On Tue, 20 Jun 2006, Roger Lawson wrote:

First thing I did when I got it home was flash the BIOS with the latest version.

The Dell HD password bug seems to have been the BIOS allowing illegal characters in the password. The password prompt would not accept the illegal characters, in effect locking the drive. But it does not seem to apply to your particular model.

 -----------------------
<http://www.derkeiler.com/Mailing-Lists/Securiteam/2003-12/0029.html>

 Dell BIOS DoS (Invalid Characters in BIOS Password)

SUMMARY

The Dell BIOS allows users to set several different passwords to protect their machines from unauthorized access. There is:

1) A Setup Password, which is required to enter the BIOS setup, as well as

2) A Hard Drive Password, as per the ATA Security Feature Set Specification

Due to a bug in the BIOS, a user can provide a password containing characters that cannot later be entered. This allows a local user to create a denial of service situation (as the password authentication mechanism cannot be bypassed).

DETAILS

Affected Systems:

Dell Inspiron 2650 System BIOS, A11 (A11 is the current BIOS as of writing, and was released in late September of this year)

Unfortunately, once a Hard Drive Password is set which contains one or more of the following characters: , < > . ; : ' [ ] { } it cannot be later entered to access the machine. It appears as though a bug in the BIOS code prevents those characters from being taken as input when the user is asked for the password - however, the BIOS incorrectly allows users to set passwords containing those characters.

This is not an incredibly serious problem as such, since a user can go back into the BIOS setup and change the password there, provided the BIOS Setup is not protected with an unknown password. Or, as a last resort, Dell can be phoned to provide a master backdoor password, as long as the user can prove that he is the legal owner of the computer. Of course, the prerequisite of physical access to the machine highly mitigates this vulnerability.
 -----------------------

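The mismatch the quoted advisory describes, as an added example that is not part of the original message or of any Dell code: a small C model in which the unlock prompt drops the listed characters, next to a setter that only stores passwords the prompt can reproduce. All function names, PW_MAX and the sample passwords are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX 32   /* assumed buffer size for this model */

/* Characters the advisory lists as not accepted at the password prompt. */
static const char PROMPT_DROPPED[] = ",<>.;:'[]{}";

/* Model of the unlock prompt: keystrokes it cannot take are silently lost. */
void prompt_read(const char *typed, char *out, size_t outsz) {
    size_t n = 0;
    for (; *typed && n + 1 < outsz; typed++)
        if (!strchr(PROMPT_DROPPED, *typed))
            out[n++] = *typed;
    out[n] = '\0';
}

/* Setter with the flaw described: stores whatever was typed in setup. */
bool set_password_unchecked(const char *pw, char *store, size_t sz) {
    if (*pw == '\0' || strlen(pw) >= sz) return false;
    strcpy(store, pw);
    return true;
}

/* Checked setter: pass the candidate through the prompt's own input path
   and refuse it unless it comes back unchanged. */
bool set_password_checked(const char *pw, char *store, size_t sz) {
    char echoed[PW_MAX + 1];
    if (*pw == '\0' || strlen(pw) >= sz || strlen(pw) > PW_MAX) return false;
    prompt_read(pw, echoed, sizeof echoed);
    if (strcmp(echoed, pw) != 0) return false;
    strcpy(store, pw);
    return true;
}

/* True if typing `typed` at the prompt matches the stored password. */
bool can_unlock(const char *stored, const char *typed) {
    char got[PW_MAX + 1];
    prompt_read(typed, got, sizeof got);
    return strcmp(got, stored) == 0;
}

int main(void) {
    char store[PW_MAX + 1];
    set_password_unchecked("pa;ss", store, sizeof store); /* constructed sample */
    printf("unchecked setter: %s\n", can_unlock(store, "pa;ss") ? "unlocks" : "locked out");
    printf("checked setter:   %s\n", set_password_checked("pa;ss", store, sizeof store) ? "accepted" : "rejected at set time");
    return 0;
}
```

Reusing the prompt's input routine inside the setter keeps the two character sets from drifting apart if either is changed later.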