Subject: Re: [ADVISORY] 4.4BSD Securelevels (fwd)
To: None <firstname.lastname@example.org, current-users@NetBSD.ORG,>
From: Olaf Seibert <email@example.com>
Date: 06/27/1997 12:36:02
firstname.lastname@example.org (Andrew Brown) wrote:
>can't be patched directly?! it can...or are you referring to the
>silly "patch" i made? as for patching the p_cred->cr_uid field, it
>would take me more than a few minutes to manually walk over to that
>particular field i think...
Actually, I did just that on our university's Sun 3 machines, before
they had the PROM version that required a password for that sort of thing.
It really isn't all that difficult to do, and after the initial
preparation and practice runs, I could do it within a minute or so.
I used gdb to disassemble the getuid() system call to learn how to
get from a process pointer to p_cred->cr_uid. For good measure, I did
both real, effective, and saved uids. And SunOS had a nice
command to list process pointers for processes. Piece of cake.
Even though in NetBSD I can't quickly find a command to list process
pointers, it is easy enough to get a shell in a tight loop, and then
you can use curproc as your process pointer. That's what I did before I
refined my attack.
>email@example.com (TheMan) * "ah! i see you have the internet
___ Olaf 'Rhialto' Seibert D787B44DFC896063 4CBB95A5BD1DAA96
\X/ It's not easy having a good time firstname.lastname@example.org