[32746] in bugtraq
Re: Dell BIOS DoS
daemon@ATHENA.MIT.EDU (jon schatz)
Tue Dec 9 12:58:29 2003
Message-ID: <3FD57BD6.4080702@divisionbyzero.com>
Date: Mon, 08 Dec 2003 23:37:58 -0800
From: jon schatz <jon@divisionbyzero.com>
MIME-Version: 1.0
To: James Evans <jae7@lehigh.edu>
Cc: bugtraq@securityfocus.com
In-Reply-To: <3FD4D931.7010407@lehigh.edu>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

James Evans wrote:
> This is not an incredibly serious problem as such, since a user can go
> back into the BIOS setup and change the password there, provided the
> BIOS Setup is not protected with an unknown password. Or, as a last
> resort, Dell can be phoned to provide a master backdoor password, as
> long as the user can prove herself the legal owner of the computer. Of
> course, the prerequisite of physical access to the machine highly
> mitigates this vulnerability.

...and once upon a time the default backdoor dell password was "dell".

seriously, bios passwords are worthless. there are numerous ways to get
around them. most motherboards have a jumper that you can set to reset
your cmos / bios (probably misusing one of those terms) to the factory
defaults. or you can just yank the cmos battery out. for your laptop, it
might be a bit trickier, but you can usually get to the jumpers
underneath the keyboard (at least on my old sager you could).

hth.

-jon
--
jon@divisionbyzero.com || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus? www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."