Bug 457087 - grub/lilo: fails to sanitize keyboard buffer before and after reading password
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
source=secalert,reported=20080729,pub...
: Security
Reported: 2008-07-29 11:25 EDT by Tomas Hoger
Modified: 2010-03-22 11:42 EDT
Doc Type: Bug Fix
Last Closed: 2010-03-22 11:42:35 EDT


Description Tomas Hoger 2008-07-29 11:25:31 EDT
Jonathan Brossard of iViZ Techno Solutions reported that the commonly used
Linux bootloaders grub and lilo fail to sanitize the keyboard buffer before and
after reading pre-boot passwords.

Based on the OS booted, this can allow privileged (Unix systems) or unprivileged
users (Windows systems, according to Jonathan's report) to extract the boot password
from system memory, or to fill the keyboard buffer with commands that will get
executed by the boot loader on system reboot.

Further details are planned to be disclosed at the Defcon conference:
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Brossard
Comment 1 Tomas Hoger 2008-07-29 11:28:09 EDT
Jonathan's proposed solution:

Implementing a checking routine doing something like this (this is real mode
16b asm, for the nasm compiler):

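; zero 36b starting at address 0x40:0x1a
    xor ax, ax
    mov al, 0x40
    mov ds, ax          ; ds = 0x0040 (BIOS data area segment)
    mov al, 0x1a
    mov si, ax          ; si = 0x001a (start of the keyboard buffer state)
    mov cx, 0x24        ; 36 bytes to clear

    xor al, al          ; ax = 0

cleanall:
    mov [ds:si], al     ; clear one byte
    inc si              ; advance to the next byte
    loop cleanall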


and calling it _before_ and _after_ reading the password will fix both
vulnerabilities.
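
The C sketch below is an added example, not part of the bug report or of Jonathan's proposal. It models the BIOS keyboard ring in the BIOS Data Area (head pointer at 0x40:0x1A, tail at 0x40:0x1C, 32-byte ring at 0x40:0x1E) to show why a key that has been read stays in memory and what sanitizing before and after the prompt changes. Assumptions: the `bda` array, all function names and the scancode values are constructed for illustration, and `kbd_sanitize` resets head and tail to the start of the ring rather than zeroing them as the routine above does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the keyboard state in the BIOS Data Area (segment 0x40). */
enum { KBD_HEAD = 0x1A, KBD_TAIL = 0x1C, KBD_BUF = 0x1E, KBD_END = 0x3E };
static uint8_t bda[0x100];              /* stand-in for memory at 0x40:0000 */
static uint16_t rd16(int off) { return (uint16_t)(bda[off] | bda[off + 1] << 8); }
static void wr16(int off, uint16_t v) { bda[off] = (uint8_t)v; bda[off + 1] = (uint8_t)(v >> 8); }
static uint16_t kbd_next(uint16_t p) { p += 2; return p == KBD_END ? KBD_BUF : p; }

/* Keystroke arrives: ASCII + scancode are stored at the tail of the ring. */
int kbd_push(uint8_t ascii, uint8_t scan) {
    uint16_t tail = rd16(KBD_TAIL);
    if (kbd_next(tail) == rd16(KBD_HEAD)) return -1;   /* ring full */
    bda[tail] = ascii; bda[tail + 1] = scan;
    wr16(KBD_TAIL, kbd_next(tail));
    return 0;
}

/* Key is consumed: only the head pointer moves, the slot keeps its bytes. */
int kbd_read(void) {
    uint16_t head = rd16(KBD_HEAD);
    if (head == rd16(KBD_TAIL)) return -1;             /* ring empty */
    wr16(KBD_HEAD, kbd_next(head));
    return bda[head];
}

/* Number of non-zero bytes still present in the 32-byte ring. */
int kbd_residue(void) {
    int n = 0;
    for (int i = KBD_BUF; i < KBD_END; i++) n += bda[i] != 0;
    return n;
}

/* Sanitize: wipe every slot and mark the ring empty. */
void kbd_sanitize(void) {
    memset(&bda[KBD_BUF], 0, KBD_END - KBD_BUF);
    wr16(KBD_HEAD, KBD_BUF); wr16(KBD_TAIL, KBD_BUF);
}

int main(void) {
    kbd_sanitize();                                    /* before the prompt */
    for (const char *p = "secret"; *p; p++) kbd_push((uint8_t)*p, 1);
    while (kbd_read() != -1) { }                       /* loader consumes the password */
    printf("residue after read: %d bytes\n", kbd_residue());
    kbd_sanitize();                                    /* after the prompt */
    printf("residue after sanitize: %d bytes\n", kbd_residue());
    return 0;
}
```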
Comment 5 Tomas Hoger 2008-07-30 08:09:56 EDT
Opening bug, as all the information is public now via the grub bug mailing list
public archives:

http://www.mail-archive.com/bug-grub@gnu.org/msg11628.html
http://www.mail-archive.com/bug-grub@gnu.org/msg11629.html
