Thursday, December 8, 2011

War Story: power.sh

When I attended community college, the computers in the labs were running Windows 95, pretty much in a state of constant hilarity.  I'll get to that some other time, though; today's wacky hijinks are about The Server: the most secure machine on all of the campus, since it was the master authentication source.

The Server was running SunOS, if I do remember correctly.  Though that makes it a tad more obsolete than the Windows 95 machines.

In any case, when logged into the Sun via good olde Telnet, we puny students were running in the shell's restricted mode.  One of the goals of this process was to prevent us from having the Full Power of UNIX SunOS at our fingertips.  I have long since forgotten the allowed commands, but there were only a handful of them, such that they used less than two lines when listed out.  The only one of these that was technically needed in my time at that college was passwd.

Though it prevented writes to $PATH so that I couldn't add "allowed" commands, rbash didn't prevent reading from it.  I noticed that ~/bin was part of the list, and of course we had write access to our home directories through some GUI on the Windows machines.  (Whatever provided that access also allowed for setting permission bits.)  I can't really remember how that all worked, but I quickly studied the Internet and put together a shell script in Notepad that would simply run an unrestricted shell.  This was the ever-so-subtly named power.sh.

Then I discovered that Notepad writes "CRLF" line-endings, and the extra "CR" characters were preventing the script from running.  I searched the Internet again; clearly, I needed dos2unix.  But the code I found was implemented as another shell script that just called tr -d '\r'.  Being rather ignorant, I went home and rewrote power.sh on my Linux machine there.  I tested it at home, but it was still torture to wait for the next day in the lab to try it out.

It worked.  I felt like the biggest genius on the whole campus, having clearly outsmarted the Guys Who Were Paid to Secure the Server.

But other than that, it was actually kind of anticlimactic.  Being so ignorant, I didn't really have a use for the Full Power of UNIX SunOS myself.  I probably would have explored it harder if I hadn't had Linux at home, though.

I also didn't bother to tell the administrators.  According to the policy, merely attempting to circumvent any restriction for any purpose, including but not limited to reporting the vulnerability, was grounds for having your access revoked.  And as a computer science major, that was just a senseless risk to take.
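
The gap this story turns on, a user-writable directory (~/bin) sitting in the PATH of a restricted shell, is something an administrator can audit for. The script below is an added example, not part of the original post; the function name audit_restricted_path, the sample PATH and the uid handling are assumptions, and it judges writability from the owner and mode bits that ls -ldn reports.

```shell
#!/bin/sh
# Added example: flag PATH entries that a restricted-shell user could write to.
# Usage: audit_restricted_path <numeric-uid> <PATH-string>
# Prints one line per finding; returns 0 only when there are no findings.
# Run it as an account that can stat every entry (normally root).
audit_restricted_path() {
    uid=$1 path=$2 findings=0
    old_ifs=$IFS; IFS=:; set -f          # split on ':' without globbing
    set -- $path
    set +f; IFS=$old_ifs
    case $path in *:) set -- "$@" "" ;; esac   # keep a trailing empty entry
    for dir in "$@"; do
        case $dir in
            /*) ;;
            *)  # empty or relative entries resolve against the current directory
                echo "RELATIVE: '$dir'"
                findings=$((findings + 1)); continue ;;
        esac
        # A missing entry is a finding if the user can create it, so judge
        # the nearest ancestor that exists.
        while [ ! -d "$dir" ]; do dir=$(dirname "$dir"); done
        # ls -ldn: field 1 is the mode string, field 3 the numeric owner.
        # "/." makes ls describe the directory itself, not a symlink to it.
        info=$(ls -ldn "$dir/.")
        mode=${info%% *}
        owner=$(printf '%s\n' "$info" | awk '{print $3}')
        reason=
        case $mode in ?????w*) reason="group-writable, check membership" ;; esac
        case $mode in ????????w*) reason="world-writable" ;; esac
        [ "$owner" = "$uid" ] && reason="owned by uid $uid"
        if [ -n "$reason" ]; then
            echo "WRITABLE: $dir ($reason)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample mirroring the story: a system directory plus ~/bin.
audit_restricted_path "$(id -u)" "/usr/bin:${HOME:-/nonexistent}/bin" || true
```

A clean result for every restricted account means each PATH entry, and the nearest existing parent of any missing entry, is owned by someone else and closed to group and world writes.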

