Vulnerability Development
mailing list archives
Advisory on (Award) BIOS default/backdoor passwords
From: 11a () GMX NET (Bluefish)
Date: Tue, 18 Jul 2000 17:58:25 +0200
Advisory on (Award) BIOS default/backdoor passwords
===================================================
Author: bluefish () 11a nu
http://bluefish.11a.nu/
Created: 2000-07-18 (%Y-%m-%d)
Last ed: 2000-07-18 (%Y-%m-%d)
The author does not make any claims of correctness, lack of typos,
correctness or responsibility for usage etc, etc. Any error is probably
due to lack of coffee.
Abstract
========
The recent search for default/backdoor passwords on security mailing lists
such as vuln-dev and bugtraq has uncovered suspiciously long lists of
passwords for BIOSes, mainly for Award BIOS. As suspected, some of them
are false or 'duplicates'. This advisory is intended to help maintainers
of such lists avoid listing such entries.
These passwords are fundamental tools in numerous situations, from
security reviews (verifying whether you are vulnerable to them) and
repairing computers after password loss or CMOS corruption, to
simplifying malicious attacks. Either way, error-free lists make
everyone's life easier.
Summary
=======
I've identified three kinds of mistakes in published lists regarding
BIOSes:
(a) software incorrectly listed as passwords. "KILLCMOS" and "BIOS310"
were noted, which are well-known "anti-password" tools. I sincerely doubt
that any manufacturer uses them as passwords...
If they do, their engineers sure have weird humor.
(b) "duplicates" of one and the same Award password. A "duplicate" is a
password which has the same Award hash as another, already listed,
password. More about this later in the advisory.
(c) Award hashes accidentally listed as plaintext passwords. 1EAAh is such
an example: it is not a password, it is an Award hash.
Introduction to the Award Hash (message digest algorithm)
=========================================================
As the main developer of "!BIOS", one of the widely available BIOS
password recovery tools, I investigated the Award BIOS years ago; it was
one of my first attacks against a simple cryptographic system.
It turns out that it is extremely weak: the message digest is only 16 bits,
and the algorithm consists of two one-bit rotations (a rotate-left by two)
and one addition for each character.
To the best of my knowledge, "!BIOS" was the first cracker which cracked
this version of Award, but since then several others have successfully
attacked it, most successfully the code by Jan Stohner, "pwdigit", which
is now included in "!BIOS". Additionally, we later reverse engineered
some parts of the F000 memory segment and derived a copy of the original
algorithm.
On Award BIOSes, these passwords aren't merely default passwords but
backdoor passwords which override any admin or user password. On some
systems the hash is readable at FEC60; "!BIOS", among other tools, can try
to decipher it. In some newer Award BIOSes the algorithm is only used for
user/admin passwords, and another routine (a one-to-one cipher, not a
hash) is used to store the backdoor password.
List of "duplicate" Award passwords
===================================
I've identified the following "duplicates":
Duplicates with hash 1EAA:
01322222, 589589, 589721, zjaaadc, AWARD_SW
Duplicates with hash 16AA:
g6PJ, h6BB, j09F, j256, j262, j322
Duplicates with hash 7409:
CONCAT, djonet, efmukl
Duplicates with hash BEA2:
TTPTHA, ttptha, ZAAADA
Additionally I suspect that the following passwords are really typos and
should be "AWARD_SW". However, I have no proof of it. They do NOT give
the same hash as "AWARD_SW" though!
award_ps, AWARD_PW, award.sw, AWARD?SW, award_?
Tool used to identify "duplicates":
===================================
I created a simple program in Java which takes a password from the
command line and then tells you the hash corresponding to it. I used it
together with the following command:
cat awpass.txt | awk '{ print "java ptToAw " $1 }' | sh
There may be some minor bugs in the software.
public class ptToAw {
    // Award 16-bit digest: for each character, rotate the running value
    // left by two bits (two single-bit rotations) and add the character.
    public static short awardEncipher(String s) {
        short ax, bx, cx;
        ax = bx = 0;
        s = s.trim().toUpperCase();
        for (cx=0; cx<s.length(); cx++) {
            ax = (short) s.charAt(cx);
            bx = rol_1(rol_1(bx));
            bx = (short) (ax+bx);
        }
        return bx;
    }
    // 16-bit rotate left by one: bit 15 of the short wraps into bit 0.
    private static short rol_1(short x) {
        return (short) ((x<<1)^((x>>15)&1));
    }
    public static void main(String[] argv) {
        int md, i;
        for (i=0; i<argv.length; i++) {
            // mask to 16 bits so a negative short prints as 4 hex digits
            md = awardEncipher(argv[i]) & 0xFFFF;
            System.out.println(Integer.toHexString(md)+
                " :: "+argv[i]);
        }
    }
}
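The same 16-bit Award digest (rotate-left by two, then add each upper-cased character) as an added example that is not the advisory's own code, written so it audits a whole candidate list at once: it groups entries that collide on one hash, as in the duplicate lists above, and flags entries written as hashes (four hex digits followed by "h", such as 1EAAh) rather than passwords. The SAMPLE list is constructed from entries mentioned in this advisory.

```python
import re
from collections import defaultdict

MASK16 = 0xFFFF


def rol16(x, n):
    """Rotate a 16-bit value left by n bits."""
    x &= MASK16
    return ((x << n) | (x >> (16 - n))) & MASK16


def award_hash(password):
    """Award BIOS password digest: for each character of the trimmed,
    upper-cased password, rotate the running 16-bit value left by two
    bits and add the character code (equivalent to rol_1(rol_1(bx)) + ax)."""
    bx = 0
    for ch in password.strip().upper():
        bx = (rol16(bx, 2) + ord(ch)) & MASK16
    return bx


# A list entry like "1EAAh" is an Award hash written in assembler style,
# not a password.
HASH_ENTRY = re.compile(r"^[0-9A-Fa-f]{4}h$")


def looks_like_hash(entry):
    return bool(HASH_ENTRY.match(entry.strip()))


def audit_list(entries):
    """Return (duplicates, hash_entries): duplicates maps an Award hash to
    the entries that collide on it (two or more), hash_entries are list
    items that are hashes rather than passwords."""
    groups = defaultdict(list)
    hash_entries = []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        if looks_like_hash(entry):
            hash_entries.append(entry)
            continue
        groups[award_hash(entry)].append(entry)
    duplicates = {h: pws for h, pws in groups.items() if len(pws) > 1}
    return duplicates, hash_entries


# Constructed sample list mixing entries mentioned in the advisory.
SAMPLE = ["AWARD_SW", "589589", "j256", "AWARD_PW", "1EAAh", "CONCAT"]

if __name__ == "__main__":
    dups, hashes = audit_list(SAMPLE)
    for h, pws in sorted(dups.items()):
        print(f"{h:04X}: {', '.join(pws)}")   # 1EAA: AWARD_SW, 589589
    for h in hashes:
        print(f"hash listed as a password: {h}")
```

Because the digest upper-cases its input, entries that differ only in case (TTPTHA and ttptha in the BEA2 group) are reported as colliding as well.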
References and credits:
=======================
Thanks & credits goes to
* Nathan Einwechter, for compiling a list of known BIOS passwords.
Nathan can be reached at psychospy () softhome net, please notify
him if you are aware of any BIOS passwords.
* People maintaining the default/backdoor password lists on the net.
* bugtraq & vuln-dev posters participating in the disclosure of
default/backdoor passwords.
Links related to this post
* The original Award algorithm, "!BIOS", etc can be found at:
http://www.11a.nu/
* default/backdoor password lists can be found at:
http://www.phenoelit.de/dpl/ (maintained by dev () phenoelit de)
* vuln-dev and bugtraq archives can be found at:
http://www.securityfocus.com/
EOF
This advisory was originally posted to:
vuln-dev (security mailinglist)
ibiosdev (BIOS security forum)
psychospy () softhome net, maintains a BIOS password list
dev () phenoelit de, maintains a password list
..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team