[Coco] setuid? was Re: Telnet to your CoCo.. and invite 6 of your friends

Aaron Wolfe aawolfe at gmail.com
Mon Nov 30 17:21:54 EST 2009


On Mon, Nov 30, 2009 at 5:02 PM, Tim Fadden <t.fadden at cox.net> wrote:
> To the thread in general, not you Willard. :-)
>
> You are all talking about using a system call and creating a program and
> then being able to change userID.  That's great, but how does the program get
> on the host computer when there is no way to compile on it, or transfer
> files to it?  If all you can do is see in your own home directory, and do a
> list, dir or start a bbs menu or what I, the super user, allow you to use,
> how do you get the offending program on there?

The issue is that a very small sequence of bytes will allow anyone to
become user 0.  There are a great number of ways to get some bytes
executed by the system, especially in a system like OS-9 on the Coco,
where nothing is protected in hardware (no MMU help for us :( ).  All
memory in the coco is executable; all you have to do is get the CPU
pointed at your bytes and you're in.

Even without the built in "hack me" subroutine, I don't think it would
be very difficult to come up with a small series of instructions that
granted additional rights.  As far as I can tell, there is nothing to
stop one process from clobbering another.

I mentioned buffer overflows briefly before.  In a nutshell, any time
the computer accepts input from a user or a file or a device,
basically any time it starts loading or copying ram, there is a finite
amount of space allocated to accepting this data.  What happens when
you send more data than the process has space determines whether you
can "overflow" the buffer.  In some cases, the additional data gets
written to a portion of memory that will soon be executed by the
program... and so with the proper amount of filler and about 5 bytes
of code, you've got user 0.  A large number of programs written in the
time period were not too careful about this type of thing.  I haven't
taken a good look at the OS-9 utils, so I'm not saying there is
necessarily any problem there.  I would not be surprised, however, if
some issues existed.

> Of course you can hack your own system!  Given physical root access to any
> machine it can be hacked.  Many can be hacked without root access!  Logging

The experiment was to test that the system call worked as documented,
not to demonstrate a "hack"..  A break-in might use a similar set of
calls to the OS-9 system, but would not likely take the form of a
command installed on the system.  Some more "interesting" means of
getting the code executed are usually called for.

> in remotely with a sub-set of safe-to-run commands is a whole different
> story. In fact I contend that os9 would be harder to exploit than any
> current operating system.  There are NO network protocols running
> whatsoever! No browsers, no email etc. etc.
>
> I'm tempted to give you remote access and see if you can hack it! he he he

I was thinking about doing the same thing..  now that I've written the
network access part, maybe I should put a coco online and see if
people can break in..  put a secret phrase in a file that only user 0
should be able to see, and see who finds it.. might be interesting,
but would be more interesting to me if I could be a contestant.. let
me know if you decide to set up a trial :)


>
> Tim
>
> Willard Goosey wrote:
>>
>> On Sun, Nov 29, 2009 at 07:13:05PM -0500, Aaron Wolfe wrote:
>>
>>>
>>> I think this reflects the attitude towards computer security,
>>> especially on micros, at the time OS-9 was created.  Basically, more
>>> of a feature than a requirement.
>>
>> No doubt.  Still, it surprised me.  Motorola is the home of "Friar
>> Tuck" and "Robin Hood", after all. ;-) (Look in the Jargon File) Of
>> course, it may just be the Tandy version that had SETID broken.
>>
>>
>>>
>>> Another option for "safe" internet access is to combine Boisy's idea
>>> of locking access at the DriveWire server side with a simple account
>>> system.
>>
>> Yes, since you've got a PC as a front-end box you can handle the
>> security there.
>>
>> Willard
>>
>
>
> --
> Coco mailing list
> Coco at maltedmedia.com
> http://five.pairlist.net/mailman/listinfo/coco
>
