Bugtraq mailing list archives

Re: Breaking in from the monitor at the console


From: jkb () mrc-lmb cam ac uk (Bonfield James)
Date: Tue, 31 May 94 10:01:20 EDT


Hello,

# Description:
#      Tell people how to give themselves root (on SunOS 4.1.3 machines)
[using the PROM hack method]

Note that even with a PROM password applied, there are methods of performing
this trick.

Firstly, the password is only as secure as the /dev/eeprom device. If you can
trick a program into reading this (maybe even comsat?) then it can read the
password direct.

Secondly, you may not even need the password. On older systems it often seems
that you can use L1-A during bootup and then not require the password. On
later systems this is fixed - you always need the password.

However a friend discovered that it was sometimes possible by (during a
reboot) doing 'L1-A' and 'C'ontinue repeatedly to blank the password
(presumably by some memory or stack corruption).

Also I'm sure many would have found it useful to have some notes on how to
block this attack (using the simple fixes described later by another mailer)
using PROM passwords and setting the console to be insecure.

Note that the attack described changes your uid in the cred structure, as
pointed to by the proc structure, as obtained by pstat. In my past
examinations I found that this uid doesn't appear to be the one listed by ps.
Presumably ps uses the uid/gid listed in the proc structure itself. Hence
modifying only the cred structure implies that the process modified has root
access, but it is not shown as such with ps. If I recall correctly, even forked
processes are listed in this fashion too. So it becomes extremely tricky to
detect someone under such circumstances.

        James
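
The post names three things a SunOS 4.x administrator would want to check after reading it: the permissions on /dev/eeprom (the PROM password is read through it), whether a PROM password is actually set, and whether the console is still flagged "secure". The script below is an added example and is not part of the original post or its author's work. It assumes the eeprom(8) command prints the setting as `security-mode=<value>`, that `ls -l` puts the owner in the third field, and that "setting the console to be insecure" means removing the `secure` flag from the console line in /etc/ttytab; the sample `ls`, `eeprom` and ttytab lines embedded in it are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added audit helper (not from the original post). Checks, on a SunOS 4.x
# host, the three hardening points the post refers to:
#   1. /dev/eeprom is owned by root with no group/other permission bits;
#   2. the PROM security-mode is "command" or "full" (a password is set);
#   3. the "console" entry in /etc/ttytab does not carry the "secure" flag,
#      so a single-user boot or console root login still asks for the root
#      password.
# Each check takes its input as text so the logic runs offline against the
# constructed samples below; audit_live feeds it real output when the script
# is started with --live on an actual host.

# check_eeprom_mode "<one line of ls -l /dev/eeprom output>"
# Returns 0 when the entry is a character device owned by root with mode
# like crw-------, and 1 otherwise (assumption: owner is the 3rd field).
check_eeprom_mode() {
    set -- $1                      # split the ls line into fields
    mode=$1
    owner=$3
    [ "$owner" = root ] || return 1
    case "$mode" in
        c??-------) return 0 ;;    # char device, no group/other bits
        *)          return 1 ;;
    esac
}

# check_security_mode "<output of: eeprom security-mode>"
# Returns 0 for "command" or "full", 1 for "none" or anything unexpected.
# Output format "security-mode=<value>" is an assumption about eeprom(8).
check_security_mode() {
    set -- $1                      # drop surrounding whitespace
    case "$1" in
        security-mode=command|security-mode=full) return 0 ;;
        *)                                        return 1 ;;
    esac
}

# check_console_ttytab "<contents of /etc/ttytab>"
# Returns 0 when a console line exists and has no "secure" flag, and 1 when
# the console is marked secure or no console line is present.
# Note the getty field is quoted and contains a space, so awk sees it as two
# fields; scanning every field after the name for the word "secure" is safe.
check_console_ttytab() {
    printf '%s\n' "$1" | awk '
        /^#/ { next }
        $1 == "console" {
            found = 1
            for (i = 2; i <= NF; i++) if ($i == "secure") sec = 1
        }
        END { if (found && !sec) exit 0; exit 1 }
    '
}

# Constructed sample input (not captured from a real machine).
SAMPLE_EEPROM_OK='crw-------  1 root     wheel      0,   0 May 31  1994 /dev/eeprom'
SAMPLE_EEPROM_BAD='crw-r--r--  1 root     wheel      0,   0 May 31  1994 /dev/eeprom'
SAMPLE_SECMODE_OK='security-mode=command'
SAMPLE_SECMODE_BAD='security-mode=none'
SAMPLE_TTYTAB_OK='#
# name  getty                     type    status  comments
console "/usr/etc/getty cons8"    sun     on local
ttya    "/usr/etc/getty std.9600" unknown off local secure'
SAMPLE_TTYTAB_BAD='console "/usr/etc/getty cons8"    sun     on local secure'

# audit_live: run the three checks against the real host; returns 1 if any
# check fails. Only invoked when the script is started with --live.
audit_live() {
    rc=0
    check_eeprom_mode "$(ls -l /dev/eeprom)" \
        || { echo "WARN: /dev/eeprom readable beyond root"; rc=1; }
    check_security_mode "$(eeprom security-mode)" \
        || { echo "WARN: no PROM password (security-mode not command/full)"; rc=1; }
    check_console_ttytab "$(cat /etc/ttytab)" \
        || { echo "WARN: console is marked secure in /etc/ttytab"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Run it as `sh audit-prom.sh --live` as root on the host; without `--live` it only defines the functions and samples, which is what makes the checks easy to exercise against recorded output from several machines before trusting them. Passing all three checks does not address the two other points the post makes (the L1-A/Continue trick and the cred/proc uid mismatch), which no configuration file can fix.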


