
With Great Power Comes Great Responsibility

Forth is used as the bootloader on SPARC based machines. One feature of the SPARC machines built by Sun Microsystems was the ability to drop back into the bootloader's Forth interpreter by pressing the Stop-A key combination at the console. This suspended the operating system and gave the user an ok prompt to work at. Typically it was used to start a kernel debugger or to kick errant SCSI hardware back into line. In effect the OpenBoot PROM (OBP), as the Forth based bootloader was branded, sat underneath Solaris like a very lightweight hypervisor.

A consequence of this was that a user working at the ok prompt was not subject to the privilege system of Solaris at all. Anyone with access to the console could use this to gain root privileges. The method worked as follows:

  1. Find the address in kernel memory of the proc structure of a shell the user has open, i.e., where that shell's process resides in memory.

  2. Press Stop-A to drop to OBP.

  3. Write 0 to the cr_uid field of that process's cred structure. Its location in memory is easily derived from the proc address, since the proc structure points at its cred.

  4. Type go to return to Solaris. The shell is still there, but the user now has an effective user id of 0, i.e., root privileges.

Full details can be found on Brendan Gregg's website. The ps option that gave easy access to process addresses has since been removed to make this harder, but the address would still be easy to find with a kernel debugger, for example.
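To make the four steps concrete, here is an added example in C that models them; it is not from the original post or from Brendan Gregg's write-up. The proc and cred layouts, field sizes and the two process ids are invented for the example (only the field names proc, cred, cr_uid and p_cred are the ones the post and Solaris use); the real offsets come from the kernel's headers or a debugger. The guest kernel's check is modelled on the ordinary rule that only an already-privileged process may choose an arbitrary uid, and the OBP step is modelled as what the OpenBoot Forth word l! does: store a 32-bit word at a raw address, with no knowledge of the guest's rules.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy models of proc and cred. Layouts are invented for this example;
 * only the field names follow the post. The reference count is there
 * because Solaris shares one cred between processes that have the same
 * credentials, e.g. a shell and the programs it forks. */
typedef struct cred {
    uint32_t cr_ref;  /* how many procs point at this cred */
    uint32_t cr_uid;  /* effective uid: the field the attack overwrites */
    uint32_t cr_gid;
} cred_t;

typedef struct proc {
    int     p_pid;
    cred_t *p_cred;   /* step 3: the proc leads straight to its cred */
} proc_t;

/* The guest kernel's control for changing uid: only uid 0 may pick any
 * uid. This is the check that working at the ok prompt never touches. */
int guest_setuid(proc_t *p, uint32_t newuid)
{
    if (p->p_cred->cr_uid != 0)
        return -1;                 /* EPERM: the guest refuses */
    p->p_cred->cr_uid = newuid;
    return 0;
}

/* What "0 <addr> l!" at the ok prompt amounts to: a raw 32-bit store.
 * Nothing here consults the guest's privilege system. */
void obp_l_store(uintptr_t addr, uint32_t value)
{
    *(volatile uint32_t *)addr = value;
}

/* Steps 1 and 3: from the proc address, derive the address of cr_uid. */
uintptr_t cr_uid_addr(const proc_t *p)
{
    return (uintptr_t)p->p_cred + offsetof(cred_t, cr_uid);
}

/* Sanity check of the guest's own control: an unprivileged process that
 * asks the kernel for uid 0 is refused and keeps its uid. Returns 1 on
 * the expected outcome. */
int guest_refuses_unprivileged_setuid(void)
{
    cred_t c = { .cr_ref = 1, .cr_uid = 1001, .cr_gid = 100 };
    proc_t p = { .p_pid = 1, .p_cred = &c };
    return guest_setuid(&p, 0) == -1 && c.cr_uid == 1001;
}

/* The attack against a constructed scenario: the user's shell and an
 * editor it forked, sharing one cred (cr_ref == 2). Returns how many of
 * the two processes run as root after the OBP write. */
int demo_root_count(void)
{
    cred_t user_cred = { .cr_ref = 2, .cr_uid = 1001, .cr_gid = 100 };
    proc_t shell  = { .p_pid = 4242, .p_cred = &user_cred };
    proc_t editor = { .p_pid = 4243, .p_cred = &user_cred };

    /* Steps 2 to 4: Stop-A, poke the word, go. */
    obp_l_store(cr_uid_addr(&shell), 0);

    int n = 0;
    if (shell.p_cred->cr_uid == 0)  n++;
    if (editor.p_cred->cr_uid == 0) n++;
    return n;                      /* 2: the shared cred made both root */
}

int main(void)
{
    printf("guest refuses setuid(0) from uid 1001: %s\n",
           guest_refuses_unprivileged_setuid() ? "yes" : "no");
    printf("processes running as root after the OBP write: %d\n",
           demo_root_count());
    return 0;
}
```

Two points the model brings out. First, the kernel's own check is sound and still holds; it is simply never consulted, because the write happens from outside the guest. Second, because creds are reference counted and shared, poking one word changes the uid of every process sharing that cred, not just the shell, so the blast radius is larger than the four steps suggest. The mitigations Sun shipped make the same point from the other side: disabling the abort sequence (kbd -a disable, or set abort_enable = 0 in /etc/system) and setting an OBP security-mode password both work by keeping the attacker out of the ok prompt, not by hardening anything inside Solaris.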

There are a few things to be learned from this:

  • With great power comes great responsibility.

  • A hypervisor can completely bypass the security controls of its guest operating systems.

  • If an attacker has physical access to a machine, or access to the hypervisor it runs under, it is a matter of "when" and not "if" they gain control.
