Date: Thu, 16 Jul 1998 22:46:31 +0200
From: "Ralf Lehmann [email protected]" <[email protected]>
To: [email protected]
Subject: Security risk with power management on Solaris 2.6
Recently we found a security risk caused by power management on Solaris
2.6. I am pretty sure that it exists on Solaris 2.5 too, though I
haven't tested it.
Sorry if this has been posted before.
Power management functionality:
If you are using a desktop like CDE or OpenLook, you can press the
on/off button on the keyboard to suspend the system. Suspending means
that the whole kernel and all process memory is saved to disk. If you
turn the machine on again, the boot procedure recognizes that the system has
been suspended and restores the kernel and the processes. Operation
of the system continues exactly where it was stopped, with one
exception: lockscreen is called to prevent unauthorized access to the
just-restarted machine.
Here is the bug:
When you reboot a suspended system you will see a line like
Restoring system...
on your screen. After a few seconds the line disappears and the screen is
dark. Now start typing characters on the keyboard. On a slow SPARC 5 you
will have 20 to 30 seconds to enter characters. All that input is delivered
to the last active tool on the desktop, even before lockscreen can catch
the input focus.
It is a lot of fun if the superuser suspended the system and the last active
tool was a shell.
Try this: shortly after the line "Restoring ..." disappears, type
passwd -d root
or echo + + >> /.rhosts
or any other command you like to be executed as root. You don't have to worry
about the time. On a SPARC 5 you will have a lot of time (20 seconds).
After about 20 seconds of darkness you can see the desktop for a short
moment before lockscreen is activated. But the damage is done already.
I haven't found a bug description or patch from Sun. The only workaround is
not to use power management with a desktop. But who is using power management
anyway?
Ralf Lehmann
[email protected]
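The two commands in the post leave recognizable traces on the resumed machine: root with an empty password field (from "passwd -d root") and a world-open /.rhosts (from "echo + + >> /.rhosts"). The following script is an added example, not part of the original post, that checks for both. It assumes a shadow-style file with colon-separated fields where field 2 is the password hash, and an rhosts-style file of "host [user]" lines; the sample files it creates are constructed for the demo, and on a real host you would point the functions at /etc/shadow and /.rhosts instead.

```shell
#!/bin/sh
# Added example: post-incident checks for the artifacts the attack in the
# post leaves behind (empty root password, "+ +" in /.rhosts).
# Assumptions: shadow-style file (field 2 = password hash) and rhosts-style
# file ("host [user]" per line). Sample inputs below are constructed.

# Returns 0 if ACCOUNT has an empty password field in SHADOWFILE, 1 otherwise.
account_has_empty_password() {
    shadowfile=$1; account=$2
    awk -F: -v u="$account" '
        $1 == u && $2 == "" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$shadowfile"
}

# Returns 0 if RHOSTSFILE trusts every host (a bare "+", or "+ +"),
# 1 otherwise. Blank lines and lines starting with "#" are skipped.
rhosts_is_open() {
    rhostsfile=$1
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "+" && (NF == 1 || $2 == "+") { found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$rhostsfile"
}

# Runs both checks and returns the number of findings (0 = clean).
audit_resume_artifacts() {
    findings=0
    if account_has_empty_password "$1" root; then
        echo "FINDING: root has an empty password field in $1"
        findings=$((findings + 1))
    fi
    if rhosts_is_open "$2"; then
        echo "FINDING: $2 trusts every host"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample files (not taken from any real host).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_SHADOW_BAD=$SAMPLE_DIR/shadow.bad
SAMPLE_SHADOW_OK=$SAMPLE_DIR/shadow.ok
SAMPLE_RHOSTS_BAD=$SAMPLE_DIR/rhosts.bad
SAMPLE_RHOSTS_OK=$SAMPLE_DIR/rhosts.ok

cat >"$SAMPLE_SHADOW_BAD" <<'EOF'
root::10417::::::
daemon:NP:6445::::::
ralf:abc123XYZ.def:10417::::::
EOF
cat >"$SAMPLE_SHADOW_OK" <<'EOF'
root:abc123XYZ.def:10417::::::
daemon:NP:6445::::::
EOF
cat >"$SAMPLE_RHOSTS_BAD" <<'EOF'
buildhost ralf
+ +
EOF
cat >"$SAMPLE_RHOSTS_OK" <<'EOF'
buildhost ralf
otherhost root
EOF

# Stand-alone run: report on the tampered samples, then on the clean ones.
if audit_resume_artifacts "$SAMPLE_SHADOW_BAD" "$SAMPLE_RHOSTS_BAD"; then
    echo "tampered samples: clean (unexpected)"
else
    echo "tampered samples: $? finding(s)"
fi
if audit_resume_artifacts "$SAMPLE_SHADOW_OK" "$SAMPLE_RHOSTS_OK"; then
    echo "clean samples: no findings"
else
    echo "clean samples: $? finding(s) (unexpected)"
fi
```

The checks are deliberately narrow: they catch exactly the two commands the post names, so treat a clean result as "these two tricks were not used", not as proof that nothing was typed into the root shell during the resume window.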