Back to 28: Grub2 Authentication Bypass 0-Day [CVE-2015-8370]
Hi everyone,

A vulnerability in Grub2 (Back to 28) has been found. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected.

The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer.

More details at: http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html

Regards,
Hector Marco & Ismael Ripoll.

--
Dr. Hector Marco-Gisbert @ http://hmarco.org/
Cyber Security Researcher @ http://cybersecurity.upv.es
Universitat Politècnica de València (Spain)
AMD Bulldozer Linux ASLR weakness: Reducing entropy by 87.5%
A security issue in the Linux ASLR implementation which affects some AMD processors has been found. The issue affects all Linux processes, even if they are not using shared libraries (statically compiled).

The problem appears because some mmapped objects (VDSO, libraries, etc.) are poorly randomized in an attempt to avoid cache aliasing penalties for AMD Bulldozer (Family 15h) processors. Affected systems have reduced the mmapped files entropy by eight. Grsecurity/PaX is also affected.

The total entropy for the VVAR/VDSO, mmapped files and libraries of a process is reduced by eight. The number of possible locations where the mapped areas can be placed is reduced by 87.5%.

On 32-bit systems, for example, the entropy for libraries is reduced from 2^8 to 2^5, which means that libraries only have 32 different places where they can be loaded. Under this scenario, advanced techniques used by PaX to thwart brute force attacks (for example, forcing a delay on process creation when a crash occurs) are no longer effective. The attackers need on average only 16 trials.

Advisory details at: http://hmarco.org/bugs/AMD-Bulldozer-linux-ASLR-weakness-reducing-mmaped-files-by-eight.html

We sent a patch, and Linux 4.1 Will Improve AMD Bulldozer's ASLR Entropy Issue: http://www.spinics.net/lists/linux-tip-commits/msg27373.html

--
Hector Marco-Gisbert @ http://hmarco.org/
Cyber Security Researcher @ http://cybersecurity.upv.es
Universitat Politècnica de València (Spain)
Linux ASLR mmap weakness: Reducing entropy by half
A bug in the Linux ASLR implementation has been found. The issue is that the mmap base address for processes is not properly randomized on some architectures due to an improper bit-mask manipulation.

Affected systems have reduced the mmap area entropy of the processes by half. The number of possible locations is reduced by 50%, which for example will reduce the cost of brute force attacks.

PowerPC, Sparc64 and ARM have 18 bits of entropy. Non-vulnerable systems have 262144 (2^18) different places to locate the mmap area. On vulnerable systems, this value is reduced to 131072 (2^17).

Advisory details at: http://hmarco.org/bugs/linux-ASLR-reducing-mmap-by-half.html

--
Hector Marco-Gisbert @ http://hmarco.org/
Cyber Security Researcher @ http://cybersecurity.upv.es
Universitat Politècnica de València (Spain)
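The two ASLR advisories above (the Bulldozer 2^8 to 2^5 reduction and the mmap-base 2^18 to 2^17 reduction) both come down to random bits that never reach the address. The following is an added example, not code from the advisories or from the kernel: it models the three randomization behaviours with hypothetical functions (the "wrong mask" and Bulldozer-style functions are illustrative models, not the actual kernel code) and shows how a defender can measure effective ASLR entropy from a sample of observed mmap bases by counting which address bits actually vary. MMAP_BASE is a constructed constant.

```python
import random

PAGE_SHIFT = 12           # 4 KiB pages: the random offset is applied in pages
MMAP_RND_BITS = 18        # entropy the advisory cites for PowerPC, Sparc64, ARM
MMAP_BASE = 0x7F0000000000  # constructed base with zero low bits (no carries)


def mmap_rnd_correct(rng: random.Random) -> int:
    """Intended behaviour: keep all MMAP_RND_BITS bits of the random value."""
    return rng.getrandbits(32) & ((1 << MMAP_RND_BITS) - 1)


def mmap_rnd_masked_wrong(rng: random.Random) -> int:
    """Hypothetical defect (illustration only): the mask is built one bit too
    short, so the top random bit is always zero and half the slots vanish."""
    return rng.getrandbits(32) & ((1 << (MMAP_RND_BITS - 1)) - 1)


def mmap_rnd_bulldozer_like(rng: random.Random) -> int:
    """Model of the Bulldozer cache-aliasing workaround: of an 8-bit offset
    the low 3 bits are forced to zero, so 2^8 slots collapse to 2^5."""
    return rng.getrandbits(32) & 0xF8


def sample_bases(rnd_fn, n: int, seed: int = 1) -> list:
    """Constructed stand-in for observing the mmap base of n fresh processes."""
    rng = random.Random(seed)
    return [MMAP_BASE + (rnd_fn(rng) << PAGE_SHIFT) for _ in range(n)]


def entropy_bits(bases: list) -> int:
    """Measure entropy the way an auditor would from /proc/<pid>/maps data:
    OR together the XOR of every base with the first one, then count the bits
    that ever changed. A few thousand samples expose every live bit."""
    varying = 0
    for b in bases:
        varying |= b ^ bases[0]
    return bin(varying).count("1")


def slots(bits: int) -> int:
    """Number of distinct placements, and thus the brute-force search space."""
    return 1 << bits


def expected_trials(bits: int) -> int:
    """Average guesses to hit one fixed slot: half the search space."""
    return slots(bits) // 2
```

With 32 slots (5 bits) `expected_trials(5)` gives the 16 trials the advisory mentions; running `entropy_bits` over real bases collected from repeated process launches applies the same check to a live system.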