Re: [vendor-sec] Re: [Fwd: Vulnerabilities in Lilo 22.6.1 and previous versions]

[Mike Hamburg]

On Jul 29, 2008, at 5:45 AM, Jonathan Brossard wrote:
> 1) Plain text password disclosure.
> Required privileges to perform this operation are OS dependant,
> from unprivileged users under Windows (any), to root under most Unix.

> 2) A privileged attacker able to write to the MBR and knowing the  
> password
> (for instance thanks to 1), is able to reboot the computer in spite  
> of the
> password prompted at boot time by initializing the Bios keybaord  
> buffer with
> the correct password (using a second bootloader that will in turn  
> run lilo).
>
> --[ A bit more details :
>
> On x86 computers, Grub relies on BIOS interrupts to read user  
> passwords.
> This API relies on an internal BIOS Keyboard buffer in the BIOS Data  
> Area,
> which is not sanitized before and after use.
>
> This allows a loged in user to potentially retreive the password in  
> plain text
> (the level of privileges required to perform this activity can be as  
> low as an
> unprivileged guest user under Windows - from 9x to Vista).
>
> Since the BIOS keyboard buffer is also not initialized before use,  
> an attacker can
> fill it up using a rogue bootloader and then load grub, allowing him  
> to reboot the
> computer without having physical access to the computer, resulting  
> in a full security
> bypass of the Grub password authentication.

While #1 seems like a real problem to me, particularly on Windows, I'm  
having trouble
understanding the security implication of #2.  If the attacker can run  
a rogue bootloader
before GRUB, can't he boot your machine anyway?  What stops him from  
running an evil
fork of GRUB that just doesn't check boot passwords?

-- Mike Hamburg