Getting AIX root access
Article: 7618 of alt.hackers
From: dcs@Starbase.NeoSoft.COM (David C Smith)
Newsgroups: alt.hackers
Subject: Getting AIX root access
Date: 7 Apr 1995 11:02:09 -0500
Organization: NeoSoft Internet Services +1 713 968 5800
Lines: 65
Approved: My Cat Minuet
Message-ID: 3m3nm1$fn2@Starbase.NeoSoft.COM
NNTP-Posting-Host: starbase.neosoft.com
Keywords: AIX root
Status: RO
Background:

At work, we received 6 IBM PowerStation 520's/530's that were on loan to another company for a project. The project was completed, and about 3/4 of the loaned equipment was returned to the owners. The owners then let our company use them. The problem was that these PowerStations had AIX installed, but the owners did not know any of the passwords to access the systems, and were unable to get the information from the company they loaned the systems to. So, they were pretty much useless to us and we just left them sitting around for a month or so.

Since we hadn't really done much with these boxes, I wanted to find out what kind of hardware these things had in them. I decided to check out the diagnostic programs for these things. Luckily, the diagnostics could be run in "Standalone" mode, not requiring the OS to be running.

ObHack: Changing AIX root password via Standalone Mode Diagnostics.

To run the diagnostics, the keylock on the PowerStation has to be in "Service" mode. If you don't have the key, you're out of luck.

Boot from hard disk with keylock in service mode. It boots the operating system in single-user mode (I think) and runs the diagnostic menu program. From at least one of the options, you can use ! to run unix commands.

!smit, select Users and Security, select Add User, define a userid. Next, select Change Password, and set an initial password for the new user.

Next you exit from the diagnostic program, switch the keylock to Normal, and re-boot. Logon to your new user, change the password when it prompts for new password.

Switch the keylock back to Service, re-boot to bring up diagnostics. Again, this time, !vi /etc/security/passwd. Copy the encrypted password from your new user and replace root's original password. Exit from diagnostics.

Switch keylock to normal, reboot AIX, logon as root with the new password.

I was happy, my co-workers were happy, and my boss was happy. :-)

MyNonUnixExpertAnalysis: Apparently when the diagnostics are running you are su. I did try to change root's password via passwd, but it required knowing root's old password, which I did not know.

ObDisclaimer: I don't see this as a security hole, since you *must* have the key to change the keylock setting. Although if you weren't practicing good physical security and left the key in the keylock at all times, it _could_ be.

-- 
| David C. Smith dcs@starbase.neosoft.com |
| Finger or email for PGP Public Key |
| "Don't play with the dead, boy. They have eerie powers.." |
| - Homer Simpson |
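Added here as a defender-side example, not code from the original post: a small parser for the AIX /etc/security/passwd stanza format that the post edits by hand, plus a check that flags a root entry whose hash also appears under another account, which is exactly the trace the copy-and-paste above leaves behind. The sample file, its user names and its hash strings are constructed placeholders, not real crypt output.

```python
"""Audit an AIX /etc/security/passwd stanza file for copied password hashes.

Added defensive example. Layout assumed: a stanza header "name:" at column 0,
followed by indented "attr = value" lines; "*" starts a comment line.
"""
from collections import defaultdict

# Constructed sample: the new user's hash has been pasted over root's.
SAMPLE = """\
root:
        password = XXsamehashXX
        lastupdate = 797240000
        flags = ADMCHG

daemon:
        password = *

newuser:
        password = XXsamehashXX
        lastupdate = 797240000
        flags =
"""

def parse_security_passwd(text):
    """Return {user: {attr: value}} parsed from the stanza text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("*"):   # blank or comment
            continue
        if not raw[0].isspace() and line.endswith(":"):  # stanza header
            current = line[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:        # attribute line
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def shared_hashes(stanzas):
    """Hashes carried by two or more accounts; locked '*' / '!' entries skipped.
    Crypt hashes are salted, so a duplicate almost always means a copy."""
    by_hash = defaultdict(list)
    for user, attrs in stanzas.items():
        h = attrs.get("password", "")
        if h and h not in ("*", "!"):
            by_hash[h].append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}

def root_shares_hash(stanzas):
    """True when root's hash also appears under another account."""
    return any("root" in users for users in shared_hashes(stanzas).values())

if __name__ == "__main__":
    for h, users in shared_hashes(parse_security_passwd(SAMPLE)).items():
        print("hash shared by:", ", ".join(users))
```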