[UNIX] gfxboot Allows Boot Password Circumvention
From: support@securiteam.com
Date: 12/15/02
From: support@securiteam.com To: list@securiteam.com Date: 15 Dec 2002 23:14:57 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
gfxboot Allows Boot Password Circumvention
------------------------------------------------------------------------
SUMMARY
SuSE 8.1's "gfxmenu", which is configured into GRUB by default on many
machines, allows the user to pass in additional kernel boot parameters
without entering the password, even though one is configured in the GRUB
configuration file.
DETAILS
Vulnerable systems:
* SuSE 8.1 GRUB
How to check whether you are vulnerable:
As no fix is known at the moment, just reading the /boot/grub/menu.lst
configuration file is sufficient. If yours has a line that starts with
"gfxmenu", the computer is vulnerable.
Impact:
A malicious user who can make the computer reboot can, for example, append
init=/bin/bash to the kernel boot parameters to defeat the regular boot
procedure, bypass the root password, and steal data or install backdoors.
Workaround:
Remove the gfxboot line (the line that starts with "gfxmenu") from /boot/grub/menu.lst.
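The check and the workaround described above, as an added example that is not part of the original advisory. The function names, the status strings and the sample menu.lst are this example's own and are constructed; the functions take the file path as an argument so they can be tried on a copy first.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a GRUB legacy menu.lst.

# Print "gfxmenu+password", "gfxmenu" or "no-gfxmenu" for file $1.
# The directive is the first word of a non-comment line; GRUB legacy
# allows whitespace or "=" between a directive and its argument.
audit_menu_lst() {
    awk '
        /^[ \t]*#/ { next }
        { sub(/^[ \t]+/, ""); split($0, w, /[ \t=]+/) }
        w[1] == "gfxmenu"  { gfx = 1 }
        w[1] == "password" { pw = 1 }
        END {
            if (gfx && pw) print "gfxmenu+password"
            else if (gfx)  print "gfxmenu"
            else           print "no-gfxmenu"
        }
    ' "$1"
}

# Workaround: comment the directive out, keeping a .bak copy of the file.
disable_gfxmenu() {
    cp -p "$1" "$1.bak" || return 1
    awk '
        { line = $0; sub(/^[ \t]+/, ""); split($0, w, /[ \t=]+/) }
        w[1] == "gfxmenu" { print "#" line; next }
        { print line }
    ' "$1.bak" > "$1"
}

# Constructed sample (paths and hash are placeholders, not a real host).
write_sample() {
    cat > "$1" <<'EOF'
gfxmenu (hd0,1)/boot/message
default 0
timeout 8
password --md5 $1$constructed$placeholder
title linux
    kernel (hd0,1)/boot/vmlinuz root=/dev/hda2
    initrd (hd0,1)/boot/initrd
EOF
}

f=$(mktemp) && write_sample "$f"
echo "before: $(audit_menu_lst "$f")"
disable_gfxmenu "$f"
echo "after:  $(audit_menu_lst "$f")"
rm -f "$f" "$f.bak"
```

A result of "gfxmenu+password" is the case the advisory is about: a boot password is configured and the gfxmenu line is still active.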
Vendor status:
2002-11-27 v1.0 initial announcement, disclosed to SuSE Security only.
2002-11-29 extended schedule to 2002-12-13, 24:00 GMT
2002-12-03 original schedule date for publication
2002-12-13 deadline. public announcement will be made on this day at the latest.
2002-12-13 v1.1 reword first paragraph, not all machines enable gfxmenu by default, add section on checking for the problem.
2002-12-14 sent this announcement to vulnwatch and bugtraq, a workaround is documented, so holding back the announcement makes no sense.
ADDITIONAL INFORMATION
The information has been provided by Matthias Andree <matthias.andree@gmx.de>.