[NEWS] BIOS ACPI DoS
From: SecuriTeam (support_at_securiteam.com)
Date: 03/31/05
To: list@securiteam.com Date: 31 Mar 2005 11:20:28 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
BIOS ACPI DoS
------------------------------------------------------------------------
SUMMARY
A vulnerability has been found in the boot code of a BIOS identified as ACPI
(Advanced Configuration and Power Interface) version 1.60. It allows a local
attacker who can write to the disk's Master Boot Record (MBR) to leave any
system running the affected BIOS unable to boot until the BIOS is corrected
by the vendor, even though the contents of the hard disk remain valid.
DETAILS
Vulnerable Systems:
* Toshiba Satellite Pro A60 running the ACPI BIOS version 1.60 (confirmed)
* Other BIOS builds of ACPI version 1.60 and above may share the same boot
code and therefore the same defect; this has not been confirmed
There is a programming error in the BIOS when the Master Boot Record (MBR)
is searched for the bootable disk partition. The error in the BIOS code
results in only the first slot in the MBR partition table being tested for
the active partition. Where the active partition is not described in the
first slot of the MBR table, the BIOS ignores the remaining slots and
searches other devices for a boot mechanism and in consequence fails to
start the Operating System.
The BIOS seeks to validate the contents of the MBR and the boot sector in
the active partition to achieve confidence in the integrity of the boot
mechanism. At various points on the start-up sequence the BIOS reads the
MBR from disk and tests the data therein. In at least one case, the BIOS
sets out to test all 4 entries in the MBR partition table but due to
treating an absolute pointer as one relative to the start of the MBR, it
drops out of the loop after the first iteration. Slots 2, 3 and 4 are
never examined and the active partition not found.
Specifically, the loop tests for the end of the partition table by comparing
its pointer with 510, the offset within the 512-byte MBR at which the table
ends and the 55AAh boot signature begins. In the ACPI version, however, the
pointer is loaded with the absolute address of the table (the MBR load
address plus the table's offset within the MBR), so from the outset it holds
a value far larger than the size of the MBR. If the boot indicator byte of
the first slot is not 80h, the pointer is advanced by one slot and
immediately compared against 510; the comparison reports end-of-table, and
slots 2, 3 and 4 are never examined.
The problem can be seen in the following sequence, in which the MBR is read
into the boot address 0000:7C00h and then scanned for an active partition:

        xor  bx, bx            ;zero BX
        mov  es, bx
        mov  bx, 7C00h         ;buffer address ES:BX set to 0000:7C00h
        mov  cx, 1             ;CH = cylinder 0, CL = sector 1
        xor  dh, dh            ;head 0
        mov  dl, 80h           ;first hard disk drive
        mov  ax, 0201h         ;AH = 02h read sectors, AL = 1 sector
        int  13h               ;call BIOS disk service to read the MBR; success assumed
        add  bx, 446           ;ES:BX points to the partition table in the MBR (BX = 7DBEh)
NextSlot:
        cmp  byte ptr es:[bx], 80h ;is this slot bootable?
        je   ActiveOk          ;yes, drop out of loop
        add  bx, 16            ;advance one 16-byte slot (BX becomes 7C00h+446+16 = 7DCEh)
        cmp  bx, 510           ;end of slot table reached? error: compares the absolute
                               ;pointer with an MBR-relative limit; should be cmp bx, 7C00h+510
        jb   NextSlot          ;no, look at next entry - branch never taken
        stc                    ;set "no active partition found" status
        ret
ActiveOk:
        clc                    ;set "active partition found" status
        ret
The system will not boot. Standard partition tools report the MBR as valid,
because it is: an active partition in slot 2, 3 or 4 is a perfectly legitimate
layout. Unless the help-desk engineer is aware of this BIOS error, the fault
cannot be diagnosed. The impact is therefore denial of service: the system
will not boot even though nothing is wrong with the contents of the hard
disk.
The error in the BIOS code means that any workstation using this version of
the BIOS can be configured so that the bootable partition is described in a
slot other than the first of the MBR partition table, after which it will
not boot. An attacker with the privileges needed to rewrite the MBR can make
this change at any time during an operating session and leave the
workstation unable to reboot afterwards. The nature of the fault means that
it is very difficult to identify and may leave the workstation inoperable
for an extended period of time.
Disclosure Timeline:
Toshiba were notified initially by email; as no response was received, this
was followed up by telephone on Friday 4-Feb-2005 and again on Wednesday
23-Feb-2005.
Vendor Status:
The A60 laptop works with its supplied configuration; the fault was not
recognized. The reference supplied by Toshiba is 1-585 92244. When the fault
was reported again on 23-Feb-2005 a new fault reference, 1-165 162202, was
supplied, but no technical response was provided by Toshiba.
Workaround:
Either the BIOS code must be corrected by the manufacturer, or a monitoring
mechanism must be installed to detect any reconfiguration of the partition
table that would trigger the fault. Validating, and if necessary correcting,
the contents of the MBR at system shutdown is a minimum requirement in these
circumstances.
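As an added worked example (not part of the advisory, and not Toshiba's or Portcullis's code), the following C program models the two partition-table scans described in DETAILS, the buggy absolute-versus-relative comparison beside the correct one, and implements the MBR check the workaround above calls for: it reports whether a given MBR has its active partition in a slot other than the first, which is the layout the affected BIOS fails to boot. With no argument it runs on a constructed sample MBR; given a filename it reads the first 512 bytes of that file (for example a copy of sector 0 taken with dd). The 7C00h load address is taken from the advisory's listing; the sample MBR's other field values are placeholders and are assumptions of the model, since only the boot indicator byte, the table offsets and the signature matter to the scan.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE      512
#define PT_OFFSET     446    /* partition table occupies bytes 446..509 */
#define PT_ENTRY_SIZE 16
#define PT_ENTRIES    4
#define SIG_OFFSET    510    /* 55AAh boot signature follows the table */
#define BOOT_ACTIVE   0x80   /* boot indicator byte of an active entry */
#define LOAD_ADDR     0x7C00 /* where the advisory's listing loads the MBR */

/* Correct scan: walk the four slots with offsets relative to the start of
   the MBR, so the end-of-table test against 510 is meaningful.
   Returns the 0-based slot index of the active entry, or -1 if none. */
static int find_active_correct(const uint8_t mbr[MBR_SIZE])
{
    for (size_t off = PT_OFFSET; off < SIG_OFFSET; off += PT_ENTRY_SIZE)
        if (mbr[off] == BOOT_ACTIVE)
            return (int)((off - PT_OFFSET) / PT_ENTRY_SIZE);
    return -1;
}

/* Buggy scan modelled on the advisory's listing: the pointer holds the
   absolute address 7C00h+446 = 7DBEh but is compared with the MBR-relative
   limit 510, so after the first slot the loop condition is already false. */
static int find_active_buggy(const uint8_t mbr[MBR_SIZE])
{
    uint16_t bx = LOAD_ADDR + PT_OFFSET;
    int slot = 0;
    do {
        if (mbr[bx - LOAD_ADDR] == BOOT_ACTIVE) /* cmp byte ptr es:[bx], 80h */
            return slot;
        bx += PT_ENTRY_SIZE;                    /* add bx, 16 */
        slot++;
    } while (bx < SIG_OFFSET);                  /* cmp bx, 510 / jb: never taken */
    return -1;                                  /* stc: not found */
}

/* Workaround check: nonzero if this is a signed MBR whose active partition
   sits in slot 2, 3 or 4, i.e. the layout the affected BIOS fails to boot.
   A missing signature or no active entry is a different problem. */
static int mbr_triggers_bug(const uint8_t mbr[MBR_SIZE])
{
    if (mbr[SIG_OFFSET] != 0x55 || mbr[SIG_OFFSET + 1] != 0xAA)
        return 0;
    return find_active_correct(mbr) > 0;
}

/* Constructed sample MBR (not from a real disk): the active flag goes in
   active_slot (0..3, or -1 for none); the other fields are placeholders. */
static void make_sample_mbr(uint8_t mbr[MBR_SIZE], int active_slot)
{
    memset(mbr, 0, MBR_SIZE);
    for (int i = 0; i < PT_ENTRIES; i++) {
        uint8_t *e = mbr + PT_OFFSET + i * PT_ENTRY_SIZE;
        e[0] = (i == active_slot) ? BOOT_ACTIVE : 0x00; /* boot indicator */
        e[4] = 0x83;                                    /* type byte, arbitrary */
    }
    mbr[SIG_OFFSET] = 0x55;
    mbr[SIG_OFFSET + 1] = 0xAA;
}

/* Helpers for experiments: build a sample and report what each scan finds. */
static int scan_sample(int active_slot, int use_buggy_scan)
{
    uint8_t mbr[MBR_SIZE];
    make_sample_mbr(mbr, active_slot);
    return use_buggy_scan ? find_active_buggy(mbr) : find_active_correct(mbr);
}

static int sample_triggers_bug(int active_slot)
{
    uint8_t mbr[MBR_SIZE];
    make_sample_mbr(mbr, active_slot);
    return mbr_triggers_bug(mbr);
}

int main(int argc, char **argv)
{
    uint8_t mbr[MBR_SIZE];
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL; /* e.g. dd bs=512 count=1 output */
    if (argc > 1 && (f == NULL || fread(mbr, 1, MBR_SIZE, f) != MBR_SIZE)) {
        perror(argv[1]);
        return 2;
    }
    if (f) fclose(f); else make_sample_mbr(mbr, 1);  /* sample: active in slot 2 */
    printf("correct scan: slot %d, buggy scan: slot %d (0 = none found)\n",
           find_active_correct(mbr) + 1, find_active_buggy(mbr) + 1);
    printf("layout triggers the BIOS fault: %s\n", mbr_triggers_bug(mbr) ? "yes" : "no");
    return mbr_triggers_bug(mbr) ? 1 : 0;
}
```

Run from a shutdown script against a copy of sector 0, a nonzero exit status flags the condition before the next reboot. The example only detects and does not rewrite: moving the active entry into slot 1 avoids the BIOS fault, but it changes the order of the table entries, and on Linux that order determines the primary partition numbering (sda1..sda4), so boot loader configuration and fstab would have to be checked before any such correction.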
ADDITIONAL INFORMATION
The information has been provided by Paul J Docherty
<PJD@portcullis-security.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.