lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44.0310311609160.11573-100000@polar.negation.net>
Date: Fri, 31 Oct 2003 16:26:48 -0500 (EST)
From: Jason Storm <jms@...ergun.org>
To: bugtraq@...urityfocus.com
Subject: Console Root On OSX up to 10.2.8


On all versions of OSX up to and including 10.2.7 and possibly 10.2.8,
init can be crashed using a USB keyboard by holding down CTRL-C
immediately after boot, and keeping it held down.

Init crashes two or three minutes into the boot process and drops you into
a root shell.

At this point, you can of course modify the file system, or selectively
run components of the rc scripts to bring up full OSX functionality
without the GUI layer, which will demand a root password and lock you out
once its spawned successfully.

The 'exploit' is dependant on a USB keyboard being used; it wont work on a
powerbook without a USB keyboard attached, for example.

This was originally reported to Apple in 1998, and I was informed that
this was an 'internal development feature' that would be removed.

Three years later I reported this 'internal development feature' again,
and received no reply at all.

Now that Panther is out and this 'internal development feature' appears to
be resolved (no doubt thanks to the massive reworking of OSX USB code), I
see no reason not to give people a good reason to upgrade by releasing
this info..

peace and blessings,

-Jason Storm

"Only two things can stop an orgy.. and thats dawn, or a bigger orgy
across town."




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ