On Jul 29, 2008, at 5:45 AM, Jonathan Brossard wrote:
1) Plain text password disclosure.
Required privileges to perform this operation are OS dependant,
from unprivileged users under Windows (any), to root under most Unix.
2) A privileged attacker able to write to the MBR and knowing the
password
(for instance thanks to 1), is able to reboot the computer in spite
of the
password prompted at boot time by initializing the Bios keybaord
buffer with
the correct password (using a second bootloader that will in turn run
lilo).
--[ A bit more details :
On x86 computers, Grub relies on BIOS interrupts to read user passwords.
This API relies on an internal BIOS Keyboard buffer in the BIOS Data
Area,
which is not sanitized before and after use.
This allows a loged in user to potentially retreive the password in
plain text
(the level of privileges required to perform this activity can be as
low as an
unprivileged guest user under Windows - from 9x to Vista).
Since the BIOS keyboard buffer is also not initialized before use, an
attacker can
fill it up using a rogue bootloader and then load grub, allowing him
to reboot the
computer without having physical access to the computer, resulting in
a full security
bypass of the Grub password authentication.
While #1 seems like a real problem to me, particularly on Windows, I'm
having trouble
understanding the security implication of #2. If the attacker can run
a rogue bootloader
before GRUB, can't he boot your machine anyway? What stops him from
running an evil
fork of GRUB that just doesn't check boot passwords?