Bugtraq mailing list archives
vulnerability in Linux Debian default boot configuration
From: beyssac () ENST FR (Pierre Beyssac)
Date: Wed, 2 Feb 2000 11:39:37 +0100
The recent stable releases (at least 2.0, 2.1 and soon-to-be-released 2.2 -- Hamm, Slink and Potato) of the Debian Linux distributions use a dangerous MBR in their default installation. Maybe this applies to older releases as well but I haven't been able to check these. When the SHIFT key is pressed during the boot, the installed MBR displays the string "1FA:" then waits for a keypress. It then boots a floppy if the F key is pressed, bypassing any security measures. This happens: - regardless of the BIOS configuration (even with floppy boot disabled and password-protected configuration). - regardless of Lilo (or other) configuration: this happens before Lilo is even started, so putting a password on Lilo is of no use. Since this MBR is installed by default during the installation (unless the user chooses to keep the previous MBR, which is not the natural choice for an installation from scratch, and is not the default choice anyway), many sites are probably vulnerable even though they have taken the usual steps to prevent tampering with the boot process. Quick fix: use Lilo's MBR by putting "boot=/dev/hda" (or equivalent) instead of "boot=/dev/hda1" in your Lilo configuration to install a barebones MBR. Thanks to Patrice PiƩtu <Patrice.Pietu () enst fr>, Thomas Quinot <Thomas.Quinot () enst fr> and Samuel Tardieu <Samuel.Tardieu () enst fr> for their help in tracking down the source of this problem and finding a fix. [ Note: this has been registered as Debian bug ID 56821, but has just been downgraded as a mere "wishlist" item, so clearly it is not given the attention it deserves. ] -- Pierre Beyssac pb () enst fr
Current thread:
- Re: SyGate 3.11 Port 7323 / Remote Admin hole Brian Hampson (Jan 31)
- <Possible follow-ups>
- Re: SyGate 3.11 Port 7323 / Remote Admin hole Russ (Feb 01)
- war-ftpd 1.6x DoS Toshimi Makino (Jan 31)
- Re: war-ftpd 1.6x DoS Jarle Aase (Feb 02)
- [xforce () iss net: ISSalert: ISS E-Security Alert: Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications] Patrick Oonk (Feb 01)
- SV: SyGate 3.11 Port 7323 / Remote Admin hole Sani Huttunen (Feb 01)
- vulnerability in Linux Debian default boot configuration Pierre Beyssac (Feb 02)
- [Debian] New version of apcd released Aleph One (Feb 02)
- Webspeed security issue George (Feb 03)
- war-ftpd 1.6x DoS Toshimi Makino (Jan 31)