[7239] in bugtraq
Re: Regarding Mudge's OBP/FORTH root hack (PHRACK53)
daemon@ATHENA.MIT.EDU (Mike Scher)
Mon Jul 13 14:00:10 1998
Date: Sat, 11 Jul 1998 23:55:54 -0500
Reply-To: Mike Scher <strange@TEZCAT.COM>
From: Mike Scher <strange@TEZCAT.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <35A5CD04.767B48@rawten.off.ai>
On Fri, 10 Jul 1998, Jericho Nunn wrote:
> An easy and quick work-around that avoids granting just anybody at
> the console the ability to "Stop-A" and drop into OBP, is to enable the
> "security-mode" and "security-password" variables within OBP. Changing
> the default value of "security-mode" from 'none' to 'full', forces a
> user who tries to halt the system to authenticate against the password
> defined in "security-password" before having access to the OBP command
> line.
Alas, "full" password mode on at least some of the Sun systems I have used
will also prompt for the password before completing any legitimate boot,
more or less crippling the lab/server in the event of any kind of
unattended restart, such as might well happen in a lab, or on a server
after a panic, power out, or other incident. It also does not prevent the
Stop-A/Break from freezing the running system.
I believe that setting the EEPROM security mode to "command" will prevent
anyone from doing much to the system other than to Stop-A/Break halt it
and reboot with the default boot params; it will also allow a halted
machine to be continued. It should (at least so the manual pages seem to
claim) not allow other commands, and I am pretty sure it will allow an
unattended reboot to the default boot device. Seems like this would be
the best remedy in a lab environment.
Note that none of the modes will prevent the Stop-A/Break halt itself,
AFAIK. But now we're talking physical access issues, and all physically
accessible systems are subject to the snip hole (power cord? <snip>), and
the spray hole (spray water into the box), should the malicious person
want to halt it in person.
Finally, remote consoling any server or device that treats the console as
possessing special privileges should be undertaken with great caution.
Cisco owners take note (!).
-M
Michael Brian Scher (MS683) | Anthropologist, Attorney, Part-Time Guru
strange@cultural.com | http://www.tezcat.com/~strange/
strange@uchicago.edu | strange@tezcat.com
Give me a compiler and a box to run it, and I can move the mail.
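The following audit script is an added example and is not part of the original post or of any Sun tool. It reads the OpenBoot variables through Solaris eeprom(1M) and reports the two settings the post discusses: "none" (anyone at the console gets the OBP prompt after Stop-A) and "full" (unattended reboots hang waiting for the password), with "command" treated as the recommended lab setting. It assumes eeprom prints variables as "name=value" lines and that the firmware exposes the security-#badlogins counter (a standard OpenBoot variable that counts failed OBP password attempts); when eeprom is not installed, a constructed sample of its output is used so the script runs on any POSIX shell.

```shell
#!/bin/sh
# Added audit example (not from the original bugtraq post).
# Reads OpenBoot security settings via eeprom(1M) and prints a verdict.

# Constructed sample of `eeprom` output, in the name=value format eeprom prints.
# Used only when the real eeprom command is unavailable.
SAMPLE_EEPROM_OUTPUT='security-mode=none
security-#badlogins=3
boot-device=disk net
auto-boot?=true'

# get_eeprom_output: real eeprom(1M) where present, otherwise the constructed sample.
get_eeprom_output() {
    if command -v eeprom >/dev/null 2>&1; then
        eeprom 2>/dev/null
    else
        printf '%s\n' "$SAMPLE_EEPROM_OUTPUT"
    fi
}

# eeprom_value NAME OUTPUT: print the value of variable NAME from eeprom-style
# output (everything after the first '='), or nothing if NAME is not listed.
eeprom_value() {
    printf '%s\n' "$2" |
        awk -F= -v key="$1" '$1 == key { print substr($0, length(key) + 2); exit }'
}

# audit_security_mode MODE BADLOGINS: print a one-line verdict for the
# security-mode value, plus a note if failed OBP password attempts were recorded.
audit_security_mode() {
    mode=$1
    badlogins=${2:-0}
    case "$mode" in
        none)
            echo "WARN security-mode=none: Stop-A hands anyone at the console the full OBP prompt" ;;
        full)
            echo "WARN security-mode=full: every boot waits for the password, so an unattended restart hangs" ;;
        command)
            echo "OK security-mode=command: default boot and continue work without the password; other OBP commands need it" ;;
        *)
            echo "UNKNOWN security-mode='$mode'" ;;
    esac
    # A non-zero counter means wrong OBP passwords were typed at the console.
    if [ "$badlogins" -gt 0 ] 2>/dev/null; then
        echo "NOTE security-#badlogins=$badlogins: failed OBP password attempts recorded; investigate, then clear with 'eeprom security-#badlogins=0'"
    fi
}

# run_audit: glue the pieces together for the current machine (or the sample).
run_audit() {
    out=$(get_eeprom_output)
    audit_security_mode "$(eeprom_value security-mode "$out")" \
                        "$(eeprom_value 'security-#badlogins' "$out")"
}

run_audit
```

Run it as root on the Solaris box (eeprom needs privileges to read the PROM); elsewhere it falls through to the constructed sample, which is enough to see the verdict format. The boot-device line is parsed the same way, so the script can be extended to confirm that the default boot device, the only thing "command" mode lets an unauthenticated console user boot, is the one you expect.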