Cracking Linux with the backspace key?


Anybody who has been paying attention to the net over the last week or so will certainly have noticed an abundance of articles with titles like "How to hack any Linux machine just using backspace". All this press does indeed highlight an important vulnerability, but it may not be the one that they think they are talking about.

The source of these reports is a mildly hype-ridden disclosure of a vulnerability in the GRUB2 bootloader by Hector Marco and Ismael Ripoll. It seems that hitting the backspace character at the GRUB2 username prompt enough times will trigger an integer underflow, allowing a bypass of GRUB2's authentication stage. According to the authors, this vulnerability, exploitable for denial-of-service, information-disclosure, and code-execution attacks, "results in an incalculable number of affected devices." It is indeed a serious vulnerability in some settings and it needs to be fixed. Unfortunately, some of the most severely affected systems may also be the hardest to patch. But language like the above leads reporters to write that any Linux system can be broken into using the backspace key, which stretches the truth somewhat.
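The mechanism the disclosure describes, an unsigned length that is decremented on each backspace without first checking that there is anything to erase, is modelled in the following added C example. It is hypothetical illustration code, not GRUB2's; the struct, the function names and the constructed keystroke strings are all assumed. It puts the unchecked decrement beside the bounds check that prevents the wrap-around.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a prompt's line editor. Hypothetical code, not GRUB2's:
 * it only illustrates the unsigned-underflow bug class. */
#define BUF_SIZE 32

struct line {
    char buf[BUF_SIZE];
    unsigned int len;   /* unsigned: 0 - 1 wraps to UINT_MAX */
};

static struct line g_line;   /* shared editor state for feed()/line_text() */

/* Vulnerable variant: decrements without checking for an empty buffer. */
static void backspace_unchecked(struct line *l)
{
    l->len--;
}

/* Hardened variant: a backspace on an empty buffer is simply ignored. */
static int backspace_checked(struct line *l)
{
    if (l->len == 0)
        return 0;                 /* nothing to erase; reject the key */
    l->buf[--l->len] = '\0';
    return 1;
}

/* Feed constructed keystrokes ('\b' = backspace) into a fresh editor and
 * return the resulting length. checked selects the hardened variant. */
static unsigned int feed(const char *keys, int checked)
{
    memset(&g_line, 0, sizeof g_line);
    for (; *keys; keys++) {
        if (*keys == '\b') {
            if (checked) backspace_checked(&g_line);
            else         backspace_unchecked(&g_line);
        } else if (g_line.len < BUF_SIZE - 1) {
            g_line.buf[g_line.len++] = *keys;   /* never written once len wrapped */
        }
    }
    return g_line.len;
}

static const char *line_text(void) { return g_line.buf; }

int main(void)
{
    printf("unchecked: len=%u\n", feed("ab\b\b\b", 0));  /* wraps to UINT_MAX */
    printf("checked:   len=%u\n", feed("ab\b\b\b", 1));  /* stays at 0 */
    return 0;
}
```

Three backspaces against two typed characters are enough to make the unchecked length wrap, which is the condition a downstream length-based check must never see.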

It is worth looking at what is required to actually exploit this vulnerability. The conditions are:

An attacker must have physical access to the system's console to be able to type the famous backspaces. In general, once an attacker can actually put hands onto a target system, the game is already lost. That is no excuse for a trivially exploited vulnerability in the bootloader's authentication code, but it does add a bit of perspective. Note that you may have physical access to the Linux-based entertainment system in your airplane seat, but you almost certainly lack access to the console.

The attacker must be able to reach the bootloader's authentication prompt. That generally means being able to force a running Linux system to reboot so that the bootloader actually runs. If the system is configured to allow unprivileged users to cause a reboot, then complaints of "denial of service" are already moot; service can be denied at any time. Of course, that can also be done by pulling the plug since, as has already been noted, the attacker has physical access to the system.

The system must be running the GRUB2 bootloader. If it's an x86 system, chances are that it is indeed GRUB2 that is installed there. Other architectures tend to use other bootloaders, though. Many of the embedded systems that might be most at risk from this type of vulnerability will thus not be running the vulnerable software.

The bootloader must actually be configured for password-based access. While lacking hard data, your editor would guess that a small minority of systems booting with GRUB2 have passwords set on them. In most cases, simply rebooting allows full access to the bootloader and its capabilities — no exploit required.

The system must be running an exploitable version of GRUB2. This part is relatively easy — the vulnerability has been present since version 1.98, released in late 2009.

Given the above, it seems unlikely that this vulnerability has exposed "any Linux system" to attack. Instead, it has exposed a small number of systems that are configured with bootloader security, but that also allow physical access to a console keyboard. For some of those systems, this vulnerability constitutes a true emergency. For most of us, though, there is no particular need to go into red alert.

There is a different vulnerability that has been exposed here, though, that is somewhat more severe. Anybody who reads the mainstream technical press now "knows" that any Linux system can be broken into by pressing a single key a few times. Linux security has been exposed as a laughable joke; how can anybody take such a system seriously?

In other words, all it takes is a couple of researchers who are able to turn up a bug, create a logo and a cute name ("Back to 28" in this case) for it, and post it as a "zero-day vulnerability" to create a storm of mocking bad publicity for Linux. Relative to, say, the Juniper firewall backdoor, disclosed at about the same time, the GRUB2 issue is minor indeed. But "28 backspaces" makes for good headlines, so it may well be that more people know about the GRUB2 vulnerability than the "unauthorized code" in security-critical Juniper products. It's bad enough when, as happens all too often, we are justly lambasted for security problems affecting large numbers of users; to be taken to task for this one is just kind of sad.

Arguably, we have just seen an exploit of a vulnerability in our public-relations system: any attacker with a "zero-day" bug and some minimal marketing skills can cause untold damage to the image of Linux as a whole. Companies deal with such issues by firing up their own PR machines, but Linux does not really have any such thing. So we are stuck trying to patch up our reputation after the fact, hoping that at least some members of the press will eventually figure out that, in fact, you really can't hack into any Linux system by hitting the backspace key.

