Jonathan Brossard of iViZ Techno Solutions reported that the commonly used Linux boot loaders grub and lilo fail to sanitize the BIOS keyboard buffer before and after reading pre-boot passwords. Depending on the OS booted, this can allow privileged users (Unix systems) or unprivileged users (Windows systems, according to Jonathan's report) to extract the boot password from system memory, or to fill the keyboard buffer with commands that the boot loader will execute on the next reboot. Further details are planned to be disclosed at the Defcon conference: https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Brossard
Jonathan's proposed solution: Implementing a checking routine doing something like this (this is real mode 16b asm, for the nasm compiler):

    ; zero 36 bytes starting at address 0x40:0x1a: the BIOS keyboard buffer
    ; head (0x1a) and tail (0x1c) pointers followed by the 32-byte key buffer
    xor ax, ax
    mov al, 0x40
    mov ds, ax          ; ds = 0x40, the BIOS data area segment
    mov al, 0x1a
    mov si, ax          ; si = 0x1a, first byte to clear
    mov cx, 0x24        ; 36 bytes
    xor al, al
    cleanall:
    mov [ds:si], al     ; store one zero byte
    inc si              ; advance to the next byte (without this the loop rewrites the same location)
    loop cleanall
    ; note: this leaves head and tail at 0, outside the 0x1e-0x3d buffer range;
    ; resetting both to 0x1e instead keeps them where the BIOS expects them

and calling it _before_ and _after_ reading the password will fix both vulnerabilities.
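To make the residue problem and the effect of the wipe concrete, here is an added C model of the BIOS data area keyboard ring (head pointer at 0x40:0x1a, tail at 0x40:0x1c, 32-byte buffer at 0x40:0x1e). It is example code written for this comment, not grub, lilo or Jonathan's code; the BDA layout is the standard one, the fixed 0x1e..0x3e buffer bounds are a simplification, and the typed password is a constructed sample. It shows that a loader reading keys one at a time only moves the head pointer, so the password bytes stay readable until the 36 bytes are wiped.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of BIOS Data Area bytes 0x40:0x1a..0x40:0x3d, the 36 bytes the proposed
 * fix zeroes. Pointers are byte offsets within segment 0x40, as the BIOS keeps
 * them. Simplification: fixed buffer bounds 0x1e..0x3e. */
#define KB_BUF_START 0x1e
#define KB_BUF_END   0x3e   /* one past the last buffer byte */
#define KB_BUF_SIZE  (KB_BUF_END - KB_BUF_START)

struct bda_kb {
    uint16_t head;              /* 0x40:0x1a: offset of next key to read   */
    uint16_t tail;              /* 0x40:0x1c: offset of next free slot     */
    uint8_t  buf[KB_BUF_SIZE];  /* 0x40:0x1e: 16 x (ASCII, scancode) pairs */
};

static uint16_t kb_next(uint16_t off)
{
    off += 2;
    return off >= KB_BUF_END ? KB_BUF_START : off;
}

void bda_init(struct bda_kb *k)
{
    memset(k, 0, sizeof *k);
    k->head = k->tail = KB_BUF_START;
}

/* A keystroke arrives (what the BIOS IRQ1 handler does). Returns 0 if full. */
int bda_push_key(struct bda_kb *k, uint8_t ascii, uint8_t scan)
{
    uint16_t next = kb_next(k->tail);
    if (next == k->head)
        return 0;
    k->buf[k->tail - KB_BUF_START]     = ascii;
    k->buf[k->tail - KB_BUF_START + 1] = scan;
    k->tail = next;
    return 1;
}

/* INT 16h AH=00h style read: only the head pointer moves, the bytes stay. */
int bda_pop_key(struct bda_kb *k, uint8_t *ascii)
{
    if (k->head == k->tail)
        return 0;
    *ascii = k->buf[k->head - KB_BUF_START];
    k->head = kb_next(k->head);
    return 1;
}

/* A loader reading its pre-boot password one key at a time until CR. */
size_t loader_read_password(struct bda_kb *k, char *out, size_t outsz)
{
    size_t n = 0;
    uint8_t c;
    while (n + 1 < outsz && bda_pop_key(k, &c) && c != '\r')
        out[n++] = (char)c;
    out[n] = '\0';
    return n;
}

/* The fix: wipe all 36 bytes. Head and tail are reset to the buffer start
 * rather than 0 so they stay inside the ring the BIOS expects. */
void bda_sanitize(struct bda_kb *k)
{
    memset(k->buf, 0, sizeof k->buf);
    k->head = k->tail = KB_BUF_START;
}

/* Does the ASCII column of the ring buffer still contain `needle`? */
int bda_contains(const struct bda_kb *k, const char *needle)
{
    char ascii[KB_BUF_SIZE / 2 + 1];
    for (int i = 0; i < KB_BUF_SIZE / 2; i++) {
        uint8_t c = k->buf[2 * i];
        ascii[i] = c ? (char)c : '.';
    }
    ascii[KB_BUF_SIZE / 2] = '\0';
    return strstr(ascii, needle) != NULL;
}

/* Type a constructed password, let the loader consume it, optionally wipe,
 * then report whether the password can still be read out of the BDA. */
int password_recoverable_after_read(int sanitize)
{
    struct bda_kb k;
    char pw[16];
    const char *typed = "s3cret\r";   /* constructed sample input */
    bda_init(&k);
    for (const char *p = typed; *p; p++)
        bda_push_key(&k, (uint8_t)*p, 0x00);   /* scancode not needed here */
    loader_read_password(&k, pw, sizeof pw);
    if (sanitize)
        bda_sanitize(&k);
    return bda_contains(&k, "s3cret");
}

/* Usable entries before the ring reports full (one slot is kept free). */
int ring_capacity(void)
{
    struct bda_kb k; int n = 0;
    bda_init(&k);
    while (bda_push_key(&k, 'a', 0x1e)) n++;
    return n;
}

int main(void)
{
    printf("password recoverable without wipe: %d\n", password_recoverable_after_read(0));
    printf("password recoverable after wipe:   %d\n", password_recoverable_after_read(1));
    return 0;
}
```

The same model also explains the second issue in the report: whatever the ring holds when the loader starts reading is dequeued as if typed, which is why the wipe has to run before the password prompt as well as after it.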
Opening bug, as all the information is now public via the bug-grub mailing list archives: http://www.mail-archive.com/bug-grub@gnu.org/msg11628.html http://www.mail-archive.com/bug-grub@gnu.org/msg11629.html