870,00.asp


What took you so long to post this? It's been bandied about
for many days now.

Already fixed, by the way.

Pretty stupid bug, though. Should never have happened.


with physical access to the machine, there's nothing stopping anyone
from removing the hard drive, plugging in a USB hard drive adaptor
thingy, and then reading it directly with another computer.

so the bug is funnier than it is dangerous.

  #5  
Old December 21st 15, 05:32 PM posted to alt.comp.freeware,alt.comp.os.windows-10,alt.hacker,alt.privacy.anon-server,comp.os.linux.advocacy
edevils
external usenet poster
 
Posts: 276
Default Exploit Logs You Into Linux Systems After Hitting Backspace 28 Times

On 21/12/2015 18:06, Big Bad Bob wrote:
On 12/20/15 16:38, Chris Ahlstrom so wittily quipped:
Anonymous wrote this copyrighted missive and expects royalties:

Though most of you likely don't run Linux—specifically, one
using the Grub2 bootloader—you'll surely appreciate the
unintended humor of a brand-new exploit that was recently found
for said bootloader.

http://www.pcmag.com/article2/0,2817,2496870,00.asp


What took you so long to post this? It's been bandied about
for many days now.

Already fixed, by the way.

Pretty stupid bug, though. Should never have happened.


with physical access to the machine, there's nothing stopping anyone
from removing the hard drive, plugging in a USB hard drive adaptor
thingy, and then reading it directly with another computer.

so the bug is funnier than it is dangerous.


Unless data is encrypted. If you remove the hard drive and plug it
somewhere, you are still left with ciphered data.

On the contrary, if you read Hector Marco and Ismael Ripoll's original
article, you'll find out how they used the GRUB2 vulnerability to access
the GRUB rescue shell and deploy a malware from there.

"Since the data is ciphered, the strategy we will use is to infect the
system and wait until the user decrypts the data (by login into the
system) and then access to the information in plain."

http://hmarco.org/bugs/CVE-2015-8370...on-bypass.html




  #6  
Old December 21st 15, 06:01 PM posted to alt.comp.freeware,alt.comp.os.windows-10,alt.hacker,alt.privacy.anon-server,comp.os.linux.advocacy
Peter Köhlmann[_3_]
external usenet poster
 
Posts: 235
Default Exploit Logs You Into Linux Systems After Hitting Backspace 28 Times

edevils wrote:

On 21/12/2015 18:06, Big Bad Bob wrote:
On 12/20/15 16:38, Chris Ahlstrom so wittily quipped:
Anonymous wrote this copyrighted missive and expects royalties:

Though most of you likely don't run Linux—specifically, one
using the Grub2 bootloader—you'll surely appreciate the
unintended humor of a brand-new exploit that was recently found
for said bootloader.

http://www.pcmag.com/article2/0,2817,2496870,00.asp

What took you so long to post this? It's been bandied about
for many days now.

Already fixed, by the way.

Pretty stupid bug, though. Should never have happened.


with physical access to the machine, there's nothing stopping anyone
from removing the hard drive, plugging in a USB hard drive adaptor
thingy, and then reading it directly with another computer.

so the bug is funnier than it is dangerous.


Unless data is encrypted. If you remove the hard drive and plug it
somewhere, you are still left with ciphered data.

On the contrary, if you read Hector Marco and Ismael Ripoll's original
article, you'll find out how they used the GRUB2 vulnerability to access
the GRUB rescue shell and deploy a malware from there.

"Since the data is ciphered, the strategy we will use is to infect the
system and wait until the user decrypts the data (by login into the
system) and then access to the information in plain."

http://hmarco.org/bugs/CVE-2015-8370...on-bypass.html


With physical access to the machine they could just as well install the
logging software the standard way. No need for a Grub exploit

Physical access means all bounds are off. You can not secure such a system
in any meaningful way, encrypted or not

  #7  
Old December 21st 15, 06:21 PM posted to alt.comp.freeware,alt.comp.os.windows-10,alt.hacker,alt.privacy.anon-server,comp.os.linux.advocacy
edevils
external usenet poster
 
Posts: 276
Default Exploit Logs You Into Linux Systems After Hitting Backspace 28 Times

On 21/12/2015 19:01, Peter Köhlmann wrote:
edevils wrote:

On 21/12/2015 18:06, Big Bad Bob wrote:
On 12/20/15 16:38, Chris Ahlstrom so wittily quipped:
Anonymous wrote this copyrighted missive and expects royalties:

Though most of you likely don't run Linux—specifically, one
using the Grub2 bootloader—you'll surely appreciate the
unintended humor of a brand-new exploit that was recently found
for said bootloader.

http://www.pcmag.com/article2/0,2817,2496870,00.asp

What took you so long to post this? It's been bandied about
for many days now.

Already fixed, by the way.

Pretty stupid bug, though. Should never have happened.


with physical access to the machine, there's nothing stopping anyone
from removing the hard drive, plugging in a USB hard drive adaptor
thingy, and then reading it directly with another computer.

so the bug is funnier than it is dangerous.


Unless data is encrypted. If you remove the hard drive and plug it
somewhere, you are still left with ciphered data.

On the contrary, if you read Hector Marco and Ismael Ripoll's original
article, you'll find out how they used the GRUB2 vulnerability to access
the GRUB rescue shell and deploy a malware from there.

"Since the data is ciphered, the strategy we will use is to infect the
system and wait until the user decrypts the data (by login into the
system) and then access to the information in plain."

http://hmarco.org/bugs/CVE-2015-8370...on-bypass.html


With physical access to the machine they could just as well install the
logging software the standard way.


Could they, if GRUB is password protected?


No need for a Grub exploit

Physical access means all bounds are off. You can not secure such a system
in any meaningful way, encrypted or not


However, removing a hard drive is not as easy as using a keyboard. If
you remove a hard drive in an office, you might be noticed.
Some hard drives are even stored in a secure vault, while you can still
access the keyboard.
  #8  
Old December 21st 15, 09:28 PM posted to alt.comp.freeware,alt.comp.os.windows-10,alt.hacker,alt.privacy.anon-server,comp.os.linux.advocacy
ray carter
external usenet poster
 
Posts: 140
Default Exploit Logs You Into Linux Systems After Hitting Backspace 28 Times


With physical access to the machine they could just as well install the
logging software the standard way.


Could they, if GRUB is password protected?


No need for a Grub exploit

Physical access means all bounds are off. You can not secure such a
system in any meaningful way, encrypted or not


However, removing a hard drive is not as easy as using a keyboard. If
you remove a hard drive in an office, you might be noticed.
Some hard drives are even stored in a secure vault, while you can still
access the keyboard.


physical access == total access
  #9  
Old December 21st 15, 10:05 PM posted to alt.comp.os.windows-10,alt.hacker,alt.privacy.anon-server,comp.os.linux.advocacy
Shadow
external usenet poster
 
Posts: 1,638
Default Exploit Logs You Into Linux Systems After Hitting Backspace 28 Times

On Mon, 21 Dec 2015 09:06:22 -0800, Big Bad Bob
wrote:

On 12/20/15 16:38, Chris Ahlstrom so wittily quipped:
Anonymous wrote this copyrighted missive and expects royalties:

Though most of you likely don't run Linux—specifically, one
using the Grub2 bootloader—you'll surely appreciate the
unintended humor of a brand-new exploit that was recently found
for said bootloader.

http://www.pcmag.com/article2/0,2817,2496870,00.asp


What took you so long to post this? It's been bandied about
for many days now.

Already fixed, by the way.

Pretty stupid bug, though. Should never have happened.


with physical access to the machine, there's nothing stopping anyone
from removing the hard drive, plugging in a USB hard drive adaptor
thingy, and then reading it directly with another computer.


And you remove the hard drive because .... ?
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012
  #10  
Old December 22nd 15, 12:18 AM posted to alt.comp.freeware,alt.comp.os.windows-10,alt.hacker,alt.privacy.anon-server,comp.os.linux.advocacy
Peter Köhlmann[_3_]
external usenet poster
 
Posts: 235
Default Exploit Logs You Into Linux Systems After Hitting Backspace 28 Times

edevils wrote:

On 21/12/2015 19:01, Peter Köhlmann wrote:
edevils wrote:

On 21/12/2015 18:06, Big Bad Bob wrote:
On 12/20/15 16:38, Chris Ahlstrom so wittily quipped:
Anonymous wrote this copyrighted missive and expects royalties:

Though most of you likely don't run Linux—specifically, one
using the Grub2 bootloader—you'll surely appreciate the
unintended humor of a brand-new exploit that was recently found
for said bootloader.

http://www.pcmag.com/article2/0,2817,2496870,00.asp

What took you so long to post this? It's been bandied about
for many days now.

Already fixed, by the way.

Pretty stupid bug, though. Should never have happened.


with physical access to the machine, there's nothing stopping anyone
from removing the hard drive, plugging in a USB hard drive adaptor
thingy, and then reading it directly with another computer.

so the bug is funnier than it is dangerous.

Unless data is encrypted. If you remove the hard drive and plug it
somewhere, you are still left with ciphered data.

On the contrary, if you read Hector Marco and Ismael Ripoll's original
article, you'll find out how they used the GRUB2 vulnerability to access
the GRUB rescue shell and deploy a malware from there.

"Since the data is ciphered, the strategy we will use is to infect the
system and wait until the user decrypts the data (by login into the
system) and then access to the information in plain."

http://hmarco.org/bugs/CVE-2015-8370...on-bypass.html


With physical access to the machine they could just as well install the
logging software the standard way.


Could they, if GRUB is password protected?


Yes
  #11  
Old December 22nd 15, 01:03 AM posted to alt.comp.freeware,alt.comp.os.windows-10,alt.hacker,alt.privacy.anon-server,comp.os.linux.advocacy
Gary Heston
external usenet poster
 
Posts: 102
Default Exploit Logs You Into Linux Systems After Hitting Backspace 28 Times

In article ,
Shadow wrote:
On Sun, 20 Dec 2015 21:28:59 +0100, Anonymous
wrote:

Though most of you likely don't run Linux—specifically, one
using the Grub2 bootloader—you'll surely appreciate the
unintended humor of a brand-new exploit that was recently found
for said bootloader. The exploit is being quickly patched by
various major Linux distros, including Ubuntu, Red Hat, and
Debian, and it also requires physical access to an unpatched
machine to work, so it's not the worst potential vulnerability,
just one of the sillier ones.

OS calls it.


[ ... ]

Given physical access to a system, an attacker of even modest skills can
get any and everything off a system. If the sole objective is denial of
service, I don't know of any hard drive that can survive a hammer or
drill (particularly both) attack.

Without physical security, nothing else matters.


Gary

  #12  
Old December 22nd 15, 07:17 AM posted to alt.comp.freeware, alt.comp.os.windows-10, alt.hacker,alt.privacy.anon-server, comp.os.linux.advocacy
Anonymous Remailer (austria)
external usenet poster
 
Posts: 550
Default Exploit Logs You Into Linux Systems After Hitting Backspace 28 Times


In article
Peter Köhlmann
wrote:

edevils wrote:

On 21/12/2015 18:06, Big Bad Bob wrote:
On 12/20/15 16:38, Chris Ahlstrom so wittily quipped:
Anonymous wrote this copyrighted missive and expects royalties:

Though most of you likely don't run Linux—specifically, one
using the Grub2 bootloader—you'll surely appreciate the
unintended humor of a brand-new exploit that was recently found
for said bootloader.

http://www.pcmag.com/article2/0,2817,2496870,00.asp

What took you so long to post this? It's been bandied about
for many days now.

Already fixed, by the way.

Pretty stupid bug, though. Should never have happened.


with physical access to the machine, there's nothing stopping anyone
from removing the hard drive, plugging in a USB hard drive adaptor
thingy, and then reading it directly with another computer.

so the bug is funnier than it is dangerous.


Unless data is encrypted. If you remove the hard drive and plug it
somewhere, you are still left with ciphered data.

On the contrary, if you read Hector Marco and Ismael Ripoll's original
article, you'll find out how they used the GRUB2 vulnerability to access
the GRUB rescue shell and deploy a malware from there.

"Since the data is ciphered, the strategy we will use is to infect the
system and wait until the user decrypts the data (by login into the
system) and then access to the information in plain."

http://hmarco.org/bugs/CVE-2015-8370...on-bypass.html


With physical access to the machine they could just as well install the
logging software the standard way. No need for a Grub exploit

Physical access means all bounds are off. You can not secure such a system
in any meaningful way, encrypted or not


Bottom line, someone would have to be present with access
to the equipment to accomplish this, correct?

That would narrow down the scope of possible suspects
considerably.

  #13  
Old December 22nd 15, 10:49 AM posted to alt.comp.freeware,alt.comp.os.windows-10,alt.hacker,alt.privacy.anon-server,comp.os.linux.advocacy
edevils
external usenet poster
 
Posts: 276
Default Exploit Logs You Into Linux Systems After Hitting Backspace 28 Times

On 12/22/2015 1:18 AM, Peter Köhlmann wrote:
edevils wrote:

On 21/12/2015 19:01, Peter Köhlmann wrote:
edevils wrote:

On 21/12/2015 18:06, Big Bad Bob wrote:
On 12/20/15 16:38, Chris Ahlstrom so wittily quipped:
Anonymous wrote this copyrighted missive and expects royalties:

Though most of you likely don't run Linux—specifically, one
using the Grub2 bootloader—you'll surely appreciate the
unintended humor of a brand-new exploit that was recently found
for said bootloader.

http://www.pcmag.com/article2/0,2817,2496870,00.asp

What took you so long to post this? It's been bandied about
for many days now.

Already fixed, by the way.

Pretty stupid bug, though. Should never have happened.


with physical access to the machine, there's nothing stopping anyone
from removing the hard drive, plugging in a USB hard drive adaptor
thingy, and then reading it directly with another computer.

so the bug is funnier than it is dangerous.

Unless data is encrypted. If you remove the hard drive and plug it
somewhere, you are still left with ciphered data.

On the contrary, if you read Hector Marco and Ismael Ripoll's original
article, you'll find out how they used the GRUB2 vulnerability to access
the GRUB rescue shell and deploy a malware from there.

"Since the data is ciphered, the strategy we will use is to infect the
system and wait until the user decrypts the data (by login into the
system) and then access to the information in plain."

http://hmarco.org/bugs/CVE-2015-8370...on-bypass.html

With physical access to the machine they could just as well install the
logging software the standard way.


Could they, if GRUB is password protected?


Yes



1. USB and DVD etc. access would be locked in BIOS settings, of course.
2. Are you talking of keyboard access, or using hammer and screwdriver?
That wouldn't go unnoticed.




  #14  
Old December 22nd 15, 10:55 AM posted to alt.comp.freeware,alt.comp.os.windows-10,alt.hacker,alt.privacy.anon-server,comp.os.linux.advocacy
edevils
external usenet poster
 
Posts: 276
Default Exploit Logs You Into Linux Systems After Hitting Backspace 28 Times

On 12/21/2015 10:28 PM, ray carter wrote:

With physical access to the machine they could just as well install the
logging software the standard way.


Could they, if GRUB is password protected?


No need for a Grub exploit

Physical access means all bounds are off. You can not secure such a
system in any meaningful way, encrypted or not


However, removing a hard drive is not as easy as using a keyboard. If
you remove a hard drive in an office, you might be noticed.
Some hard drives are even stored in a secure vault, while you can still
access the keyboard.


physical access == total access


If a bad guy has UNRESTRICTED physical access, then he will be able to
do anything.
But another scenario is "restricted" physical access, meaning: KEYBOARD
access only!

  #15  
Old December 22nd 15, 11:07 AM posted to alt.comp.freeware, alt.comp.os.windows-10, alt.hacker,alt.privacy.anon-server, comp.os.linux.advocacy
Fritz Wuehler[_7_]
external usenet poster
 
Posts: 1
Default Exploit Logs You Into Linux Systems After Hitting Backspace 28 Times

In article
Peter Köhlmann
wrote:

edevils wrote:

On 21/12/2015 18:06, Big Bad Bob wrote:
On 12/20/15 16:38, Chris Ahlstrom so wittily quipped:
Anonymous wrote this copyrighted missive and expects royalties:

Though most of you likely don't run Linux—specifically, one
using the Grub2 bootloader—you'll surely appreciate the
unintended humor of a brand-new exploit that was recently found
for said bootloader.

http://www.pcmag.com/article2/0,2817,2496870,00.asp

What took you so long to post this? It's been bandied about
for many days now.

Already fixed, by the way.

Pretty stupid bug, though. Should never have happened.


with physical access to the machine, there's nothing stopping anyone
from removing the hard drive, plugging in a USB hard drive adaptor
thingy, and then reading it directly with another computer.

so the bug is funnier than it is dangerous.


Unless data is encrypted. If you remove the hard drive and plug it
somewhere, you are still left with ciphered data.

On the contrary, if you read Hector Marco and Ismael Ripoll's original
article, you'll find out how they used the GRUB2 vulnerability to access
the GRUB rescue shell and deploy a malware from there.

"Since the data is ciphered, the strategy we will use is to infect the
system and wait until the user decrypts the data (by login into the
system) and then access to the information in plain."

http://hmarco.org/bugs/CVE-2015-8370...on-bypass.html


With physical access to the machine they could just as well install the
logging software the standard way. No need for a Grub exploit

Physical access means all bounds are off. You can not secure such a system
in any meaningful way, encrypted or not


Bottom line, someone would have to be present with access
to the equipment to accomplish this, correct?

That would narrow down the scope of possible suspects
considerably.

 










All times are GMT +1. The time now is 03:20 PM.

