28 Clicks To Disaster:
Researchers recently found source code security flaws that allow an attacker to overcome the password security of Grub2 and take control of the computer – just by pressing the backspace key 28 times. This easily preventable defect has existed since 2009. How could this have been detected earlier? Why did this vulnerability that could have been easily prevented or fixed much earlier evade detection?
In late December 2015, , researchers from the Cybersecurity research group at the Polytechnic University of Valencia (PUV) published a detailed report of a serious vulnerability identified in the Grub2 open-source bootloader package. Grub2 (GNU GRand Unified Bootloader) is the most used boot loader for Unix-like operating systems (Solaris, Debian, Ubuntu, RedHat and many others). It is also widely deployed on enterprise servers and end user devices. Grub2 is one of the first programs started by the computer firmware and is responsible for loading the OS during the computer’s boot process.
GRUB2 boot loader
The vulnerability disclosed by the PUV team allows an attacker to overcome the password security of Grub2 and take control of the computer – just by pressing the backspace key 28 times. According to the report, after the 28th key press the dataflow of the program becomes corrupted. As a result, the password security is compromised and an attacker can exploit the vulnerability to gain root access to the computer, whereby they are able to access all the data on the computer, load a customized kernel, install a rootkit, etc.
The problem lies in the functions grub_user_name_get and grub_password_get. Both functions count the number of typed letters and subtract 1 if the backspace key is used. Since there is no check on the variable assignment operation, the variable value can underflow, which produces a very high value and causes an overflow in a subsequent calculation. Consequently, several presses of the backspace key can lead to assignment zeros in the wrong part of memory, leading to corruption of the program control flow. If exactly 28 backspaces are entered, the return value address of function grub_memset() is overwritten with zeros and the function grub_rescue_run() is started, which invokes the rescue command line.
Function listing of grub_password_get (file grub-core/lib/crypto.c)
The vulnerability was present in the source code since version 1.98 from December 2009 and was not fixed until the version 2.02 released in December 2015. Currently, there is a patch for this problem and the majority of the OSs using Grub2 have been patched already. Nevertheless, it is possible that a significant number of computers will remain unpatched, which is a possible threat for the security of any company.
One of the most interesting attributes of this vulnerability is that it could have been easily prevented or fixed much earlier – if the source code had been checked with a static analyzer with dataflow analysis, such as that provided by PRQA . The issues related to integer underflow or overflow and the resulting potential security consequences are well understood and specifically identified in the CWE list and other secure coding standards. In order to enforce checking of these issues using static code analysis, it is necessary to use a toolset that can perform deep-flow analysis to identify critical coding issues related to control-flow, variable state and library usage. By scanning the Grub2 source code with PRQA tools, it was possible to find the vulnerability and the corresponding Dataflow analysis messages specifically identify the flaw as an unsigned integer wraparound/underflow problem.
The Grub2 exploit found by Dataflow analyzer from Programming Research Ltd.
Using static analysis with dataflow, we are able to find problems similar to the Grub2 vulnerability which would be difficult or too time-consuming to find using other methods such as manual code review and dynamic program analysis. Software flaws such as integer wraparound, which may seem minor when considered in isolation, can have serious security consequences for computing systems. An error that causes unexpected behavior in one software component could be propagated through a system and result in a vulnerability that can be exploited by a determined attacker. PRQA static analysis of the Grub2 code highlighted several other issues which could be reviewed further to determine whether they may represent additional vulnerabilities.
Validating and improving the security of open-source and commercial software is a constant challenge and static analysis is a key enabler in verifying the integrity of legacy and new software to prevent cybersecurity problems such as the Grub2 vulnerability uncovered by the PUV team.
This post is possible thanks to the following co-authors: Colin Bigg, Michal Svagerka, Oscar Forner Martinez.To learn more about how CWE weaknesses can be detected using static analysis download