If you're trying to steal someone's files from his or her computer, getting past the login screen can be hard, if not impossible. But thanks to a bizarre bug in several distributions of Linux, all you need is to hit the backspace key 28 times.
Two security researchers from the Cybersecurity Group at the Polytechnic University of Valencia (UPV) in Spain found that it's possible to bypass any kind of authentication and take control of a locked-down computer that runs Linux just by hitting the backspace 28 times. The bug is in Grub2, the bootloader used to initialize "most Linux systems," according to the researchers, who published their research on Tuesday.
If the system is vulnerable to this bug, the attacker can access what's called the "Grub rescue shell" and gain access to the computer's data, allowing him or her to install persistent malware, simply steal all the data, or destroy it, according to researchers Hector Marco and Ismael Ripoll.
"The number of backspaces hits was the only input controllable by the user to cause different manifestations of the error."
The researchers found that hitting the backspace 28 times causes an error in the systems' memory that launches the rescue function. The researchers found that hitting the backspace 28 times, and only 28 times, returned the value needed to trigger the error. Marco told Motherboard that they studied the code underlying the bootloader and "concluded the number of backspaces hits was the only input controllable by the user to cause different manifestations of the error."
Other than a weird and somewhat funny bug, this is also something that just should not happen, according to security experts.
"It is irresponsible for grub to lack decades-old exploit mitigations like stack cookies that could have addressed this issue," Dan Guido, the founder of security firm Trail of Bits, told Motherboard.
The researchers speculate that such a bug could be used by spies to install malware on a target's computer to steal his or her files. The spies could install persistent malware on the machine that survives reboots and even new installs.
Luckily, the two also made a patch that prevents the error that triggers the bug from occurring. So if you're worried your Linux system might be vulnerable, you might want to apply this emergency patch. Ubuntu, Red Hat, and Debian all have released fixes too.
While the impact of this bug is limited, given that an attacker needs physical access to the machine, it's a good reminder that computer systems are sometimes vulnerable to silly bugs like this.