usernamenumber: (bugman)
Today I learned that for the last six years it's been possible to root just about any Linux box to which you have physical access by pressing the backspace key 28 times at the bootloader password prompt (assuming the box was even protected with one, which a lot of people don't do). Fortunately, (hopefully) nobody else knew about this either until it was discovered and published by a team of security researchers earlier this month.

When I used to teach system admin stuff I always said that once someone has physical access to the box you're probably screwed anyway, but anything that makes it easier is still a pretty big deal. If you're at all familiar with code stuff, or just curious about how the guts of this sort of thing work, it's also a pretty fascinating read, and illustrative of just how damn careful one has to be when working in a language like C.

Question for people more savvy than me: is it the case that this particular issue wouldn't happen in a more modern language, and if so is it because it wouldn't be possible, or just that you'd have to go out of your way to circumvent convention and do weird stuff with memory in a way that exposes you to the risk?

http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html
Page generated Jul. 20th, 2017 04:45 pm