
Researchers last week revealed a zero-day flaw that lets attackers take over a Linux system by pressing the backspace key repeatedly.
Pressing backspace 17 to 20 times will overwrite the highest byte of the return address of the grub_memset() function, ultimately causing a reboot by redirecting control flow to the 0x00eb53e8 address, according to the Cybersecurity Group at the Universitat Politecnica de Valencia.
The flaw is in Grub 1.98 and later. Grub is the bootloader used by most Linux systems, including some embedded systems.
Why the Attack Works
The processor's interrupt vector table, or IVT, resides at address 0x0.
At this stage of the boot sequence, the processor is in protected mode, which Grub2 enables from the start.
Virtual memory is not enabled; there is no memory protection and the memory is readable, writable and executable; the processor executes the 32-bit instruction set even in 64-bit architectures; the processor automatically handles self-modifying code; and there is no stack smashing protector or address space layout randomization.
In other words, the system is naked.
The integer underflow fault impacts both the grub_password_get() function and the grub_username_get() function.
Pressing the Backspace key 28 times when Grub asks for the username will show whether a system is at risk.
If the machine reboots or a rescue shell is displayed, it is.
The Danger of the Flaw
Attackers can access the Grub2 rescue function without authentication. Then they can deploy malware into a system through various means, including running a BASH shell, or they can patch the code of Grub2 in RAM to be always authenticated and then return to normal mode.
They can elevate privileges to whatever extent they desire or copy the entire disk; destroy any data, including Grub itself; or overwrite encrypted disks, causing a denial of service.
The bug can be fixed by preventing cur_len overflows. Major Linux vendors -- Red Hat, Ubuntu and Debian -- have fixed the flaw, and the researchers have created an emergency patch.
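The integer underflow and its fix, as an added illustration that is not GRUB's source code: a hypothetical model of the line reader's cur_len bookkeeping, with the unchecked Backspace handling beside the bounds-checked one, and a model of the final clearing memset under the 32-bit pointer arithmetic the article describes. The keystroke strings, BUF_SIZE and all function names are constructed for this example.

```c
#include <stdint.h>

/* Hypothetical model (not GRUB's code): only the index is tracked, so no
 * real memory is ever corrupted while running it. */
#define BUF_SIZE 32u

/* Unchecked variant: Backspace decrements cur_len even when it is 0, so the
 * unsigned counter wraps to 0xFFFFFFFF (the underflow the article describes).
 * keys is a constructed keystroke string; '\n' ends the line. */
static uint32_t run_unchecked(const char *keys)
{
    uint32_t cur_len = 0;
    for (; *keys && *keys != '\n'; keys++) {
        if (*keys == '\b') { cur_len--; continue; }   /* no lower-bound check */
        if (cur_len + 2 < BUF_SIZE) cur_len++;        /* store key, keep room for NUL */
    }
    return cur_len;
}

/* Fixed variant: Backspace is ignored when nothing has been typed. */
static uint32_t run_checked(const char *keys)
{
    uint32_t cur_len = 0;
    for (; *keys && *keys != '\n'; keys++) {
        if (*keys == '\b') { if (cur_len) cur_len--; continue; }
        if (cur_len + 2 < BUF_SIZE) cur_len++;
    }
    return cur_len;
}

/* After Enter the reader clears the rest of the buffer with
 * memset(buf + cur_len, 0, buf_size - cur_len). Under 32-bit pointer
 * arithmetic a wrapped cur_len becomes a negative start offset and the
 * length grows by the same amount: zeros land on the stack below buf. */
struct clear_range { int32_t start; uint32_t len; };

static struct clear_range clear_range_for(uint32_t cur_len)
{
    struct clear_range r = { (int32_t)cur_len, BUF_SIZE - cur_len };
    return r;
}

/* 1 if the modelled memset stays inside buf[0 .. BUF_SIZE), else 0. */
static int clear_in_bounds(struct clear_range r)
{
    return r.start >= 0 && (uint64_t)r.start + r.len <= BUF_SIZE;
}
```

With 17 Backspaces the unchecked reader ends up clearing 49 bytes starting 17 bytes before the buffer; the checked reader clears exactly the 32-byte buffer.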
Much has been made of the relative security of Linux systems compared to Microsoft PCs, but this flaw shows Linux users "have to be at least as observant and reactive as everyone else," observed Rob Enderle, principal analyst at the