COMMAND
BIOS
SYSTEMS AFFECTED
Award BIOS
PROBLEM
Bluefish posted the following. Some of the passwords in published BIOS
password lists are false or 'duplicates'. This advisory is intended to
help maintainers of such lists avoid listing them.
These passwords are fundamental tools in numerous situations, from
security reviews (verifying whether you are vulnerable to them) and
repairing computers after password loss or CMOS corruption, to
simplifying malicious attacks. Either way, error-free lists make
everyone's life easier.
There are three kinds of mistakes in published lists regarding
BIOSes:
(a) Software incorrectly listed as passwords. "KILLCMOS" and
"BIOS310" were noted; these are well-known "anti-password" tools,
so feel free to doubt that any manufacturer uses them as
passwords. If they do, their engineers sure have a weird sense of
humor.
(b) "Duplicates" of one and the same Award password. A "duplicate"
is a password whose Award hash equals that of another, already
listed, password. More about this later in the advisory.
(c) Award hashes accidentally listed as plaintext passwords. 1EAAh
is such an example: it is not a password, it is an Award hash.
Introduction to the Award Hash (message digest algorithm)
=========================================================
As the main developer of "!BIOS", one of the most widely available
BIOS password recovery tools, Bluefish investigated the Award BIOS
years ago; it was one of his first attacks against a simple
cryptographic system.
It turns out to be extremely weak: the message digest is only
16 bits, and the algorithm consists of two rotations and one
addition per character.
To the best of his knowledge, "!BIOS" was the first cracker that
broke this version of Award, but since then several others have
successfully attacked it, most successfully the code by Jan
Stohner, "pwdigit", which is now included in "!BIOS".
Additionally, we later reverse engineered some parts of the F000
memory segment and derived a copy of the original algorithm.
On Award BIOSes these passwords are not merely default passwords
but backdoor passwords that override any admin or user password.
On some systems the hash is readable at FEC60, and "!BIOS", among
other tools, can try to decipher it. In some newer Award BIOSes the
algorithm is only used for user/admin passwords, and another
routine (a one-to-one cipher, not a hash) is used to store the
backdoor password.
List of "duplicate" Award passwords
===================================
Bluefish identified the following "duplicates":
- Duplicates with hash 1EAA: 01322222, 589589, 589721, zjaaadc, AWARD_SW
- Duplicates with hash 16AA: g6PJ, h6BB, j09F, j256, j262, j322
- Duplicates with hash 7409: CONCAT, djonet, efmukl
- Duplicates with hash BEA2: TTPTHA, ttptha, ZAAADA
You have to type AWARD?SW on a German keyboard to get AWARD_SW.
Award does a flawed conversion to ASCII; maybe it assumes American
keyboards. Then perhaps we have to assume that on some keyboards
award.sw is valid too. Either way, those passwords give hash 1EAA,
so they can be replaced by any of the other passwords with that
hash.
Tool used to identify "duplicates":
===================================
Bluefish created a simple Java program which takes passwords from
the command line and prints the hash corresponding to each. He used
it together with the following command:
cat awpass.txt | awk '{ print "java ptToAw " $1 }' | sh
There may be some minor bugs in the software.
public class ptToAw {
    // Award 16-bit password digest: for each character of the
    // trimmed, upper-cased password, rotate the running value left
    // by two bits and add the character code.
    public static short awardEncipher(String s) {
        short ax, bx, cx;
        ax = bx = 0;
        s = s.trim().toUpperCase();
        for (cx = 0; cx < s.length(); cx++) {
            ax = (short) s.charAt(cx);
            bx = rol_1(rol_1(bx));
            bx = (short) (ax + bx);   // the cast keeps only the low 16 bits
        }
        return bx;
    }

    // Rotate a 16-bit value left by one bit; (x>>15)&1 is the old top bit.
    private static short rol_1(short x) {
        return (short) ((x << 1) | ((x >> 15) & 1));
    }

    public static void main(String[] argv) {
        int md, i;
        for (i = 0; i < argv.length; i++) {
            md = awardEncipher(argv[i]) & 0xFFFF;   // drop sign extension
            // print the digest as four zero-padded hex digits
            System.out.println(String.format("%04x", md) + " :: " + argv[i]);
        }
    }
}
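As an added example (not Bluefish's program and not part of the original post), the same digest ported to Python together with the grouping step the author did with awk: every candidate in a list is hashed, and any hash shared by more than one entry is reported as a "duplicate" group. The sample list is constructed from the duplicates named above plus two made-up entries, abc1 and xyz9, that collide with nothing.

```python
"""Recompute Award 16-bit password hashes and group a candidate list by hash.

Added example, not the advisory's own code: a Python port of the
rotate-by-two-and-add digest described above, plus the duplicate
detection that the author performed with awk and the Java tool.
"""
from collections import defaultdict

MASK16 = 0xFFFF


def rol16(x: int, n: int) -> int:
    """Rotate a 16-bit value left by n bits."""
    x &= MASK16
    return ((x << n) | (x >> (16 - n))) & MASK16


def award_hash(password: str) -> int:
    """Award BIOS digest: per character of the trimmed, upper-cased
    password, rotate the running 16-bit state left by two and add the
    character code (same steps as the Java awardEncipher above)."""
    bx = 0
    for ch in password.strip().upper():
        bx = (rol16(bx, 2) + ord(ch)) & MASK16
    return bx


def group_by_hash(passwords):
    """Map each 16-bit hash to the distinct passwords producing it and
    keep only hashes with more than one entry: those are 'duplicates'
    in the advisory's sense, since the BIOS accepts them interchangeably."""
    groups = defaultdict(set)
    for pw in passwords:
        groups[award_hash(pw)].add(pw)
    return {h: sorted(pws) for h, pws in groups.items() if len(pws) > 1}


# Constructed sample list: the duplicates named in the advisory plus two
# made-up entries ("abc1", "xyz9") whose hashes match nothing else here.
SAMPLE_LIST = [
    "01322222", "589589", "589721", "zjaaadc", "AWARD_SW",
    "g6PJ", "h6BB", "j09F", "j256", "j262", "j322",
    "CONCAT", "djonet", "efmukl",
    "TTPTHA", "ttptha", "ZAAADA",
    "abc1", "xyz9",
]

if __name__ == "__main__":
    for h, pws in sorted(group_by_hash(SAMPLE_LIST).items()):
        print(f"{h:04X}: {', '.join(pws)}")
```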
SOLUTION
Nothing yet.