Bugtraq mailing list archives
Re: BoS: Magic password of some linux-box(Hardware..)
From: ebradley () andromeda rutgers edu (Eugene Bradley)
Date: Wed, 20 Nov 1996 16:17:01 -0500
on Nov 20, moost () xs4all nl writes:

# On Mon, 18 Nov 1996, Seo Euiseong wrote:
# [deletia]
# > But, It's not true. Unfortunately almost all versions of award bios have the
# > magic password "condo,"
#
# Some manuals of mainboards describe this 'feature'. Most Award bioses
# I've come across respond to the password AWARD_SW (mind the case) and will
# allow altering of the bios or just regular booting.
#
# Of course this is meant as a sort of 'last' recover option, but for me it
# seems a little foolish to make this default to all Award Bioses..
#
# M. Oosterink

I tested the [magic,universal] passwords on some of the new P120's we recently received that come with the Award BIOS. Sure enough the [magic,universal] passwords work and I've instructed all of my co-workers who repair computers on campus not to disclose these passwords to anyone, in addition to the BIOS passwords that are already set.

I know that newer versions of the American Megatrends (AMI) BIOS require that you call an 800 number (1-800-U-BUY-AMI) in order to receive a disk that will recover a lost BIOS password.

My idea for handling lost BIOS passwords (if this hasn't been implemented already by some company); forgive me if some portions of this seem wrong, but note that this is just an idea:

1) install a random, 16-bit universal password onto each BIOS made before inserting into the motherboard.

2) have computer buyer sign and register computer with the BIOS manufacturer. Then the BIOS manufacturer can give the user (or in some cases a network admin) a confirmation password that MUST be given to the BIOS support (as well as the name, address, company [if applicable], and job title) people before the random secret system password can be given out. Naturally, this applies when the user forgets any chosen and set password.

3) the secret system password can only be used _once_. If the user forgets the password that was personally set, the user must go through 2) but will also be sent a new BIOS chip for a $5 fee.

My hope with this idea is that it will prevent the problems that I'm seeing where people use the set universal passwords found on the Award BIOS to change system settings. Afterwards, such doctored BIOS systems can be used for any (illegitimate) activity possible...

--
Eugene Bradley | finger for PGP public key | Unsolicited commercial email
webmaster of http://www.winter.org/ | will be deleted at $100/msg
PGP Fingerprint = 55 70 DE 84 FE E1 3D 50 7F C2 88 22 30 8C 81 9E
<a href="http://www.armory.com/~ebradley"> Eugene's W^3 Duckpond </a>
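The three-step recovery idea in the message above, as an added Python example that is not part of the original post. The RecoveryEscrow class, its method names, the serial number and the owner string are hypothetical, and keeping the confirmation password only as a salted PBKDF2 verifier is an assumption of this example, not something the message specifies.

```python
import hashlib
import hmac
import secrets


class RecoveryEscrow:
    """Vendor-side registry for the three steps in the message (hypothetical)."""

    def __init__(self):
        self._units = {}  # serial number -> per-unit record

    def manufacture(self, serial, bits=16):
        """Step 1: random per-unit recovery password (16 bits, as proposed)."""
        self._units[serial] = {"recovery": secrets.randbits(bits),
                               "salt": None, "verifier": None, "released": False}

    def register(self, serial, owner):
        """Step 2: register the buyer and return a confirmation password."""
        unit = self._units[serial]
        if unit["verifier"] is not None:
            raise ValueError("unit is already registered")
        confirmation = secrets.token_urlsafe(12)
        unit["salt"] = secrets.token_bytes(16)
        # Store only a salted, stretched verifier, never the confirmation itself.
        unit["verifier"] = self._stretch(unit["salt"], owner, confirmation)
        return confirmation

    def release(self, serial, owner, confirmation):
        """Steps 2 and 3: hand out the recovery password once, or return None."""
        unit = self._units.get(serial)
        if unit is None or unit["verifier"] is None or unit["released"]:
            return None
        offered = self._stretch(unit["salt"], owner, confirmation)
        if not hmac.compare_digest(offered, unit["verifier"]):
            return None
        unit["released"] = True  # single use: a second loss means a new chip
        return unit["recovery"]

    @staticmethod
    def _stretch(salt, owner, confirmation):
        secret = f"{owner}\x00{confirmation}".encode()
        return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


if __name__ == "__main__":
    escrow = RecoveryEscrow()
    escrow.manufacture("SN-0001")  # constructed serial number
    code = escrow.register("SN-0001", "Campus IT")  # constructed owner
    print([escrow.release("SN-0001", "Campus IT", c) is not None for c in ("guess", code, code)])
```

At the 16 bits the message proposes there are only 65,536 possible recovery passwords per unit, which is why the size is left as the adjustable `bits` parameter.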