Re: Hijacking tool

[mouse () Collatz McRCIM McGill EDU (der Mouse)]

Here's something I just finished tossing together.  This goes into a
SunOS 4.1.2 kernel; it would probably go into 4.1.3 with little pain
(you may need to change VD_MAJOR, for example - it should be the major
device number for /dev/vd).

To those who are used to adding drivers: treat this as a character
special device driver with only an open routine (no close, even)
called security_open.  Put it into your kernel as usual.

A brief synopsis, for those who aren't used to adding drivers.  Unpack
this somewhere under /sys (I use /sys/local).  Then go to your conf
directory (/sys/sun4c/conf, /sys/sun4/conf, whatever), and make a copy
of your kernel config (eg, cp GENERIC MYKERNEL).  Edit MYKERNEL and
change the ident line from "ident GENERIC" to "ident MYKERNEL".  Create
(or edit, if you've already got one 'cause you've done the above
before) files.MYKERNEL and add a line
        local/security.c        optional device-driver
(where the first part must be a path to the source, relative to /sys).
Edit /sys/sun/conf.c and add an entry to cdevsw.  Step by step:
        - search for "cdevsw"
        - add the following text just above it:
                #ifdef MYKERNEL
                extern int security_open();
                #else
                #define security_open nodev
                #endif
          where MYKERNEL must the "ident" string from your config file.
        - Go to the end of the cdevsw array (search for "};")
        - Add a new device declaration:
    {
        security_open,  nodev,          nodev,          nodev,          /*128*/
        nodev,          nodev,          nodev,          0,
        0,              0,
    },
          For the sake of aesthetics, you should change the number (128
          in the above) to be one greater than the previous entry's
          number.  Write down this number.
Reconfig ("config MYKERNEL") and remake ("cd ../MYKERNEL; make depend;
make") your kernel.  Install the new kernel; if you're smart you'll
save the old one in case there's something wrong ("cp vmunix /vmunix+
&& mv /vmunix /vmunix- && mv /vmunix+ /vmunix && reboot").  You will
need to create a device file somewhere ("mknod /dev/security c NNN 0"
where NNN is the number I told you to write down six lines up).

Then, when you want to lock the door after all kosher modloads and kmem
writes have happened, attempt to open the device (for example, add
"sh -c '</dev/security'" at the end of /etc/rc).  The attempt will
fail, just as if the driver were not present in the system - but
magically, after that one attempt, /dev/vd no longer exists as far as
user-land is concerned (thus, modload/modunload/modstat will no longer
work, as if loadable kernel module support were not configured in), and
several memory devices are affected as described in the "Known memory
device minors" comment in the code.  (Note that /dev/eeprom becomes
inaccessible.  This will break the eeprom command.  If having eeprom(8)
work is more important than the potential exposure of your eeprom info
(including firmware password, if set), then yank out the "case 11:"
code in mmopen_wrapper().)

Of course, this isn't perfect.  If your "friend" has broken root (which
is necessary to modload anything to begin with), sie can always patch
/etc/rc and/or /vmunix and reboot your machine, at which point the
security will be gone.  This isn't a pancea; it's just another
obstacle...which is really about all you can hope for.  But rebooting
the machine is hardly the sort of sneaky don't-notice-me intrusion I
assume most crackers prefer. :-)

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu

(Oh yeah.  Legalisms.  As its sole author, I hereby place this code
into the public domain.  Anyone may use it or derivatives for any
purpose...though I would appreciate credit where it's due.  I make no
representations that this is suitable for your or any other situation;
the decision, and all assumption of risk, is yours.  It's free, and you
get what you pay for.)

#! /bin/sh
#
# Shar: Shell Archiver
#
# This archive created Tue Jan 24 12:25:58 1995
# Run this through sh to create:
#       security.c
echo x - security.c \(1031 characters\)
sed 's/^X//' > security.c << \EOF
X#include <sys/types.h>
X#include <sys/errno.h>
X#include <sys/conf.h>
X#include <sys/file.h>
X
Xextern int nodev();
Xextern int mmopen();
Xextern int mem_no;
X
X#define VD_MAJOR 57
X
X/*
X * Known memory device minors:
X *      0 mem           5 vme16d16     10 vme32d32     32 sbus0
X *      1 kmem          6 vme24d16     11 eeprom       33 sbus1
X *      2 null          7 vme32d16     12 zero         34 sbus2
X *      3 mbmem         8 vme16d32                     35 sbus3
X *      4 mbio          9 vme24d32
X * When security is on, /dev/null and /dev/zero are untouched,
X *  /dev/eeprom is completely disabled, and the rest are read-only.
X */
X
Xstatic int mmopen_wrapper(dev,flag)
Xdev_t dev;
Xint flag;
X{
X switch (minor(dev))
X  { case 2: /* /dev/null */
X    case 12: /* /dev/zero */
X       break;
X    case 11: /* /dev/eeprom */
X       return(EPERM);
X       break;
X    default:
X       if (flag & FWRITE) return(EPERM);
X       break;
X  }
X return(mmopen(dev,flag));
X}
X
Xint security_open(dev,flag)
Xdev_t dev;
Xint flag;
X{
X cdevsw[VD_MAJOR].d_open = nodev;
X cdevsw[VD_MAJOR].d_ioctl = nodev;
X cdevsw[mem_no].d_open = mmopen_wrapper;
X return(ENODEV);
X}
EOF
if test 1031 -ne "`wc -c security.c`"
then
echo shar: error transmitting security.c \(should have been 1031 characters\)
fi
exit 0
# end of shell archive