A vulnerability in Cryptsetup, concretely in the scripts that unlock the system partition when the partition is ciphered using LUKS (Linux Unified Key Setup). The disclosure of this vulnerability was presented as part of our talk “Abusing LUKS to Hack the System” in the DeepSec 2016 security conference, Vienna.
This vulnerability allows to obtain a root initramfs shell on affected systems. The vulnerability is very reliable because it doesn’t depend on specific systems or configurations. Attackers can copy, modify or destroy the hard disc as well as set up the network to exflitrate data. This vulnerability is specially serious in environments like libraries, ATMs, airport machines, labs, etc, where the whole boot process is protect (password in BIOS and GRUB) and we only have a keyboard or/and a mouse.
Note that in cloud environments it is also possible to remotely exploit this vulnerability without having “physical access.”
If you use Debian or Ubuntu/ (probably many derived distributions are also vulnerable, but we have not tested),and you have encrypted the system partition, then your systems is vulnerable.
Update: We have found that systems that use**<tt>Dracut</tt>instead of initramfs
are also vulnerables (tested onFedora 24** x86_64).
During the installation of Ubuntu, one of the first steps is to prepare the target partition (make partitions if needed, and/or format them). At this stage, the user is asked to “<tt>Encrypt the new (LXK)ubuntu installation for security</tt>”. Nowadays, there is very little performance penalty working with an encrypted disk and it is an effective solution to protect data when the computer is not running. It is advisable to enable this feature.
If you didn’t installed the system, the you can figure out the organization by running the <tt>blkid</tt> command.
<fieldset class=“code”><legend>Checking if the root partition is encrypted</legend>
<pre>$ blkid
/dev/sda1: UUID=“db96cdf9-99c3-4239-95f2-6af2651ef3ac” TYPE=“ext2”
<span>/dev/sda5</span>: UUID=“d491bf52-a9ea-466f-be9b-3a5df954699e” TYPE=“<span>crypto_LUKS</span>”
/dev/mapper/<span>sda5_crypt</span>: UUID=“30xz0y-4LeG-LwuL-QHI9-pWWi-BxHf-F3udoC” TYPE=“<span>LVM2_member</span>”
<span>/dev/mapper/lubuntu–vg-root</span>: UUID=“53f95bd1-9e1c-4e23-9ff3-990d90c5cc92” TYPE=“ext4”
<span>/dev/mapper/lubuntu–vg-swap_1</span>: UUID=“9eac532c-1b54-4cac-9995-b4b921222422” TYPE=“swap”
/dev/zram0: UUID=“c2929c6e-2432-40ee-99a5-deadbeefa53e” TYPE=“swap”
/dev/zram1: UUID=“d1bf1e22-dead-beef-9c49-e6462449d6e2” TYPE=“swap”
/dev/zram2: UUID=“12a9232d-c62e-0df6-93ea-22ac3600bdf0” TYPE=“swap”
/dev/zram3: UUID=“bf777ad3-13fc-4ad5-914b-002e67262939” TYPE=“swap”</pre>
</fieldset>
This is the classic structure where the partition “/dev/sda5
” is encrypted and then used as a physical_volume in the “lubuntu-vg
” volume_group which contains two logical_volumes: lubuntu--vg-root
and lubuntu--vg-swap_1
. As a result, the system and the swap partitions are encrypted by LUKS and protected by a single password. This system is vulnerable.
An attacker with access to the console of the computer and with the ability to reboot the computer can launch a shell (with root permissions) when he/she is prompted for the password to unlock the system partition. The shell is executed in the initrd environment. Obviously, the system partition is encrypted and it is not possible to decrypt it (AFAWK). But other partitions may be not encrypted, and so accessible. Just to mention some exploitation strategies:
The fault is caused by an incorrect handling of the password check in the script file /scripts/local-top/cryptroot
. When the user exceeds the maximum number of password tries (by default 3), then boot sequence continues normally.
initrd.img:/script/local-top/cryptroot
#!/bin/sh
.
setup_mapping()
{
.
# Try to get a satisfactory password $crypttries times
count=0
while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do
export CRYPTTAB_TRIED="$count"
count=$(( $count + 1 ))
.
if [ ! -e "$NEWROOT" ]; then
# cryptkeyscript = /lib/cryptsetup/askpass
# cryptopen = /sbin/cryptsetup -T 1
# The user is asked the password and then passed to $cryptopen
if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
$cryptkeyscript "$cryptkey" | $cryptopen; then
message "cryptsetup: cryptsetup failed, bad password or options?"
continue
fi
fi
.
#if [ -z "$FSTYPE" ] || [ "$FSTYPE" = "unknown" ]; then
if [ -z "$FSTYPE" ]; then
message "cryptsetup: unknown fstype, bad password or options?"
udev_settle
$cryptremove
continue
fi
message "cryptsetup: $crypttarget set up successfully"
break
done
# Always false -> never taken the if
if [ $crypttries -gt 0 ] && [ $count -gt $crypttries ]; then
message "cryptsetup: maximum number of tries exceeded for $crypttarget"
return 1
fi
udev_settle
return 0
}
.
# Do we have any settings from the /conf/conf.d/cryptroot file?
if [ -r /conf/conf.d/cryptroot ]; then
while read mapping <&3; do
setup_mapping "$mapping" 3<&- # Try to unlock each encrypted partition.
done 3< /conf/conf.d/cryptroot
fi
exit 0
The calling script, /scripts/local
, handles the error as if it were caused by a slow device that needs more time to warm-up.
The booting scripts then tries to recover/mount the “failing” device, in the function local_deveice_setup(), multiple times (up to 30 times on an x86 system, and 150 on a powerpc machine). Every time the top level script tries to mount the encrypted partition (line 99 in /script/local), the user is allowed to try 3 more LUKS passwords. This gives a total of 93 password trials (on x86).
local_device_setup()
{
. . .
# If the root device hasn't shown up yet, give it a little while
# to allow for asynchronous device discovery (e.g. USB). We
# also need to keep invoking the local-block scripts in case
# there are devices stacked on top of those.
if ! real_dev=$(resolve_device "${dev_id}") ||
! get_fstype "${real_dev}" >/dev/null; then
log_begin_msg "Waiting for ${name} file system"
# Timeout is max(30, rootdelay) seconds (approximately)
case $DPKG_ARCH in
powerpc|ppc64|ppc64el)
slumber=180
;;
*)
slumber=30
;;
esac
if [ ${ROOTDELAY:-0} -gt $slumber ]; then
slumber=$ROOTDELAY
fi
while true; do
sleep 1
# local_block() calls to setup_mapping() 30 times,
# trying to unlock LUKS root filesystem.
local_block "${dev_id}"
if real_dev=$(resolve_device "${dev_id}") &&
get_fstype "${real_dev}" >/dev/null; then
wait_for_udev 10
log_end_msg 0
break
fi
slumber=$(( ${slumber} - 1 ))
if [ ${slumber} -eq 0 ]; then
log_end_msg 1 || true
break
fi
done
fi
# We've given up, but we'll let the user fix matters if they can
while ! real_dev=$(resolve_device "${dev_id}") ||
! get_fstype "${real_dev}" >/dev/null; do
echo "Gave up waiting for ${name} device. Common problems:"
echo " - Boot args (cat /proc/cmdline)"
echo " - Check rootdelay= (did the system wait long enough?)"
if [ "${name}" = root ]; then
echo " - Check root= (did the system wait for the right device?)"
fi
echo " - Missing modules (cat /proc/modules; ls /dev)"
panic "ALERT! ${dev_id} does not exist. Dropping to a shell!"
done
DEV="${real_dev}"
}
. . .
But the real problem happens when the maximum number of trials for transient hardware faults is reached (30 times for non ppc systems), line 114 at function local_device_setup(). In this case, the top level script is not aware of the root cause of the fault and drops a shell (busybox) to the user, line 124. The panic() function (see below) tries to insert additional drivers and runs a shell.
The attacker just have to press and keep pressing the [Enter] key at the LUKS password prompt until a shell appears, which occurs after 70 seconds approx.
The issue can be easily fixed by stopping the boot sequence when the number of password guesses has been exhausted. The following patch suspends the execution forever. The only way to exit is by rebooting the computer.
cryptsetup_fix_CVE-2016-4484.patch
--- a/scripts/local-top/cryptroot 2016-07-29 10:56:12.299794095 +0200
+++ b/scripts/local-top/cryptroot 2016-07-29 11:00:57.287794370 +0200
@@ -273,6 +273,7 @@
# Try to get a satisfactory password $crypttries times
count=0
+ success=0
while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do
export CRYPTTAB_TRIED="$count"
count=$(( $count + 1 ))
@@ -349,12 +350,15 @@
fi
message "cryptsetup: $crypttarget set up successfully"
+ success=1
break
done
- if [ $crypttries -gt 0 ] && [ $count -gt $crypttries ]; then
- message "cryptsetup: maximum number of tries exceeded for $crypttarget"
- return 1
+ if [ $success -eq 0 ]; then
+ message "cryptsetup: Maximum number of tries exceeded. Please reboot."
+ while true; do
+ sleep 100
+ done
fi
udev_settle
The panic function, which is the one that launches the shell, can prevent console access if the kernel is booted with the “panic” parameter.
initram:/scripts/functions
panic()
{
if command -v chvt >/dev/null 2>&1; then
chvt 1
fi
echo "$@"
# Disallow console access
if [ -n "${panic}" ]; then
echo "Rebooting automatically due to panic= boot argument"
sleep ${panic}
reboot
exit # in case reboot fails, force kernel panic
fi
modprobe -v i8042 || true
modprobe -v atkbd || true
modprobe -v ehci-pci || true
modprobe -v ehci-orion || true
modprobe -v ehci-hcd || true
modprobe -v uhci-hcd || true
modprobe -v ohci-hcd || true
modprobe -v usbhid || true
run_scripts /scripts/panic
REASON="$@" PS1='(initramfs) ' /bin/sh -i </dev/console >/dev/console 2>&1
}
Therefore, adding the “panic” parameter to the kernel entry in the grub configuration will prevent a shell.
Adding “panic” to the Linux command line.
# sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="panic=5 /' /etc/default/grub
# grub-install
The direct cause of this vulnerability is the improper checking of the maximum number of passwords, but the bug was (probably) introduced by the addition of new features (in this case security features). It is well known that “Complexity is the worst enemy of security”. A system with more features requires more code and has more interactions between sub-systems, which results in harder to test systems and so more bugs.
Security is a non-functional requirement which must be analyzed globally. In this case, the “recovery” actions taken in the case of system errors should be revised and updated to match the security requirements.
It is common to assume that once the attacker has physical access to the computer, the game in over. The attackers can do whatever they want. And although this was true 30 years ago, today it is not.
There are many “levels” of physical access. Just to mention a few:
In order to protect the computer in these scenarios: the BIOS/UEFI has one or two passwords to protect the booting or the configuration menu; the GRUB also has the possibility to use multiple passwords to protect unauthorized operations.
And in the case of an encrypted system , the initrd shall block the maximum number of password trials and prevent the access to the computer in that case.
In general, the GNU/Linux ecosystem (kernel, system apps, distros, …) has been designed by developers for developers. Therefore, in the case of a fault, the recovery action is very “developer friendly”, which is very convenient while developing or in controlled environments. But then Linux is used in more hostile environments, this helpful (but naive) recovery services shall not be the default option.
UEFI and GRUB contain two complete and very powerful shell facilities. Initrd system has powerful busybox with complete access to the network.
May be all this “just in case” functionality shall be remove, or seriously reconsidered, for the sake of security.