Bug 457087

Summary: grub/lilo: fails to sanitize keyboard buffer before and after reading password
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: bressers, pjones
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-03-22 15:42:35 UTC

Description Tomas Hoger 2008-07-29 15:25:31 UTC
Jonathan Brossard of iViZ Techno Solutions reported that the commonly used
Linux boot loaders grub and lilo fail to sanitize the keyboard buffer before and
after reading pre-boot passwords.

Depending on the OS booted, this can allow privileged (Unix systems) or
unprivileged users (Windows systems, according to Jonathan's report) to extract
the boot password from system memory, or to fill the keyboard buffer with
commands that will get executed by the boot loader on system reboot.

Further details are planned to be disclosed at the Defcon conference:
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Brossard

Comment 1 Tomas Hoger 2008-07-29 15:28:09 UTC
Jonathan's proposed solution:

Implementing a checking routine doing something like this (this is real mode
16-bit asm, for the nasm compiler):

; zero 36 bytes (0x24) starting at 0x40:0x1a: the BIOS keyboard buffer head
; pointer (0x1a), tail pointer (0x1c) and the 32-byte ring buffer (0x1e-0x3d)
    push ds                 ; preserve the caller's data segment
    mov ax, 0x40
    mov ds, ax
    mov si, 0x1a
    mov cx, 0x24            ; 36 bytes to clear
    xor al, al

cleanall:
    mov [ds:si], al         ; one byte per iteration
    inc si                  ; advance to the next byte
    loop cleanall

    pop ds


and calling it _before_ and _after_ reading the password will fix both
vulnerabilities.
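The two attacks in the description (reading a consumed password back out of the keyboard buffer, and planting keystrokes that the loader consumes on the next boot) and the before/after sanitization proposed above, as an added example that is not part of this bug, of Jonathan's proposal, or of GRUB/LILO: a C model of the BIOS Data Area keyboard ring at its real offsets (head pointer 0x40:0x1a, tail pointer 0x40:0x1c, sixteen two-byte ASCII/scan-code entries at 0x40:0x1e..0x3d). The ring start and end are fixed constants here, a simplification of AT-class BIOSes, which read them from 0x40:0x80/0x82. All function names (`kbd_sanitize`, `kbd_push`, `kbd_pop`, `read_password`, `boot_and_read`, `bda_ascii_dump`), the planted keystrokes `c\r` and the password `hunter2` are constructed for the illustration. It differs from the routine above in one detail: the sanitizer resets head and tail to the ring start instead of zeroing them, because the BIOS stores the next keystroke at the offset held in the tail pointer and a zero tail would send it to 0x40:0000.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the BIOS Data Area keyboard ring (segment 0x40) at
 * its real offsets: head pointer 0x1a, tail pointer 0x1c, sixteen (ASCII,
 * scan code) pairs at 0x1e..0x3d. Illustration only, not BIOS/GRUB/LILO code. */
#define KBD_HEAD       0x1a
#define KBD_TAIL       0x1c
#define KBD_RING_START 0x1e
#define KBD_RING_END   0x3e

typedef struct { uint8_t mem[0x100]; } bda_t;

static uint16_t rd16(const bda_t *b, unsigned o) { return (uint16_t)(b->mem[o] | b->mem[o + 1] << 8); }
static void wr16(bda_t *b, unsigned o, uint16_t v) { b->mem[o] = (uint8_t)v; b->mem[o + 1] = (uint8_t)(v >> 8); }
/* Next two-byte slot, wrapping at the ring end as the BIOS does. */
static uint16_t ring_next(uint16_t o) { return o + 2 >= KBD_RING_END ? KBD_RING_START : o + 2; }

/* The fix: zero the 32-byte ring and set head == tail to the ring start
 * (empty). The pointers stay inside the ring, so the next INT 9 store still
 * lands in the buffer rather than at 0x40:0000. */
void kbd_sanitize(bda_t *b)
{
    memset(&b->mem[KBD_RING_START], 0, KBD_RING_END - KBD_RING_START);
    wr16(b, KBD_HEAD, KBD_RING_START);
    wr16(b, KBD_TAIL, KBD_RING_START);
}

/* INT 9 per keystroke: store at tail, advance tail; a full ring drops the key. */
bool kbd_push(bda_t *b, uint8_t ascii, uint8_t scan)
{
    uint16_t tail = rd16(b, KBD_TAIL), next = ring_next(tail);
    if (next == rd16(b, KBD_HEAD)) return false;
    b->mem[tail] = ascii;
    b->mem[tail + 1] = scan;
    wr16(b, KBD_TAIL, next);
    return true;
}

/* INT 16h AH=00h: hand out the entry at head and advance head. The consumed
 * bytes are not erased, which is the leak the report describes. */
bool kbd_pop(bda_t *b, uint8_t *ascii)
{
    uint16_t head = rd16(b, KBD_HEAD);
    if (head == rd16(b, KBD_TAIL)) return false;
    *ascii = b->mem[head];
    wr16(b, KBD_HEAD, ring_next(head));
    return true;
}

/* Type a string as keystrokes; scan codes are constructed as 0 for brevity. */
void kbd_type(bda_t *b, const char *s)
{
    for (; *s; s++) kbd_push(b, (uint8_t)*s, 0);
}

/* A loader's prompt as the report describes it: read up to CR, trusting
 * that the ring was empty and leaving the typed bytes behind. */
size_t read_password(bda_t *b, char *out, size_t cap)
{
    size_t n = 0;
    uint8_t c;
    while (kbd_pop(b, &c) && c != '\r')
        if (n + 1 < cap) out[n++] = (char)c;
    out[n] = '\0';
    return n;
}

/* One boot end to end: 'planted' is what the previous OS left in the ring,
 * 'typed' is what the user types at the prompt. With sanitize set, the ring
 * is scrubbed before the prompt and after the read. Returns accepted length. */
size_t boot_and_read(bda_t *b, const char *planted, const char *typed,
                     bool sanitize, char *out, size_t cap)
{
    memset(b, 0, sizeof *b);
    kbd_sanitize(b);                    /* fresh BDA with an empty ring */
    kbd_type(b, planted);
    if (sanitize) kbd_sanitize(b);      /* before: injected input is dropped */
    kbd_type(b, typed);
    size_t n = read_password(b, out, cap);
    if (sanitize) kbd_sanitize(b);      /* after: no copy of the password survives */
    return n;
}

/* The attacker's view: the ASCII byte of every slot as read from 0x40:0x1e
 * by the booted OS; '.' marks an empty slot, '?' a control code. */
void bda_ascii_dump(const bda_t *b, char out[17])
{
    for (unsigned i = 0; i < 16; i++) {
        uint8_t c = b->mem[KBD_RING_START + 2 * i];
        out[i] = c == 0 ? '.' : (c < 0x20 || c > 0x7e) ? '?' : (char)c;
    }
    out[16] = '\0';
}
```

Driving `boot_and_read` with `sanitize` false and the planted keystrokes `c\r` shows both problems at once: the loader accepts `c` instead of the typed password, and `bda_ascii_dump` afterwards still shows `hunter2` in the ring. With `sanitize` true the planted input is discarded, the typed password is accepted, and the dump is all empty slots.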

Comment 5 Tomas Hoger 2008-07-30 12:09:56 UTC
Opening bug, as all the information is public now via grub bug mailing list
public archives:

http://www.mail-archive.com/bug-grub@gnu.org/msg11628.html
http://www.mail-archive.com/bug-grub@gnu.org/msg11629.html