Re: [vendor-sec] Re: [Fwd: Vulnerabilities in Lilo 22.6.1 and previous versions]

[Vincent Danen]

* [2008-07-29 18:15:36 +0530] Jonathan Brossard wrote:

> Dear Pierre Yves,
> (Cher Pierre Yves, meme ;),
>
> > Thanks for the information, I'm forwarding your e-mail to the vendor-sec
> > mailing list (in CC) since other linux distros could be interested,
>
> Thanks for relying the information, I really didn't know who to ping
> since the main author's email is erroneous...
>
> > although nowadays most of us use GRUB as the default bootloader :)
>
> Actually, the same vulnerability also affects Grub...
> Let me reproduce the mail I sent to the Grub team
> a few hours back (see below...)

Hi, Jonathan.

Let me get this straight real quick.  For Linux, at least, it seems to
require root privileges, right?  It's only on Windows that an
unprivileged user could get to this info?

I'm assuming this is true for both grub and lilo and any other
bootloader that may be used (thinking of stuff like yaboot and others).

> 1) Plain text password disclosure.
> Required privileges to perform this operation are OS dependant,
> from unprivileged users under Windows (any), to root under most Unix.
>
> 2) A privileged attacker able to write to the MBR and knowing the password
> (for instance thanks to 1), is able to reboot the computer in spite of the
> password prompted at boot time by initializing the Bios keybaord buffer 
> with
> the correct password (using a second bootloader that will in turn run 
> lilo).

The only real vector I can see here is for someone who dual-boots and
the "attacker" has local physical access.  On a pure Linux system, the
person needs root privileges to begin with, which means if this were an
"attacker" (unauthorized) than all bets are off because they could boot
from a livecd or whatever already.

Am I missing another scenario?

--
Vincent Danen @ http://linsec.ca/

pgp1eLjyNBVEb.pgp
Description: PGP signature