
Dylan Ayrey

THE DIG

March 14, 2024

The Keyboard Button that Displays Linux Root Memory


Let me begin by saying I'm not a kernel expert. I was not expecting to (with Marc Newlin's help) stumble onto a way for a low-privileged user to leak root memory on a Raspberry Pi. Exploiting a Raspberry Pi has relatively low stakes, given the device is mostly used by hobbyists. This technique also sort of works on other distros, which we'll get into below.

You might be wondering, what button on the keyboard could possibly leak root memory? Well, there's this button to the right of the backspace button, above the insert button, which I, and probably you too, had literally never pressed (until recently). It's labeled "SysRq".


What's SysRq even for? It turns out the System Request (SysRq) key is packed with enough functionality to fill an entire Wikipedia page.

The SysRq key is a feature supported in Linux systems and is a holdover from older computer systems. When pressed, instead of sending a key to the keyboard buffer, the SysRq key directly triggers an interrupt and makes the kernel do *things*, bypassing the regular user interface.


In practice, the SysRq key can be used for various low-level commands that are crucial for troubleshooting and managing system emergencies, like turning the computer off, or safely syncing the filesystem. You read that correctly, your keyboard has an advanced power button on it. Here’s the full list of all the functionality it has packed into it:


Take note of the sysrq+p action, which displays the state of the CPU registers. On a Raspberry Pi (and other distros), using this command causes the raw values of the CPU registers to be immediately dumped to the screen and written to a system log file. The default pi user can read those system logs. Interestingly, the screen output cannot be accessed by the Linux user (of course your eyeballs can read the values), but the syslogs can be programmatically accessed by the default pi user.


A brief note on CPU registers: all processes stage memory in registers to do most computing operations. For example, in order to compare two strings, those strings will be read into registers, and compared against one another in the CPU.


So, for example, when a user logs in, the password they type gets hashed and then compared to the actual password hash. The CPU registers receive this data one character at a time.

If you recall, sysrq interrupts absolutely everything to run. That means it will even interrupt the login prompt asking for your password.


Let's say you find a Raspberry Pi that's encrypted with LUKS and password protected. You walk up to it with a keyboard, try a password, and then spam sysrq+p. There's a decent chance the correct hashed password is flashed on the screen, 64 8-bit registers at a time.



Of course, this exact attack doesn't seem super practical, because you'd have to press the button lightning quick and keep entering passwords to slowly leak the entire hash.

That's where Marc Newlin's recent BlueZ authentication-less Bluetooth keyboard exploit comes in. Prior to patches being released, Marc shared a copy of his exploit with me, and together we discovered you could programmatically spam sysrq+p every 50ms near a Raspberry Pi you wanted to target, and all that register data would get dumped to syslog.

From syslog, we were then able to reconstruct sensitive, root-only file contents as the pi user. It was fun, but when we explored other distros we found the attack was limited to Raspbian. Here's why:


(I got lazy with the syslogs when sysrq was disabled)

So we informed Raspbian of these findings, and somewhat unsurprisingly, the value of having syslogs and sysrq available to pi users outweighed the risks this attack posed (i.e. you can still do it today, minus the unauthenticated BlueZ part).

One important thing to note, though, is that these are just the system defaults, and they can be (and often are) changed by system administrators.
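Since the exposure comes down to those defaults, here is a small defender-side audit script, added as an example and not from the original post. It reads kernel.sysrq and kernel.dmesg_restrict, checks whether the current user can read the usual log files, and derives a sysrq mask with the register/process dump bit cleared so the rest of SysRq keeps working. Bit values follow the kernel's admin-guide sysrq documentation; the log file paths are assumptions, and the values in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not the post's or Raspberry Pi's code). Bit values are from
# the kernel's Documentation/admin-guide/sysrq.rst; log paths are assumptions.
SYSRQ_DUMP=8        # "enable debugging dumps of processes etc." (covers sysrq+p)
SYSRQ_ALL=510       # every function bit set: 2+4+8+16+32+64+128+256

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# True (0) when sysrq+p is reachable for the given kernel.sysrq value.
sysrq_p_enabled() {
    [ "$1" -eq 1 ] && return 0          # 1 = all functions enabled
    [ "$1" -eq 0 ] && return 1          # 0 = sysrq fully disabled
    [ $(( $1 & SYSRQ_DUMP )) -ne 0 ]    # otherwise it is a bitmask
}

# Same mask with the dump bit cleared (e.g. 1 -> 502, 438 -> 438).
harden_mask() {
    v="$1"
    [ "$v" -eq 1 ] && v=$SYSRQ_ALL
    r=$(( v & ~SYSRQ_DUMP ))
    [ "$r" -eq 1 ] && r=0               # a lone 1 would mean "enable all" again
    echo "$r"
}

# Args: kernel.sysrq value, kernel.dmesg_restrict value, logs readable (yes/no).
# Prints: disabled (sysrq+p cannot fire), console-only (dump reaches the screen
# but not an unprivileged reader), exposed (readable via dmesg or syslog).
classify() {
    is_uint "$1" || { echo unknown; return; }
    if ! sysrq_p_enabled "$1"; then echo disabled; return; fi
    if [ "$3" = yes ] || [ "$2" = 0 ]; then echo exposed; else echo console-only; fi
}

# Read this host's live settings (read-only) and report a verdict plus a fix.
audit_host() {
    sysrq=$(cat /proc/sys/kernel/sysrq 2>/dev/null || echo unknown)
    restrict=$(cat /proc/sys/kernel/dmesg_restrict 2>/dev/null || echo unknown)
    readable=no
    for f in /var/log/syslog /var/log/messages /var/log/kern.log; do
        [ -r "$f" ] && readable=yes
    done
    verdict=$(classify "$sysrq" "$restrict" "$readable")
    echo "kernel.sysrq=$sysrq dmesg_restrict=$restrict logs_readable=$readable -> $verdict"
    [ "$verdict" = exposed ] && echo "suggested: sysctl -w kernel.sysrq=$(harden_mask "$sysrq") kernel.dmesg_restrict=1"
    return 0
}

audit_host
```

The suggested sysctl values only take effect persistently if written to a file under /etc/sysctl.d/, and journald-based systems should additionally be checked for unprivileged journal access.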

Anyway… it took me a few decades to learn what that button on the keyboard did, so I figured at the very least I'd pay it forward to the security community and inform you: in Linux, there is in fact a button on the keyboard that dumps root memory.


Update: after reaching out to the Raspberry Pi Foundation, they've informed us they plan to change this behavior in the future to implement similar masking to Debian.