TCLUG Archive

Re: [TCLUG:3932] fatal X error - Really fsck on /
   Sometimes, the best thing to do is to boot with a rescue disk.  While
RedHat and other vendors supply them, they aren't exactly immediate and
not totally functional.  By employing a LILO exploit, you can gain swifter
and fuller access to the system.  This is a dangerous hack and should be
treated with a great deal of respect.  
   Anyway, the loophole in lilo is that if you're dual-booting, or even
have prompt set (or not), you can hit tab or shift or whatever to get to
the boot: option.  From there, LILO will tell you what your boot options
are.  Let's pretend that your working kernel label is "Linux".  A common
parameter is to use this:

LILO Boot: Linux root=/dev/hda1

This will tell the kernel that the root filesystem is on /dev/hda1 and
that it should expect to find init living there.  The dangerous problem is
that you can do the following:

LILO Boot: Linux init=/bin/sh

This will boot the machine accordingly, but bring you directly to a sh
shell.  You will have full root access at this point and be able to do
maintenance on the system.  

NOTE:  USE THIS EXPLOIT FOR GOOD, NOT EVIL!!

   Anyway, you'll still need to do a few other nasty things to get total
access to the system, but at this point, you'll be in the system with
access to / (ro).  Run e2fsck on the suspect drive and hopefully, you'll
be able to get the appropriate fixes done.  You can mount the / filesystem
read-write if you need to, but I won't say how as I'm feeling like I've
already said enough :-)
   In any event, this security risk can be absolved by patching the
assembly code in the lilo source code (why this hasn't been "officially"
added is beyond me).  I'll include the patch below.  Basically, it
treats the loop in reverse.  If the prompt bit is 0, it'll not wait for a
keystroke and ignore keyboard requests, booting safely and immediately
into the system.  On the other hand, if prompt is set to 1 (like in a
dual-boot environment), the system remains vulnerable to this exploit.   I
have rpm's and src.rpm's for a secure lilo and more secure default RedHat
packages available at:

http://www.math.umn.edu/~peter/packages/5.2/
in either RPMS or SRPMS.

Anyway, here's the patch:
--- second.S.orig       Thu Jun 19 11:11:42 1997
+++ second.S    Wed Aug  5 17:08:15 1998
@@ -1259,6 +1259,10 @@
 ! Shift wait loop (AX = timeout, returns CY set if interrupred)
 
 waitsh:        call    setto           ! set timeout
+acnosp: test    byte ptr timeout,#1 ! timed out ?
+        jz      actlp           ! no -> wait
+        clc                     ! clear carry
+        ret                     ! done
 actlp: mov     ah,#2           ! get shift keys
        int     0x16
        and     al,#0x5f        ! anything set ? (except NumLock)
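Review bot: the new `acnosp:` block is now entered straight from `call setto`, so `timeout` is tested before the shift keys or the serial line are sampled even once; that is the intended reversal (an already-expired timeout returns with CY clear and never reaches `actlp`), but it relies on `setto` leaving `timeout` in a testable state on return, which should be confirmed, and the header comment "Shift wait loop (AX = timeout, returns CY set if interrupred)" should say that an expired timeout returns immediately with CY clear so the changed entry behaviour is documented where the routine is read.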
@@ -1271,11 +1275,7 @@
        add     dx,#5           ! check for pending break
        in      al,dx
        test    al,#0x10
-       jnz     shpress         ! break received -> return with CY set
-acnosp:        test    byte ptr timeout,#1 ! timed out ?
-       jz      actlp           ! no -> wait
-       clc                     ! clear carry
-       ret                     ! done
+       jz      acnosp          ! break received -> return with CY set
 shpress:stc                    ! set carry
        ret                     ! done
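Review bot: the comment on the replaced line is stale. `jz acnosp` is taken when `test al,#0x10` finds no break pending (ZF set), sending the loop back to the timeout test; a received break now falls through to `shpress: stc`. The line should read something like `jz acnosp ! no break -> check timeout`, leaving "break received -> return with CY set" to describe the fall-through into `shpress`, otherwise the comment states the opposite of the branch condition.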
Peter Lukas

On Fri, 5 Feb 1999, Tim Wilson wrote:

> On Fri, 5 Feb 1999, Peter Lukas wrote:
> 
> > Hey Neighbor,
> 
> Well, not quite a neighbor. I haven't taken a class in a while, but the
> sysadmin in the chem. dept. hasn't booted me off their system yet.
> 
> > It looks like you ought to umount the filesystem and run e2fsck to remap
> > some of those inodes.  If things get dicey from there, you may want to use
> > the badblocks program to fix things a little further although I doubt
> > that'll be necessary.
> 
> This sounds like what I need to do. I'm afraid I haven't had to delve this
> far into the innards of my filesystem before. (I suspect most readers on
> the list haven't either.) How can I safely unmount the filesystem and use
> these utilities? Do I need to run them off of a floppy disk? I'm a complete
> newbie with this "down and dirty" sysadmin stuff.
> 
> -Tim
> 
> --
> Timothy D. Wilson			"A little song, a little dance,
> University of MN, chem. dept.		a little seltzer down your 
> wilson@chem.umn.edu			pants."   -Chuckles the Clown
> Phone: (612) 625-9828                       as eulogized by Ted Baxter
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tclug-list-unsubscribe@listserv.real-time.com
> For additional commands, e-mail: tclug-list-help@listserv.real-time.com
> Try our website: http://tclug.real-time.com
> 
>
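The recovery step discussed in the thread (run e2fsck on the suspect filesystem only once it is unmounted or, as after a rescue boot, mounted read-only) as an added example that is not part of the original messages; the mounts table is constructed to resemble /proc/mounts and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original thread. Encodes the safety rule
# behind "boot to a shell with / mounted read-only, then run e2fsck":
# never let e2fsck repair a filesystem that is mounted read-write.

# fsck_state DEV TABLE
#   TABLE is text in /proc/mounts format (one "dev mountpoint fstype
#   options dump pass" line per mount). Prints: unmounted | ro | rw
fsck_state() {
    _dev=$1
    _state=unmounted
    while read -r _d _mp _fstype _opts _rest; do
        [ "$_d" = "$_dev" ] || continue
        # Match the bare "ro" option; "errors=remount-ro" must not count.
        case ",$_opts," in
            *,ro,*) _state=ro ;;
            *)      _state=rw ;;
        esac
    done <<EOF
$2
EOF
    echo "$_state"
}

# fsck_allowed DEV TABLE: exit status 0 when e2fsck may be run on DEV
# (not mounted, or mounted read-only as a rescue boot leaves /), 1 otherwise.
fsck_allowed() {
    case "$(fsck_state "$1" "$2")" in
        unmounted|ro) return 0 ;;
        *) echo "refusing: $1 is mounted read-write" >&2; return 1 ;;
    esac
}

# Constructed mounts table resembling a rescue boot from the thread:
# / read-only on /dev/hda1, /home mounted read-write.
DEMO_MOUNTS='/dev/hda1 / ext2 ro 0 0
/dev/hda2 /home ext2 rw 0 0'

# On a live system substitute "$(cat /proc/mounts)" for DEMO_MOUNTS and
# invoke e2fsck only when this check passes.
for dev in /dev/hda1 /dev/hda2 /dev/hda3; do
    if fsck_allowed "$dev" "$DEMO_MOUNTS"; then
        echo "$dev: $(fsck_state "$dev" "$DEMO_MOUNTS"), e2fsck may run"
    fi
done
```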