Company

Technical Security Consulting

Managing Risk

Research & Development

Forensics

Security Management

Media Centre

PCI DSS

• Home
• Overview
• R&D Services
• Technology Focus
• Messaging Systems Security
• Embedded Systems Security
• Collaborative Research Projects
• Technical Whitepapers
• Research Briefings
• Publicly Released Tools
• Vendor Alerts - 0days
• Security Advisories
• Advisories
• Advisory 028
• Advisory 027
• Advisory 026
• Advisory 025
• Advisory 024
• Advisory 023
• Advisory 022
• Advisory 021
• Advisory 020
• Advisory 019
• Advisory 018
• Advisory 017
• Advisory 016
• Advisory 015
• Advisory 014
• Advisory 013
• Advisory 012
• Advisory 011
• Advisory 010
• Advisory 009
• Advisory 008
• Advisory 007
• Advisory 006
• Advisory 005
• Advisory 004
• Advisory 003
• Advisory 002
• Advisory 001

Advisory 003

Safeboot PC Security User Emuneration Vulnerability 
Vulnerablity Type / Importance: User Enumeration / Medium 

Problem discovered: Fri, 31 Jan 2003 
Vendor contacted: Mon, 3 Feb 2003 
Advisory published: March 20th 2003

Abstract:
Safe boot PC security allows the discovery (by trial and error) of valid user account names by distinguishing between bad login names and bad passwords. 

Description:
Safeboot (www.safeboot.com) is a software product to prevent access to a PCs hard disk drive. This protection takes two forms: 
1) Pre-Boot user authentication
2) Hard Disk Encryption.

It is with the former that IRM identified a vulnerability.

Whilst safeboot supports a number of hardware-based tokens to provide user authentication, without these it relies on Username and Password Authentication.

When a user has entered a bad username or password, Safeboot will produce an error, specifically stating which of the credentials (username or password) is incorrect. By leaving the password blank, or entering anything, an attacker could use trial and error to establish valid usernames for this or other related systems, before proceding to attempt discovery of the associated password.

Tested Versions:
Safeboot 4.1 (current version) 
(The authors were not able to obtain any previous versions, but
understand these would be equally effected)

Tested Operating Systems:
Windows XP SP1

Vendor & Patch Information:
The vendor of this product, Control Break International, was contacted. They were receptive to our report and produced a statement reproduced here:

"Control Break International is aware of IRM's findings. We have not considered enumeration of the user list sensitive information up to now, as real-world user ID's are often trivial combinations of first name, last name, and initials, and are usually easily guessable through social engineering. With the popularity of directory systems such as AD and Novell, user id's are increasingly similar to e-mail addresses, yielding them even simpler to determine. We are however sensitive to customer concerns, so for those who would like to redefine the error messages reported for incorrect user id and password information, we can make available replacement error message  files accordingly".

These error message files are not available for public download, but users of Safeboot can obtain it by contacting Control Break via their Website.

Workarounds:
See Vendor and Patch Information.

Credits: 
Initial vulnerability discovery: C Crute 

Disclaimer:
All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.