Re: "magic" hole

Wes Morgan (morgan@engr.uky.edu)
Thu, 2 Feb 95 09:19:38 EST

>the other day, i happened to join a conversation about Unix security with
>a couple of fellows at a local bookstore.  one of them mentioned the "magic"
>hole.  i have heard mention of this hole before, but i assumed the hole
>no longer existed.  apparently, this was a hole in /bin/login.  does anyone
>else remember this?  

The only "magic" hole I remember required physical access to the 
console, and some floppies besides...

The following info (from the 3b2 FAQ on comp.sys.att) applies to
the AT&T 3b2 family; SVR3 (and, if you can still find it out there,
SVR2) variants closest to 'stock' AT&T may also be vulnerable in this 
respect.  I seem to recall that AT&T's System V/386 3.x also offered
this undocumented feature.

>"Open Sesame"
>
>     To give standalone a try, first shut the machine down to firmware
>mode.  Assuming the machine is now in firmware mode, put a copy of the
>boot disk into the drive.  Note that some versions of the operating
>system (Sys V Release 2, at least) require that the boot floppy be
>write-enabled (i.e., no write-protect tab); it is this requirement that
>mandates multiple backups of the boot floppy.  UNIX will be updating
>the disk while it runs -- the superblock, access times, etc. -- and if
>the machine crashes at the wrong time it simply will not boot again
>without an fsck.  Be careful.
>
>     Type in your firmware password and boot /unix from the floppy
>drive (Option 0, named `FD5') instead of the hard drive (Option 1,
>named `HD30' or `HD72').  It can take several minutes for UNIX to boot,
>but when it does, the familiar menu will be displayed:
>
>               1) Full Restore
>               2) Partial Restore
>               3) Dual-Disk Upgrade
>               4) Release Upgrade
>               Selection? [1, 2, 3, 4, quit, help]
>
>     At this point, type the phrase
>
>                           magic mode
>
>     The system recognizes this special option and responds:
>
>          Poof!
>
>          Selection? [1, 2, 3, 4, quit, help, shell, copy]
>
>     Notice the new options?  Now type shell, then RETURN, and you will
>be greeted with the familiar # prompt.  You are now running a
>standalone shell on the floppy.

From here, exploitation should be obvious.

Moral of the story - keep those install floppies in a safe place.

--Wes