Bugzilla – Bug 956631
VUL-0: CVE-2015-8370: grub2: overflows in grub_password_get and grub_user_get
Last modified: 2016-04-27 19:17:17 UTC
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as "moderate". Please submit fixed packages until "Dec. 15, 2015". When done, reassign the bug to "security-team@suse.de". /update/121066/.
just posted to oss-sec, is public http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html

Grub2 Authentication 0-Day
Authors: Hector Marco & Ismael Ripoll -- Cybersecurity Group
CVE: CVE-2015-8370
Comment: Grub2 Authentication Bypass 0-Day
Dates: December 10th, 2015 - Disclosed at IX Jornadas STIC CCN-CERT. December 14th, 2015 - Published in the web.

GRUB2 vulnerability

Description

A vulnerability in Grub2 has been found. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected. The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer. Grub2 is the bootloader used by most Linux systems including some embedded systems. This results in an incalculable number of affected devices. As shown in the picture, we successfully exploited this vulnerability in a Debian 7.5 under Qemu, getting a Grub rescue shell.

Am I vulnerable?

To quickly check if your system is vulnerable, when Grub asks you for the username, press the backspace key 28 times. If your machine reboots or you get a rescue shell then your Grub is affected.

Impact

An attacker which successfully exploits this vulnerability will obtain a Grub rescue shell. Grub rescue is a very powerful shell allowing to:

Elevation of privilege: The attacker is authenticated without knowing a valid username nor the password. The attacker has full access to the grub's console (grub rescue).
Information disclosure: The attacker can load a customized kernel and initramfs (for example from a USB) and then, from a more comfortable environment, copy the full disk or install a rootkit.
Denial of service: The attacker is able to destroy any data including the grub itself. Even in the case that the disk is ciphered the attacker can overwrite it, causing a DoS.

The Vulnerability

The fault (bug) is in the code of Grub since version 1.98 (December, 2009). The commit which introduced the fault was b391bdb2f2c5ccf29da66cecdbfb7566656a704d, affecting the grub_password_get() function. There are two functions which suffer the same integer underflow fault: grub_username_get() and grub_password_get(), located in grub-core/normal/auth.c and lib/crypto.c respectively. Both functions are equal except for a call to printf() in grub_username_get(). The PoC described here is based only on exploiting grub_username_get() to obtain a Grub rescue shell. Below is the vulnerable grub_username_get() function: (see page)

The fault is caused by decrementing the cur_len variable without checking the range.

The Exploit (PoC)

Exploiting the integer underflow can be used to cause an Off-by-two or an Out of bounds overwrite memory error. The former overwrites up to two bytes right under the username buffer (local variable called login at function grub_auth_check_authentication()), but this area does not contain any usable information to build an attack; actually, it is padding. The latter, the Out of bounds overwrite, is more interesting because it allows to overwrite with zeros the zone below the username buffer. This is because the grub_memset() function tries to set to zero all unused bytes of the username buffer. To do that, the code calculates the address of the first unused byte and how many bytes have to be zeroed in the buffer. The results of these calculations are passed as arguments to the grub_memset() function:

  grub_memset (buf + cur_len, 0, buf_size - cur_len);

For example, typing "root" as username, cur_len is 5, and the grub_memset() function will clear (set to zero) bytes from 5 to 1024-5 (the username and password buffers are 1024 bytes) of the username buffer. This way of programming is quite robust. For example, if the typed username is stored in a clean 1024-byte array, then we can compare the whole 1024 bytes with the valid username, rather than comparing both strings. This protects against some sort of side-channel attacks, like timing attacks.

To abuse the out of bound overwrite, the attacker can press the backspace key to underflow the cur_len variable, producing a very high value. This value is later used to calculate the starting address to clear:

  memset destination address = buf + cur_len

At this point, a second overflow occurs because the addition of this big value with the base address where the username buffer resides cannot be held in a 32-bit variable. Hence, we need to manage the first underflow and this second overflow to calculate the destination address where the grub_memset() function will start to set the buffer to zeros:

  cur_len--; // Integer Underflow
  grub_memset (buf + cur_len, 0, buf_size - cur_len); // Integer Overflow

The following example helps to understand how we can exploit this. Assuming that the username buffer resides in the address 0x7f674 and the attacker presses the backspace key only once (producing an underflow to 0xFFFFFFFF), the resulting memset will be:

  grub_memset (0x7f673, 0, 1025);

The first argument is: (buf+cur_len) = (0x7f674+0xFFFFFFFF) = (0x7f674-1) = 0x7f673; the second argument is the constant value used to overwrite the area, in this case 0; and the third argument is the number of bytes to overwrite: (buf_size-cur_len) = (1024-(-1)) = 1025. Therefore, the whole username buffer (1024) plus the very first byte under the buffer will be set to zero. Therefore, the number of backspace keystrokes (without introducing any username) is the number of bytes below the username that are zeroed. Now that we are able to overwrite an arbitrary number of bytes below the username, we need to find out an interesting memory address that we can overwrite with zeros.

A quick look at the current stack frame reveals that we were able to overwrite the return address of the grub_memset() function. The following picture sketches the stack memory layout: ... see page for more details
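As an added illustration of the 32-bit arithmetic the pasted advisory walks through (this is example code written for this bug report, not grub's code or the advisory's), the following C simulates the cur_len bookkeeping of grub_username_get() beside a bounds-checked version. The buffer address 0x7f674 and the 1024-byte buffer size come from the advisory; the function and struct names are assumptions.

```c
#include <stdint.h>

#define BUF_SIZE 1024u  /* grub's username/password buffers are 1024 bytes */

/* The two values the code would hand to grub_memset(): start address and
 * byte count, computed in 32-bit arithmetic as on a 32-bit grub build. */
struct memset_args {
    uint32_t dst;
    uint32_t len;
};

/* Vulnerable bookkeeping (simulation, not grub's code): every backspace does
 * cur_len-- with no lower bound, so a backspace on an empty username wraps
 * cur_len to 0xFFFFFFFF, and buf + cur_len then wraps a second time. */
struct memset_args vulnerable_clear(uint32_t buf, uint32_t cur_len, unsigned backspaces)
{
    for (unsigned i = 0; i < backspaces; i++)
        cur_len--;                  /* integer underflow when cur_len == 0 */
    struct memset_args a;
    a.dst = buf + cur_len;          /* 0x7f674 + 0xFFFFFFFF wraps to 0x7f673 */
    a.len = BUF_SIZE - cur_len;     /* 1024 - 0xFFFFFFFF wraps to 1025 */
    return a;
}

/* Hardened bookkeeping: the range check the advisory says is missing.
 * cur_len never goes below zero, so dst never moves below buf and len
 * never exceeds BUF_SIZE, whatever the number of backspaces. */
struct memset_args hardened_clear(uint32_t buf, uint32_t cur_len, unsigned backspaces)
{
    for (unsigned i = 0; i < backspaces; i++)
        if (cur_len > 0)
            cur_len--;
    struct memset_args a;
    a.dst = buf + cur_len;
    a.len = BUF_SIZE - cur_len;
    return a;
}

/* Bytes a clear request would zero below the start of the buffer; the
 * advisory's point is that this equals the number of extra backspaces. */
uint32_t bytes_below_buffer(struct memset_args a, uint32_t buf)
{
    return a.dst < buf ? buf - a.dst : 0;
}

/* Review check: the request must stay inside [buf, buf + BUF_SIZE). */
int clear_in_bounds(struct memset_args a, uint32_t buf)
{
    return a.dst >= buf && a.len <= BUF_SIZE - (a.dst - buf);
}
```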
Created attachment 659424 [details] 0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch 0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch
opensuse submits could be done. leap 42.1 gets it from sles12 sp1, so only 13.1, 13.2 and factory needed
FYI slashdot article .. http://linux.slashdot.org/story/15/12/16/040223/0-day-grub2-authentication-bypass-hits-linux
(In reply to Marcus Meissner from comment #12)
> opensuse submits could be done. leap 42.1 gets it from sles12 sp1, so only
> 13.1, 13.2 and factory needed

Do I have to work on the maintenance update to 13.1 and 13.2 or will the maintenance/security team do that? Thanks.
(In reply to Michael Chang from comment #14)
> (In reply to Marcus Meissner from comment #12)
> > opensuse submits could be done. leap 42.1 gets it from sles12 sp1, so only
> > 13.1, 13.2 and factory needed

Factory: https://build.opensuse.org/request/show/349270
missed : https://build.opensuse.org/request/show/349296

> Do I have to work on the maintenance update to 13.1 and 13.2 or
> maintenance/security team will do that ?

Please submit a maintenance update for openSUSE 13.1 and 13.2, we will then process.
Michael, the security team only coordinates security incidents. We help with creating patches if necessary and with questions, but we do not do package submissions ourselves, we rely on the packagers to do so.
Thanks for the explanation. I have created maintenance update requests for openSUSE 13.1 and 13.2:

srid#349304 for openSUSE 13.1
srid#349307 for openSUSE 13.2

Please have a look.
(In reply to Andreas Stieger from comment #15)
> (In reply to Michael Chang from comment #14)
> missed : https://build.opensuse.org/request/show/349296

Accepted. Thank you.
Added language to https://www.suse.com/security/cve/CVE-2015-8370.html NOTE: The attack vector of this vulnerability is local, meaning that it will be mitigated in typical data centers and other settings with controlled physical access.
openSUSE-SU-2015:2375-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 956631 CVE References: CVE-2015-8370 Sources used: openSUSE 13.2 (src): grub2-2.02~beta2-20.13.1 openSUSE 13.1 (src): grub2-2.00-39.11.1
This is an autogenerated message for OBS integration: This bug (956631) was mentioned in https://build.opensuse.org/request/show/350996 Evergreen:11.4 / grub2.openSUSE_Evergreen_11.4
SUSE-SU-2015:2385-1: An update that solves one vulnerability and has 5 fixes is now available. Category: security (important) Bug References: 884828,884830,946148,952539,954592,956631 CVE References: CVE-2015-8370 Sources used: SUSE Linux Enterprise Server 11-SP4 (src): grub2-2.00-0.54.2 SUSE Linux Enterprise Desktop 11-SP4 (src): grub2-2.00-0.54.2 SUSE Linux Enterprise Debuginfo 11-SP4 (src): grub2-2.00-0.54.2
SUSE-SU-2015:2386-1: An update that solves one vulnerability and has 5 fixes is now available. Category: security (important) Bug References: 884828,884830,946148,952539,954592,956631 CVE References: CVE-2015-8370 Sources used: SUSE Linux Enterprise Server for VMWare 11-SP3 (src): grub2-2.00-0.49.2 SUSE Linux Enterprise Server 11-SP3 (src): grub2-2.00-0.49.2 SUSE Linux Enterprise Desktop 11-SP3 (src): grub2-2.00-0.49.2 SUSE Linux Enterprise Debuginfo 11-SP3 (src): grub2-2.00-0.49.2
SUSE-SU-2015:2387-1: An update that solves one vulnerability and has 8 fixes is now available. Category: security (important) Bug References: 774666,917427,946148,952539,954126,954519,955493,955609,956631 CVE References: CVE-2015-8370 Sources used: SUSE Linux Enterprise Server 12-SP1 (src): grub2-2.02~beta2-73.3 SUSE Linux Enterprise Desktop 12-SP1 (src): grub2-2.02~beta2-73.3
openSUSE-SU-2015:2392-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 956631 CVE References: CVE-2015-8370 Sources used: openSUSE Evergreen 11.4 (src): grub2-1.98-14.1
SUSE-SU-2015:2399-1: An update that solves one vulnerability and has four fixes is now available. Category: security (important) Bug References: 928131,943380,946148,952539,956631 CVE References: CVE-2015-8370 Sources used: SUSE Linux Enterprise Server 12 (src): grub2-2.02~beta2-56.9.4 SUSE Linux Enterprise Desktop 12 (src): grub2-2.02~beta2-56.9.4
openSUSE-SU-2016:0036-1: An update that solves one vulnerability and has 8 fixes is now available. Category: security (important) Bug References: 774666,917427,946148,952539,954126,954519,955493,955609,956631 CVE References: CVE-2015-8370 Sources used: openSUSE Leap 42.1 (src): grub2-2.02~beta2-76.1
I think we can close the ticket as the CVE fix has been released. Thanks.