How to hack any Linux machine using Grub2

Pressing the backspace key 28 times will let you circumvent a locked-down Linux machine, researchers at Universitat Politècnica de València recently discovered.

The GRUB bootloader used by most Linux distributions has the option to password protect boot entries. Not only does this prevent tampering with those entries, it also lets you stop peripherals such as CD drives and USB ports from booting an OS. Without this protection an attacker could boot the system from a live USB key or CD, switching into their preferred operating system to download or access files stored on the machine’s hard drive.

This flaw in Grub2, which affects versions 1.98 and 2.02, means that simply tapping the backspace key 28 times brings up the prompt normally hidden behind the password screen.

In a security advisory, Marco and Ripoll said the bootloader is used by most Linux distributions, resulting in an “incalculable number of affected devices.”

An attacker who successfully exploits this vulnerability obtains a Grub rescue shell. Grub rescue is a very powerful shell that allows:

  • Elevation of privilege: The attacker is authenticated without knowing a valid username or password. The attacker has full access to Grub’s console (grub rescue).
  • Information disclosure: The attacker can load a customized kernel and initramfs (for example from a USB drive) and then, from a more comfortable environment, copy the full disk or install a rootkit.
  • Denial of service: The attacker is able to destroy any data, including Grub itself. Even if the disk is encrypted the attacker can overwrite it, causing a DoS.

To quickly check whether your system is vulnerable, press Backspace 28 times when Grub asks you for the username. If your machine reboots or you get a rescue shell, your Grub is affected.
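The manual backspace test above needs console access; as a complement, the following shell script (an added example, not part of the article or the advisory) reports the installed GRUB2 version and whether it falls inside the affected range, which it assumes to be 1.98 through 2.02 inclusive. The function names grub_version_key, grub_version_affected and installed_grub_version are my own; distributions often backport fixes without bumping the version, so a hit is a prompt to check the package changelog, not proof of exposure.

```shell
#!/bin/sh
# Added example: flag GRUB2 installs whose version lies in the range the
# advisory lists as affected (assumed inclusive: 1.98 .. 2.02).

# Map a version string such as "2.02", "1.98" or "2.04-1ubuntu26" to an
# integer major*1000+minor so the range check is a plain comparison.
grub_version_key() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # drop "~beta2", "-1ubuntu" suffixes
    major=${v%%.*}
    if [ "$v" = "$major" ]; then
        minor=0                                    # no dot: treat "2" as 2.0
    else
        rest=${v#*.}
        minor=$(printf '%s' "${rest%%.*}" | sed 's/^0*//')   # "02" -> "2"
        [ -z "$minor" ] && minor=0
    fi
    echo $(( major * 1000 + minor ))
}

# Succeeds (exit 0) when the version is inside the affected range.
grub_version_affected() {
    key=$(grub_version_key "$1")
    [ "$key" -ge 1098 ] && [ "$key" -le 2002 ]
}

# Print the version reported by grub-install/grub2-install, e.g. "2.04-1ubuntu26".
installed_grub_version() {
    for cmd in grub-install grub2-install; do
        if command -v "$cmd" >/dev/null 2>&1; then
            "$cmd" --version 2>/dev/null | awk '{print $NF}'
            return 0
        fi
    done
    return 1
}

grub_report() {
    ver=$(installed_grub_version) || { echo "grub-install not found; run this on the target host"; return 0; }
    if grub_version_affected "$ver"; then
        echo "GRUB $ver is inside the affected range (1.98-2.02): confirm your package carries the backspace fix"
    else
        echo "GRUB $ver is outside the affected range"
    fi
}

grub_report
```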