An attacker can abuse a vulnerability to launch a shell with root privileges on most Linux machines just by holding the ‘Enter’ key for 70 seconds.
Researchers Hector Marco & Ismael Ripoll unveiled the bug (CVE-2016-4484) in their presentation “Abusing LUKS to Hack the System” at the DeepSec 2016 security conference.
The flaw is no laughing matter, as Marco notes in a blog post:
“This vulnerability allows to obtain a root initramfs shell on affected systems. The vulnerability is very reliable because it doesn’t depend on specific systems or configurations. Attackers can copy, modify or destroy the hard disc as well as set up the network to exfiltrate data. This vulnerability is especially serious in environments like libraries, ATMs, airport machines, labs, etc, where the whole boot process is protected (password in BIOS and GRUB) and we only have a keyboard or/and a mouse.”
CVE-2016-4484 resides in Cryptsetup, a utility which is responsible for implementing disk encryption. More specifically, it’s found in a script that unlocks the system partition when the partition is ciphered using LUKS (Linux Unified Key Setup). The vulnerable script file is responsible for a password check.
Here’s how it works. When you install a Linux OS like Debian or Ubuntu, you are prompted to encrypt the installation.
For security purposes, you should encrypt the disk. But there’s a problem: the script file /scripts/local-top/cryptroot doesn’t handle the check for a single password that protects the system and swap partitions.
The boot script, in essence, tries to mount the “failing” device a total of 30 times. Each time the attempt fails, the user is given three additional chances to supply a password. That adds up to a total of 93 password guesses before the script gives up.
Or not. Marco explains:
“But the real problem happens when the maximum number of trials for transient hardware faults is reached (30 times for non ppc systems), line 114 at function local_device_setup(). In this case, the top level script is not aware of the root cause of the fault and drops a shell (busybox) to the user, line 124. The panic() function (see below) tries to insert additional drivers and runs a shell…
“The attacker just has to press and keep pressing the [Enter] key at the LUKS password prompt until a shell appears, which occurs after 70 seconds approx.”
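To make the retry arithmetic and the fallback behaviour concrete, here is a small POSIX shell model of the logic the article describes. This is an added illustration, not the Debian/Ubuntu cryptroot script or Marco’s code: it assumes one initial device-setup attempt plus 30 retries, three password tries each (giving the 93 guesses quoted above), a stand-in `try_unlock` that accepts only the constructed passphrase `correct-horse`, and two fallback modes. The “vulnerable” mode prints `shell` where the real initramfs drops to busybox; the “hardened” mode instead reports a reboot, standing in for a fallback that never hands an unauthenticated user a shell.

```shell
#!/bin/sh
# Added example: simplified model of the initramfs retry logic described in
# the article. NOT the actual /scripts/local-top/cryptroot script.
# Constants follow the article: 30 device-setup retries, 3 password tries
# each, plus the initial attempt, so the fallback is reached after 93 guesses.
MAX_DEVICE_RETRIES=30
MAX_PASSWORD_TRIES=3

# try_unlock PASSPHRASE: stand-in for "cryptsetup luksOpen". Accepts only the
# constructed passphrase "correct-horse" (assumption for the example).
try_unlock() {
    [ "$1" = "correct-horse" ]
}

# simulate_boot MODE: reads candidate passphrases from stdin, one per line.
# End of input (or an empty line) models a bare [Enter] at the prompt.
# Prints one of:
#   "unlocked after N guesses"  - correct passphrase supplied
#   "shell after N guesses"     - MODE=vulnerable: fallback drops a root shell
#   "reboot after N guesses"    - MODE=hardened:   fallback reboots instead
simulate_boot() {
    mode="$1"
    guesses=0
    attempt=0
    # One initial attempt plus MAX_DEVICE_RETRIES retries.
    while [ "$attempt" -le "$MAX_DEVICE_RETRIES" ]; do
        tries=0
        while [ "$tries" -lt "$MAX_PASSWORD_TRIES" ]; do
            # At EOF, read fails; treat that as the user just pressing Enter.
            if ! IFS= read -r candidate; then
                candidate=""
            fi
            guesses=$((guesses + 1))
            tries=$((tries + 1))
            if try_unlock "$candidate"; then
                printf 'unlocked after %d guesses\n' "$guesses"
                return 0
            fi
        done
        attempt=$((attempt + 1))
    done
    # All attempts exhausted: this is the point where the top-level script
    # cannot tell a typo from a hardware fault and calls its panic handler.
    case "$mode" in
        vulnerable) printf 'shell after %d guesses\n' "$guesses" ;;
        hardened)   printf 'reboot after %d guesses\n' "$guesses" ;;
        *)          printf 'unknown mode %s\n' "$mode"; return 1 ;;
    esac
    return 0
}
```

Run it with `printf '' | simulate_boot vulnerable` to see the 93-guess exhaustion end in a shell, and with `printf 'wrong\ncorrect-horse\n' | simulate_boot hardened` to see a normal unlock. The point of the model is that the guess limit itself is not the defence; what matters is what the script does once the limit is reached, and a fallback that reboots (or halts) closes the door that a dropped busybox shell leaves open.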
So what does that root shell actually give an attacker? On its own, it doesn’t allow them to decrypt the disk. But they could copy the disk to an external drive and brute-force it there.
They could also simply delete all of the disk’s information or abuse the unencrypted boot partition to store an executable that they could leverage to escalate privileges at a later time.
In most cases, an attacker would need physical access to the console and the ability to reboot the target machine in order to exploit this vulnerability, though there are some situations (e.g. cloud environments) where remote exploitation could be possible.
With that being said, it’s important that users patch their vulnerable machines by applying a fix or workaround.
For more information, please be sure to read Hector Marco’s blog post.