Major Flaw in GRUB 2.0 Addressed
By on November 10th, 2009

GRUB 2.0, GRUB version 1.97 had a major security issue which allowed users to login by entering only a few characters of the password correctly. Only the sequence of characters had to be correct and for that matter, even one of the characters entered as password worked.

A recent bug-report from debian.org says:

GRUB accepts user input as valid password as long as user enters some first
characters of password correctly.

I.e. if /boot/grub/grub.cfg reads:

set superusers=”user1″
password user1 password1

Then user can enter “p”, “pa”, “pas” etc, and GRUB will ‘eat it’ as correct
password.

Given this, the GRUB team addressed the flaw with the release of GRUB 1.97.1 which has a fix to the problem. Apart from this, the new version of GRUB also addresses a build problem with the Mac OS X kernel, support for which was added only in the latest GRUB 2.0.

Given the hype GRUB 2.0 had created with its rewritten code, object-oriented model and support for multiple kernels, security issues like these, makes it look like a hoopla to the Linux beginners. We should know, Linux beginners are simply more interested in no-one entering their computer by typing just anything at the password prompt, than all the developments of extended file system support and kernel support.

Author: Chinmoy Kanjilal Google Profile for Chinmoy Kanjilal
Chinmoy Kanjilal is a FOSS enthusiast and evangelist. He is passionate about Android. Security exploits turn him on and he loves to tinker with computer networks. He rants occasionally at Techarraz.com. You can connect with him on Twitter @ckandroid.

Chinmoy Kanjilal has written and can be contacted at chinmoy@techie-buzz.com.
 
Copyright 2006-2012 Techie Buzz. All Rights Reserved. Our content may not be reproduced on other websites. Content Delivery by MaxCDN