Jonathan Brossard
Tue, 29 Jul 2008 07:48:31 -0700
Dear Grub team,

This email is an attempt to follow the rules of responsible disclosure by offering you to work on a patch to the vulnerability we discovered, affecting Grub (I tested version 0.97 -latest CVS- specifically, but grub2 is most likely also vulnerable).

During extensive research on pre-boot authentication software, we discovered a new class of vulnerability, which affects, among others, Grub. Other similar products you are selling are likely to be vulnerable as well.

Full details will be made public during the Defcon security conference, on Saturday the 9th of August.

--[ Technical details :

The password checking routine of Grub fails to sanitize the BIOS keyboard buffer before AND after reading passwords.

--[ Impacts :

1) Plain text password disclosure. Required privileges to perform this operation are OS dependent, from unprivileged users under Windows (any), to root under most Unix.

2) A privileged attacker able to write to the MBR and knowing the password (for instance thanks to 1), is able to reboot the computer in spite of the password prompted at boot time by initializing the BIOS keyboard buffer with the correct password (using a second bootloader that will in turn run lilo).

--[ A bit more details :

On x86 computers, Grub relies on BIOS interrupts to read user passwords. This API relies on an internal BIOS keyboard buffer in the BIOS Data Area, which is not sanitized before and after use. This allows a logged in user to potentially retrieve the password in plain text (the level of privileges required to perform this activity can be as low as an unprivileged guest user under Windows - from 9x to Vista). Since the BIOS keyboard buffer is also not initialized before use, an attacker can fill it up using a rogue bootloader and then load grub, allowing him to reboot the computer without having physical access to the computer, resulting in a full security bypass of the Grub password authentication. Configuring Grub to use an MD5 password at boot time doesn't solve the problem.

--[ Full details :

Will be released at Defcon 16, https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Brossard

--[ PoC :

I configured Grub to ask for a password at boot time. Once the computer has booted, the password remains in memory forever :

[EMAIL PROTECTED]:~# grub --version
grub (GNU GRUB 0.97)
[EMAIL PROTECTED]:~# dd if=/dev/kmem ibs=1 skip=3221226526 count=32 2>/dev/null|xxd
0000000: 7414 6f18 7414 6f18 0d1c 0000 0000 0000  t.o.t.o.........
0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
[EMAIL PROTECTED]:~#

--[ Patching :

Implementing a checking routine doing something like this (this is real mode 16b asm, for the nasm compiler) :

    ; zero 36 bytes starting at address 0x40:0x1a, i.e. the BIOS Data Area
    ; keyboard buffer head pointer (0x1a), tail pointer (0x1c) and the
    ; 32-byte keystroke ring buffer (0x1e-0x3d)
    xor ax, ax
    mov al, 0x40
    mov ds, ax          ; ds = 0x40 (BIOS Data Area segment)
    mov al, 0x1a
    mov si, ax          ; si = 0x1a (first byte to clear)
    mov cx, 0x24        ; 36 bytes to clear
    xor al, al          ; al = 0
cleanall:
    mov [ds:si], al     ; clear one byte
    inc si              ; advance to the next byte
    loop cleanall

and calling it _before_ and _after_ reading the password will fix both vulnerabilities.

--[ Credits :

Jonathan Brossard, [EMAIL PROTECTED]
Lead Security Research Engineer,
iViZ Technosolutions Pvt. Ltd.
Kolkata, India.
http://www.ivizindia.com
+91-33-23242212

Please feel free to contact us if you need more help to create a patch.

Best regards,
Jonathan Brossard

-----------------------------------------Appendix-------------------------------------------------------

--[ Menu.lst Grub configuration :

--------------------------------------------------------------------------------------------------------
# menu.lst - See: grub(8), info grub, update-grub(8)
#            grub-install(8), grub-floppy(8),
#            grub-md5-crypt, /usr/share/doc/grub
#            and /usr/share/doc/grub-doc/.

## default num
# Set the default entry to the entry number NUM. Numbering starts from 0, and
# the entry number 0 is the default if the command is not used.
#
# You can specify 'saved' instead of a number. In this case, the default entry
# is the entry saved with the command 'savedefault'.
# WARNING: If you are using dmraid do not change this entry to 'saved' or your
# array will desync and will not let you boot your system.
default         0

## timeout sec
# Set a timeout, in SEC seconds, before automatically booting the default entry
# (normally the first entry defined).
timeout         10

## hiddenmenu
# Hides the menu by default (press ESC to see the menu)
#hiddenmenu

# Pretty colours
color cyan/blue white/blue

## password ['--md5'] passwd
# If used in the first section of a menu file, disable all interactive editing
# control (menu entry editor and command-line) and entries protected by the
# command 'lock'
# e.g. password topsecret
#      password --md5 $1$gLhU0/$aW78kHK1QfV3P2b2znUoe/
# password topsecret
#password --md5 a8f2ff865cca86a79915cf559184dada

#
# examples
#
# title         Windows 95/98/NT/2000
# root          (hd0,0)
# makeactive
# chainloader   +1
#
# title         Linux
# root          (hd0,1)
# kernel        /vmlinuz root=/dev/hda2 ro
#

#
# Put static boot stanzas before and/or after AUTOMAGIC KERNEL LIST

### BEGIN AUTOMAGIC KERNELS LIST
## lines between the AUTOMAGIC KERNELS LIST markers will be modified
## by the debian update-grub script except for the default options below

## DO NOT UNCOMMENT THEM, Just edit them to your needs

## ## Start Default Options ##
## default kernel options
## default kernel options for automagic boot options
## If you want special options for specific kernels use kopt_x_y_z
## where x.y.z is kernel version. Minor versions can be omitted.
## e.g. kopt=root=/dev/hda1 ro
##      kopt_2_6_8=root=/dev/hdc1 ro
##      kopt_2_6_8_2_686=root=/dev/hdc2 ro
# kopt=root=UUID=ea6a9986-022a-48fd-a44b-3d6808ae9422 ro

## Setup crashdump menu entries
## e.g. crashdump=1
# crashdump=0

## default grub root device
## e.g. groot=(hd0,0)
# groot=(hd0,0)

## should update-grub create alternative automagic boot options
## e.g. alternative=true
##      alternative=false
# alternative=true

## should update-grub lock alternative automagic boot options
## e.g. lockalternative=true
##      lockalternative=false
# lockalternative=false

## additional options to use with the default boot option, but not with the
## alternatives
## e.g. defoptions=vga=791 resume=/dev/hda5
# defoptions=quiet splash

## should update-grub lock old automagic boot options
## e.g. lockold=false
##      lockold=true
# lockold=false

## Xen hypervisor options to use with the default Xen boot option
# xenhopt=

## Xen Linux kernel options to use with the default Xen boot option
# xenkopt=console=tty0

## altoption boot targets option
## multiple altoptions lines are allowed
## e.g. altoptions=(extra menu suffix) extra boot options
##      altoptions=(recovery) single
# altoptions=(recovery mode) single

## controls how many kernels should be put into the menu.lst
## only counts the first occurence of a kernel, not the
## alternative kernel options
## e.g. howmany=all
##      howmany=7
# howmany=all

## should update-grub create memtest86 boot option
## e.g. memtest86=true
##      memtest86=false
# memtest86=true

## should update-grub adjust the value of the default booted system
## can be true or false
# updatedefaultentry=false

## should update-grub add savedefault to the default options
## can be true or false
# savedefault=false

## ## End Default Options ##

splashimage=(hd0,2)/etc/frag.xpm.gz

title           Ubuntu 7.10, kernel 2.6.22-15-generic
root            (hd0,0)
kernel          /vmlinuz-2.6.22-15-generic root=UUID=ea6a9986-022a-48fd-a44b-3d6808ae9422 ro quiet splash
initrd          /initrd.img-2.6.22-15-generic
password toto
quiet

title           Ubuntu 7.10, kernel 2.6.22-15-generic (recovery mode)
root            (hd0,0)
kernel          /vmlinuz-2.6.22-15-generic root=UUID=ea6a9986-022a-48fd-a44b-3d6808ae9422 ro single
initrd          /initrd.img-2.6.22-15-generic

title           Ubuntu 7.10, kernel 2.6.22-14-generic
root            (hd0,0)
kernel          /vmlinuz-2.6.22-14-generic root=UUID=ea6a9986-022a-48fd-a44b-3d6808ae9422 ro quiet splash
initrd          /initrd.img-2.6.22-14-generic
quiet

title           Ubuntu 7.10, kernel 2.6.22-14-generic (recovery mode)
root            (hd0,0)
kernel          /vmlinuz-2.6.22-14-generic root=UUID=ea6a9986-022a-48fd-a44b-3d6808ae9422 ro single
initrd          /initrd.img-2.6.22-14-generic

title           Ubuntu 7.10, kernel 2.6.20-15-generic
root            (hd0,0)
kernel          /vmlinuz-2.6.20-15-generic root=UUID=ea6a9986-022a-48fd-a44b-3d6808ae9422 ro quiet splash
initrd          /initrd.img-2.6.20-15-generic
quiet

title           Ubuntu 7.10, kernel 2.6.20-15-generic (recovery mode)
root            (hd0,0)
kernel          /vmlinuz-2.6.20-15-generic root=UUID=ea6a9986-022a-48fd-a44b-3d6808ae9422 ro single
initrd          /initrd.img-2.6.20-15-generic

title           Ubuntu 7.10, memtest86+
root            (hd0,0)
kernel          /memtest86+.bin
quiet

### END DEBIAN AUTOMAGIC KERNELS LIST
--------------------------------------------------------------------------------------------------------

--
Jonathan Brossard
Security Research Engineer
iViZ Techno Solutions Pvt. Ltd.
Mobile: +91-9748772994

Kolkata:
iViZ Technology Solutions(P) Ltd
c/o Erevmax Technologies (P) Ltd
DLF IT Park, Tower-1, 12th Floor
08 Major Arterial Road
New Town, Rajarhat
Kolkata- 700 156

Kharagpur:
iViZ Techno Solutions Pvt Ltd,
School of Information Technology,
Indian Institute of Technology,
2nd Floor, Takshashila,
Kharagpur 721302
West Bengal, India.
Phone: +91-3222-282300 ext 4324

Web page: http://www.ivizindia.com

_______________________________________________
Bug-grub mailing list
Bug-grub@gnu.org
http://lists.gnu.org/mailman/listinfo/bug-grub
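The buffer layout behind the PoC dump and the proposed patch, as an added example that is not part of the message above or of GRUB's own code: a Python audit helper that decodes a dump of the BIOS keyboard buffer region (head pointer at 0x40:0x1a, tail pointer at 0x40:0x1c, 32-byte ring buffer of two-byte ASCII/scan-code entries at 0x40:0x1e) into keystrokes, separates the entries INT 16h still considers pending from the residue that stays behind once the head pointer has caught up with the tail, and reports whether the 36-byte span the patch zeroes is actually clean. The xxd text is the PoC's own dump; the head/tail value 0x28 is constructed for the example (the message does not show those two words), and sanitized() is a model of the patch as written, assuming it zeroes all 36 bytes.

```python
"""Audit a dump of the BIOS keyboard buffer for leftover keystrokes.

Relevant part of the BIOS Data Area (segment 0x40, physical address 0x400):
  0x40:0x1a  word   head: offset of the next keystroke INT 16h will return
  0x40:0x1c  word   tail: offset where the next keystroke will be stored
  0x40:0x1e  32 B   ring buffer, 16 entries of (ASCII code, scan code)
INT 16h treats head == tail as "nothing pending", but the bytes stay in place.
"""
import struct

KBD_BUF_OFF = 0x1E          # offset of the ring buffer within segment 0x40
KBD_BUF_LEN = 32
KBD_ENTRIES = KBD_BUF_LEN // 2
REGION_LEN = 36             # head + tail + buffer: the span the proposed patch zeroes

# xxd output from the PoC in the message: dd skip=3221226526 is 0xC000041E,
# the 32-bit kernel's PAGE_OFFSET (0xC0000000) plus physical 0x41E = 0x40:0x1e.
POC_DUMP = (
    "0000000: 7414 6f18 7414 6f18 0d1c 0000 0000 0000  t.o.t.o.........\n"
    "0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................\n"
)


def parse_xxd(text: str) -> bytes:
    """Convert xxd's default hex dump back into bytes (ASCII column ignored)."""
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        _offset, rest = line.split(":", 1)
        hex_groups = rest.split("  ", 1)[0]   # two spaces separate hex from ASCII
        out += bytes.fromhex(hex_groups.replace(" ", ""))
    return bytes(out)


def decode_buffer(buf: bytes) -> list:
    """Split the 32-byte ring buffer into 16 (ascii, scancode) entries."""
    if len(buf) != KBD_BUF_LEN:
        raise ValueError("expected the 32-byte keyboard buffer")
    return [(buf[i], buf[i + 1]) for i in range(0, KBD_BUF_LEN, 2)]


def render(entries) -> str:
    """Text form of entries; empty slots skipped, keys without ASCII shown by scan code."""
    parts = []
    for ascii_code, scan in entries:
        if ascii_code == 0 and scan == 0:
            continue
        parts.append(chr(ascii_code) if ascii_code else f"<scan 0x{scan:02x}>")
    return "".join(parts)


def residue_text(buf: bytes) -> str:
    """Everything physically present in the buffer, whatever head and tail say."""
    return render(decode_buffer(buf))


def pending_keystrokes(head: int, tail: int, buf: bytes) -> list:
    """Entries INT 16h would still deliver: from head up to (not including) tail."""
    entries = decode_buffer(buf)
    for ptr in (head, tail):
        if not KBD_BUF_OFF <= ptr < KBD_BUF_OFF + KBD_BUF_LEN or ptr % 2:
            raise ValueError(f"pointer 0x{ptr:x} is outside the keyboard buffer")
    i, end = (head - KBD_BUF_OFF) // 2, (tail - KBD_BUF_OFF) // 2
    pending = []
    while i != end:                       # ring buffer: wrap at the end
        pending.append(entries[i])
        i = (i + 1) % KBD_ENTRIES
    return pending


def audit_region(region: bytes) -> dict:
    """Audit the 36 bytes at 0x40:0x1a: head word, tail word, then the buffer."""
    if len(region) != REGION_LEN:
        raise ValueError("expected 36 bytes starting at 0x40:0x1a")
    head, tail = struct.unpack_from("<HH", region, 0)
    buf = region[4:]
    return {
        "head": head,
        "tail": tail,
        "pending": "" if head == tail else render(pending_keystrokes(head, tail, buf)),
        "residue": residue_text(buf),     # what the PoC reads back after boot
        "clean": not any(buf),            # what the patch must achieve
    }


def sanitized(region: bytes) -> bytes:
    """Model of the proposed patch: the whole 36-byte span zeroed (assumption)."""
    if len(region) != REGION_LEN:
        raise ValueError("expected 36 bytes starting at 0x40:0x1a")
    return bytes(REGION_LEN)


if __name__ == "__main__":
    buf = parse_xxd(POC_DUMP)
    # Constructed head/tail: after "toto<Enter>" (5 entries) was consumed, both
    # point just past entry 5, so the BIOS reports an empty buffer.
    region = struct.pack("<HH", 0x28, 0x28) + buf
    print(audit_region(region))             # residue 'toto\r', clean False
    print(audit_region(sanitized(region)))  # residue '', clean True
```

The useful distinction for anyone verifying a fix is between pending and residue: with head equal to tail the BIOS will hand out no keys, yet residue_text() still recovers the typed password, which is exactly what the dd dump in the PoC shows; only a region whose audit reports clean is safe, and the patch must produce that state both before the prompt (so a pre-filled buffer cannot answer it) and after (so nothing is left to read).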