Re: [Fwd: Vulnerabilities in Lilo 22.6.1 and previous versions]
From: Jonathan Brossard
Subject: Re: [Fwd: Vulnerabilities in Lilo 22.6.1 and previous versions]
Date: Tue, 29 Jul 2008 18:15:36 +0530
User-agent: Thunderbird 2.0.0.14 (X11/20080502)
Dear Pierre Yves,
(Cher Pierre Yves, meme ;),

> Thanks for the information, I'm forwarding your e-mail to the vendor-sec
> mailing list (in CC) since other linux distros could be interested,

Thanks for relaying the information, I really didn't know who to ping
since the main author's email is erroneous...

> although nowadays most of us use GRUB as the default bootloader :)

Actually, the same vulnerability also affects Grub...
Let me reproduce the mail I sent to the Grub team
a few hours back (see below...)

Best regards,
Jonathan-
---------------------------- Original Grub Advisory -----------------------------------------
Dear Grub team,

This email is an attempt to follow the rules of responsible
disclosure by offering you to work on a patch to the vulnerability
we discovered, affecting Grub (I tested version 0.97 -latest CVS-
specifically, but grub2 is most likely also vulnerable).

During extensive research on pre-boot authentication software,
we discovered a new class of vulnerability, which affects, among others, Grub.
Other similar products you are selling are likely to be vulnerable as well.

Full details will be made public during the Defcon Security conference,
on Saturday the 9th of August.
--[ Technical details :

The password checking routine of Grub fails to sanitize the BIOS keyboard
buffer before AND after reading passwords.

--[ Impacts :

1) Plain text password disclosure.
Required privileges to perform this operation are OS dependent,
from unprivileged users under Windows (any), to root under most Unix.

2) A privileged attacker able to write to the MBR and knowing the password
(for instance thanks to 1), is able to reboot the computer in spite of the
password prompted at boot time by initializing the BIOS keyboard buffer with
the correct password (using a second bootloader that will in turn run lilo).
--[ A bit more details :

On x86 computers, Grub relies on BIOS interrupts to read user passwords.
This API relies on an internal BIOS keyboard buffer in the BIOS Data Area,
which is not sanitized before and after use.

This allows a logged in user to potentially retrieve the password in plain text
(the level of privileges required to perform this activity can be as low as an
unprivileged guest user under Windows - from 9x to Vista).

Since the BIOS keyboard buffer is also not initialized before use, an attacker can
fill it up using a rogue bootloader and then load grub, allowing him to reboot the
computer without having physical access to the computer, resulting in a full security
bypass of the Grub password authentication.

Configuring Grub to use an MD5 password at boot time doesn't solve the problem.
--[ Full details :
Will be released at Defcon 16,
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Brossard
--[ PoC :

I configured Grub to ask for a password at boot time.
Once the computer has booted, the password remains in memory forever :

address@hidden:~# grub --version
grub (GNU GRUB 0.97)
address@hidden:~# dd if=/dev/kmem ibs=1 skip=3221226526 count=32 2>/dev/null|xxd
0000000: 7414 6f18 7414 6f18 0d1c 0000 0000 0000 t.o.t.o.........
0000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
address@hidden:~#
--[ Patching :

Implementing a checking routine doing something like this,
(this is real mode 16b asm, for nasm compiler) :

; zero 36 bytes starting at address 0x40:0x1a
; (keyboard buffer head pointer at 0x40:0x1a, tail pointer at 0x40:0x1c,
;  followed by the 32-byte key buffer at 0x40:0x1e..0x3d)
xor ax, ax
mov al, 0x40
mov ds, ax          ; ds = BIOS Data Area segment
mov al, 0x1a
mov si, ax          ; si = offset of the first byte to clear
mov cx, 0x24        ; 36 bytes
xor al, al
cleanall:
mov [ds:si], al     ; store one zero byte
inc si              ; advance to the next byte
loop cleanall

and calling it _before_ and _after_ reading the password will
fix both vulnerabilities.
--[ Credits :
Jonathan Brossard, address@hidden
Lead Security Research Engineer,
iViZ Technosolutions Pvt. Ltd. Kolkata, India.
http://www.ivizindia.com
+91-33-23242212
Please feel free to contact us if you need more help to create a patch.
Best regards,
Jonathan Brossard
----------------------------------------- Appendix -----------------------------------------

--[ Menu.lst Grub configuration :
--------------------------------------------------------------------------------------------------------
# menu.lst - See: grub(8), info grub, update-grub(8)
#            grub-install(8), grub-floppy(8),
#            grub-md5-crypt, /usr/share/doc/grub
#            and /usr/share/doc/grub-doc/.

## default num
# Set the default entry to the entry number NUM. Numbering starts from 0, and
# the entry number 0 is the default if the command is not used.
#
# You can specify 'saved' instead of a number. In this case, the default entry
# is the entry saved with the command 'savedefault'.
# WARNING: If you are using dmraid do not change this entry to 'saved' or your
# array will desync and will not let you boot your system.
default 0

## timeout sec
# Set a timeout, in SEC seconds, before automatically booting the default entry
# (normally the first entry defined).
timeout 10

## hiddenmenu
# Hides the menu by default (press ESC to see the menu)
#hiddenmenu

# Pretty colours
color cyan/blue white/blue

## password ['--md5'] passwd
# If used in the first section of a menu file, disable all interactive editing
# control (menu entry editor and command-line) and entries protected by the
# command 'lock'
# e.g. password topsecret
#      password --md5 $1$gLhU0/$aW78kHK1QfV3P2b2znUoe/
# password topsecret
#password --md5 a8f2ff865cca86a79915cf559184dada

#
# examples
#
# title  Windows 95/98/NT/2000
# root   (hd0,0)
# makeactive
# chainloader +1
#
# title  Linux
# root   (hd0,1)
# kernel /vmlinuz root=/dev/hda2 ro
#

#
# Put static boot stanzas before and/or after AUTOMAGIC KERNEL LIST

### BEGIN AUTOMAGIC KERNELS LIST
## lines between the AUTOMAGIC KERNELS LIST markers will be modified
## by the debian update-grub script except for the default options below

## DO NOT UNCOMMENT THEM, Just edit them to your needs

## ## Start Default Options ##
## default kernel options
## default kernel options for automagic boot options
## If you want special options for specific kernels use kopt_x_y_z
## where x.y.z is kernel version. Minor versions can be omitted.
## e.g. kopt=root=/dev/hda1 ro
##      kopt_2_6_8=root=/dev/hdc1 ro
##      kopt_2_6_8_2_686=root=/dev/hdc2 ro
# kopt=root=UUID=ea6a9986-022a-48fd-a44b-3d6808ae9422 ro

## Setup crashdump menu entries
## e.g. crashdump=1
# crashdump=0

## default grub root device
## e.g. groot=(hd0,0)
# groot=(hd0,0)

## should update-grub create alternative automagic boot options
## e.g. alternative=true
##      alternative=false
# alternative=true

## should update-grub lock alternative automagic boot options
## e.g. lockalternative=true
##      lockalternative=false
# lockalternative=false

## additional options to use with the default boot option, but not with the
## alternatives
## e.g. defoptions=vga=791 resume=/dev/hda5
# defoptions=quiet splash

## should update-grub lock old automagic boot options
## e.g. lockold=false
##      lockold=true
# lockold=false

## Xen hypervisor options to use with the default Xen boot option
# xenhopt=

## Xen Linux kernel options to use with the default Xen boot option
# xenkopt=console=tty0

## altoption boot targets option
## multiple altoptions lines are allowed
## e.g. altoptions=(extra menu suffix) extra boot options
##      altoptions=(recovery) single
# altoptions=(recovery mode) single

## controls how many kernels should be put into the menu.lst
## only counts the first occurence of a kernel, not the
## alternative kernel options
## e.g. howmany=all
##      howmany=7
# howmany=all

## should update-grub create memtest86 boot option
## e.g. memtest86=true
##      memtest86=false
# memtest86=true

## should update-grub adjust the value of the default booted system
## can be true or false
# updatedefaultentry=false

## should update-grub add savedefault to the default options
## can be true or false
# savedefault=false

## ## End Default Options ##

splashimage=(hd0,2)/etc/frag.xpm.gz

title  Ubuntu 7.10, kernel 2.6.22-15-generic
root   (hd0,0)
kernel /vmlinuz-2.6.22-15-generic root=UUID=ea6a9986-022a-48fd-a44b-3d6808ae9422 ro quiet splash
initrd /initrd.img-2.6.22-15-generic
password toto
quiet

title  Ubuntu 7.10, kernel 2.6.22-15-generic (recovery mode)
root   (hd0,0)
kernel /vmlinuz-2.6.22-15-generic root=UUID=ea6a9986-022a-48fd-a44b-3d6808ae9422 ro single
initrd /initrd.img-2.6.22-15-generic

title  Ubuntu 7.10, kernel 2.6.22-14-generic
root   (hd0,0)
kernel /vmlinuz-2.6.22-14-generic root=UUID=ea6a9986-022a-48fd-a44b-3d6808ae9422 ro quiet splash
initrd /initrd.img-2.6.22-14-generic
quiet

title  Ubuntu 7.10, kernel 2.6.22-14-generic (recovery mode)
root   (hd0,0)
kernel /vmlinuz-2.6.22-14-generic root=UUID=ea6a9986-022a-48fd-a44b-3d6808ae9422 ro single
initrd /initrd.img-2.6.22-14-generic

title  Ubuntu 7.10, kernel 2.6.20-15-generic
root   (hd0,0)
kernel /vmlinuz-2.6.20-15-generic root=UUID=ea6a9986-022a-48fd-a44b-3d6808ae9422 ro quiet splash
initrd /initrd.img-2.6.20-15-generic
quiet

title  Ubuntu 7.10, kernel 2.6.20-15-generic (recovery mode)
root   (hd0,0)
kernel /vmlinuz-2.6.20-15-generic root=UUID=ea6a9986-022a-48fd-a44b-3d6808ae9422 ro single
initrd /initrd.img-2.6.20-15-generic

title  Ubuntu 7.10, memtest86+
root   (hd0,0)
kernel /memtest86+.bin
quiet

### END DEBIAN AUTOMAGIC KERNELS LIST
--------------------------------------------------------------------------------------------------------
--
Jonathan Brossard
Security Research Engineer
iViZ Techno Solutions Pvt. Ltd.
Mobile: +91-9748772994
Kolkata:
iViZ Technology Solutions(P) Ltd
c/o Erevmax Technologies (P) Ltd
DLF IT Park,
Tower-1, 12th Floor
08 Major Arterial Road
New Town, Rajarhat
Kolkata- 700 156
Kharagpur:
iViZ Techno Solutions Pvt Ltd,
School of Information Technology,
Indian Institute of Technology,
2nd Floor, Takshashila,
Kharagpur 721302 West Bengal, India.
Phone: +91-3222-282300 ext 4324
Web page: http://www.ivizindia.com
Pierre-Yves Rofes wrote:
Hi Jonathan,
Thanks for the information, I'm forwarding your e-mail to the vendor-sec
mailing list (in CC) since other linux distros could be interested,
although nowadays most of us use GRUB as the default bootloader :)
---------------------------- Original Message ----------------------------
Subject: Vulnerabilities in Lilo 22.6.1 and previous versions
From: "Jonathan Brossard" <address@hidden>
Date: Tue, July 29, 2008 12:54 pm
To: "Jamie Strandboge" <address@hidden>
address@hidden
address@hidden
address@hidden
address@hidden
Cc: address@hidden
"cer >> \"CERT\(R\) Coordination Center\"" <address@hidden>
--------------------------------------------------------------------------
Dear Linux distribution makers,

We have discovered multiple vulnerabilities in Lilo, but can't get in touch with
the author. The address of the maintainer given on http://lilo.go.dyndns.org/
is no longer valid. I would therefore appreciate if you could deliver this bug report
to whoever it may now concern.

Best regards,
------------------------------------------------------------------------
Subject: Vulnerabilities in Lilo 22.6.1 and previous versions
From: Jonathan Brossard <address@hidden>
Date: Tue, 29 Jul 2008 16:02:19 +0530
To: address@hidden
To: address@hidden
CC: address@hidden, "cer >> \"CERT(R) Coordination Center\"" <address@hidden>
Dear Lilo team,

This email is an attempt to follow the rules of responsible
disclosure by offering you to work on a patch to the vulnerability
we discovered, affecting lilo (all versions, up to current, tested under
version 22.6.1).

During extensive research on pre-boot authentication software,
we discovered a new class of vulnerability, which affects, among others, lilo.
Other similar products you are selling are likely to be vulnerable as well.

Full details will be made public during the Defcon Security conference,
on Saturday the 9th of August.
--[ Technical details :

The password checking routine of Lilo fails to sanitize the BIOS keyboard
buffer before AND after reading passwords.

--[ Impacts :

1) Plain text password disclosure.
Required privileges to perform this operation are OS dependent,
from unprivileged users under Windows (any), to root under most Unix.

2) A privileged attacker able to write to the MBR and knowing the password
(for instance thanks to 1), is able to reboot the computer in spite of the
password prompted at boot time by initializing the BIOS keyboard buffer with
the correct password (using a second bootloader that will in turn run lilo).
--[ Full details :
Will be released at Defcon 16,
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Brossard
--[ Patching :

Implementing a checking routine doing something like this,
(this is real mode 16b asm, for nasm compiler) :

; zero 36 bytes starting at address 0x40:0x1a
; (keyboard buffer head pointer at 0x40:0x1a, tail pointer at 0x40:0x1c,
;  followed by the 32-byte key buffer at 0x40:0x1e..0x3d)
xor ax, ax
mov al, 0x40
mov ds, ax          ; ds = BIOS Data Area segment
mov al, 0x1a
mov si, ax          ; si = offset of the first byte to clear
mov cx, 0x24        ; 36 bytes
xor al, al
cleanall:
mov [ds:si], al     ; store one zero byte
inc si              ; advance to the next byte
loop cleanall

and calling it _before_ and _after_ reading the password will
fix both vulnerabilities.
--[ Credits :
Jonathan Brossard, address@hidden
Lead Security Research Engineer,
iViZ Technosolutions Pvt. Ltd. Kolkata, India.
http://www.ivizindia.com
+91-33-23242212
Please feel free to contact us if you need more help to create a patch.
Best regards,
Jonathan Brossard
--
Jonathan Brossard
Security Research Engineer
iViZ Techno Solutions Pvt. Ltd.
Mobile: +91-9748772994
Kolkata:
iViZ Technology Solutions(P) Ltd
c/o Erevmax Technologies (P) Ltd
DLF IT Park,
Tower-1, 12th Floor
08 Major Arterial Road
New Town, Rajarhat
Kolkata- 700 156
Kharagpur:
iViZ Techno Solutions Pvt Ltd,
School of Information Technology,
Indian Institute of Technology,
2nd Floor, Takshashila,
Kharagpur 721302 West Bengal, India.
Phone: +91-3222-282300 ext 4324
Web page: http://www.ivizindia.com
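The mechanism described in the "A bit more details" section and the cleanall fix given in both the Grub and Lilo "Patching" sections, carried through in C as an added example. This is not code from either advisory nor from the GRUB or LILO projects; it works on an in-memory copy of the BIOS Data Area keyboard region (segment 0x40: head pointer at offset 0x1A, tail pointer at 0x1C, sixteen two-byte ASCII/scan-code slots at 0x1E..0x3D) and never touches real memory. The sample buffer is the 32 bytes the Grub PoC above dumped with dd: its skip value 3221226526 is 0xC000041E, i.e. physical address 0x41E (0x40:0x1E) under the kernel's 3 GB mapping, and the bytes decode as 't','o','t','o',Enter. The example shows why the leak survives a completed password prompt (head == tail makes the BIOS report an empty buffer while the consumed bytes stay in place), gives a check that a bootloader's sanitizer can be tested against, and implements the fix. One deliberate difference from the advisories' "zero 36 bytes", which is this example's own design choice: the head and tail pointers are reset to 0x1E rather than to 0, because INT 09h stores the next keystroke at [0x40:tail]. All function and macro names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BIOS Data Area (segment 0x40) offsets of the keyboard buffer as laid out by PC BIOSes. */
#define KBD_HEAD_OFF   0x1A  /* word: offset of the next slot INT 16h will return */
#define KBD_TAIL_OFF   0x1C  /* word: offset of the slot INT 09h fills next */
#define KBD_BUF_START  0x1E  /* 16 two-byte slots: ASCII byte, then scan-code byte */
#define KBD_BUF_END    0x3E  /* one past the last slot */
#define BDA_IMAGE_LEN  0x40  /* this example models offsets 0x00..0x3F of segment 0x40 */

static uint16_t rd16(const uint8_t *bda, int off)
{
    return (uint16_t)(bda[off] | (bda[off + 1] << 8));
}

static void wr16(uint8_t *bda, int off, uint16_t v)
{
    bda[off] = (uint8_t)(v & 0xFF);
    bda[off + 1] = (uint8_t)(v >> 8);
}

/* Number of ring slots that still hold a keystroke, whatever head/tail say.
 * The leak is this stale content: INT 16h reports "empty" once head == tail,
 * but the bytes of every consumed key stay in place until overwritten. */
int count_residual_keys(const uint8_t *bda)
{
    int n = 0, off;
    for (off = KBD_BUF_START; off < KBD_BUF_END; off += 2)
        if (bda[off] != 0 || bda[off + 1] != 0)
            n++;
    return n;
}

/* Post-condition a sanitizer must establish: ring zeroed, and both pointers
 * equal and inside the ring (the empty state the BIOS itself uses). */
int kbd_buffer_is_sanitized(const uint8_t *bda)
{
    uint16_t head = rd16(bda, KBD_HEAD_OFF), tail = rd16(bda, KBD_TAIL_OFF);
    if (count_residual_keys(bda) != 0)
        return 0;
    return head == tail && head >= KBD_BUF_START && head < KBD_BUF_END;
}

/* The cleanall routine in C. Head and tail are reset to KBD_BUF_START rather
 * than to 0 (example's own choice): INT 09h writes at [0x40:tail], so a tail of
 * 0 would send later keystrokes into the start of the BDA instead of the ring.
 * Run it before AND after the password prompt, as the advisories say. */
void kbd_buffer_sanitize(uint8_t *bda)
{
    memset(bda + KBD_BUF_START, 0, KBD_BUF_END - KBD_BUF_START);  /* 32-byte ring */
    wr16(bda, KBD_HEAD_OFF, KBD_BUF_START);
    wr16(bda, KBD_TAIL_OFF, KBD_BUF_START);
}

/* Constructed BDA image. The ring content is the 32 bytes the PoC dumped from
 * 0x40:0x1E; head == tail just past the five slots, i.e. the bootloader has
 * consumed the keystrokes and the BIOS considers the buffer empty. */
void make_sample_bda(uint8_t *bda)
{
    static const uint8_t ring[32] = {
        0x74, 0x14, 0x6f, 0x18, 0x74, 0x14, 0x6f, 0x18, 0x0d, 0x1c,
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
    };
    memset(bda, 0, BDA_IMAGE_LEN);
    memcpy(bda + KBD_BUF_START, ring, sizeof ring);
    wr16(bda, KBD_HEAD_OFF, KBD_BUF_START + 10);
    wr16(bda, KBD_TAIL_OFF, KBD_BUF_START + 10);
}

/* Build the sample, optionally sanitize it, and report the residual slot count. */
int demo_residual_keys(int sanitize_first)
{
    uint8_t bda[BDA_IMAGE_LEN];
    make_sample_bda(bda);
    if (sanitize_first)
        kbd_buffer_sanitize(bda);
    return count_residual_keys(bda);
}

/* Same, reporting whether the region passes the sanitizer check. */
int demo_is_sanitized(int sanitize_first)
{
    uint8_t bda[BDA_IMAGE_LEN];
    make_sample_bda(bda);
    if (sanitize_first)
        kbd_buffer_sanitize(bda);
    return kbd_buffer_is_sanitized(bda);
}

int main(void)
{
    printf("before fix: %d stale key slots, sanitized=%d\n",
           demo_residual_keys(0), demo_is_sanitized(0));
    printf("after fix:  %d stale key slots, sanitized=%d\n",
           demo_residual_keys(1), demo_is_sanitized(1));
    return 0;
}
```

Because the check runs on a copy of the region rather than on live memory, it doubles as a unit test for a sanitizer before it is dropped into a boot sector: feed it an image captured after a password prompt and require kbd_buffer_is_sanitized to return 1.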