Bugtraq mailing list archives

Safeboot PC Security User Emuneration Vulnerability


From: "Advisories" <advisories () irmplc com>
Date: Thu, 20 Mar 2003 14:21:24 -0000

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  

        IRM Security Advisory No. 003   
        Safeboot PC Security User Emuneration Vulnerability     
        Vulnerablity Type / Importance: User Enumeration / Medium       
        Problem discovered: Fri, 31 Jan 2003    
        Vendor contacted: Mon, 3 Feb 2003       
        Advisory published: March 20th 2003

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Abstract:

        Safe boot PC security allows the discovery (by trial and error)
of valid user account names by distinguishing between bad login names 
and bad passwords. 

Description:

        Safeboot (www.safeboot.com) is a software product to prevent 
access to a PCs hard disk drive. This protection takes two forms: 
1) Pre-Boot user authentication, 2) Hard Disk Encryption. It is with 
the former that IRM identified a vulnerability.

        Whilst safeboot supports a number of hardware-based tokens to
provide user authentication, without these it relies on Username and 
Password Authentication.
        
        When a user has entered a bad username or password, Safeboot 
will produce an error, specifically stating which of the credentials 
(username or password) is incorrect. By leaving the password blank, or 
entering anything, an attacker could use trial and error to establish 
valid usernames for this or other related systems, before proceding to 
attempt discovery of the associated password.

Tested Versions:

        Safeboot 4.1 (current version)          
(The authors were not able to obtain any previous versions, but
 understand these would be equally effected)

Tested Operating Systems:

        Windows XP SP1

Vendor & Patch Information:

       The vendor of this product, Control Break International, 
was contacted. They were receptive to our report and produced 
a statement reproduced here:

"Control Break International is aware of IRM's findings. We have not 
considered enumeration of the user list sensitive information up to 
now, as real-world user ID's are often trivial combinations of first 
name, last name, and initials, and are usually easily guessable 
through social engineering. With the popularity of directory systems 
such as AD and Novell, user id's are increasingly similar to e-mail 
addresses, yielding them even simpler to determine. We are however 
sensitive to customer concerns, so for those who would like to 
redefine the error messages reported for incorrect user id and 
password information, we can make available replacement error message 
files accordingly".

       These error message files are not available for public download, 
but users of Safeboot can obtain it by contacting Control Break via
their Website.


Workarounds:

        See Vendor and Patch Information.

Credits:        

Initial vulnerability discovery:        Chris Crute 


Disclaimer:

        All information in this advisory is provided on an 'as is' basis
in the hope that it will be useful. Information Risk Management Plc is 
not responsible for any risks or occurrences caused by the application 
of this information.

A copy of this advisory may be found at http://www.irmplc.com/advisories

The PGP key used to sign IRM advisories can be obtained from the above 
URL, or from keyserver.net and its mirrors.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Information Risk Management Plc.        http://www.irmplc.com
22 Buckingham Gate                      advisories () irmplc com

London                                  info () irmplc com
SW1E 6LB+44 (0)207 808 6420


Current thread: