[bug #58516] GRUB Local Privileges Escalation

bug-grub

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug #58516] GRUB Local Privileges Escalation

From:	Noam Rathais
Subject:	[bug #58516] GRUB Local Privileges Escalation
Date:	Sun, 7 Jun 2020 01:30:58 -0400 (EDT)
User-agent:	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.30 Safari/537.36

URL:
  <https://savannah.gnu.org/bugs/?58516>

                 Summary: GRUB Local Privileges Escalation
                 Project: GNU GRUB
            Submitted by: nrathaus
            Submitted on: Sun 07 Jun 2020 05:30:56 AM UTC
                Category: Security
                Severity: Major
                Priority: 5 - Normal
              Item Group: Software Error
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: Noam Rathaus
        Originator Email: noamr@ssd-disclosure.com
             Open/Closed: Open
                 Release: 
                 Release: other
         Discussion Lock: Any
         Reproducibility: Every Time
         Planned Release: None

    _______________________________________________________

Details:

There is a vulnerability that allows for local privilege escalation in GRUB, a
bootloader widely used together with the Linux kernel.

Exploitation scenario #1:

1. The attacker tricks the victim into inserting a removable media device into
the target computer. USB drives, SSD cards, SATA drives, all of them work.

2. The attacker waits until the victim updates the system, namely its kernel
or drivers, and reboots.

3. The system is now fully compromised. If the target uses full-disk
encryption, the attacker gains access **after** the victim has entered the
password.

Exploitation scenario #2:

1. A disk (let's say /dev/sda2) is mounted somewhere (let's say (/mnt/sda2),
and the attacker has write access to that directory (i.e., he can put files
inside /mnt/sda2). If the attacker can only put files inside /mnt/sda2/subdir,
it won't work.

2. The attacker puts certain files there.

3. The rest is as in steps 2 and 3 from exploitation scenario #1.

We have an exploit for this vulnerability. The default payload connects to
localhost on a certain port and executes any commands sent to it. The payload
can be easily changed to connect to a remote host and port, of course.

We have tested it on Ubuntu (Ubuntu 18.04 LTS) , Debian (stretch and testing)
and CentOS. Ubuntu and Debian were vulnerable, while CentOS was not. CentOS
doesn't use the vulnerable part of GRUB by default, even though it ships the
vulnerable part anyway. I want to emphasize that the vulnerability is present
in the upstream GRUB project and is not something added by distro maintainers.
Other distros may be vulnerable as well.

Let me know if you have any questions.

I will attach additional details in a followup comment.




    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?58516>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/

[Prev in Thread]

Current Thread

[Next in Thread]

[bug #58516] GRUB Local Privileges Escalation, Noam Rathais <=
- [bug #58516] GRUB Local Privileges Escalation, Noam Rathais, 2020/06/07
  - [bug #58516] GRUB Local Privileges Escalation, Vladimir Serbinenko, 2020/06/07
    - [bug #58516] GRUB Local Privileges Escalation, Noam Rathaus, 2020/06/08
    - [bug #58516] GRUB Local Privileges Escalation, Daniel Kiper, 2020/06/08

Prev by Date: [bug #58507] Errors in grub man pages
Next by Date: [bug #58516] GRUB Local Privileges Escalation
Previous by thread: [bug #58507] Errors in grub man pages
Next by thread: [bug #58516] GRUB Local Privileges Escalation
Index(es):
- Date
- Thread