Who am I?
Scope of this presentation
We present a new class of vulnerabilities,
Affecting multiple
Exploitable without physical access.
Limitations: we will focus solely on password-based authentication.
Contents
(Technically) defining
Password leakage under Windows
Password leakage under *nix
Rebooting in spite of a
Examples of vulnerable software
Mitigating those vulnerabilities
I - (Technically) defining
authentication
Boot sequence overview
Taxonomy of
BIOS API for user inputs
BIOS internals for keyboard management
BIOS keyboard buffer Remanence...
Verifying this bug exists “in real life”
Password chaining
Bios Passwords
Bootloader Passwords (Vista's Bitlocker, Grub or Lilo, and most others)
Early kernel stage passwords – typically before decompression (e.g. suspend2 hibernation patch for GNU/Linux)
Interrupt 0x16 is invoked via the functions:
ah=0x00, “Get keystroke”: returns the keystroke scancode in AH and its ASCII code in AL.
ah=0x01, “Check for keystroke”: same, but the Zero Flag is set if no keystroke is available in the BIOS keyboard buffer.
e.g. LILO's password reading routine:
Remanence... (1/3)
Filling the BIOS keyboard buffer (with the keyboard):
Remanence... (2/3)
Reading the BIOS keyboard buffer (using int 0x16, ah=0x00 or 0x01):
Remanence... (3/3)
Who is supposed to clear the keyboard buffer?
life” (1/2) :
We want to check the authentication routines in the BIOS themselves (aka: BIOS Passwords)
We will write a small
life” (2/2) :
Results:
Most BIOS Passwords are vulnerable (more on this later).
... if the BIOS programmers themselves do not clear the BIOS keyboard buffer... just imagine third-party programmers...
Let's now imagine we have two authentication devices in a row (asking for pass1 and pass2 respectively)...
What happens in the BIOS keyboard buffer?
The passwords are concatenated! So we can retrieve both ;)
[p][a][s][s][1][Enter][p][a][s][s][2][Enter]
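To make the remanence and the password chaining concrete, and to show what the mitigation looks like, here is an added C model of the BIOS Data Area keyboard ring buffer. It is not code from the presentation or from any BIOS; it reproduces the documented layout (segment 0x0040: head pointer at 0x1A, tail pointer at 0x1C, 16 scancode/ASCII words at 0x1E..0x3D) in an ordinary C array and implements int 0x16 ah=0x00 and ah=0x01 over it. The scancode values, the function names and the "pass1"/"pass2" inputs are constructed for the example. Reading with ah=0x00 only advances the head pointer, so the bytes stay in the buffer and two consecutive password prompts leave both passwords back to back; `kb_buffer_scrub()` is the fix a password reader should apply before handing control to the next stage.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the BIOS Data Area (segment 0x0040) fields used by int 0x16.
 * Offsets are the real ones; the storage is a plain C array (simulation). */
#define BDA_SIZE     0x100
#define KB_HEAD      0x1A   /* offset of next key to read            */
#define KB_TAIL      0x1C   /* offset where the next key is stored    */
#define KB_BUF_START 0x1E   /* 16 words of (ASCII, scancode)          */
#define KB_BUF_END   0x3E   /* one past the last word                  */

static uint8_t bda[BDA_SIZE];

static uint16_t rd16(int off) { return (uint16_t)(bda[off] | (bda[off + 1] << 8)); }
static void wr16(int off, uint16_t v) { bda[off] = v & 0xFF; bda[off + 1] = v >> 8; }

/* Power-on state: empty ring, both pointers at the start of the buffer. */
void bda_init(void) {
    memset(bda, 0, sizeof bda);
    wr16(KB_HEAD, KB_BUF_START);
    wr16(KB_TAIL, KB_BUF_START);
}

static uint16_t next_slot(uint16_t off) {
    off += 2;
    return off >= KB_BUF_END ? KB_BUF_START : off;
}

/* What the IRQ1 handler does on a keypress: store the word at tail.
 * Returns 0 if the ring is full (a real BIOS beeps and drops the key). */
int kb_push(uint8_t scancode, uint8_t ascii) {
    uint16_t tail = rd16(KB_TAIL), nt = next_slot(tail);
    if (nt == rd16(KB_HEAD)) return 0;
    bda[tail] = ascii;         /* AL */
    bda[tail + 1] = scancode;  /* AH */
    wr16(KB_TAIL, nt);
    return 1;
}

/* int 0x16, ah=0x01: returns 0 (Zero Flag set) if no key; key left in place. */
int int16_check_keystroke(uint16_t *ax) {
    uint16_t head = rd16(KB_HEAD);
    if (head == rd16(KB_TAIL)) return 0;
    *ax = rd16(head);
    return 1;
}

/* int 0x16, ah=0x00: consume one key. Only the head pointer moves;
 * the ASCII/scancode bytes stay in the buffer. That is the remanence. */
int int16_get_keystroke(uint16_t *ax) {
    if (!int16_check_keystroke(ax)) return 0;
    wr16(KB_HEAD, next_slot(rd16(KB_HEAD)));
    return 1;
}

/* Simulate the user typing a line followed by Enter (scancodes are placeholders). */
void type_line(const char *s) {
    for (; *s; s++) kb_push(0x10, (uint8_t)*s);
    kb_push(0x1C, '\r');
}

/* A password prompt the way a bootloader does it: ah=0x00 until Enter. */
size_t read_password(char *out, size_t cap) {
    size_t n = 0; uint16_t ax;
    while (int16_get_keystroke(&ax)) {
        char c = (char)(ax & 0xFF);
        if (c == '\r') break;
        if (n + 1 < cap) out[n++] = c;
    }
    out[n] = 0;
    return n;
}

/* Audit view: printable ASCII bytes still sitting in the ring, in slot order. */
size_t dump_residue(char *out, size_t cap) {
    size_t n = 0;
    for (int off = KB_BUF_START; off < KB_BUF_END; off += 2)
        if (bda[off] >= 0x20 && bda[off] < 0x7F && n + 1 < cap) out[n++] = (char)bda[off];
    out[n] = 0;
    return n;
}

/* Mitigation: overwrite the whole ring and reset both pointers after a password read. */
void kb_buffer_scrub(void) {
    memset(bda + KB_BUF_START, 0, KB_BUF_END - KB_BUF_START);
    wr16(KB_HEAD, KB_BUF_START);
    wr16(KB_TAIL, KB_BUF_START);
}

int main(void) {
    char pw[32], res[64];
    bda_init();
    type_line("pass1"); read_password(pw, sizeof pw);
    type_line("pass2"); read_password(pw, sizeof pw);
    dump_residue(res, sizeof res);
    printf("after two prompts, buffer still holds: \"%s\"\n", res);  /* pass1pass2 */
    kb_buffer_scrub();
    dump_residue(res, sizeof res);
    printf("after scrub: \"%s\"\n", res);
    return 0;
}
```

The scrub must run in the component that read the password (BIOS setup, bootloader or early kernel stub), since nothing later in the boot chain will do it for you; a simple audit of a password reader is to call the equivalent of `dump_residue()` immediately after the prompt returns and confirm that nothing printable remains.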