
[Debian]:(fwd) [BUGTRAQ] vulnerability in Linux Debian default boot configuration



Hello!

The following just came in on Bugtraq. I think many of you already
know about it, but there are surely many people who don't know it yet.

 Cheers,
        Thomas

PS: I find it terrible that they only filed this on the wishlist,
    and not in the bug list.

----- Forwarded message from Pierre Beyssac <beyssac@ENST.FR> -----
Date:         Wed, 2 Feb 2000 11:39:37 +0100
From: Pierre Beyssac <beyssac@ENST.FR>
Subject:      [BUGTRAQ] vulnerability in Linux Debian default boot configuration
To: BUGTRAQ@SECURITYFOCUS.COM

The recent stable releases (at least 2.0, 2.1 and soon-to-be-released
2.2 -- Hamm, Slink and Potato) of the Debian Linux distributions
use a dangerous MBR in their default installation. Maybe this
applies to older releases as well but I haven't been able to check
these.

When the SHIFT key is pressed during the boot, the installed MBR
displays the string "1FA:" then waits for a keypress. It then boots
a floppy if the F key is pressed, bypassing any security measures.

This happens:
	- regardless of the BIOS configuration (even with floppy
	  boot disabled and password-protected configuration).
	- regardless of Lilo (or other) configuration: this happens
	  before Lilo is even started, so putting a password on
	  Lilo is of no use.

Since this MBR is installed by default during the installation
(unless the user chooses to keep the previous MBR, which is not
the natural choice for an installation from scratch, and is not
the default choice anyway), many sites are probably vulnerable even
though they have taken the usual steps to prevent tampering with
the boot process.

Quick fix: use Lilo's MBR by putting "boot=/dev/hda" (or equivalent)
instead of "boot=/dev/hda1" in your Lilo configuration to install
a barebones MBR.

Thanks to Patrice Piétu <Patrice.Pietu@enst.fr>, Thomas Quinot
<Thomas.Quinot@enst.fr> and Samuel Tardieu <Samuel.Tardieu@enst.fr>
for their help in tracking down the source of this problem and
finding a fix.

[ Note: this has been registered as Debian bug ID 56821, but has
  just been downgraded as a mere "wishlist" item, so clearly it is
  not given the attention it deserves. ]
----- End forwarded message -----

-- 
Thomas Bader <thomasb@trash.net>, Powered by LINUX 2.2
Info and tips on Linux, HOWTOs of the DLHP <http://www.t-bader.ch/>
=> "If the box says 'Windows 95 or better', it should run on Linux, right?" 
						-anon 
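
A small audit for the quick fix in the forwarded message, added here as an example (not part of the original mail or of Debian's tooling): it reads a lilo.conf and reports whether boot= names a whole disk, so that Lilo's own MBR is installed, or a partition, which leaves a separate MBR in charge of the first boot stage. The hdX/sdX device-name patterns, the result labels and the two sample configurations are assumptions constructed for the example.

```python
import re

# Assumption: classic IDE/SCSI names only (hda, sdb, hda1, ...).
WHOLE_DISK = re.compile(r"^/dev/[hs]d[a-z]$")
PARTITION = re.compile(r"^/dev/[hs]d[a-z][0-9]+$")

# Constructed samples: the layout the advisory warns about, and the quick fix.
SAMPLE_PARTITION = """\
# Lilo goes into the partition boot sector; another MBR chain-loads it
boot=/dev/hda1
root=/dev/hda1
image=/vmlinuz
    label=Linux
"""
SAMPLE_DISK = SAMPLE_PARTITION.replace("boot=/dev/hda1", "boot=/dev/hda")


def lilo_boot_target(conf_text):
    """Return the value of the global boot= option, or None if it is absent."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if key in ("image", "other"):
            break                                 # global section is over
        if key == "boot" and sep:
            return value.strip().strip('"')
    return None


def classify(conf_text):
    """Label a lilo.conf by where Lilo's boot sector is written."""
    target = lilo_boot_target(conf_text)
    if target is None:
        return "unset"            # no explicit boot=, review by hand
    if WHOLE_DISK.match(target):
        return "lilo-in-mbr"      # the quick fix: Lilo's barebones MBR
    if PARTITION.match(target):
        return "separate-mbr"     # some other MBR runs before Lilo
    return "unknown"              # e.g. RAID or floppy devices


if __name__ == "__main__":
    for name, text in (("partition", SAMPLE_PARTITION), ("disk", SAMPLE_DISK)):
        print(name, lilo_boot_target(text), classify(text))
```

A "separate-mbr" result only says that Lilo is not the first-stage loader; which MBR is actually on the disk still has to be checked on the machine.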