Bugtraq mailing list archives

Re: Possible Linuxconf Vulnerability

From: harik () CHAOS AO NET (Dan Merillat)
Date: Wed, 5 May 1999 07:46:55 -0400


Neale Banks writes:

On Sat, 1 May 1999, Desync wrote:

If someone really wanted to do some damage with physical access to a
machine, popping a rescue disk set into the drive and rebooting with the
reset switch would do fine.


Agreed: there is much to be said for the assertion "physical access ==
game over".


Keyboard + monitor != floppy drive + reset switch.

It's simple enough to secure a system inside a locked cabinet and only have
a keyboard and monitor outside.  Furthermore, if you put a bios setup password
(and binary edit your flash to change the !@#!@# backdoor password) and password
lock your boot manager (in this case, it would be LILO)  someone with
keyboard access cannot do anything.   Unless, of course, a braindead boot-script
gives them some kind of root access.

Another (generally fixed now) example would be boot-time fsck(8).

Administrators take heed:  Read your bootscripts.  Make sure they "Do the Right Thing"
in case of errors.

--Dan

Current thread:

Re: Possible Linuxconf Vulnerability Desync (May 01)
- Re: Possible Linuxconf Vulnerability Patrick J. Volkerding (May 01)
- Re: Possible Linuxconf Vulnerability Neale Banks (May 03)
- FW: NT Security: Domain user adding self to Domain Admin group. Gary Kalbfleisch (May 03)
- MSIE 5 favicon bug Flavio Veloso (May 03)
- <Possible follow-ups>
- Re: Possible Linuxconf Vulnerability Dan Merillat (May 05)