Saturday, March 28, 2015

With Great Power Comes Great Responsibility

Forth is used as a bootloader for SPARC based machines. One feature that SPARC based machines made by SUN Mircosystems had was the ability to drop back to the bootloader's Forth interpreter by pressing the Stop-A key combination at the console. This suspended the operating system and gave the user an ok prompt to work at. Typically this was used to kick off a kernel debugger or to kick errant SCSI hardware back into line. In effect the Open Boot Prom (OBP), as the Forth based bootloader was branded, was a very lightweight hypervisor.

A consequence of this was that while working at the ok prompt, the user wasn't subject to privilege system of Solaris. People at the console could use this to gain root privileges. The method worked as follows:

  1. Find the address in memory where the proc structure of a shell that the user has open, i.e., where the shell's process resides in memory.

  2. Press Stop-A to drop to OBP.

  3. Write 0 to the cr_uid field of the processes cred structure. The location of this in memory is easily found from the process address.

  4. Type go to return to Solaris where there is a shell where the user now has an effective user id of 0, i.e., root privileges.

Full details can be found at Brendan Gregg's website. The option to ps that gave easy access to processes' addresses, has been since removed to make this more difficult, but it would still be easy to find with a debugger, for example.

There are a few things to be learned from this:

  • With great power comes great responsibility.

  • A hypervisor can completely bypass the security controls of its guest operating systems.

  • If an attacker has access to a machine physically or via a hypervisor, it is a matter of "when" and not "if" they gain control.