A little guidance - TI Xenix

From: Captain Napalm <spc_at_armigeron.com>
Date: Fri Jun 13 21:51:02 1997

It was thus said that the Great Brett once stated:
> I realize this is a little off-topic (last build was about 1987 or 88)
> but I have myself in a corner 8-) There are a couple of windows I could
> crawl thru if I HAD to.
> I have a pristine TI Xenix 386DX16 system.
> I have access to one account and - you guessed it - it ain't root!
> Nobody seems to remember the root password 8-(
> I can't believe that I can't break into this thing!

> So - does anybody know where I can find a way into Xenix?

  There are two I know of off hand that may let you in; one requiring you to
know your Intel 386 Assembly. And both assume you are running certain

  The first is via sendmail. There used to be a way to get into a debugging
mode and have sendmail run arbitrary commands, and since it often ran as
root, this was one way someone could break into a system. The debug mode of
sendmail is the "wizard" mode, but I came onto the e-mail scene just after
this hole was closed (after the Robert Morris Internet Worm of '88). I
don't know more than that, sorry.

  The second requires the Intel 386 Assembly and assumes you have fingerd
running (has to be fingerd). What this entails is feeding the fingerd
program too much information, which overwrites the program stack. With
careful programming, the excess information can be code that will then run
arbitrary commands (since fingerd often runs as root). This will also
require you to know where in memory the executable is loaded into so you
provide a valid return address on the stack.

  If you don't have either of those, try finding an interactive setuid root
program you can run, as it, too, may be possible to overrun an input buffer.

  There may be easier ways, I just don't know of them offhand (do you have
access to another Xenix system? Could you mount your drives to it? Can you
boot MS-DOS on it (from the floppy)? If so, you might be able to use Norton
Utilities to scan the hard drive for the password file and modify it there
(and if not Norton, then some other low level disk editor program)).

  -spc (Just some ideas ... )
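The fingerd overrun and the setuid-program buffer overrun described in the reply above are the same defect: an unbounded read into a fixed-size stack buffer. As an added example that is not part of the original message, here is that defect's shape in C beside the bounded form that rejects oversize input instead of writing past the buffer. The function names, the 64-byte buffer size and the constructed inputs are assumptions, not values from TI Xenix or any real fingerd.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical request buffer size; the real fingerd value is not given here. */
#define REQ_MAX 64

/* Shape of the defect in the message: copy an unbounded request into a
 * fixed-size buffer. A request longer than the buffer writes past it, which
 * is what lets the stack (including the saved return address) be overwritten.
 * Shown for contrast only; never call it on untrusted input. */
void read_request_unbounded(const char *src, char dst[REQ_MAX]) {
    strcpy(dst, src); /* no length check at all */
}

/* Hardened form: require a terminator within dstlen bytes and copy at most
 * dstlen bytes including it. Returns 1 when the request fits, 0 when it is
 * rejected as oversize (dst is left empty so callers never use a partial copy). */
int read_request_bounded(const char *src, char *dst, size_t dstlen) {
    size_t n = 0;
    while (n < dstlen && src[n] != '\0')
        n++;
    if (n == dstlen) {        /* no NUL found within the buffer: too long */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);  /* n bytes plus the terminator, all in bounds */
    return 1;
}

int main(void) {
    char buf[REQ_MAX];
    char oversized[REQ_MAX * 4];  /* constructed sample, not a captured request */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("short request accepted: %d\n",
           read_request_bounded("brett", buf, sizeof buf));
    printf("oversized request accepted: %d\n",
           read_request_bounded(oversized, buf, sizeof buf));
    return 0;
}
```

The bounded reader reports the rejection rather than silently truncating, which is what a daemon should log: a flood of rejected oversize requests on a finger or similar service is the detection signal for exactly the attempt the reply describes.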
Received on Fri Jun 13 1997 - 21:51:02 BST

This archive was generated by hypermail 2.3.0 : Fri Oct 10 2014 - 23:30:29 BST