
[thomas@cuivre.fr.eu.org: Important security hole: mbr allows anyone to boot from a floppy.]

This is #56821 in the BTS.

----- Forwarded message from Thomas Quinot <thomas@cuivre.fr.eu.org> -----

From: Thomas Quinot <thomas@cuivre.fr.eu.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Important security hole: mbr allows anyone to boot from a floppy.
X-Reportbug-Version: 0.48
X-Mailer: reportbug 0.48
Date: Tue, 01 Feb 2000 19:29:48 +0100

Package: boot-floppies
Version: 2.2.5
Severity: critical

During installation, boot-floppies sets up an MBR using /sbin/install-mbr.
The installed mbr allows a user to boot from a floppy by pressing any
key, then typing "F" at the prompt. Any password protection or
boot restriction defined in lilo.conf can thus be bypassed. There
should be prominent warnings in the installation procedure to
inform administrators that choosing the default choice for MBR
installation (which is to use /sbin/install-mbr) grants root privileges
to all users with access to the console.

This is a very serious security problem; several machines at this
site have been compromised because of it. This report
is therefore graded "critical" and will be forwarded to debian-security.

-- System Information
Debian Release: potato
Architecture: i386
Kernel: Linux melchior 2.2.13 #1 mer nov 3 16:09:02 CET 1999 i586

----- End forwarded message -----

