[880] in bugtraq
Re: "magic" hole
daemon@ATHENA.MIT.EDU (Wes Morgan)
Thu Feb 2 19:41:12 1995
Date: Thu, 2 Feb 95 09:19:38 EST
From: morgan@engr.uky.edu (Wes Morgan)
To: bugtraq@fc.net
>The other day, I happened to join a conversation about Unix security with
>a couple of fellows at a local bookstore. One of them mentioned the "magic"
>hole. I have heard mention of this hole before, but I assumed the hole
>no longer existed. Apparently, this was a hole in /bin/login. Does anyone
>else remember this?
The only "magic" hole I remember required physical access to the
console, and some floppies besides...
The following info (from the 3b2 FAQ on comp.sys.att) applies to
the AT&T 3b2 family; SVR3 (and, if you can still find it out there,
SVR2) variants closest to 'stock' AT&T may also be vulnerable in this
respect. I seem to recall that AT&T's System V/386 3.x also offered
this undocumented feature.
>"Open Sesame"
>
> To give standalone a try, first shut the machine down to firmware
>mode. Assuming the machine is now in firmware mode, put a copy of the
>boot disk into the drive. Note that some versions of the operating
>system (Sys V Release 2, at least) require that the boot floppy be
>write-enabled (i.e., no write-protect tab); it is this requirement that
>mandates multiple backups of the boot floppy. UNIX will be updating
>the disk while it runs -- the superblock, access times, etc. -- and if
>the machine crashes at the wrong time it simply will not boot again
>without an fsck. Be careful.
>
> Type in your firmware password and boot /unix from the floppy
>drive (Option 0, named `FD5') instead of the hard drive (Option 1,
>named `HD30' or `HD72'). It can take several minutes for UNIX to boot,
>but when it does, the familiar menu will be displayed:
>
> 1) Full Restore
> 2) Partial Restore
> 3) Dual-Disk Upgrade
> 4) Release Upgrade
> Selection? [1, 2, 3, 4, quit, help]
>
> At this point, type the phrase
>
> magic mode
>
> The system recognizes this special option and responds:
>
> Poof!
>
> Selection? [1, 2, 3, 4, quit, help, shell, copy]
>
> Notice the new options? Now type shell, then RETURN, and you will
>be greeted with the familiar # prompt. You are now running a
>standalone shell on the floppy.
From here, exploitation should be obvious.
Moral of the story - keep those install floppies in a safe place.
--Wes