Suramya's Blog : Welcome to my crazy life…

When folks think about hacking and people bypassing secure systems they have this mental image of folks writing complex code or physically reading the data byte by byte but that is not always true. Sometimes, it is as simple as just keeping the enter key pressed while the system is booting up. Yes, you read that right. A few days ago a vulnerability was found in a TPM-protected system that is configured to implement unattended unlocking for LUKS full disk encryption using RedHat’s Clevis and dracut software along with systemd.

Generally, a Linux computer using TPM-protected unattended disk encryption will still allow a user to view the output of the boot process and optionally manually enter a decryption password with the keyboard. This allows for situations where the computer fails to boot and needs someone to troubleshoot the startup process. While the unattended TPM unlocking is taking place, the user is still presented with the password prompt and an opportunity to enter input.

There’s a limited window of time before the TPM will unlock the disk and the boot process will proceed automatically to the login prompt, so how can we effectively fuzz this input opportunity? What if we could type faster than a human being? Using an Atmel ATMEGA32U4 microcontroller (such as you’d find in an Arduino Leonardo development board) we can emulate a keyboard that sends virtual keypresses at essentially the maximum rate that the computer will accept. The following short Arduino program sets up a Leonardo as a keyboard emulator:

#include "Keyboard.h"
void setup() {
delay(1000);
Keyboard.begin();
}
void loop() {
Keyboard.press(KEY_RETURN);
delay(10);
Keyboard.releaseAll();
delay(10);
}

One second after being plugged in this program begins to simulate pressing the Enter key on a virtual keyboard every 10 milliseconds. This is about 10x faster than the usual keyboard repeat rate you’d get simply holding down a key, and Linux seems to recognise around 70 characters per second using this method, or one keypress approximately every 15 milliseconds.

Sending keypresses this fast quickly hits the maximum number of password entry retries, while keeping the system from unlocking the disk automatically due to password guess rate limiting, and systemd eventually gives up trying to unlock the disk. It takes a minute or two but the recovery action in this failure scenario is to give us a root shell in the early boot environment

The simplest way to address the most immediate problem: Add rd.shell=0 and rd.emergency=reboot to the kernel command line. This ensures that if anything fails during the early boot process the computer will reboot immediately rather than dropping into a root shell.

However, this goes to show us that the old statement about security is still absolutely valid: “Physical access is root access. You can’t spend thousands on protecting the cyber threat landscape and ignore physical security such that people can just walk up to your computer and stick things inside. That being said, having a physical security program doesn’t necessarily protect your from an insider threat so that is also something to keep in mind.

Source: Pulsesecurity: Mashing Enter to bypass full disk encryption with TPM, Clevis, dracut and systemd

– Suramya