Bugtraq mailing list archives
Re: Regarding Mudge's OBP/FORTH root hack (PHRACK53)
From: mudge () L0PHT COM (Dr. Mudge)
Date: Mon, 13 Jul 1998 18:43:23 -0500
Well, not to detract from Mudge's reputation, but there were several exploits published in 90-92 dealing with dropping into the console monitor/debugger on Suns and poking at various things in memory. This is hardly new.
Egads, didn't realize my reputation was on the line <grin>. The article was largely supposed to interest people in FORTH (heck, the cisco decryptor in the article isn't new either - but figured people might be interested in an implementation done in FORTH on a PalmPilot). Oh yes, it was also supposed to remind people of the interplay between hardware and software in many places. You should see some of the wonderful things that have been done accessing 8051 chips in keyboards to obtain less than laudable ends. Or what of the nice 256-byte buffer available for each key on the programmable keyboards (like the Gateway 2000 models). Wow, what a wonderful way to export/smuggle information that could be. Remap each key to contain 256 bytes' worth of code - disconnect the keyboard from the computer and trust the NVRAM to keep the info intact. Get it where you want and plug it back in, typing each key to extract the information. Then the beauty is that you have a working keyboard afterwards. It was just an added little bonus that one of the examples in the article shows you how to change the ucred structure to give yourself root if you are sitting at the terminal. But then again, if you didn't get root out of it how much of a phrack article would it have made ;)
This is also how you can steal Kerberos tickets and passwords, PGP keys, and other assorted goodies if you have physical access to a machine someone is using remotely.
Or compromise group kmem in many situations. Heck, who needs physical access? All of your points are completely accurate and I agree with them.

Thanks and cheers,
.mudge