Bugtraq mailing list archives
Re: Breaking in from the monitor at the console
From: jkb () mrc-lmb cam ac uk (Bonfield James)
Date: Tue, 31 May 94 10:01:20 EDT
Hello,
> # Description:
> #   Tell people how to give themselves root (on SunOS 4.1.3 machines)
> #   [using the PROM hack method]

Note that even with a PROM password applied, there are methods of performing this trick.

Firstly, the password is only as secure as the /dev/eeprom device. If you can trick a program into reading this (maybe even comsat?) then it can read the password directly.

Secondly, you may not even need the password. On older systems it often seems that you can use L1-A during bootup and then not require the password. On later systems this is fixed - you always need the password. However, a friend discovered that it was sometimes possible by (during a reboot) doing 'L1-A' and 'C'ontinue repeatedly to blank the password (presumably by some memory or stack corruption).

Also, I'm sure many would have found it useful to have some notes on how to block this attack (using the simple fixes described later by another mailer) using PROM passwords and setting the console to be insecure.

Note that the attack described changes your uid in the cred structure, as pointed to by the proc structure, as obtained by pstat. In my past examinations I found that this uid doesn't appear to be the one listed by ps. Presumably ps uses the uid/gid listed in the proc structure itself. Hence modifying only the cred structure implies that the process modified has root access, but it is not shown as such with ps. If I recall correctly, even forked processes are listed in this fashion too. So it becomes extremely tricky to detect someone under such circumstances.

James
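The two mitigations the post names (a console line in /etc/ttytab that is not marked "secure", and a /dev/eeprom node that other users cannot read) can be checked with the added script below. It is not code from the post or from SunOS; it assumes the BSD-style ttytab layout (name, getty command, type, status flags) and runs its demonstration on a constructed sample file.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two settings the post
# names as mitigations on SunOS 4.x. The console entry in /etc/ttytab should
# NOT carry the "secure" flag, and /dev/eeprom (which holds the PROM password)
# should not be readable by others. The ttytab content below is constructed.

# Return 0 if the console line of the given ttytab carries "secure"
# (single-user boot then needs no root password), 1 if it is insecure,
# 2 if the file has no console entry at all.
console_is_secure() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "console" {
            seen = 1
            for (i = 2; i <= NF; i++) if ($i == "secure") found = 1
        }
        END { if (!seen) exit 2; exit (found ? 0 : 1) }
    ' "$1"
}

# Return 0 if the "other" read bit is set on the given path, 1 otherwise.
# Character 8 of "ls -l" output is the other-read permission bit.
world_readable() {
    case "$(ls -ld "$1" | cut -c8)" in
        r) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on a constructed ttytab, not a real system file.
demo_tab=$(mktemp)
cat > "$demo_tab" <<'EOF'
# name    getty                      type     status      comments
console   "/usr/etc/getty std.9600"  sun      on local secure
ttya      "/usr/etc/getty std.9600"  unknown  off local
EOF
if console_is_secure "$demo_tab"; then
    echo "console is marked secure: single-user boot needs no root password"
else
    echo "console is insecure (good): single-user boot asks for the root password"
fi
rm -f "$demo_tab"
if [ -e /dev/eeprom ] && world_readable /dev/eeprom; then
    echo "/dev/eeprom is world-readable: the PROM password can be read by any user"
fi
```

Run it as a normal user; the ttytab check reads whatever file you pass it, so point it at the real /etc/ttytab on a SunOS 4.x host.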
Current thread:
- Breaking in from the monitor at the console an100188 () anon penet fi (May 27)
- <Possible follow-ups>
- Re: Breaking in from the monitor at the console an100188 () anon penet fi (May 28)
- Re: Breaking in from the monitor at the console Bonfield James (May 31)
- More PROM password problems Bonfield James (May 31)
- Re: Breaking in from the monitor at the console George Hodson (May 30)
- Re: Breaking in from the monitor at the console John C. Orthoefer (May 31)
- Re: Breaking in from the monitor at the console Matthew Jude Brown (May 31)
- Re: Breaking in from the monitor at the console Bruce Barnett (May 31)
- Re: Breaking in from the monitor at the console Casper Dik (May 31)
- Re: Re: Breaking in from the monitor at the console Pete Hartman (May 31)