Please consider a donation to the Higher Intellect project. See or the Donate to Higher Intellect page for more info.

Authentication bypass in Sun 386i machines

From Higher Intellect Vintage Wiki
Revision as of 13:36, 9 July 2020 by Netfreak (talk | contribs) (Created page with "<pre> ________________________________________________________________ THE COMPUTER INCIDENT ADVISORY CAPABILITY CIAC ADVISORY NOTICE _________________________...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search




  		 Authentication bypass in Sun 386i machines

The login program supplied by Sun for its 386i machines, version 4.0.1 of Sun 
OS (SOS), accepts the argument "-n" which bypasses authentication.  It was
apparently added in order to allow the Sun program "logintool" to do the
authentication and have login do the housekeeping.  This allows a user who
discovers the new argument to the login program to become a root user in 
several ways.  An example of one method is attached. 

A temporary solution is to disable logintool and patch the binary using 
the "strings" and "adb"method used last November.  Alternatively and more 
simly, log in a root and issue the command

			chmod 110 /bin/login

Example of login endrun:
Script started on Tue Apr 11 14:16:25 1989
myhost[1] whoami
myhost[2] /bin/login -n root
Login incorrect
login: onceuponatime
No home directory specified in password file!  Logging in with home=/
# whoami
# who a i
myhost!onceupon ttyp2   Apr 11 14:17
# ^D myhost1[3] ^D
script done on Tue Apr 11 14:17:34 1989

Sun is presently working on a patch.  When it is available, CIAC will
inform you accordingly. 

For questions or additional information, please contact

                                 Gene Schultz
                                 CIAC Team Leader
                                 (415) 422-8193 or FTS 532-8193
                                 gschultz%[email protected]