[7265] in bugtraq


Re: Regarding Mudge's OBP/FORTH root hack (PHRACK53)

daemon@ATHENA.MIT.EDU (Casper Dik)
Tue Jul 14 16:33:07 1998

Date: 	Mon, 13 Jul 1998 21:58:43 +0200
Reply-To: Casper Dik <casper@HOLLAND.SUN.COM>
From: Casper Dik <casper@HOLLAND.SUN.COM>
X-To:         "John W. Temples" <john@KUWAIT.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Sat, 11 Jul 1998 16:37:25 PDT." 
              <Pine.SCO.3.96.980711163331.561C-100000@jwt>

>On Fri, 10 Jul 1998, Jericho Nunn wrote:
>
>>     An easy and quick work-around that avoids granting  just anybody at
>> the console the ability to "Stop-A" and drop into OBP, is to enable the
>> "security-mode" and "security-password" variables within OBP.  Changing
>> the default value of "security-mode" from 'none' to 'full', forces a
>> user who tries to halt the system to authenticate against the password
>> defined in "security-password" before having access to the OBP command
>> line.
>
>On some (older?) OBP versions, you can reset the NVRAM to default
>values (hence disabling the password) by pressing Stop-N.

That doesn't work.    (Well, maybe on really old Rev 1.0 PROMS).
L1-N only works if the PROM isn't in secure mode.

While the Forth in the OpenBoot PROM makes it a bit easier (and I'm sure
I've seen code snippets to set your creds years ago), the older
Sun 3 and pre-OpenBoot Sun ROMs have similar functionality but with
arcane syntax.

And you can boot with kadb and have even more support to walk around in
the kernel.    Then there's a kadb work-alike in Forth that we use
at Sun.

>And of course, a truly dedicated attacker simply has to open the box up
>and drop in his own NVRAM chip which has no password.

There's no security with physical access. Mudge's article serves to highlight
what everybody should have realized a long time ago: with password protection
on the boot firmware, cracking root is easy.

Casper

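The work-around quoted at the top of this message (enable OBP "security-mode" and set "security-password") is, on Solaris, done and checked through eeprom(1M). The following audit script is an added example, not code from Casper, Mudge or the Phrack article: it parses eeprom-style output, flags the default `security-mode=none` (Stop-A drops anyone at the console into OBP), and reports the firmware's count of failed PROM-password attempts. It goes slightly beyond the quoted text in accepting `command` as well as `full`: `command` requires the PROM password for everything except an unattended boot from the default device, `full` requires it even to boot. The two eeprom output samples embedded below are constructed; the function and variable names are mine.

```sh
#!/bin/sh
# Added example (not from the Bugtraq thread): audit the OpenBoot PROM
# password setting as reported by Solaris eeprom(1M).
#
# Fix on a host that reports security-mode=none (interactive; eeprom
# prompts twice for the new PROM password):
#     eeprom security-mode=command      # or: eeprom security-mode=full
#
# NOTE: security-mode=full also demands the password at every boot, so
# an unattended machine will sit at the password prompt after a power cycle.

# Constructed sample: eeprom output from a host left at the factory default.
SAMPLE_WEAK='security-mode=none
security-password: data not available.
security-#badlogins=0'

# Constructed sample: eeprom output from a host with the PROM password set
# and three failed password attempts recorded by the firmware.
SAMPLE_OK='security-mode=command
security-password: data not available.
security-#badlogins=3'

# check_security_mode: read eeprom-style output on stdin.
# Returns 0 when security-mode is "command" or "full" (PROM password
# required), 1 when it is "none" or not reported.
check_security_mode() {
    mode=$(awk -F= '$1 == "security-mode" { print $2; exit }')
    case "$mode" in
        command|full)
            echo "security-mode=$mode (PROM password required at the ok prompt)"
            return 0 ;;
        none)
            echo "security-mode=none (Stop-A gives anyone at the console an OBP prompt)"
            return 1 ;;
        *)
            echo "security-mode not reported in eeprom output"
            return 1 ;;
    esac
}

# badlogins: print the firmware's count of failed PROM-password attempts
# (the security-#badlogins variable), or an empty string if it is absent.
badlogins() {
    awk -F= '$1 == "security-#badlogins" { print $2; exit }'
}

# audit_live: run the check against the real firmware when eeprom(1M)
# exists on this host (i.e. Solaris on SPARC); otherwise return 2.
audit_live() {
    if command -v eeprom >/dev/null 2>&1; then
        # '#' must be quoted so the shell does not treat it as a comment.
        eeprom security-mode security-password 'security-#badlogins' \
            | check_security_mode
    else
        echo "eeprom not found; not a Solaris/SPARC host" >&2
        return 2
    fi
}
```

Run `audit_live` from a cron job or your host-audit tooling and treat a return of 1 as a finding; a rising `security-#badlogins` count is worth alerting on, since it means someone with console access has been guessing the PROM password. As Casper notes above, none of this helps against an attacker who opens the box and swaps the NVRAM chip; it only raises the bar for the casual Stop-A at the console.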