Home page logo

bugtraq logo Bugtraq mailing list archives

Re: password backdoors (on Apollo)
From: hpeyerl () beer org (Herb Peyerl)
Date: Thu, 11 May 1995 22:59:28 -0600

Dan Thorson <Dan_Thorson () notes seagate com>  wrote:
Sure, shut the machine, REset, then (and I can't remember the exact sequence) 
you should be able to modify the /etc/passwd file, re-start the OS, root has 
the password (or lack thereof) you set up in the previous step.

Bzzt.. Can't do that on an Apollo running Domain/OS.

Domain/OS has a typed filesystem and the password file is of type
'rgy' or some such and the type manager interprets all file accesses
and does network registry lookups.  This of course is only useful when
the system is "up" more than single-user mode.

Also, in order to even get the thing into single-user mode, you have
to enter the root password (which it looks up in a local-copy of the
registry when the network-registry is un-reachable which is certainly
is in single-user mode)... The local registry is not in normal human-readable
format... If you're going to be editing binary files then there are much
easier ways to get into a Domain/OS machine.

In the past I've done things like put it into service mode (with the
switchin the back), wait for it to come up to the login prompt, 
hit ctrl-enter (equivalent to L1-A on a Sparc), set a breakpoint in
one of the rgy_$ global functions (can't remember offhand which one)
and then step-trace til you get to the appropriate 'cmp' and alter
the behavior accordingly...

However, when you're monkeying around at that level, there ain't a
heck of a lot that's going to keep you out of a system.

It's been a number of years since I've had to do the above and I 
certainly don't remember the addresses of any of the calls and
of course it's dependant on OS revision as well as machinetype to
some extent...

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]