A vulnerability in Grub2 has been found. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected. The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer. Grub2 is the bootloader used by most Linux systems including some embedded systems. This results in an incalculable number of affected devices. Am I vulnerable ? To quickly check if your system is vulnerable, when the Grub ask you the username, press the keyspace 28 times. If your machine reboots or you get a rescue shell then your Grub is affected. Impact An attacker which successfully exploits this vulnerability will obtain a Grub rescue shell. Grub rescue is a very powerful shell allowing to: Elevation of privilege: The attacker is authenticated without knowing a valid username nor the password. The attacker has full access to the grub's console (grub rescue). Information disclosure: The attacker can load a customized kernel and initramfs (for example from a USB) and then from a more comfortable environment, copy the full disk or install a rootkit. Denial of service: The attacker is able to destroy any data including the grub itself. Even in the case that the disk is ciphered the attacker can overwrite it, causing a DoS. The Vulnerability The fault (bug) is in the code of Grub since version 1.98 (December, 2009). The commit which introduced the fault was b391bdb2f2c5ccf29da66cecdbfb7566656a704d, affecting the grub_password_get() function. There are two functions which suffer the same integer underflow fault. The grub_username_get() and grub_password_get() located in grub-core/normal/auth.c and lib/crypto.c respectively. Both functions are equal except for a call to printf() in the get_username_get(). The PoC described here is based only on exploiting the grub_username_get() to obtain a Grub rescue shell. Below is the vulnerable grub_username_get() function: static int grub_username_get (char buf[], unsigned buf_size) { unsigned cur_len = 0; int key; while (1) { key = grub_getkey (); if (key == '\n' || key == '\r') break; if (key == 'e') { cur_len = 0; break; } if (key == 'b') // Does not checks underflows !! { cur_len--; // Integer underflow !! grub_printf ("b"); continue; } if (!grub_isprint (key)) continue; if (cur_len + 2 < buf_size) { buf[cur_len++] = key; // Off-by-two !! grub_printf ("%c", key); } } grub_memset( buf + cur_len, 0, buf_size - cur_len); // Out of bounds overwrite grub_xputs ("\n"); grub_refresh (); return (key != 'e'); } Function grub_username_get() at grub-core/normal/auth.c The fault is caused by decrementing the cur_len variable without checking the range. FiX: http://hmarco.org/bugs/patches/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch From 88c9657960a6c5d3673a25c266781e876c181add Mon Sep 17 00:00:00 2001 From: Hector Marco-Gisbert <hecmargi@upv.es> Date: Fri, 13 Nov 2015 16:21:09 +0100 Subject: [PATCH] Fix security issue when reading username and password This patch fixes two integer underflows at: * grub-core/lib/crypto.c * grub-core/normal/auth.c Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es> Signed-off-by: Ismael Ripoll-Ripoll <iripoll@disca.upv.es> --- grub-core/lib/crypto.c | 2 +- grub-core/normal/auth.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c index 010e550..524a3d8 100644 --- a/grub-core/lib/crypto.c +++ b/grub-core/lib/crypto.c @@ -468,7 +468,7 @@ grub_password_get (char buf[], unsigned buf_size) break; } - if (key == 'b') + if (key == 'b' && cur_len) { cur_len--; continue; diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c index c6bd96e..5782ec5 100644 --- a/grub-core/normal/auth.c +++ b/grub-core/normal/auth.c @@ -172,7 +172,7 @@ grub_username_get (char buf[], unsigned buf_size) break; } - if (key == 'b') + if (key == 'b' && cur_len) { cur_len--; grub_printf ("b"); -- 1.9.1