Subject: Re: [ADVISORY] 4.4BSD Securelevels (fwd)
To: None <codewarrior@daemon.org, current-users@NetBSD.ORG,>
From: Olaf Seibert <rhialto@polder.ubc.kun.nl>
List: current-users
Date: 06/27/1997 12:36:02
codewarrior@daemon.org (Andrew Brown) wrote:
>can't be patched directly?! it can...or are you referring to the
>silly "patch" i made? as for patching the p_cred->cr_uid field, it
>would take me more than a few minutes to manually walk over to that
>particular field i think...
Actually, I did just that on our university's Sun 3 machines, before
they had the PROM version that required a password for that sort of thing.
It really isn't all that difficult to do, and after the initial
preparation and practice runs, I could do it within a minute or so.
I used gdb to disassemble the getuid() system call to learn how to
get from a process pointer to p_cred->cr_uid. For good measure, I did
the real, effective, and saved uids. And SunOS had a nice
command to list process pointers for processes. Piece of cake.
Even though in NetBSD I can't quickly find a command to list process
pointers, it is easy enough to get a shell in a tight loop, and then
you can use curproc as your process pointer. That's what I did before I
refined my attack.
-Olaf.
--
___ Olaf 'Rhialto' Seibert D787B44DFC896063 4CBB95A5BD1DAA96
\X/ It's not easy having a good time rhialto@polder.ubc.kun.nl
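The proc-to-credential walk Olaf describes, modelled in C as an added example (this is not code from the thread or from NetBSD). The struct layouts are simplified from 4.4BSD-Lite sys/proc.h and sys/ucred.h and are an assumption about the target kernel; on a real machine the offsets come from disassembling getuid() as in the mail, the process address from ddb's curproc or a process listing, and the reads and writes from the console debugger or PROM monitor rather than from the constructed in-memory image used here. The example also shows why "real, effective, and saved" means touching two structures: the effective uid sits in struct ucred, the real and saved uids in struct pcred.

```c
/* Added example: model of the proc -> p_cred -> pc_ucred walk against a
 * constructed "kernel image". Layouts are assumed (simplified 4.4BSD-Lite);
 * kmem_read/kmem_write stand in for ddb/PROM memory access. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t kaddr_t;            /* 32-bit kernel pointer, Sun 3 era */

struct ucred {                       /* effective credentials (sys/ucred.h) */
    uint32_t cr_ref;
    uint32_t cr_uid;                 /* effective uid */
    int16_t  cr_ngroups;
    uint32_t cr_groups[16];
};

struct pcred {                       /* per-process credentials (sys/proc.h) */
    kaddr_t  pc_ucred;               /* kernel address of struct ucred */
    uint32_t p_ruid;                 /* real uid */
    uint32_t p_svuid;                /* saved uid */
    uint32_t p_rgid;
    uint32_t p_svgid;
    int32_t  p_refcnt;
};

struct proc {                        /* only the leading fields the walk needs */
    kaddr_t  p_forw, p_back;
    int32_t  p_pid;
    kaddr_t  p_cred;                 /* kernel address of struct pcred */
};

/* Constructed kernel memory mapped at KBASE (assumed base address). */
#define KBASE 0x0e000000u
#define KSIZE 4096u
static unsigned char kimage[KSIZE];

static int kmem_read(kaddr_t addr, void *dst, size_t len)
{
    if (addr < KBASE || addr - KBASE > KSIZE - len) return -1;
    memcpy(dst, kimage + (addr - KBASE), len);
    return 0;
}

static int kmem_write(kaddr_t addr, const void *src, size_t len)
{
    if (addr < KBASE || addr - KBASE > KSIZE - len) return -1;
    memcpy(kimage + (addr - KBASE), src, len);
    return 0;
}

struct uids { uint32_t ruid, euid, svuid; };

/* Follow proc -> p_cred -> pc_ucred; -1 if a pointer leaves the image. */
int read_uids(kaddr_t proc_addr, struct uids *out)
{
    struct proc p; struct pcred pc; struct ucred uc;
    if (kmem_read(proc_addr, &p, sizeof p) < 0) return -1;
    if (kmem_read(p.p_cred, &pc, sizeof pc) < 0) return -1;
    if (kmem_read(pc.pc_ucred, &uc, sizeof uc) < 0) return -1;
    out->ruid = pc.p_ruid; out->svuid = pc.p_svuid; out->euid = uc.cr_uid;
    return 0;
}

/* Rewrite only the three uid fields; everything else is left untouched. */
int patch_uids(kaddr_t proc_addr, uint32_t newuid)
{
    struct proc p; struct pcred pc;
    if (kmem_read(proc_addr, &p, sizeof p) < 0) return -1;
    if (kmem_read(p.p_cred, &pc, sizeof pc) < 0) return -1;
    if (kmem_write(p.p_cred + offsetof(struct pcred, p_ruid), &newuid, 4) < 0) return -1;
    if (kmem_write(p.p_cred + offsetof(struct pcred, p_svuid), &newuid, 4) < 0) return -1;
    if (kmem_write(pc.pc_ucred + offsetof(struct ucred, cr_uid), &newuid, 4) < 0) return -1;
    return 0;
}

/* 1 if all three uids of the process equal v, else 0 (also on walk failure). */
int uids_all_equal(kaddr_t proc_addr, uint32_t v)
{
    struct uids u;
    if (read_uids(proc_addr, &u) < 0) return 0;
    return u.ruid == v && u.euid == v && u.svuid == v;
}

/* Constructed image: proc at KBASE+0x100, pcred at +0x200, ucred at +0x300.
 * Returns the proc address, i.e. what curproc would give in ddb. */
kaddr_t build_fake_image(uint32_t uid)
{
    struct proc p = {0}; struct pcred pc = {0}; struct ucred uc = {0};
    memset(kimage, 0, sizeof kimage);
    p.p_pid = 4242; p.p_cred = KBASE + 0x200;
    pc.pc_ucred = KBASE + 0x300; pc.p_ruid = pc.p_svuid = uid; pc.p_refcnt = 1;
    uc.cr_ref = 1; uc.cr_uid = uid;
    kmem_write(KBASE + 0x100, &p, sizeof p);
    kmem_write(KBASE + 0x200, &pc, sizeof pc);
    kmem_write(KBASE + 0x300, &uc, sizeof uc);
    return KBASE + 0x100;
}

int main(void)
{
    struct uids u;
    kaddr_t proc = build_fake_image(1000);
    read_uids(proc, &u);
    printf("before: ruid=%u euid=%u svuid=%u\n", u.ruid, u.euid, u.svuid);
    patch_uids(proc, 0);
    read_uids(proc, &u);
    printf("after:  ruid=%u euid=%u svuid=%u\n", u.ruid, u.euid, u.svuid);
    return 0;
}
```

The bounds checks in kmem_read/kmem_write are there because a wrong struct offset (the thing gdb on getuid() was used to pin down) makes the walk dereference garbage; a real console debugger gives no such check.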