usernamenumber (usernamenumber) wrote 2015-12-16 04:01 pm
Recently discovered exploit makes bypassing bootloader PW in Linux trivial.
Today I learned that for the last six years it's been possible to root just about any Linux box to which you have physical access by pressing the backspace key 28 times at the bootloader password prompt (assuming the box was even protected with one, which a lot of people don't do). Fortunately, (hopefully) nobody else knew about this either until it was discovered and published by a team of security researchers earlier this month.
When I used to teach system admin stuff I always said that once someone has physical access to the box you're probably screwed anyway, but anything that makes it easier is still a pretty big deal. If you're at all familiar with code stuff, or just curious about how the guts of this sort of thing works, it's also a pretty fascinating read, and illustrative of just how damn careful one has to be when working in a language like C.
Question for people more savvy than me: is it the case that this particular issue wouldn't happen in a more modern language, and if so is it because it wouldn't be possible, or just that you'd have to go out of your way to circumvent convention and do weird stuff with memory in a way that exposes you to the risk?
http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html
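An added example, not code from the post, the linked write-up, or GRUB2's source: a hypothetical password-prompt line editor in C that shows the bug class the post describes, an unsigned length counter decremented on every backspace with no check at zero, next to a hardened version that checks both ends of the index. The function names (`cursor_after_keys`, `index_in_bounds`, `read_password_line`), the buffer size and the keystroke inputs are all constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 32   /* constructed buffer size for the illustration */

/* Counter-only model of a prompt's line editor (hypothetical, not GRUB2's
 * code). Walks the keystrokes in `keys`, where '\b' is backspace, and
 * returns the index the editor would write at next. With check_underflow
 * == 0 the index is decremented unconditionally, the bug class the post
 * links to: an unsigned 0 - 1 wraps to SIZE_MAX, so the next buf[cur_len]
 * write lands far outside the buffer. With check_underflow != 0 a backspace
 * on an empty line is ignored. No buffer is touched here, so the flawed
 * path is safe to run. */
size_t cursor_after_keys(const char *keys, int check_underflow)
{
    size_t cur_len = 0;
    for (const char *p = keys; *p; p++) {
        if (*p == '\b') {
            if (check_underflow && cur_len == 0)
                continue;        /* hardened: nothing to erase */
            cur_len--;           /* flawed: wraps when cur_len is already 0 */
        } else if (cur_len < BUF_LEN - 1) {
            cur_len++;
        }
    }
    return cur_len;
}

/* 1 if a write at buf[cur_len] of a BUF_LEN-byte buffer stays in bounds. */
int index_in_bounds(size_t cur_len)
{
    return cur_len < BUF_LEN;
}

/* Hardened editor that actually fills a buffer: both ends of the index are
 * checked, so neither backspace nor typing can move the write outside
 * `out`. Returns the number of characters stored, or -1 if out_len is 0. */
int read_password_line(const char *keys, char *out, size_t out_len)
{
    size_t cur_len = 0;
    if (out_len == 0)
        return -1;
    for (const char *p = keys; *p; p++) {
        if (*p == '\n')
            break;                       /* Enter ends the line */
        if (*p == '\b') {
            if (cur_len > 0)             /* low-end check */
                cur_len--;
            continue;
        }
        if (cur_len + 1 < out_len)       /* high-end check, room for NUL */
            out[cur_len++] = *p;
        /* otherwise drop the keystroke instead of writing past the buffer */
    }
    out[cur_len] = '\0';
    return (int)cur_len;
}

int main(void)
{
    char buf[8];
    /* constructed input: backspaces on an empty line, then editing a word */
    printf("flawed index after backspace on empty line: %zu (in bounds: %d)\n",
           cursor_after_keys("\b", 0),
           index_in_bounds(cursor_after_keys("\b", 0)));
    printf("hardened index after the same input: %zu\n",
           cursor_after_keys("\b", 1));
    int n = read_password_line("\b\bsecret\b\bet\n", buf, sizeof buf);
    printf("stored %d chars: \"%s\"\n", n, buf);
    return 0;
}
```

The unsigned wrap itself is defined behaviour in C; what is undefined, and what turns a typo into memory corruption, is the buffer write that follows at the wrapped index, which is why the flawed path above is modelled as a counter only. In a language with bounds-checked array access that write becomes a runtime error instead of a silent out-of-bounds store.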
no subject
This sort of thing doesn't happen in languages which disallow pointer arithmetic, which at this point is all of them. Pointer arithmetic is like teleportation - it's a very efficient way of getting from place to place, but if you don't check what you're doing *really carefully* you can destroy things and/or bypass all existing security measures.
no subject
The bad news for me is that I don't use a bootloader password. The good news for me is that I use syslinux and encrypted drives.
The real truth is the one you lead with, that physical access is the riskiest thing someone else can have.