From: Steffen Nurpmeso
To: Niklas Karlsson
Date: Tue, 01 Aug 2023 22:48:00 +0200
Message-ID: <20230801204800.wvlfp%steffen@sdaoden.eu>
Cc: The Eunuchs Hysterical Society
Subject: [TUHS] Re: shell escapes in utilities

Niklas Karlsson wrote in :
 |On Tue 1 Aug 2023 at 20:43, Ron Natalie wrote:
 |> I remember IBM sending me an early RS/6000. Booted the
 |> thing up but had no clue what root or any other password was.
 |> So, I set to work hacking on it. Now this thing had a physical key on
 |> the front. Off, On, and a Wrench symbol. OK, let's try the wrench.
 |> Boots up some sort of maintenance program. After playing around with
 |> it a bit I find a help option. This starts up a paginator (more or pg
 |> or something). Sure enough you can shell escape out of that.
 |> Instant root shell. Now it's trivial to change the root password and
 |> reboot in normal mode.
 |
 |To be fair, local root exploits are a bit of a different animal from
 |remote ones. Even now, if you have physical access to your average *nix
 |box, you can likely gain root. Sure, there are ways and means of

I find this a provocative statement even in the silly season.
I would assume that despite EFI firmware snooping key presses when
entering the disk key on cold boot, or other sort of nifty spying
(the famous USB sticks that "turn into keyboards and send key
presses" (as root?) cross my mind), I would think that you have a
hard time as a normal user to become root.

On this box, even though you are not further separated via
"ip netns exec .. unshare .." etc., some SETUID programs exist:

  $ find /sbin /bin /usr/sbin /usr/bin -perm /4000
  /sbin/unix_chkpwd
  /bin/ping
  /bin/umount
  /bin/mount
  /bin/ksu
  /usr/bin/fusermount
  /usr/bin/crontab
  /usr/bin/doas
  /usr/bin/slock
  /usr/bin/traceroute
  /usr/bin/newuidmap
  /usr/bin/newgidmap
  /usr/bin/passwd
  /usr/bin/newgrp
  /usr/bin/expiry
  /usr/bin/chsh
  /usr/bin/chfn
  /usr/bin/chage
  /usr/bin/su

 |preventing that, but IME it's really only people doing really secret
 |spook stuff that bother with those. Even engineering outfits with big
 |secrets to protect usually don't bother.
 |
 |What you did with that RS/6000 sounds roughly equivalent to booting a
 |modern Linux box in single-user mode, where you can also set the root
 |password to anything you like.

Not here.

 |Niklas

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
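The setuid enumeration in the message above, turned into a baseline check so that a binary which newly acquires the bit (or a known one that disappears) is noticed. This is an added example, not code from the thread; it assumes a baseline file with one absolute path per line, and the path /etc/setuid.baseline in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original thread): audit setuid/setgid binaries
# under the given directories against a baseline list.
# Baseline format (one absolute path per line) is an assumption.

LC_ALL=C        # sort and comm must agree on collation
export LC_ALL

# Print every regular file under the given directories that carries the
# setuid (4000) or setgid (2000) bit, one per line, sorted.
list_setuid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# audit_setuid BASELINE DIR...
# Prints "+ path" for setuid/setgid files that are not in BASELINE and
# "- path" for BASELINE entries that no longer carry the bit or are gone.
# Returns 0 when the system matches the baseline, 1 when it does not.
audit_setuid() {
    baseline=$1; shift
    current=$(mktemp) || return 2
    expected=$(mktemp) || { rm -f "$current"; return 2; }
    list_setuid "$@" > "$current"
    sort -u "$baseline" > "$expected"
    # comm -13: lines only in the current list; comm -23: only in the baseline.
    changes=$( comm -13 "$expected" "$current" | sed 's/^/+ /'
               comm -23 "$expected" "$current" | sed 's/^/- /' )
    rm -f "$current" "$expected"
    [ -n "$changes" ] && printf '%s\n' "$changes"
    [ -z "$changes" ]
}

# Usage on the directories from the thread, with a placeholder baseline path:
#   audit_setuid /etc/setuid.baseline /sbin /bin /usr/sbin /usr/bin
```

Running it from cron and alerting on a non-zero exit turns the one-off `find` into a standing check; the baseline is regenerated with `list_setuid` after an intended package change.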