>The other day, I happened to join a conversation about Unix security with
>a couple of fellows at a local bookstore. One of them mentioned the "magic"
>hole. I have heard mention of this hole before, but I assumed the hole
>no longer existed. Apparently, this was a hole in /bin/login. Does anyone
>else remember this?

The only "magic" hole I remember required physical access to the console,
and some floppies besides...

The following info (from the 3b2 FAQ on comp.sys.att) applies to the AT&T
3b2 family; SVR3 (and, if you can still find it out there, SVR2) variants
closest to 'stock' AT&T may also be vulnerable in this respect. I seem to
recall that AT&T's System V/386 3.x also offered this undocumented feature.

>"Open Sesame"
>
>     To give standalone a try, first shut the machine down to firmware
>mode. Assuming the machine is now in firmware mode, put a copy of the
>boot disk into the drive. Note that some versions of the operating
>system (Sys V Release 2, at least) require that the boot floppy be
>write-enabled (i.e., no write-protect tab); it is this requirement that
>mandates multiple backups of the boot floppy. UNIX will be updating
>the disk while it runs -- the superblock, access times, etc. -- and if
>the machine crashes at the wrong time it simply will not boot again
>without an fsck. Be careful.
>
>     Type in your firmware password and boot /unix from the floppy
>drive (Option 0, named `FD5') instead of the hard drive (Option 1,
>named `HD30' or `HD72'). It can take several minutes for UNIX to boot,
>but when it does, the familiar menu will be displayed:
>
>        1) Full Restore
>        2) Partial Restore
>        3) Dual-Disk Upgrade
>        4) Release Upgrade
>        Selection? [1, 2, 3, 4, quit, help]
>
>     At this point, type the phrase
>
>        magic mode
>
>The system recognizes this special option and responds:
>
>        Poof!
>
>        Selection? [1, 2, 3, 4, quit, help, shell, copy]
>
>     Notice the new options? Now type shell, then RETURN, and you will
>be greeted with the familiar # prompt. You are now running a
>standalone shell on the floppy. From here, exploitation should be
>obvious.

Moral of the story - keep those install floppies in a safe place.

--Wes