[22239] in bugtraq


Re: Security problems with Dell Latitude C800 Notebook BIOSes

daemon@ATHENA.MIT.EDU (Raymond M. Reskusich)
Tue Aug 14 15:49:25 2001

Date: Tue, 14 Aug 2001 13:56:43 -0500
From: "Raymond M. Reskusich" <reskusic@uiuc.edu>
To: bugtraq@securityfocus.com
Message-ID: <20010814135643.C18732@hume.cso.uiuc.edu>

On Tue, Aug 14, 2001 at 05:28:36PM +0200, Bernhard Rosenkraenzer wrote:
...
> When using suspend to disk, the Latitude BIOS dumps the system status to
> the suspend to disk partition and prepends an OS loader code, and toggles
> the active bit on the suspend to disk partition.
...
> This is VERY dangerous though - it allows things like suspending a
> session, then booting the normal OS (or something else from a floppy or
> CD-ROM - the BIOS does nothing to ensure the stored session is actually
> recovered), doing something completely different including modifying disk
> content, reading all content (passwords and confidential data) from the
> suspend-to-disk partition, then restoring the session that was
> suspended before. The result of this can be anything and will almost
> certainly lead to data loss.

Well, inasmuch as this is a security flaw, one would imagine that the
"hibernate" functionality in Windows 2000 is about equally unsafe.
However, considering the usual risks involved in letting anyone with
a floppy boot to it on your machine, this isn't really a surprise.

I think to call this a BIOS flaw misses the point.  Dell is adding
to the functionality of the expected PC BIOS with a minimum of
disruption to existing functionality.  There is no reason, for
instance, for Dell to tell me that because I chose to suspend my
Windows session that I shouldn't be able to boot Linux before resuming
it.  Admittedly, the reliance on the active flag will play havoc with
some boot loaders unless you add the suspend partition to your boot
menu, but Linux users are used to such inconveniences.

If you want the boot to be limited to the suspend session, disable
floppy and CD-ROM boot, don't install a third-party boot loader, and
you're good.  Even better, put in a boot password.  But with any scheme
where you write out a system memory image to disk unencrypted, you'll
still be vulnerable to anyone with physical access to the system.
Nothing stops the prospective data thief from popping your HD out that
convenient side panel and reading it in his laptop.

Raymond M. Reskusich
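
The following is an added worked example, not part of Raymond's message or
of the original thread, and not Dell's or anyone's firmware code. It shows
the two mechanisms the thread turns on: how the "active" flag the BIOS
toggles is stored in the MBR partition table (the 0x80 status byte of each
16-byte entry) and how a flag-driven boot selects a different partition once
it is flipped, and then how trivially an unencrypted suspend image gives up
plaintext credentials to anyone who can read the disk. The partition type
0xA0 for the suspend partition, the layout of the constructed MBR and the
constructed memory image, and the credential patterns searched for are all
assumptions made for illustration.

```python
import re
import struct

MBR_SIZE = 512
PART_TABLE_OFF = 446
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
ACTIVE = 0x80                 # "bootable"/active flag in the status byte
TYPE_HIBERNATION = 0xA0       # assumed type byte for a laptop suspend-to-disk partition
TYPE_NTFS = 0x07
TYPE_LINUX = 0x83


def build_mbr(entries):
    """Build a 512-byte MBR from (active, type, lba_start, sectors) tuples.

    Constructed test data only; CHS fields are left zeroed."""
    mbr = bytearray(MBR_SIZE)
    for i, (active, ptype, start, sectors) in enumerate(entries[:4]):
        struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i,
                         ACTIVE if active else 0x00, b"\0\0\0",
                         ptype, b"\0\0\0", start, sectors)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the non-empty partition entries with the active flag decoded."""
    if len(mbr) < MBR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue
        parts.append({"index": i, "active": status == ACTIVE,
                      "type": ptype, "start": start, "sectors": sectors})
    return parts


def active_indexes(mbr):
    """Indexes of entries carrying the active flag (a sane table has one)."""
    return [p["index"] for p in parse_mbr(mbr) if p["active"]]


def set_active(mbr, index):
    """Emulate the BIOS behaviour the thread describes: clear every active
    flag and set it on exactly one entry."""
    b = bytearray(mbr)
    for i in range(4):
        b[PART_TABLE_OFF + 16 * i] = ACTIVE if i == index else 0x00
    return bytes(b)


def boot_target(mbr):
    """Type byte of the partition a flag-driven MBR loader would boot,
    or None if the table has zero or several active entries."""
    act = [p for p in parse_mbr(mbr) if p["active"]]
    return act[0]["type"] if len(act) == 1 else None


# Assumed patterns for credential-like material; a real sweep would use
# many more (cookies, tokens, hashes) but the point is the same.
SECRET_PATTERNS = [
    rb"(?i)password=([^\x00\s]{1,64})",
    rb"-----BEGIN [A-Z ]*PRIVATE KEY-----",
]


def scan_image(image):
    """Find plaintext secrets in a raw, unencrypted memory image.
    Returns sorted (offset, matched_text) pairs."""
    hits = []
    for pat in SECRET_PATTERNS:
        for m in re.finditer(pat, image):
            hits.append((m.start(), m.group(0).decode("ascii", "replace")))
    return sorted(hits)


def demo():
    # Constructed disk: Windows on entry 0 (active), Linux on 1, suspend on 2.
    mbr = build_mbr([(True, TYPE_NTFS, 63, 20_000_000),
                     (False, TYPE_LINUX, 20_000_063, 10_000_000),
                     (False, TYPE_HIBERNATION, 30_000_063, 600_000)])
    before = boot_target(mbr)
    suspended = set_active(mbr, 2)   # what the BIOS does on suspend-to-disk
    after = boot_target(suspended)
    # Constructed memory image: filler around a credential and a key header.
    image = (b"\x00" * 4096
             + b"user=alice\x00password=s3cret-example\x00"
             + b"\xff" * 1024
             + b"-----BEGIN RSA PRIVATE KEY-----\nMIIE..."
             + b"\x00" * 512)
    return before, after, scan_image(image)


if __name__ == "__main__":
    before, after, hits = demo()
    print(f"boot target before suspend: 0x{before:02x}, after: 0x{after:02x}")
    for off, text in hits:
        print(f"plaintext secret at offset {off}: {text!r}")
```

Nothing in `set_active` checks that the partition it marks is the one holding
the saved session, which is the gap Bernhard points at: a boot loader or a
boot from removable media that ignores the flag never sees the suspend
partition at all, and `scan_image` is all an attacker needs once the disk is
in his own machine.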
