Date: Tue, 14 Aug 2001 17:28:36 +0200 (CEST)
From: Bernhard Rosenkraenzer <bero@redhat.de>
To: bugtraq@securityfocus.com
Subject: Security problems with Dell Latitude C800 Notebook BIOSes
Originally reported to Dell support on May 02, 2001.
After not getting a reply, sent to a Dell Employee with a request to pass
it on to the correct people on May 04, 2001.
Waited 3 BIOS revisions, this problem has still not been addressed, so
I'm warning the public about it.
There's a major problem with the Latitude C800 BIOS, originally
noted in revision A09, still present in A13 and probably all prior
releases:
When using suspend to disk, the Latitude BIOS dumps the system status to
the suspend to disk partition and prepends an OS loader code, and toggles
the active bit on the suspend to disk partition.
If DOS or a sufficiently similar system is installed, the master boot
record will boot anything that has the active bit - such as the suspend to
disk partition when it's there; so it'll restore the session as expected.
This is VERY dangerous though - it allows things like suspending a
session, then booting the normal OS (or something else from a floppy or
CD-ROM - the BIOS does nothing to ensure the stored session is actually
recovered), doing something completely different including modifying disk
content, reading all content (passwords and confidential data) from the
suspend-to-disk partition), then restoring the session that was
suspended before. The result of this can be anything and will almost
certainly lead to data loss.
Assume the following situation: The BIOS is set up to boot from floppy
disks first. The user locks the screen and puts the notebook in suspend to
disk mode.
With a normal BIOS, his data is safe - it will restore the session the
next time the computer is turned on.
With the C800 BIOS, a cracker inserts a boot floppy, turns the
notebook on -- and can edit the saved session, reading everything that
was in memory (passwords, sensitive data), and modify it.
Furthermore, if the computer isn't running off encrypted partitions,
the cracker has full access to the owner's files, and can mess
them up. He removes the floppy, the owner turns the notebook back on, his
session is restored, but the rest of the system is no longer in the same
state --> pending disk accesses will return garbage and mess up the
system, possibly beyond repair.
Furthermore, while not relevant to security, this behavior prevents
suspend to disk from working correctly with boot loaders that don't use
the active flag, such as LILO or grub.
Workaround:
- Don't use suspend-to-disk even if it happens to work with your OS, use
encrypted partitions if supported by the OS
