Vigil@nce: GRUB, LILO, TrueCrypt, password disclosure
August 2008 by Vigil@nce
A vulnerability in GRUB, LILO and TrueCrypt can be used by a local
attacker to obtain the password entered when the system starts.
– Gravity: 1/4
– Consequences: data reading
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: multiple sources (3/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 27/08/2008
– Identifier: VIGILANCE-VUL-8065
IMPACTED PRODUCTS
– Microsoft Windows - platform
– TrueCrypt [confidential versions]
– Unix - platform
DESCRIPTION
When the computer starts, data entered on the keyboard is stored
at the address 0x40:0x1e (named "BIOS Keyboard Buffer").
Software such as GRUB, LILO and TrueCrypt asks the user to enter a
password on booting. This password is stored at the address
0x40:0x1e.
However, this software does not erase the memory area after
use. This memory address can be read by all users on Windows and
by root on Unix.
A local attacker can therefore obtain the password that was
entered when the user booted the computer.
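The missing clean-up step described above, as an added example (not code from the advisory or from GRUB, LILO or TrueCrypt): a wipe routine for the keyboard buffer and a residue check, run against a constructed in-memory copy of the BIOS Data Area. The head/tail offsets 0x1A/0x1C and the 32-byte length are the standard BDA layout rather than values from this page; the function names and the sample password are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets inside the BIOS Data Area (segment 0x40). 0x1E is the address
   given in the advisory; head/tail/length are the standard BDA layout. */
#define KBD_HEAD_OFF 0x1A  /* 16-bit pointer to next key to read  */
#define KBD_TAIL_OFF 0x1C  /* 16-bit pointer to next free slot    */
#define KBD_BUF_OFF  0x1E  /* start of the keyboard ring buffer   */
#define KBD_BUF_LEN  32    /* 16 entries of (ASCII, scan code)    */

/* Count ring-buffer bytes that still hold keystroke data. */
unsigned kbd_residue(const uint8_t *bda) {
    unsigned n = 0;
    for (unsigned i = 0; i < KBD_BUF_LEN; i++)
        if (bda[KBD_BUF_OFF + i] != 0) n++;
    return n;
}

/* What a boot-time password prompt should do once the password has been
   consumed: zero the buffer and reset head == tail == buffer start.
   volatile keeps the compiler from dropping the stores. */
void kbd_wipe(volatile uint8_t *bda) {
    for (unsigned i = 0; i < KBD_BUF_LEN; i++)
        bda[KBD_BUF_OFF + i] = 0;
    bda[KBD_HEAD_OFF] = KBD_BUF_OFF; bda[KBD_HEAD_OFF + 1] = 0;
    bda[KBD_TAIL_OFF] = KBD_BUF_OFF; bda[KBD_TAIL_OFF + 1] = 0;
}

/* Constructed sample: a 256-byte BDA copy after "hunter2" + Enter was typed
   and read. Reading a key only advances the head pointer, so head == tail
   (buffer "empty") while the bytes themselves remain in place. */
void make_sample_bda(uint8_t *bda) {
    static const char typed[] = "hunter2\r";
    memset(bda, 0, 256);
    for (unsigned i = 0; typed[i]; i++) {
        bda[KBD_BUF_OFF + 2 * i]     = (uint8_t)typed[i]; /* ASCII byte */
        bda[KBD_BUF_OFF + 2 * i + 1] = 0x01;  /* placeholder scan code  */
    }
    bda[KBD_HEAD_OFF] = bda[KBD_TAIL_OFF] = KBD_BUF_OFF + 16;
}

int main(void) {
    uint8_t bda[256];
    make_sample_bda(bda);
    printf("before wipe: %u bytes of residue\n", kbd_residue(bda));
    kbd_wipe(bda);
    printf("after wipe:  %u bytes of residue\n", kbd_residue(bda));
    return 0;
}
```

In a real-mode boot loader the pointer passed to `kbd_wipe` would refer to physical address 0x400 (segment 0x40, offset 0); here it is an ordinary array so the example runs anywhere.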
CHARACTERISTICS
– Identifiers: IVIZ-08-001, IVIZ-08-002, IVIZ-08-003, IVIZ-08-004,
IVIZ-08-005, IVIZ-08-006, IVIZ-08-007, IVIZ-08-008, IVIZ-08-009,
VIGILANCE-VUL-8065
– Url: https://vigilance.aql.fr/tree/1/8065