Attacks You Might Not Expect Part 1 - Boot Loaders
November 15th, 2007
I had the opportunity to attend Linux World this year. I attended a security discussion that was presented by Jay Beale of Intelguardians. It was a multi-part presentation and discussion of all things Linux. I took away a number of ideas that I think anyone who is providing Linux services to any company should take into account.
This overview is about the various techniques a hacker might use to gain access to your system via physical means. In other words, you get up from your desk at work for a meeting, you leave a laptop lying in a “safe” place, your ambitious child wants to get into your computer for whatever reason. There are various ways the attacker will try to gain access, and there are various ways you can slow their progress. Let’s take a look at a few of them.
Personal Workstation
So, let’s say you are responsible for the workstations in your company. You are running Linux. Whether you run LILO or GRUB, the attack is the same and it causes the same problem for your user. Suppose a person walks up to a Linux workstation that is not his own and reboots it. When the boot loader comes up, a few keystrokes take him into single user mode. How does this happen?
LILO
Just type “linux single” at the LILO prompt (“linux” is the image label from lilo.conf; any label will do).
or
GRUB
Edit the boot configuration by typing ‘e’ at the GRUB menu
Use the arrow keys to select the kernel line to edit
Hit ‘e’ again to edit the kernel line
Append “single” to the end of the line
Hit enter, then ‘b’ to boot
What happens when the system is rebooted? Why, the user is dropped into “single user” mode, no password is required, and the shell is root! That person now has access to everything on that workstation, and it didn’t take much effort. What could they do?
Let’s say the person doesn’t have a lot of time, but they know how to edit things quickly! Good skill to have, right? They edit /etc/passwd and /etc/shadow and add a new account with UID 0, that is, with root access. Then they can come back to do damage at a later time, through a normal login nobody will think twice about.
Why Does This Work?
Jay gave an excellent overview - and for some, this may be review. However, that is what is needed - a review of the boot process!
Simplified boot process
BIOS/EEPROM/NVRAM <- This is responsible for finding something to do
Bootloader (LILO/GRUB) <- Starts the kernel
init <- started by kernel
rc-scripts <- started by init
Given this flow, here’s what happens in Single User Mode:
Single-User Boot
BIOS/EEPROM/NVRAM
LILO/GRUB -> kernel single user mode
init 1 <- changes from above
runs S00single from the rc1.d scripts
That’s it, but there is a way to defend against this attack. You can force the user to provide the root password before single user mode hands out a shell. To do this, we add a line to /etc/inittab that runs sulogin for that runlevel. Type “man sulogin” to get a full description.
We want to add this process to the inittab. The inittab is an initialization table, or a table that specifies the processes that should be started at bootup and during normal operation. Use the “man inittab” command to get a full description of the table layout, and the various options available.
~~:S:respawn:/sbin/sulogin
By inserting this into your inittab, whenever single user mode is entered, init runs sulogin instead of a bare shell, and sulogin demands the super user (root) password before it will continue. Some distributions already ship an equivalent line, so check before adding a duplicate. Test it on your own system!
Another Approach to the Boot Loader
What if the hacker knows you might try this, and has another option to the boot loader scenario? What if they specify a program to run - like bash? It is possible to edit the boot loaders and specify an init option to run bash. Try it…
LILO
init=/bin/bash
and
GRUB
Do the earlier example to edit, and append “init=/bin/bash”
Pretty simple. The kernel now executes /bin/bash as process 1 instead of /sbin/init. Since init never runs, /etc/inittab is never read, the sulogin entry is never consulted, and the attacker lands in an interactive root shell. This one addition changes what the kernel runs as init. The only fix is to stop people from typing at the boot loader prompt at all: we need to password protect it.
Password Protecting the Boot Loader
For these examples, lilo.conf is /etc/lilo.conf, and grub.conf lives in /boot/grub (Red Hat-style systems symlink /etc/grub.conf to it).
LILO
You will edit the lilo.conf file and add the following lines to the global section, above the first image= entry:
restricted
password=SOME_REALLY_GOOD_PASSWORD
“restricted” means the password is only demanded when someone types options (such as “single” or “init=/bin/bash”) at the prompt; a normal boot is unaffected. The password is stored in clear text, so save the file and make it readable only by root:
chmod 600 /etc/lilo.conf
Then run /sbin/lilo to write the new boot sector. Until you do, the boot loader on disk knows nothing about the change. Pretty simple.
GRUB
For GRUB, we store an MD5-crypt hash of the password rather than the password itself. The hash has to be in the “$1$salt$hash” format that grub-md5-crypt (and /etc/shadow) produce; the hex digest printed by md5sum is a different thing and GRUB will not accept it. Here’s how:
# grub-md5-crypt
Password:
Retype password:
(grub-md5-crypt prints a line of the form $1$salt$hash)
Now put that hash on a password line in the global section of grub.conf, above the first “title” entry:
password --md5 $1$salt$hash
Substitute the exact string grub-md5-crypt printed. With this line in place, GRUB refuses the ‘e’ and ‘c’ keys until the operator presses ‘p’ and enters the password, so neither “single” nor “init=/bin/bash” can be appended. If you also want the password demanded before a particular entry will boot at all, add the word “lock” as the first line under that title.
Next, set the permission on the file:
chmod 600 /boot/grub/grub.conf
That’s it! You need to test your new protection to make sure that the attack fails.
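The GRUB recipe above hinges on the hash format, so here is an added example (not code from the original post or from the GRUB project) that implements the classic MD5-crypt scheme (“$1$salt$hash”) in pure Python, builds the “password --md5 …” line exactly as grub-md5-crypt would, and checks a candidate password against the hash found in a grub.conf. The sample grub.conf text and the password “hashcat” are constructed for the example; the hash for “hashcat” with salt 28772684 is the published MD5-crypt example vector from the hashcat project and is used here as a known answer.

```python
# Added example: MD5-crypt ($1$) as used by grub-md5-crypt and /etc/shadow.
# Not the original post's code; the grub.conf sample below is constructed.
import hashlib
import re
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"
HASH_RE = re.compile(r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}")


def _to64(value, count):
    """crypt(3)-style base64: emit `count` chars, least significant 6 bits first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5crypt(password, salt):
    """Return the $1$ MD5-crypt hash of `password` under `salt` (at most 8 chars)."""
    pw = password.encode()
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]
    sb = salt.encode()

    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                       # mix in alt, 16 bytes per 16 of pw
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                                # one byte per bit of len(pw)
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):                      # the slow stretching loop
        c1 = hashlib.md5()
        c1.update(pw if i & 1 else final)
        if i % 3:
            c1.update(sb)
        if i % 7:
            c1.update(pw)
        c1.update(final if i & 1 else pw)
        final = c1.digest()

    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in groups)
    encoded += _to64(final[11], 2)
    return "$1$" + salt + "$" + encoded


def grub_password_line(password, salt=None):
    """The global-section line grub-md5-crypt output is meant to be pasted into."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return "password --md5 " + md5crypt(password, salt)


def grub_hash_from_conf(conf_text):
    """Return the MD5-crypt hash from the first 'password --md5' line, or None."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*password\s+--md5\s+(\S+)\s*$", line)
        if m and HASH_RE.fullmatch(m.group(1)):
            return m.group(1)
    return None


def verify(password, hashed):
    """True if `password` produces `hashed` under the salt embedded in it."""
    salt = hashed.split("$")[2]
    return secrets.compare_digest(md5crypt(password, salt), hashed)


# Constructed grub.conf fragment; the hash is the hashcat project's MD5-crypt example.
SAMPLE_GRUB_CONF = (
    "default=0\n"
    "timeout=5\n"
    "password --md5 $1$28772684$iEwNOgGugqO9.bIz5sk8k/\n"
    "title Linux\n"
    "\troot (hd0,0)\n"
    "\tkernel /vmlinuz ro root=/dev/hda2\n"
)

if __name__ == "__main__":
    print(grub_password_line("hashcat"))     # fresh random salt each run
    print(verify("hashcat", grub_hash_from_conf(SAMPLE_GRUB_CONF)))
```

Running the block prints a ready-to-paste password line and True. The point to take away is that “password --md5” wants a salted, 1000-round MD5-crypt string, which is why the md5sum-based shortcut does not work and why grub-md5-crypt exists.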
Still Trying to get at Root
So, we’ve password protected the boot loaders, what else might happen? What if the attacker has his own boot device, say a floppy or CD-ROM? If they boot your system from their own media, they start out as root on that media! They can then mount your system’s main drive and modify it at will. How about editing the passwd file and adding a new account with root privileges? It’s pretty easy to do. How do we protect against this?
Go into the BIOS and turn off booting from any device other than the main drive. That stops this particular physical attack. But it only slows them down…
What if they reboot, enter BIOS setup, and re-enable booting from removable devices? All you have done is slow them down. You can defend the BIOS by password protecting it too, keeping in mind that with the case open a BIOS password can be cleared with a jumper or by pulling the CMOS battery.
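Before leaving the OS-level controls, here is an added example (not code from the original post) that audits the three of them the post describes: a sulogin entry in /etc/inittab for runlevel S, “restricted” plus “password=” in the global section of lilo.conf, and a “password --md5” line with a real MD5-crypt hash in the global section of grub.conf, each file also checked for mode 600. The BIOS setting cannot be checked from the running system. The sample config texts are constructed for the example, and the file paths in the usage section are assumptions.

```python
# Added example: read-only audit of the boot loader hardening from this post.
# Not the post's code; sample configs below are constructed, paths are assumed.
import os
import re
import stat

MD5CRYPT_RE = re.compile(r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}")


def inittab_has_sulogin(text):
    """True if an inittab entry (id:runlevels:action:process) runs sulogin for S or 1."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)
        if len(fields) != 4:
            continue
        _ident, runlevels, action, process = fields
        if (set(runlevels.upper()) & {"S", "1"}
                and action in ("respawn", "wait", "once")
                and "sulogin" in process):
            return True
    return False


def lilo_conf_issues(text):
    """Problems in lilo.conf's global section (everything before the first image=/other=)."""
    restricted = password = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(("image=", "other=")):
            break                                  # per-image sections start here
        if s == "restricted":
            restricted = True
        elif s.startswith("password="):
            password = True
    issues = []
    if not password:
        issues.append("lilo.conf: no global password= line")
    elif not restricted:
        issues.append("lilo.conf: password= without 'restricted' prompts on every boot")
    if restricted and not password:
        issues.append("lilo.conf: 'restricted' does nothing without password=")
    return issues


def grub_conf_issues(text):
    """Problems in grub.conf's global section (everything before the first title)."""
    issues, found = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("title"):
            break
        m = re.match(r"password\s+(.*)$", s)
        if not m:
            continue
        found = True
        arg = m.group(1).strip()
        if arg.startswith("--md5"):
            if not MD5CRYPT_RE.fullmatch(arg[len("--md5"):].strip()):
                issues.append("grub.conf: --md5 argument is not an MD5-crypt hash "
                              "(md5sum output will not work; use grub-md5-crypt)")
        else:
            issues.append("grub.conf: password stored in clear text; use 'password --md5'")
    if not found:
        issues.append("grub.conf: no password line in the global section before the first title")
    return issues


def mode_issues(name, mode):
    """Complain if a boot loader config is readable by group or other."""
    if mode & 0o077:
        return ["%s: mode %04o is group/world readable; chmod 600" % (name, mode)]
    return []


def audit_file(path, checker):
    """Run a text checker over a real file and append the permission check."""
    with open(path) as f:
        issues = checker(f.read())
    return issues + mode_issues(path, stat.S_IMODE(os.stat(path).st_mode))


# Constructed samples (not taken from any real system).
INITTAB_OK = "id:3:initdefault:\n~~:S:respawn:/sbin/sulogin\nl1:1:wait:/etc/rc.d/rc 1\n"
INITTAB_NO_SULOGIN = "id:3:initdefault:\nl1:1:wait:/etc/rc.d/rc 1\n"
LILO_OK = "boot=/dev/hda\nrestricted\npassword=SOME_REALLY_GOOD_PASSWORD\nimage=/boot/vmlinuz\n\tlabel=linux\n"
LILO_BAD = "boot=/dev/hda\nimage=/boot/vmlinuz\n\tlabel=linux\n"
GRUB_OK = "default=0\npassword --md5 $1$28772684$iEwNOgGugqO9.bIz5sk8k/\ntitle Linux\n\troot (hd0,0)\n"
# What an md5sum-based recipe produces: a hex digest GRUB will not accept.
GRUB_HEX = "default=0\npassword --md5 5f4dcc3b5aa765d61d8327deb882cf99\ntitle Linux\n"

if __name__ == "__main__":
    # Assumed paths for a Red Hat-style box; adjust to your distribution.
    checks = [("/etc/inittab", lambda t: [] if inittab_has_sulogin(t) else ["inittab: no sulogin entry for runlevel S"]),
              ("/etc/lilo.conf", lilo_conf_issues),
              ("/boot/grub/grub.conf", grub_conf_issues)]
    for path, checker in checks:
        if os.path.exists(path):
            print(path, audit_file(path, checker) or "ok")
```

Run it as root on the workstation and fix anything it reports; an empty list for each file means the three controls from this post are in place and the files are not world readable.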
Vicious Cycle
The main point is, you don’t really win against someone who really wants access to your system. The idea here is to slow them down. Safes are measured in “time to open.” A “30 minute safe” means it will take a skilled robber 30 minutes to get in. Use this approach for your physical security. Make your computer “30 minutes safe,” or better.
So, the point of the exercise is several-fold.
- You are increasing the knowledge the hacker must have
- You are slowing down how long it takes them to compromise the system
- Force the attacker to be prepared with tools! Screwdrivers!
- Most importantly - you are increasing the chance they will be caught!