Vulnerability Development mailing list archives

Advisory on (Award) BIOS default/backdoor passwords (edited)


From: Bluefish <11a () GMX NET>
Date: Sat, 29 Jul 2000 14:41:05 +0200

I've updated my advisory; it contains some new information (and a few fewer
typos).

Advisory on (Award) BIOS default/backdoor passwords
===================================================

 Author:  bluefish () 11a nu
          http://bluefish.11a.nu/

 Created: 2000-07-18 (%Y-%m-%d)
 Last ed: 2000-07-29 (%Y-%m-%d)

 The author does not make any claims of correctness, lack of typos or
 responsibility for usage etc, etc. Any error is probably due to lack
 of coffee.

Abstract
========

 The recent search for default/backdoor passwords on security mailing lists
 such as vuln-dev and bugtraq has uncovered suspiciously long lists of
 passwords for BIOSes, mainly for Award BIOS. As suspected, some of them
 are false or 'duplicates'. This advisory is intended to help maintainers
 of such lists avoid listing such entries.

 These passwords are fundamental tools in numerous situations, everything
 from doing security reviews (verifying whether you are vulnerable to
 them) and fixing computers after password loss or CMOS corruption, to
 simplifying malicious attacks. Either way, error-free lists make
 everyone's life easier.


Summary
=======

 I've identified three kinds of mistakes in published lists regarding
 BIOSes:

 (a) Software incorrectly listed as passwords. "KILLCMOS", "CMOSPWD"
     and "BIOS310" were noted; these are well-known password recovery
     tools, not passwords.

 (b) "Duplicates" of one and the same Award password. A "duplicate" is a
     password which has the same Award hash as other, already listed,
     passwords. More about this later in the advisory.

 (c) Award hashes accidentally listed as plaintext passwords. 1EAAh is such
     an example: it is not a password, it is an Award hash.


Introduction to the Award Hash (message digest algorithm)
=========================================================

 As the main developer of "!BIOS", one of the BIOS password recovery tools
 widely available, I investigated the Award BIOS years ago and it was one
 of my first attacks against a simple cryptographic system.

 It turns out that it is extremely weak: the message digest is only 16 bits
 and the algorithm used is made up of two rotations and one addition for
 each character. Because of its weakness, a few thousand passwords will
 evaluate to each hash. Thus the "duplicates".

 To the best of my knowledge, "!BIOS" was the first cracker which cracked
 this version of Award, but since then several others have successfully
 attacked it, most successfully the code by Jan Stohner, "pwdigit", which
 is now included in "!BIOS". Additionally, we later reverse engineered
 some parts of the F000 memory segment and derived a copy of the original
 algorithm.

 On Award 4.50, these passwords aren't merely default passwords, but
 backdoor passwords which will override any admin or user password. On
 some systems this hash is readable at FEC60; "!BIOS", among other tools,
 can decipher it.

 In some newer Awards the algorithm is only used for user/admin passwords
 and another routine (a one-to-one cipher, not a hash) is used to store the
 backdoor password. It seems all Award 4.51PG and later versions use the
 new algorithm, and most manufacturers don't enable the backdoor on those
 computers. However, "!BIOS" can decipher such passwords as well.


List of "duplicate" Award passwords
===================================

 I've identified the following "duplicates":

 Duplicates with hash 1EAA:
 01322222, 589589, 589721, zjaaadc, AWARD_SW

 Duplicates with hash 16AA:
 g6PJ, h6BB, j09F, j256, j262, j322

 Duplicates with hash 7409:
 CONCAT, djonet, efmukl

 Duplicates with hash BEA2:
 TTPTHA, ttptha, ZAAADA

 Keyboard layout duplicates & typos:
 award_ps, AWARD_PW, award.sw, AWARD?SW, award_?

 I suspect that the last passwords are replaceable with any of the
 1EAA duplicates as well, although they don't evaluate to 1EAA.

 I believe they are either typos or variants for different keyboard
 layouts (Award BIOS assumes American standard keyboards). As an example,
 underscore ("_") is a question mark ("?") on both Swedish and German
 keyboards. Therefore, list maintainers should avoid (if possible)
 listing passwords containing any character not from the following set:
 [A-X, 0-9]


Tool used to identify "duplicates":
===================================

 I created a simple program in Java which takes a password from the
 command line and then tells you the hash corresponding to it. I used it
 together with the following command:

    cat awpass.txt | awk '{ print "java ptToAw " $1 }' | sh

 The file ptToAw.java (short for "plaintext to award hash") is quite
 simple:

   public class ptToAw {
     // 16-bit Award hash: for every character, rotate the running value
     // left by two bits (two single-bit rotations) and add the character.
     public static short awardEncipher(String s) {
       short ax, bx, cx;
       ax = bx = 0;
       s = s.trim().toUpperCase();
       for (cx=0; cx<s.length(); cx++) {
         ax = (short) s.charAt(cx);
         bx = rol_1(rol_1(bx));
         bx = (short) (ax+bx);
       }
       return bx;
     }
     // 16-bit rotate left by one: bit 15 (the sign bit of the short,
     // recovered via the arithmetic shift) is carried into bit 0.
     private static short rol_1(short x) {
       return (short) ((x<<1)^((x>>15)&1));
     }
     public static void main(String[] argv) {
       int md, i;
       for (i=0; i<argv.length; i++) {
         // mask to 16 bits so negative shorts print as a plain hex hash
         md = awardEncipher(argv[i]) & 0xFFFF;
         System.out.println(Integer.toHexString(md)+
                                    " :: "+argv[i]);
       }
     }
   }
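 As an added example (not part of the original advisory or the "!BIOS"
 tool), the following Python script ports the 16-bit Award hash described
 in the introduction (rotate left by two, add the character, uppercase the
 input as the Java tool does) and uses it the way a list maintainer would:
 it re-checks every "duplicate" group the advisory lists, and it buckets an
 arbitrary candidate list by hash so that colliding entries are found
 automatically rather than by eyeballing the awk/java output above. The
 names award_hash, rol16, group_by_hash, find_duplicates and check_groups
 are this example's own; the password groups and expected hashes are the
 advisory's.

```python
# Added example, not the advisory's own code: Python port of the 16-bit
# Award BIOS password hash plus a duplicate finder for password lists.

def rol16(x: int, n: int) -> int:
    """Rotate a 16-bit value left by n bits (0 < n < 16)."""
    x &= 0xFFFF
    return ((x << n) | (x >> (16 - n))) & 0xFFFF


def award_hash(password: str) -> int:
    """Award hash as described in the advisory: per character,
    bx = rol(bx, 2) + char, kept to 16 bits. Input is trimmed and
    uppercased, mirroring the Java tool's trim().toUpperCase()."""
    bx = 0
    for ch in password.strip().upper():
        bx = (rol16(bx, 2) + ord(ch)) & 0xFFFF
    return bx


# The "duplicate" groups listed in the advisory (expected hash -> passwords).
DUPLICATE_GROUPS = {
    0x1EAA: ["01322222", "589589", "589721", "zjaaadc", "AWARD_SW"],
    0x16AA: ["g6PJ", "h6BB", "j09F", "j256", "j262", "j322"],
    0x7409: ["CONCAT", "djonet", "efmukl"],
    0xBEA2: ["TTPTHA", "ttptha", "ZAAADA"],
}


def check_groups(groups=DUPLICATE_GROUPS):
    """Return [(password, expected, computed)] for every entry whose
    computed hash differs from the hash the list claims; [] means the
    list is consistent with the algorithm."""
    mismatches = []
    for expected, passwords in groups.items():
        for pw in passwords:
            got = award_hash(pw)
            if got != expected:
                mismatches.append((pw, expected, got))
    return mismatches


def group_by_hash(passwords):
    """Bucket candidate passwords by their Award hash (insertion order kept)."""
    buckets = {}
    for pw in passwords:
        buckets.setdefault(award_hash(pw), []).append(pw)
    return buckets


def find_duplicates(passwords):
    """Only the buckets holding more than one entry: these are the
    'duplicates' in the advisory's sense (same hash, so interchangeable
    on a BIOS that checks the 16-bit digest)."""
    return {h: pws for h, pws in group_by_hash(passwords).items() if len(pws) > 1}


if __name__ == "__main__":
    # Constructed candidate list: two real duplicates plus a keyboard
    # layout variant from the advisory that does NOT hash to 1EAA.
    candidates = ["g6PJ", "j322", "CONCAT", "AWARD_SW", "AWARD_PW"]
    for pw in candidates:
        print(f"{award_hash(pw):04X} :: {pw}")
    print("duplicates:", {f"{h:04X}": v for h, v in find_duplicates(candidates).items()})
    print("advisory groups inconsistent with the algorithm:", check_groups())
```

 Running the script prints one "HASH :: password" line per candidate, in
 the same shape as the Java tool, and then the collision buckets; with the
 constructed list above only the 16AA bucket (g6PJ, j322) is reported, and
 AWARD_PW is shown to hash to a value other than 1EAA, which is the
 advisory's point about keyboard layout variants.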


References and credits:
=======================
  Thanks & credits go to

    * Nicolas Rachinsky for comments on the first edition of this
      advisory, esp. regarding non-American keyboards.

    * Nathan Einwechter, for compiling a list of known BIOS passwords.
      Nathan can be reached at psychospy () softhome net, please notify
      him if you are aware of any BIOS passwords.

    * People maintaining the default/backdoor password lists on the net.

    * bugtraq & vuln-dev posters participating in the disclosure of
      default/backdoor passwords.

  Links related to this advisory

    * The original Award algorithm, "!BIOS", etc can be found at:
        http://www.11a.nu/

    * default/backdoor password lists can be found at:
        http://www.phenoelit.de/dpl/ (maintained by dev () phenoelit de)

    * vuln-dev and bugtraq archives can be found at:
        http://www.securityfocus.com/

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
