Hacking the Linux operating system locally is as easy as hitting the backspace key on the keyboard 28 times, according to a couple of security researchers with the Polytechnic University of Valencia’s Cybersecurity Group.
The researchers discovered a vulnerability in the GRUB2 bootloader that allows unauthorized users to bypass authentication on locked-down Linux boxes. GRUB2 is used by, according to the researchers, “most Linux system” to load the operating system.
When a computer is turned on, the bootloader loads first and then the operating system. In scenarios in which multiple operating systems are installed, the bootloader allows users to select which OS to load.
While not all *nix based operating systems use the vulnerable loader, GRand Unified Bootloader (GRUB), it does come pre-installed with some operating systems, such as Red Hat Linux.
GRUB version 2’s last stable release arrived December 24, 2013. Coded in assembly and C, the bootloader is obviously capable of loading Linux, but it can also load Solaris (x86 port), Apple’s OS X, BSD and even Windows, the last of these through chainloading.
According to the researchers in Spain, Ismael Ripoll and Hector Marco, vulnerable GRUB installations allow unauthorized attackers to gain access to what is known as the “GRUB rescue shell,” which allows them to siphon and destroy data as well as to install persistent malware in the boot sector, regardless of the OS.
While the rescue shell is an intended function coded into the loader, the ability to access it by merely hitting the backspace key numerous times is not intentional. Doing so, pressing the key 28 times, triggers an error which brings up the shell.
The researchers told Motherboard that after studying the underlying code of the bootloader, they found “the number of backspaces hits” to be the “only input controllable by the user to cause different manifestations of the error.”
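The failure mode described above, as an added illustration that is not GRUB's source code or the researchers' patch: a simplified model of a prompt's edit loop in which backspace decrements an unsigned length counter, with and without a lower-bound check. The function names, the buffer size and the assumption that the fault is an unguarded decrement are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16u                /* constructed size, not GRUB's */

struct result {
    char buf[BUF_SIZE];             /* text accepted so far */
    unsigned cur_len;               /* length counter after the last key */
    int out_of_range;               /* 1 if cur_len ever left [0, BUF_SIZE) */
};

/* Edit loop of a hypothetical username prompt. With guard == 0 a backspace
 * always decrements the counter; with guard != 0 it is ignored on an empty
 * buffer. The model tracks the counter only and never writes outside buf. */
struct result read_username(const char *keys, size_t n, int guard)
{
    struct result r = {{0}, 0, 0};
    for (size_t i = 0; i < n && keys[i] != '\n'; i++) {
        if (keys[i] == '\b') {
            if (guard && r.cur_len == 0)
                continue;           /* nothing to erase */
            r.cur_len--;            /* unsigned: wraps below zero if unguarded */
        } else if (r.cur_len < BUF_SIZE - 1) {
            r.buf[r.cur_len++] = keys[i];
        }
        if (r.cur_len >= BUF_SIZE)
            r.out_of_range = 1;     /* real code would now index outside buf */
    }
    if (r.cur_len < BUF_SIZE)
        r.buf[r.cur_len] = '\0';
    return r;
}

/* Feed `count` backspaces (at most 64) to an empty prompt. */
struct result feed_backspaces(unsigned count, int guard)
{
    char keys[64];
    if (count > sizeof keys)
        count = sizeof keys;
    memset(keys, '\b', count);
    return read_username(keys, count, guard);
}

int main(void)
{
    struct result bad = feed_backspaces(28, 0), ok = feed_backspaces(28, 1);
    printf("unguarded: cur_len=%u out_of_range=%d\n", bad.cur_len, bad.out_of_range);
    printf("guarded:   cur_len=%u out_of_range=%d\n", ok.cur_len, ok.out_of_range);
}
```

With the guard in place the counter stays at zero however many times backspace is pressed, which is why the number of key presses stops mattering once the lower bound is checked.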
As for the notion of persistent malware, the idea is that attackers could install malware that survives reboots and reinstallations of the operating system.
Vulnerable versions of the GRUB2 loader date from as far back as 2009 up to the present.
The researchers, who published their findings online in a blog post, developed a patch to prevent the rather simple local attack.
Debian, Red Hat and Ubuntu have all released emergency patches to repair the easily exploited vulnerability.