Frisco's Weblog. Welcome to my Weblog!

Tuesday Jun 29, 2004

As open source and intellectual property licensing are two hot Sun Bloggers topics, I thought that I would recommend an article titled "The Linux Killer", published in this month's (July 2004) issue of WIRED magazine. It talks about SCO President and CEO Darl McBride who, by claiming intellectual property rights on Unix operating systems, is aggressively suing major Linux distributors for unauthorized appropriation of derivative code, even directly targeting their customers. See the SCO intellectual property license published on its web site (access might be slow, they are said to be under frequent denial of service attacks ;)). In a related article, Linus Torvalds is also blamed for not having enforced a strict copyright assignment policy for Linux code contributors.

Wednesday Jun 23, 2004

I spent yesterday evening listening to live music bands at the Tongue 'n Groove Club, on Van Ness and Union Street, in San Francisco. It was a night of showcases from Blue Bear School of American Music Band Workshop students. I like this place, and the opportunity it gives to all kinds of people to perform. I actually played twice on this stage in the past... So, I went home this evening with one song in mind... Of course bands, and songs within a band, are unequal; that is what makes the charm of such an evening of music. I enjoyed it all, but I have to say that one particular song, which I had never heard before, took my mind away for a few minutes. The band's influence was mostly rock, but for this song, the lead took an acoustic guitar. After the show, I had to ask the singer... She told me that it was a song from The Arlenes, titled "Lonely Won't Leave Me Alone". Turns out, the Arlenes' original version is actually made available for free (and legally ;) on the web, so, should you be interested, here it is: arlenes_1.mp3... The band arrangement that night was really good... deciphering the essence of this song might not be too challenging, but I would rather believe that Mister Bill "Sputnik" Spooner was just nicely inspired that particular workshop rehearsal day...

Tuesday Jun 22, 2004

Since Solaris 9, a bunch of pretty cool debugger commands have been added to mdb, among which ::print, ::sizeof and ::offsetof. You might have noticed, though, that these commands are only available for a subset of Solaris kernel modules; in particular, they are not applicable to Sun Cluster product-specific types. These commands work only for kernel modules that embed a specific kind of symbolic debugging information. This information, named CTF ("Compact Type Format"), is derived (extracted and compressed) from the symbol table debugging entries (stabs) generated at compile time. As of today, CTF supports only C code, and Sun Cluster (Release 3 and up) kernel modules are written in C++. Now you know the rest of the story...

Wednesday Jun 16, 2004

Recovering a root password on a Sun box is fairly simple and well documented, using a Solaris installation CD or a network installation server. Now, suppose you do not have a CD handy... in a cold dark lab... late at night, deadline big time overdue (this of course is pure fiction)... hungry and tired (not this)... junk food machine empty... why not use kadb and get out of here. This requires some knowledge of Solaris internals (the vnode architecture is a plus), and of course of the kadb kernel debugger. The idea is that, as init spawns login, we should be able to substitute a shell for its execution. We know that exece is the kernel entry point for executing a binary, but because its input parameters are still in user-land memory at the time exece is called, that is not the right place to look. Sooner or later, though, the kernel has to map the target binary name to an inode. Path name traversal is done by the lookuppn routine (lookup path name), called by lookupname (thanks to dtrace for that information); that should do it. Of course no security hole is exploited here: console access plus a kernel debugger is root by definition. People who care about security set up their machines accordingly... I do not know exactly how, but I bet at least with no kadb module in /platform, the Stop-A break sequence deactivated (KEYBOARD_ABORT=disable in /etc/default/kbd) and an OpenBoot security-mode password (and tape on the CD drive)...

OK, so we first "boot kadb" and wait for the login prompt, then drop into kadb (control-A then "send brk" from the telnet session, or Stop-A on the keyboard), set a first breakpoint on exece, and continue; then type a dummy login name at the prompt:

console login:
telnet> send brk
stopped at:
edd000d8:       ta        %icc,%g0 + 125
kadb[0]: exece:b
kadb[0]: :c
console login:
console login:
console login: foo
breakpoint at:
exece:          save      %sp, -0xb0, %sp
Now, from what we said earlier, we are supposed to put the next breakpoint on lookupname, but in order to see (and modify) the binary path name, we need to wait for the next "save" instruction (on SPARC, save opens a new register window, so the first argument passed in %o0 by the caller becomes %i0 in the callee), and that save does not occur in lookupname, nor in lookuppn (called by lookupname), but in lookuppnat (called by lookuppn). So now that we know (you might want to step through all those calls to double check), let's directly break on lookuppnat and step ("]") past the "save" instruction (even better, we could break at lookuppnat+4, but well...).
kadb[0]: lookuppnat:b
kadb[0]: :c
breakpoint at:
lookuppnat:     save      %sp, -0xc0, %sp
kadb[0]: ]
Here we are: the path name is in the struct pathname passed as first parameter (see /usr/include/sys/pathname.h), whose address is now in register %i0. Its first member, pn_buf, points at the string, hence the dereference in the command below. Let's check that we intercepted the right binary execution request:
stopped at:
lookuppnat+4:   ldx       [%i0 + 0x10], %g2
kadb[0]:
kadb[0]: *<i0/S
3000b057a90:    /usr/bin/login
This is it. We are now going to replace "/usr/bin/login" (2f7573722f62696e...) with "/sbin/sh" (2f7362696e2f7368), put a \0 at the end of the string, and update the string length (the pn_pathlen member, at offset 0x10 of struct pathname, from 0xe, i.e. 14 bytes, to 8). Note that "/sbin/sh" is shorter than the original path, so it fits in the buffer the kernel already allocated and pn_bufsize can stay as it is.
kadb[0]: *<i0/K
3000b057a90:    2f7573722f62696e
kadb[0]: ./Z 2f7362696e2f7368
3000b057a90:    2f7573722f62696e=       2f7362696e2f7368
kadb[0]: .+8/Z 0
3000b057a98:    2f6c6f67696e0064=       0
kadb[0]: <i0+10/Z 8
2a1004bda20:    e               =       8
Check that everything is fine and resume execution; when the lookuppnat breakpoint is hit again, delete it (:d) and continue...
kadb[0]: *<i0/S
3000b057a90:    /sbin/sh
kadb[0]: :c
breakpoint at:
lookuppnat:     save      %sp, -0xc0, %sp
kadb[0]: :d
kadb[0]: :c
#
Here we go! We have a prompt, let's try to do some stuff... (Oops, forgot to remove the exece breakpoint...)
#
# ls
breakpoint at:
exece:          save      %sp, -0xb0, %sp
kadb[0]: :d
kadb[0]: :c
bin         export      lost+found  pos         shared      ws
db          global      mc_metadb   proc        src         xfn
design      home        mnt         proj        tmp
dev         import      net         sac         tools
devices     java        nse         sbin        usr
doe         kernel      opt         scde        var
etc         lib         platform    share       vol
# id
uid=0(root) gid=1(other)
Done. Now you just have to repair your box (edit /etc/passwd and /etc/shadow).
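As an added illustration (not code from the original post), here is a small C program that models the struct pathname layout from /usr/include/sys/pathname.h and the in-place rewrite done above with the debugger: it replaces the pending path, NUL-terminates it, updates pn_pathlen, and refuses a replacement that would not fit in the buffer the kernel already allocated (the caveat the kadb session silently relies on, since "/sbin/sh" is shorter than "/usr/bin/login"). The member names are the Solaris ones; the pn_init/pn_redirect helpers and the 1024-byte buffer size are my own simplification of the kernel's pn_get().

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout of struct pathname as declared in Solaris <sys/pathname.h>.
 * On an LP64 kernel (sparcv9) pn_pathlen sits at offset 0x10, which is
 * exactly the "<i0+10/Z 8" write in the kadb session above. */
struct pathname {
    char   *pn_buf;      /* underlying storage */
    char   *pn_path;     /* remaining pathname (what lookuppn walks) */
    size_t  pn_pathlen;  /* remaining length */
    size_t  pn_bufsize;  /* total size of pn_buf */
};

#define PN_BUFSIZE 1024  /* assumed buffer size for this model */

/* Model of pn_get(): copy the path into a fresh buffer and point pn_path
 * at its start, as the kernel has done by the time lookuppnat is entered.
 * Returns 0 on success, -1 on failure. */
int pn_init(struct pathname *pnp, const char *path)
{
    size_t len = strlen(path);
    if (len == 0 || len >= PN_BUFSIZE)
        return -1;
    pnp->pn_buf = malloc(PN_BUFSIZE);
    if (pnp->pn_buf == NULL)
        return -1;
    memcpy(pnp->pn_buf, path, len + 1);
    pnp->pn_path = pnp->pn_buf;
    pnp->pn_pathlen = len;
    pnp->pn_bufsize = PN_BUFSIZE;
    return 0;
}

void pn_free(struct pathname *pnp)
{
    free(pnp->pn_buf);
    pnp->pn_buf = pnp->pn_path = NULL;
    pnp->pn_pathlen = pnp->pn_bufsize = 0;
}

/* The debugger patch: redirect only if the pending path is the one we are
 * waiting for, and only if the replacement (plus NUL) fits in the space
 * left in pn_buf from pn_path onwards. Returns 1 if patched, 0 otherwise. */
int pn_redirect(struct pathname *pnp, const char *expected, const char *target)
{
    size_t tlen = strlen(target);
    size_t room = pnp->pn_bufsize - (size_t)(pnp->pn_path - pnp->pn_buf);

    if (strcmp(pnp->pn_path, expected) != 0)
        return 0;                      /* not the exec we intercept */
    if (tlen + 1 > room)
        return 0;                      /* would overflow pn_buf */
    memcpy(pnp->pn_path, target, tlen);   /* "./Z <hex>" in kadb */
    pnp->pn_path[tlen] = '\0';            /* ".+8/Z 0" in kadb */
    pnp->pn_pathlen = tlen;               /* "<i0+10/Z 8" in kadb */
    return 1;
}

/* Offset a reader can compare against [%i0 + 0x10] in the session. */
size_t pn_pathlen_offset(void)
{
    return offsetof(struct pathname, pn_pathlen);
}

int main(void)
{
    struct pathname pn;
    if (pn_init(&pn, "/usr/bin/login") != 0)
        return 1;
    printf("before: %s (len %zu)\n", pn.pn_path, pn.pn_pathlen);
    if (pn_redirect(&pn, "/usr/bin/login", "/sbin/sh"))
        printf("after:  %s (len %zu)\n", pn.pn_path, pn.pn_pathlen);
    printf("pn_pathlen offset: 0x%zx\n", pn_pathlen_offset());
    pn_free(&pn);
    return 0;
}
```

The room calculation matters because lookuppn advances pn_path as it consumes path components; at the lookuppnat entry used above pn_path still equals pn_buf, which is why the session could overwrite at the buffer start without further checks.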

Friday Jun 11, 2004

Sleeping is definitely overrated... You actually do not really need to sleep that much... I guess it takes a baby, or two :) to find that out... So lately, every day at 7 am, baby gives me the choice between complaining alone in the crib, playing with me, or falling asleep immediately in my bed, next to me, for about 1 to 2 more hours... This smart cookie got me, the slightest hope of getting a few more minutes of sleep around 7 am in the morning is priceless... Baby knows that... But - I - got the choice... who's the boss...

Thursday Jun 10, 2004

Hey, I should have introduced myself much earlier. I am an engineer employed by Sun Microsystems (daa...) on the Menlo Park campus, CA. I am now working on the Sun Cluster product. Before that, I was working on Sun's Netra High Availability Suite project (actually not Foundation, but Framework, but that is a long (and quite disappointing) story). And before that, I worked on Sun's embedded real-time OS Chorus, in Paris, France, for a while (actually you might want to have a look at Jaluna, if interested...). This year is my fifth year at Sun! I graduated in 1999 from Paul Sabatier University in Toulouse, France, with a Ph.D. on Dependability of Microkernel-Based Operating Systems, within the Dependable Computing and Fault Tolerance group at the LAAS-CNRS Laboratory. My most recent (well, or least old, should I say) contribution to a paper was in a Special Section on "Fault-Tolerant Embedded Systems", IEEE ToC, Vol. 51, in 2002; I was also a contributing author for a book, published by Kluwer Academic, in 2003.

Wednesday Jun 09, 2004

The Blue Bear School of American Music is a cool place to go for music lessons (guitar, piano, singing, and much more). It is located in Fort Mason, San Francisco, on the Marina (you get a nice view of the Golden Gate Bridge and Alcatraz...). The teachers are all mind-blowing musicians, whether they are young dudes booking local gigs or ex rock stars (no names, check it out yourself ;).

Tuesday Jun 08, 2004

Hum, so this is to be my first post... I cannot think of anything more important than my baby sucking his foot for the first time this week :) THAT is an achievement... I am a proud daddy :)