[9761] in bugtraq
IBM thinkpad boot sequence insecurity
daemon@ATHENA.MIT.EDU (Pavel Machek)
Tue Feb 23 17:55:45 1999
Date: Sun, 21 Feb 1999 19:20:25 +0100
Reply-To: Pavel Machek <pavel@BUG.UCW.CZ>
From: Pavel Machek <pavel@BUG.UCW.CZ>
To: BUGTRAQ@NETSPACE.ORG
Hi!
IBM gave me a Thinkpad 560X notebook about a year ago (thanks, it is a nice
beast). I discovered a few misfeatures and a few bugs; some of them are
related to security. Here it goes:
* Thinkpad will boot from floppy, even if it has the boot-up sequence
set to hard drive first and the hard disk is bootable. The floppy has to
have an IBM bootsector for this to work; for example, the personality
setting boot disk distributed by IBM has it. I've successfully
created a Linux boot disk which can be used on a Thinkpad with floppy
booting disabled. If someone relied on the boot-up sequence for
security (I believe many people do), you are screwed. (BTW I use
it now as a feature. Thinkpad will refuse to boot if its
self-tests fail (which is pretty bad behaviour: if your trackpoint
fails, you are unable to get to critical data stored on your
thinkpad). Anyway, if you put an IBM floppy in, it will boot even if
self-tests failed. So I can at least access my data.)
* Thinkpad will allow people to change personality information, even
without the supervisor password. Thinkpad has a "personality" feature
which allows people to mark their computer with their name,
address, and picture. I use a penguin ;-). Unfortunately, this info
is changeable even without the supervisor password. (And BTW the floppy
which allows you to change it has a "magic" format.) This might be
more severe than it seems, because, IMHO, setting personality
information means flashing the BIOS. I'm not sure if flashing in
a modified BIOS is UN-doable.
* Easy setup - HDD tests. Easy setup is just plain ugly. It looks
like a perfectly safe thing. Well, it will overwrite part of your
hard drive without even asking for confirmation. It seems like
hard drives come preformatted to slightly less capacity than they
really have. The rest is a test zone, used for easy setup's rw
tests. But if you happen to re-fdisk your drive, it is pretty easy
to put a normal partition into this zone (this zone is not
documented anywhere). This one killed 2000 of your inodes 4 times.
The last two times it was a random person coming around my computer and
launching the tests because the machine asked them to do so. Beware!
[snip]
As a side note, does anyone know if there are seals inside the Thinkpad
560X? IBM gave me the computer, but they failed to give me a warranty. I
think a broken trackpoint should not be _that_ hard to fix ;-).
(This is a trimmed version of the page available at
http://atrey.karlin.mff.cuni.cz/~pavel/thinkpad.html. I mailed a copy
to IBM a week ago, and got no response so far. They had enough time.)
--
I'm really pavel@atrey.karlin.mff.cuni.cz. Pavel
Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).
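
The third item describes a re-fdisked drive ending up with a normal partition inside the undocumented test zone. As an added example (not part of the original post, and not IBM's code), the Python below parses an MBR and reports primary partitions that extend past the last sector of the factory layout. The value `factory_end_lba`, the function names and the sample table are constructed assumptions, and the zone is assumed to follow the factory partition, as the post implies.

```python
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446   # four 16-byte entries follow the boot code
ENTRY_SIZE = 16

def parse_mbr(mbr: bytes):
    """Return (index, type, start_lba, end_lba) for each used primary entry.

    Logical partitions inside an extended container are not walked; the
    container entry itself is still reported.
    """
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0 or count == 0:
            continue  # unused slot
        parts.append((i, ptype, start, start + count - 1))
    return parts

def partitions_past_factory_end(mbr: bytes, factory_end_lba: int):
    """List partitions whose last sector lies beyond the factory layout.

    The fifth tuple field is the number of sectors that fall inside the
    assumed test zone (everything after factory_end_lba).
    """
    return [(i, t, s, e, e - max(s, factory_end_lba + 1) + 1)
            for (i, t, s, e) in parse_mbr(mbr) if e > factory_end_lba]

def build_mbr(entries):
    """Build a constructed MBR from (type, start_lba, sector_count) tuples."""
    sector = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector,
                         PART_TABLE_OFFSET + i * ENTRY_SIZE,
                         0, ptype, start, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

# Constructed sample: factory layout assumed to end at LBA 3,999,999; the
# second partition was created after a re-fdisk and runs past that point.
SAMPLE_MBR = build_mbr([(0x83, 63, 3_000_000), (0x83, 3_000_063, 1_200_000)])

if __name__ == "__main__":
    for idx, ptype, start, end, n in partitions_past_factory_end(SAMPLE_MBR, 3_999_999):
        print(f"partition {idx} (type {ptype:#04x}) LBA {start}-{end}: "
              f"{n} sectors beyond the factory layout")
```

Record the end of the factory partition before repartitioning; that is the only place the zone boundary can come from, since the post says it is not documented.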