lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 08 Dec 2003 20:04:01 +0000
From: James Evans <jae7@...igh.edu>
To: bugtraq@...urityfocus.com
Subject: Dell BIOS DoS


The Dell BIOS allows users to set several different passwords to protect 
their machines from unauthorised access. There is 1) a Setup Password, 
which is required to enter the BIOS setup, as well as 2) a Hard Drive 
Password, as per the ATA Security Feature Set Specification.

Unfortunately, once a Hard Drive Password is set which contains one or 
more of the following characters,

, < > . ; : ' [ ] { }

it can not be later entered to access the machine. It appears as though 
a bug in the BIOS code prevents those characters from being taken as 
input when the user is asked for the password - however, the BIOS 
incorrectly allows users to set passwords containing those characters.

This is not an incredibly serious problem as such, since a user can go 
back into the BIOS setup and change the password there, provided the 
BIOS Setup is not protected with an unknown password. Or, as a last 
resort, Dell can be phoned to provide a master backdoor password, as 
long as the user can prove herself the legal owner of the computer. Of 
course, the prerequisite of physical access to the machine highly 
mitigates this vulnerability.

It is however an interesting bug from the point of view of Dell's 
practices. I have contacted them over two weeks ago, but their 
'technical support' is unable to understand or resolve the problem. Two 
of their representatives told me to reinstall Windows XP Chipset 
drivers, even when I asked to be forwarded to people higher in the 
technical support chain. Perhaps this post will encourage Dell to pay 
more attention in the future.

Affected Systems: Dell Inspiron 2650 System BIOS, A11
(A11 is the current BIOS as of writing, and was released in late 
September of this year)
Other BIOS/Dell models are perhaps vulnerable but have not been tested.

-- 
James Evans
GPG: http://www.lehigh.edu/~jae7/gpg

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ