[7240] in bugtraq
Re: Regarding Mudge's OBP/FORTH root hack (PHRACK53)
daemon@ATHENA.MIT.EDU (John W. Temples)
Mon Jul 13 14:00:11 1998
Date: Sat, 11 Jul 1998 16:37:25 -0700
Reply-To: "John W. Temples" <john@KUWAIT.NET>
From: "John W. Temples" <john@KUWAIT.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <35A5CD04.767B48@rawten.off.ai>
On Fri, 10 Jul 1998, Jericho Nunn wrote:
> An easy and quick work-around that avoids granting just anybody at
> the console the ability to "Stop-A" and drop into OBP, is to enable the
> "security-mode" and "security-password" variables within OBP. Changing
> the default value of "security-mode" from 'none' to 'full', forces a
> user who tries to halt the system to authenticate against the password
> defined in "security-password" before having access to the OBP command
> line.
On some (older?) OBP versions, you can reset the NVRAM to default
values (hence disabling the password) by pressing Stop-N.
And of course, a truly dedicated attacker simply has to open the box up
and drop in his own NVRAM chip which has no password.
--
John W. Temples, III || Providing the first public access Internet
Gulfnet Kuwait || site in the Arabian Gulf region
