Hack into a Linux computer just by pressing backspace 28 times!

So what would anyone need to bypass password protection on your computer?

It just needs to hit the backspace key 28 times, for at least the computer running Linux operating system.

Wait, what?

A pair of security researchers from the University of Valencia have uncovered a bizarre bug in several distributions of Linux that could allow anyone to bypass any kind of authentication during boot-up just by pressing backspace key 28 times.


This time, the issue is neither in a kernel nor in an operating system itself, but rather the vulnerability actually resides in Grub2, the popular Grand Unified Bootloader, which is used by most Linux systems to boot the operating system when the PC starts.

Also Read: GPU-based Linux Rootkit and Keylogger.

The source of the vulnerability is nothing but an integer underflow fault that was introduced with single commit in Grub version 1.98 (December 2009) – b391bdb2f2c5ccf29da66cecdbfb7566656a704d – affecting the grub_password_get() function.

Here's How to Exploit the Linux Vulnerability

If your computer system is vulnerable to this bug:

Just hit the backspace key 28 times at the Grub username prompt during power-up. This will open a "Grub rescue shell" under Grub2 versions 1.98 to version 2.02.

This rescue shell allows unauthenticated access to a computer and the ability to load another environment.

From this shell, an attacker could gain access to all the data on your computer, and can misuse it to steal or delete all the data, or install persistent malware or rootkit, according to researchers Ismael Ripoll and Hector Marco, who published their research on Tuesday.

Source

And here I was thinking that Linux was ohh so secure. Well it really is. This "hack" requires physical presence at your computer, and its a bug in the GRUB loader.

Visit the site on how to update and fix this bug.

I can now call myself an L33T Hacker, and this time I can prove it! thank you Linux!

I always wonder how obvious, simplistic, and major issues like this ever originate in the first place?

Theres loads of bugs found in Linux and for exploitation it would of required someone to of set a boot time password which by itself doesn't provide much more security as you can just mount the volume on another system and read away but will stop your younger brother etc but is pretty much meh for anything decent.

that is hilarious!

getting these updated will be no easy task,

but, thinking about it, you would still need some sort of credentials to restart the thing remotly, or physical access to hit the button, either way, there already in

this looks like a backdoor way in that the developers missed taking out

good find though

a reply to: kloejen

If you have physical access to the computer then hacking in is easy (about 99.9% of the time). Just get a bootable DVD from a Linux magazine and boot from that. It will load whatever flavour of Linux is on the disk and it will mount the harddrive as a readable disk. The only thing you can't read is encrypted data.

If the computer has been set to boot from the harddisk as step 1 then modify the boot order! If you don't know which F key to press then just keep re-booting and re-trying. There's usually a hint from a power on boot.

PS. This works for windows PC's as well as Linux.

a reply to: yorkshirelad

Yea, any bootable USB-key would also do the trick. And that goes for every OS out there.

This "security flaw", is not that serious imho, since it requires physical access to the computer. It's merely a weird bug. "Integer underflow" - and its easy to fix

Not unlike the Windows NT login failure back in the days. (Using the tooltip to bypass password)
link to GIF

As mentioned, encrypting your data, will keep it safe.

The historical past w/linux...update ((lack thereof )) 3rd party apps FTP & snmp did they fix that on wireless?

Anyway AT least the user has to be there ... unless of course. ....

Oh NV..

Good find Kloe!!

SF

is this no a bug rather than and true hack?

It is very easy to change the root password during Linux boot up on a RHEL, CentOS or Fedora distros anyway.

If you have an encrypted Linux file system, it does not work and neither does using a USB during boot or placing the HDD in another PC.

Wow. This simple bug has been in the OS since 2009! Open source code is supposed to be more secure because there are more eyes looking at the code. Apparently this one slipped by everybody for quite a while.

WRT booting up a computer with something other than the HDD, boot order can be configured in the BIOS and then the BIOS can be password protected. You can still get passed this however, but you need to get into the case and work the magic BIOS reset procedure. But this is not always obvious.

-dex

originally posted by: OtherSideOfTheCoin
is this no a bug rather than and true hack?

Its more of a bug than anything else, probably no ones bothered to look at the code too hard for ages and as such its not had the same viewover as stuff like the SSL libs etc

The problem is that with open source code there is so much and it changes so often it gets a bit silly and the moment you seem to get two dev's who disagree you get a code forking and it makes it even harder to check the code out.

Let's put this in perspective for a minute...

This has been around since 2009. Most systems that are designed to be more secure typically have Linux at the helm, including cloud providers.

Who is to say that this hack hasn't been known about since 2009 and that a majority of data breaches aren't simply related to this one hack?

For all anyone knows, this may have been hackers' best kept secret. I'm sure there will be a new round of attacks by people just looking to exploit the laziness and lack of information in companies that don't stay up on news like this.

I'd expect this to get worse before it gets better.

~Namaste

a reply to: kloejen

Security is all relative.

if a linux server is in a secure data center. well then this hack would not work.

No system is 100% secure. If an attacker wants to get in. they will get in. It's just a matter of time and effort.

a reply to: SonOfTheLawOfOne

This requires physical access to the machine at boot time so makes it very much a limited opportunity vector, remote control vectors are what they're looking for not something that if you're lucky and they've stuck a password on a system i can boot my own system and grab all your files as its rather as much luck as pushing front doors at night hoping.

and unlike windows now that it has been discovered the problem will be resolved in a timely manner
this is why open source is awesome
millions of prying eyes looking for any tiny little cracks
and millions of hands to fill them in when found

a reply to: Maxatoria

that requires a fairly long time frame of physical access to the device
so somebody is physically in your house or place of business (etc)
youve got bigger fish to fry

If I understand it correctly then attacker need "physical access".
Many HW servers are equipped with KVM/IPMI and this hack may be working this way.
Some VM hostings provides console access, so such machines are probably also vulnerable.
So potential of this exploit is relatively huge, still limited.
Patch for Grub is trivial and maybe is available right now for your distro.

I'm running Ubuntu Gnome 15.10. I tried rebooting and hitting the backspace key 28 times when the login came up. It didn't work, thank goodness for that.

Did you boot into text mode or were you using the GUI login?

It doesn't work on Lubuntu 14.04 either.

Update: it seems like it was patched on 15Dec2015, the day before the THN article was published