IBM thinkpad boot sequence insecurity

From: Pavel Machek (pavelat_private)
Date: Sun Feb 21 1999 - 10:20:25 PST

    Hi!
    
       IBM gave me a Thinkpad 560X notebook about a year ago (thanx, it is a
       nice beast). I discovered a few misfeatures and a few bugs, some of
       them related to security. Here it goes:
         * The Thinkpad will boot from floppy, even if it has the boot-up
           sequence set to hard drive first and the hard disk is bootable.
           The floppy has to have an IBM boot sector for this to work; for
           example, the personality setting boot disk distributed by IBM has
           it. I've successfully created a Linux boot disk which can be used
           on a Thinkpad with floppy booting disabled. If someone relied on
           the boot-up sequence for security (I believe many people do), you
           are screwed. (BTW I use it now as a feature. The Thinkpad will
           refuse to boot if its self-tests fail, which is pretty bad
           behaviour: if your trackpoint fails, you are unable to get to
           critical data stored on your Thinkpad. Anyway, if you put in an
           IBM floppy, it will boot even if the self-tests failed. So I can
           at least access my data.)
         * The Thinkpad will allow people to change personality information,
           even without the supervisor password. The Thinkpad has a
           "personality" feature which allows people to mark their computer
           with their name, address, and picture. I use a penguin ;-).
           Unfortunately, this info is changeable even without the supervisor
           password. (And BTW the floppy which allows you to change it has a
           "magic" format.) This might be more severe than it seems, because,
           IMHO, setting personality information means flashing the BIOS. I'm
           not sure if flashing in a modified BIOS is UN-doable.
         * Easy setup - HDD tests. Easy setup is just plain ugly. It looks
           like a perfectly safe thing. Well, it will overwrite part of your
           hard drive without even asking for confirmation. It seems like
           hard drives come preformatted to slightly less capacity than they
           really have. The rest is a test zone, used for easy setup's rw
           tests. But if you happen to re-fdisk your drive, it is pretty easy
           to put a normal partition into this zone (this zone is not
           documented anywhere). This one killed 2000 of your inodes 4 times.
           The last two times it was a random person coming around my
           computer and launching the tests because the machine asked them to
           do so. Beware!
          [snip]
    
       As a side note, does anyone know if there are seals inside the Thinkpad
       560X? IBM gave me the computer, but they failed to give me a warranty.
       I think a broken trackpoint should not be _that_ hard to fix ;-).
    
    
    (This is a trimmed version of the page available at
    http://atrey.karlin.mff.cuni.cz/~pavel/thinkpad.html. I mailed a copy
    to IBM a week ago, and got no response so far. They had enough time.)
    
    --
    I'm really pavelat_private 	   Pavel
    Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:37:03 PDT