Re: Regarding Mudge's OBP/FORTH root hack (PHRACK53)

From: Mike Scher (strangeat_private)
Date: Sat Jul 11 1998 - 21:55:54 PDT


    On Fri, 10 Jul 1998, Jericho Nunn wrote:
    >     An easy and quick work-around that avoids granting just anybody at
    > the console the ability to "Stop-A" and drop into OBP, is to enable the
    > "security-mode" and "security-password" variables within OBP.  Changing
    > the default value of "security-mode" from 'none' to 'full', forces a
    > user who tries to halt the system to authenticate against the password
    > defined in "security-password" before having access to the OBP command
    > line.
    
    Alas, "full" password mode on at least some of the Sun systems I have used
    will also prompt for the password before completing any legitimate boot,
    more or less crippling the lab/server in the event of any kind of
    unattended restart.  Such as might well happen in a lab, or on a server
    after a panic, power out, or other incident.  It also does not prevent the
    Stop-A/Break from freezing the running system.
    
    I believe that setting the EEPROM security mode to "command" will prevent
    anyone from doing much to the system other than to Stop-A/Break halt it
    and reboot with the default boot params; it will also allow a halted
    machine to be continued.  It should (at least so the manual pages seem to
    claim) not allow other commands, and I am pretty sure it will allow an
    unattended reboot to the default boot device.  Seems like this would be
    the best remedy in a lab environment.
    
    Note that none of the modes will prevent the Stop-A/Break halt itself,
    AFAIK.  But now we're talking physical access issues, and all physically
    accessible systems are subject to the snip hole (power cord?  <snip>), and
    the spray hole (spray water into the box), should the malicious person
    want to halt it in person.
    
    Finally, remote consoling any server or device that treats the console as
    possessing special privileges should be undertaken with great caution.
    Cisco owners take note (!).
    
          -M
    
    Michael Brian Scher   (MS683)  | Anthropologist, Attorney, Part-Time Guru
         strangeat_private      |     http://www.tezcat.com/~strange/
         strangeat_private      |           strangeat_private
       Give me a compiler and a box to run it, and I can move the mail.
    
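An added audit script, not part of the original post or of any Sun tool, that applies the trade-off described above (none / full / command) to saved `eeprom` output so an admin can check a lab's SPARC boxes without being at the console. It assumes the `name=value` lines that `eeprom` prints and that `security-#badlogins` is the PROM's counter of failed security-password attempts; the sample output is constructed.

```shell
#!/bin/sh
# Audit OBP/EEPROM security settings from the text form `eeprom` prints.
# Verdicts follow the post: "none" leaves Stop-A -> OBP open to anyone at the
# console, "full" protects OBP but stalls an unattended reboot at the password
# prompt, "command" allows the default boot while other OBP commands need the
# password.  No mode stops the Stop-A/Break halt itself.

# obp_mode_verdict MODE: print a verdict; exit 0 = acceptable, 1 = open,
# 2 = protected but will hang unattended reboots, 3 = unrecognised value.
obp_mode_verdict() {
    case "$1" in
        none)    echo "RISK: security-mode=none, anyone at the console can Stop-A into OBP"; return 1 ;;
        full)    echo "WARN: security-mode=full, an unattended reboot waits for the PROM password"; return 2 ;;
        command) echo "OK: security-mode=command, default boot allowed, other OBP commands need the password"; return 0 ;;
        *)       echo "UNKNOWN: security-mode='$1'"; return 3 ;;
    esac
}

# audit_eeprom_text TEXT: TEXT is eeprom-style "name=value" lines (saved output).
# Returns the mode verdict code and additionally flags failed password attempts.
audit_eeprom_text() {
    mode=$(printf '%s\n' "$1" | sed -n 's/^security-mode=//p')
    bad=$(printf '%s\n' "$1" | sed -n 's/^security-#badlogins=//p')
    # A missing variable is treated as the default, "none".
    obp_mode_verdict "${mode:-none}"
    rc=$?
    if [ "${bad:-0}" -gt 0 ]; then
        echo "ALERT: $bad failed PROM password attempt(s) recorded (security-#badlogins)"
    fi
    return $rc
}

# Constructed sample, as `eeprom security-mode security-#badlogins` might print it.
SAMPLE='security-mode=full
security-#badlogins=3'

audit_eeprom_text "$SAMPLE" || echo "audit exit status: $?"
```

Run it against real output with `audit_eeprom_text "$(eeprom security-mode security-#badlogins)"` on the host, or against a saved copy; a non-zero status means the mode needs attention.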



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:23 PDT