Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: PC Hacks :: bios7.htm

Latitude C800 BIOS Suspend to Disk problems



COMMAND

    Latitude C800 BIOS

SYSTEMS AFFECTED

    Latitude C800 BIOS

PROBLEM

    Bernhard Rosenkraenzer found following.   There's a major  problem
    with the  Latitude C800  BIOS, originally  noted in  revision A09,
    still present in A13 and probably all prior releases.  When  using
    suspend to disk, the Latitude BIOS dumps the system status to  the
    suspend to  disk partition  and prepends  an OS  loader code,  and
    toggles the active bit on the suspend to disk partition.

    If DOS or a sufficiently  similar system is installed, the  master
    boot record will boot anything that  has the active bit - such  as
    the suspend to  disk partition when  it's there; so  it'll restore
    the session as expected.

    This is VERY dangerous though - it allows things like suspending a
    session, then  booting the  normal OS  (or something  else from  a
    floppy or  CD-ROM -  the BIOS  does nothing  to ensure  the stored
    session  is  actually   recovered),  doing  something   completely
    different including  modifying disk  content, reading  all content
    (passwords  and  confidential   data)  from  the   suspend-to-disk
    partition), then restoring the session that was suspended  before.
    The result of this can be anything and will almost certainly  lead
    to data loss.

    Assume the following  situation: The BIOS  is set up  to boot from
    floppy  disks  first.   The  user  locks  the  screen and puts the
    notebook in suspend to  disk mode.  With  a normal BIOS, his  data
    is safe - it will restore  the session the next time the  computer
    is  turned  on.   With  the  C800  BIOS,  a cracker inserts a boot
    floppy, turns the notebook on  -- and can edit the  saved session,
    reading  everything  that  was  in  memory  (passwords,  sensitive
    data), and modify it.  Furthermore, if the computer isn't  running
    off  encrypted  partitions,  the  cracker  has  full access to the
    owner's files, and can mess them  up.  He removes the floppy,  the
    owner turns  the notebook  back on,  his session  is restored, but
    the rest of the system is no longer in the same state -->  pending
    disk  accesses  will  return  garbage  and  mess  up  the  system,
    possibly beyond repair.

    Furthermore,  while  not  relevant  to  security,  this   behavior
    prevents suspend to disk from working correctly with boot  loaders
    that don't use the  active flag, such as  LILO or grub.   However,
    considering  the  usual  risks  involved  in letting anyone with a
    floppy boot to it on your machine, this isn't really a surprise.

SOLUTION

    Nothing yet.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH