New Linux vulnerability: hold the ENTER key for 70 seconds to get root access - vulnerability warning - the black bar safety net

ID MYHACK58:62201681307
Type myhack58
Reporter Anonymous
Modified 2016-11-17T00:00:00



Press and hold the Enter key for 70 seconds and an attacker can bypass authentication on a Linux system, obtain root permissions, and go on to control the encrypted Linux system remotely.

Vulnerability source

The problem comes from a vulnerability in Cryptsetup (CVE-2016-4484). Cryptsetup is the software that encrypts disks with Linux Unified Key Setup (LUKS), and LUKS is the standard disk encryption on Linux systems.

The vulnerability lies in how the system handles a wrong Cryptsetup password: it lets the user retry the password over and over, and once a wrong password has been entered 93 times the program drops the user into a root shell (busybox). In other words, if you enter a wrong password 93 times, or simply keep the ENTER key pressed for roughly 70 seconds, you get a root initramfs (initial RAM filesystem) shell. With that shell you can copy, modify or destroy the whole hard drive, or send data out over the network. The vulnerability can also be exploited remotely. It was discovered by the Spanish security researchers Hector Marco and Ismael Ripoll, and it affects almost all Linux distributions, including Debian, Ubuntu, Fedora, Red Hat Enterprise Linux (RHEL) and SUSE.

The researchers presented the details at this year's DeepSec conference in Vienna, Austria: "An attacker can obtain a root initramfs shell on the affected systems. The success rate of the vulnerability is very high because it does not depend on a particular system or a particular configuration... This vulnerability is especially relevant in libraries, ATMs, airports, laboratories and similar scenarios, because there the boot process is protected (encrypted) and we only have a keyboard/mouse."

Reading this, you might think the vulnerability can only be exploited when the attacker has physical access. In fact it can be triggered remotely: if you use a Linux-based cloud service, the vulnerability can be used without any physical access.

How serious is the vulnerability

It is worth noting that an attacker cannot use this vulnerability to obtain the content of the encrypted disk, but can still do the following:

Elevation of privilege: since the boot partition is usually not encrypted, an attacker can exploit the bug to store a SetUID executable there and later run it as a local user to escalate privileges. The attacker can also replace the kernel and the initrd image.

Information disclosure: although the attacker cannot directly read the encrypted disk, there is still a lot he can do. For example, he can copy the disk to an external device and brute-force it offline later.

DoS attack: the attacker can delete the contents of the disk.

The affected range includes Debian, Ubuntu, Fedora and a number of other Linux distributions. Arch Linux and Solus users are not affected.

Solutions

Although the vulnerability is easy to trigger and its impact is wide, the fix is also extremely simple. First, press and hold the ENTER key for 70 seconds at the LUKS password prompt to check whether your system is vulnerable.

If it is, check whether your Linux distribution has published a patch. If no official patch has been released, you can fix the cryptroot problem yourself by adding panic=5 to the kernel boot parameters:

sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="panic=5 /' /etc/default/grub
grub-install
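The sed one-liner inserts panic=5 unconditionally, so running it twice stacks the parameter. The snippet below is an added example, not code from the article or from the advisory; the helper names grub_has_panic and grub_add_panic are assumptions, and it performs the same hardening edit idempotently, demonstrated on a constructed copy of /etc/default/grub.

```shell
#!/bin/sh
# Added example (not from the article or the advisory): check whether
# GRUB_CMDLINE_LINUX_DEFAULT already carries panic=<seconds>, and add it
# only when missing, so the edit is safe to repeat. Helper names are assumed.

# grub_has_panic FILE -> status 0 if GRUB_CMDLINE_LINUX_DEFAULT already
# contains a panic=<seconds> parameter, 1 otherwise.
grub_has_panic() {
    grep -E '^GRUB_CMDLINE_LINUX_DEFAULT="([^"]* )?panic=[0-9]+' "$1" >/dev/null 2>&1
}

# grub_add_panic FILE [SECONDS] -> prepend panic=SECONDS (default 5) to
# GRUB_CMDLINE_LINUX_DEFAULT unless a panic= value is already present.
grub_add_panic() {
    file=$1
    secs=${2:-5}
    case $secs in ''|*[!0-9]*) return 2 ;; esac   # only a plain integer is allowed
    if grub_has_panic "$file"; then
        return 0                                   # already hardened, leave the file alone
    fi
    # The trailing space keeps the new parameter separate from e.g. "quiet splash".
    sed -i "s/^GRUB_CMDLINE_LINUX_DEFAULT=\"/GRUB_CMDLINE_LINUX_DEFAULT=\"panic=$secs /" "$file"
}

# Stand-alone demo on a constructed copy. On a real host point it at
# /etc/default/grub and then regenerate the boot configuration as the
# article describes, so the parameter reaches the kernel command line.
sample=$(mktemp)
printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet splash"\n' > "$sample"
grub_add_panic "$sample"
grub_add_panic "$sample"                           # second run is a no-op
grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$sample"      # GRUB_CMDLINE_LINUX_DEFAULT="panic=5 quiet splash"
rm -f "$sample"
```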