Vulnerability Development mailing list archives
Advisory on (Award) BIOS default/backdoor passwords (edited)
From: Bluefish <11a () GMX NET>
Date: Sat, 29 Jul 2000 14:41:05 +0200
I've updated my advisory, it contains some new information (and a few less typos).

Advisory on (Award) BIOS default/backdoor passwords
===================================================

Author:  bluefish () 11a nu   http://bluefish.11a.nu/
Created: 2000-07-18 (%Y-%m-%d)
Last ed: 2000-07-29 (%Y-%m-%d)

The author does not make any claims of correctness, lack of typos or
responsibility for usage etc, etc. Any error is probably due to lack of
coffee.

Abstract
========

The recent search for default/backdoor passwords on security mailing lists
such as vuln-dev and bugtraq has uncovered suspiciously long lists of
passwords for BIOSes, mainly for Award BIOS. As suspected, some of them are
false or "duplicates". This advisory is intended to help maintainers of such
lists avoid listing them.

These passwords are fundamental tools in numerous situations, from doing
security reviews (verifying whether you are vulnerable to them) and fixing
computers after password loss or CMOS corruption, to simplifying malicious
attacks. Either way, error-free lists make everyone's life easier.

Summary
=======

I've identified three kinds of mistakes in published lists regarding BIOSes:

(a) Software incorrectly listed as passwords. "KILLCMOS", "CMOSPWD" and
    "BIOS310" were noted; these are well-known password recovery tools, not
    passwords.

(b) "Duplicates" of one and the same Award password. A "duplicate" is a
    password whose Award hash equals that of another, already listed,
    password. More about this later in the advisory.

(c) Award hashes accidentally listed as plaintext passwords. 1EAAh is such an
    example: it is not a password, it is an Award hash.

Introduction to the Award hash (message digest algorithm)
=========================================================

As the main developer of "!BIOS", one of the BIOS password recovery tools
widely available, I investigated the Award BIOS years ago and it was one of
my first attacks against a simple cryptographic system.

It turns out that it is extremely weak: the message digest is only 16 bits
and the algorithm consists of two rotations and one addition for each
character. Because of its weakness, a few thousand passwords will evaluate
to each hash. Thus the "duplicates". To the best of my knowledge, "!BIOS" was
the first cracker which cracked this version of Award, but since then several
others have successfully attacked it, most successfully the code by Jan
Stohner, "pwdigit", which is now included in "!BIOS". Additionally, we later
reverse engineered some parts of the F000 memory segment and derived a copy
of the original algorithm.

On Award 4.50, these passwords aren't merely default passwords, but backdoor
passwords which will override any admin or user password. On some systems
this hash is readable at FEC60; "!BIOS", among other tools, can decipher it.

In some newer Awards the algorithm is only used for user/admin passwords and
another routine (a one-to-one cipher, not a hash) is used to store the
backdoor password. It seems all Award 4.51PG and later versions use the new
algorithm, and most manufacturers don't enable the backdoor on those
computers. However, "!BIOS" can decipher such passwords as well.

List of "duplicate" Award passwords
===================================

I've identified the following "duplicates":

Duplicates with hash 1EAA: 01322222, 589589, 589721, zjaaadc, AWARD_SW
Duplicates with hash 16AA: g6PJ, h6BB, j09F, j256, j262, j322
Duplicates with hash 7409: CONCAT, djonet, efmukl
Duplicates with hash BEA2: TTPTHA, ttptha, ZAAADA

(The input is upper-cased before hashing, as the ptToAw tool below does, so
TTPTHA and ttptha are one and the same password.)

Keyboard layout duplicates & typos: award_ps, AWARD_PW, award.sw, AWARD?SW,
award_?

I suspect that the last passwords are replaceable with any of the 1EAA
duplicates as well, although they don't evaluate to 1EAA. I believe they are
either typos or variants for different keyboard layouts (Award BIOS assumes
an American standard keyboard). As an example, underscore ("_") is a question
mark ("?") on both Swedish and German keyboards.

Therefore, list maintainers should avoid (if possible) listing passwords
containing any character not from the following set: [A-X, 0-9]
(Y and Z trade places on German QWERTZ keyboards, so they are left out too).

Tool used to identify "duplicates"
==================================

I created a simple program in Java which takes a password from the
command-line and then tells you the hash corresponding to it. I used it
together with the following command:

    cat awpass.txt | awk '{ print "java ptToAw " $1 }' | sh

The file ptToAw.java (short for "plaintext to Award hash") is quite simple:

    public class ptToAw {

        /* Award hash: for every character, rotate the 16-bit state left
           twice and add the character code. Input is trimmed and
           upper-cased first. */
        public static short awardEncipher(String s) {
            short ax, bx, cx;
            ax = bx = 0;
            s = s.trim().toUpperCase();
            for (cx = 0; cx < s.length(); cx++) {
                ax = (short) s.charAt(cx);
                bx = rol_1(rol_1(bx));
                bx = (short) (ax + bx);
            }
            return bx;
        }

        /* 16-bit rotate left by one: the old top bit becomes the new low bit. */
        private static short rol_1(short x) {
            return (short) ((x << 1) ^ ((x >> 15) & 1));
        }

        public static void main(String[] argv) {
            int md, i;
            for (i = 0; i < argv.length; i++) {
                md = awardEncipher(argv[i]) & 0xFFFF;   /* drop sign extension */
                System.out.println(Integer.toHexString(md) + " :: " + argv[i]);
            }
        }
    }

References and credits
======================

Thanks & credits go to

* Nicolas Rachinsky for comments on the first edition of this advisory,
  esp. regarding non-American keyboards.
* Nathan Einwechter, for compiling a list of known BIOS passwords. Nathan can
  be reached at psychospy () softhome net; please notify him if you are aware
  of any BIOS passwords.
* People maintaining the default/backdoor password lists on the net.
* bugtraq & vuln-dev posters participating in the disclosure of
  default/backdoor passwords.

Links related to this advisory

* The original Award algorithm, "!BIOS", etc. can be found at:
  http://www.11a.nu/
* default/backdoor password lists can be found at:
  http://www.phenoelit.de/dpl/ (maintained by dev () phenoelit de)
* vuln-dev and bugtraq archives can be found at:
  http://www.securityfocus.com/

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu eleventh alliance development & security team
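The same digest in Python, as an added example that is not code from the advisory or from !BIOS: it reimplements the two-rotate-one-add algorithm described above, groups a list of candidate passwords by hash to flag "duplicates" (what the ptToAw/awk pipeline does by hand), and, because every step bx = rol2(bx) + c is invertible, walks backwards from a target hash to construct fresh collisions by meet-in-the-middle over the advisory's layout-safe set [A-X, 0-9]. The candidate list is assembled from the advisory's own lists plus one wrongly listed tool name, and the six-character search length is an assumption chosen for illustration.

```python
"""Award BIOS 16-bit password hash: duplicate detection and collision
construction.  Added example; not code from the advisory or from !BIOS."""
from collections import defaultdict
from itertools import product

MASK = 0xFFFF
# The advisory's layout-safe set [A-X, 0-9]: underscore, Y and Z differ
# between US and Swedish/German keyboards, so they are excluded.
SAFE_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWX0123456789"


def rol16(x, n):
    """Rotate a 16-bit value left by n bits."""
    x &= MASK
    return ((x << n) | (x >> (16 - n))) & MASK


def ror16(x, n):
    """Rotate a 16-bit value right by n bits (inverse of rol16)."""
    x &= MASK
    return ((x >> n) | (x << (16 - n))) & MASK


def absorb(state, text):
    """Feed characters into the digest: per character, two rotate-lefts
    of the 16-bit state followed by adding the character code."""
    for ch in text:
        state = (rol16(state, 2) + ord(ch)) & MASK
    return state


def award_hash(password):
    """Hash a password the way the advisory's ptToAw tool does: trim,
    upper-case, then absorb from a zero state."""
    return absorb(0, password.strip().upper())


def group_by_hash(passwords):
    """Map hash -> passwords, keeping only hashes hit by more than one
    entry; those entries are the advisory's 'duplicates'."""
    groups = defaultdict(list)
    for pw in passwords:
        groups[award_hash(pw)].append(pw)
    return {h: pws for h, pws in groups.items() if len(pws) > 1}


def preimages(target, free=6, prefix="", charset=SAFE_CHARS):
    """Every string prefix + <free chars from charset> hashing to target.

    Each digest step is invertible (state_before = ror2(state_after - c)),
    so the tail half of the unknown characters is walked backwards from
    the target and matched, meet-in-the-middle, against forward states of
    the head half: about 2 * len(charset)**(free/2) steps instead of
    len(charset)**free.  'free' and 'prefix' are illustration parameters.
    """
    target &= MASK
    prefix = prefix.strip().upper()
    k_head, k_tail = free // 2, free - free // 2
    start = absorb(0, prefix)

    forward = defaultdict(list)          # state after head -> heads
    for head in product(charset, repeat=k_head):
        head = "".join(head)
        forward[absorb(start, head)].append(head)

    found = []
    for tail in product(charset, repeat=k_tail):
        tail = "".join(tail)
        state = target
        for ch in reversed(tail):        # undo the tail, last char first
            state = ror16((state - ord(ch)) & MASK, 2)
        for head in forward.get(state, ()):
            found.append(prefix + head + tail)
    return sorted(found)


if __name__ == "__main__":
    # Constructed sample list: the advisory's duplicates plus a tool name
    # that was wrongly listed as a password.
    candidates = ["01322222", "589589", "589721", "zjaaadc", "AWARD_SW",
                  "g6PJ", "h6BB", "CONCAT", "djonet", "KILLCMOS"]
    for h, pws in sorted(group_by_hash(candidates).items()):
        print("%04X :: %s" % (h, ", ".join(pws)))
    hits = preimages(0x1EAA)
    print("%d six-character [A-X0-9] passwords hash to 1EAA, e.g. %s"
          % (len(hits), ", ".join(hits[:5])))
```

Running it prints the three duplicate groups from the advisory's list (KILLCMOS lands in no group) and then the number of six-character passwords over the safe set that collide with AWARD_SW; 589589 and 589721 from the advisory's list are among them, and every other hit is just as good wherever those 1EAA duplicates work. The backwards walk is what makes the digest useless as a password store: given only the 16-bit value, a collision of any chosen length and alphabet is a small table lookup away.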