Bugtraq mailing list archives

Re: Regarding Mudge's OBP/FORTH root hack (PHRACK53)


From: mudge () L0PHT COM (Dr. Mudge)
Date: Mon, 13 Jul 1998 18:43:23 -0500


> Well, not to detract from Mudge's reputation, but there were several
> exploits published in 90-92 dealing with dropping into the console
> monitor/debugger on Suns and poking at various things in memory.  This
> is hardly new.

Egads, didn't realize my reputation was on the line <grin>. The article
was largely supposed to interest people in FORTH (heck, the cisco
decryptor in the article isn't new either - but figured people might be
interested in an implementation done in FORTH on a PalmPilot).

Oh yes, it was also supposed to remind people of the interplay between
hardware and software in many places. You should see some of the
wonderful things that have been done accessing 8051 chips in keyboards to
obtain less than laudable ends.

Or what of the nice 256 byte buffer available for each key on the
programmable keyboards (like the Gateway 2000 models). Wow, what a
wonderful way to export/smuggle information that could be. Remap each key
to contain 256 bytes worth of code - disconnect the keyboard from the
computer and trust the NVRAM to keep the info intact. Get it where you
want and plug it back in, typing each key to extract the information. Then
the beauty is that you have a working keyboard afterwards.

It was just an added little bonus that one of the examples in the article
shows you how to change the ucred structure to give yourself root if you
are sitting at the terminal.

But then again, if you didn't get root out of it how much of a phrack
article would it have made ;)

> This is also how you can steal Kerberos tickets and passwords, PGP
> keys, and other assorted goodies if you have physical access to a
> machine someone is using remotely.
>
> Or compromise group kmem in many situations. Heck, who needs physical
> access?

All of your points are completely accurate and I agree with them. Thanks
and cheers,

.mudge
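The key-macro smuggling idea in the message above, as an added example that is not part of the original post or of Mudge's article: a hypothetical keyboard with NKEYS programmable keys, each holding a 256-byte macro slot in NVRAM (both numbers are assumptions for the example, not a real keyboard's specification). The payload is split into per-key slots, each carrying a small index/count/length header so that the receiving side can reassemble the data no matter in which order the keys are pressed, and can tell when a key was never typed. The payload is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical keyboard model (assumptions for this example, not a real spec):
 * NKEYS programmable keys, each with a SLOT_BYTES macro buffer in NVRAM. */
#define SLOT_BYTES 256
#define NKEYS      12
#define HDR_BYTES  4                      /* index, count, 16-bit payload length */
#define CHUNK_DATA (SLOT_BYTES - HDR_BYTES)

/* Split payload into self-describing per-key slots. Returns the number of keys
 * used, or -1 if the payload does not fit into NKEYS slots. */
int pack_into_slots(const uint8_t *payload, size_t len,
                    uint8_t slots[NKEYS][SLOT_BYTES])
{
    size_t nchunks = (len + CHUNK_DATA - 1) / CHUNK_DATA;
    if (nchunks > NKEYS || nchunks > 255) return -1;
    for (size_t i = 0; i < nchunks; i++) {
        size_t off = i * CHUNK_DATA;
        size_t n = (len - off < CHUNK_DATA) ? len - off : CHUNK_DATA;
        uint8_t *s = slots[i];
        memset(s, 0, SLOT_BYTES);
        s[0] = (uint8_t)i;                /* chunk index */
        s[1] = (uint8_t)nchunks;          /* total chunk count */
        s[2] = (uint8_t)(n >> 8);         /* payload bytes in this slot, big-endian */
        s[3] = (uint8_t)(n & 0xff);
        memcpy(s + HDR_BYTES, payload + off, n);
    }
    return (int)nchunks;
}

/* Reassemble from slots "typed" back in any order. Returns bytes recovered, or
 * -1 if a chunk is missing, duplicated, truncated or inconsistent. */
long unpack_from_slots(uint8_t (*typed)[SLOT_BYTES], int ntyped,
                       uint8_t *out, size_t outcap)
{
    uint8_t seen[256] = {0};
    int total = -1;
    long recovered = 0;
    for (int k = 0; k < ntyped; k++) {
        const uint8_t *s = typed[k];
        int idx = s[0], cnt = s[1];
        size_t n = ((size_t)s[2] << 8) | s[3];
        if (cnt == 0 || idx >= cnt || n > CHUNK_DATA) return -1;
        if (idx < cnt - 1 && n != CHUNK_DATA) return -1;  /* only the last chunk may be short */
        if (total == -1) total = cnt;
        else if (total != cnt) return -1;                 /* slots from different payloads */
        if (seen[idx]) return -1;                         /* same key typed twice */
        size_t off = (size_t)idx * CHUNK_DATA;
        if (off + n > outcap) return -1;
        memcpy(out + off, s + HDR_BYTES, n);
        seen[idx] = 1;
        recovered += (long)n;
    }
    if (total == -1) return -1;
    for (int i = 0; i < total; i++)
        if (!seen[i]) return -1;                          /* a key was never typed */
    return recovered;
}

/* Constructed round trip: a 600-byte payload needs 3 slots of 252 data bytes;
 * the keys are typed back in reverse order. Returns slots used, or -1 on mismatch. */
int roundtrip_demo(void)
{
    static uint8_t payload[600], out[600], slots[NKEYS][SLOT_BYTES], typed[NKEYS][SLOT_BYTES];
    for (size_t i = 0; i < sizeof payload; i++) payload[i] = (uint8_t)(i * 7 + 3);
    int used = pack_into_slots(payload, sizeof payload, slots);
    if (used < 0) return -1;
    for (int i = 0; i < used; i++) memcpy(typed[i], slots[used - 1 - i], SLOT_BYTES);
    long got = unpack_from_slots(typed, used, out, sizeof out);
    if (got != (long)sizeof payload || memcmp(payload, out, sizeof payload) != 0) return -1;
    return used;
}

/* Same payload, but the last key is never typed: the header lets the receiver notice. */
long missing_key_demo(void)
{
    static uint8_t payload[600], out[600], slots[NKEYS][SLOT_BYTES];
    for (size_t i = 0; i < sizeof payload; i++) payload[i] = (uint8_t)(i * 7 + 3);
    int used = pack_into_slots(payload, sizeof payload, slots);
    if (used < 2) return -2;
    return unpack_from_slots(slots, used - 1, out, sizeof out);
}
```

The 4-byte header costs a little capacity per key but buys order independence and a missing-key check, which matters when the extraction step is literally someone pressing keys one at a time. With the assumed 12 keys of 256 bytes the channel carries at most 12 * 252 = 3024 bytes per trip; pack_into_slots refuses anything larger rather than silently truncating.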
