[rescue] Interactive Unix?

Greg A. Woods rescue at sunhelp.org
Mon Dec 10 12:46:10 CST 2001


[ On Monday, December 10, 2001 at 11:21:40 (-0500), Michael A. Turner wrote: ]
> Subject: [rescue] Interactive Unix?
>
> 	I have a Pentium pro system that was donated to me recently. I
> decided to fire it up and see what it is and got some interesting surprises.
> First off it's not running NT (I thought that was the choice du jour of
> Pentium pros) it is running something called interactive UNIX. Now I may
> have been seeing things but it seemed to indicate that it had three fathers
> for this (copyright holders) I forget the first one but I also saw Microsoft
> and sunsoft listed. 1. I thought Microsoft didn't do UNIX 2. I thought sun
> hated Microsoft. am I making a bad assumption here that sunsoft is sun
> microsystems?

Though Micro$oft have at times had large investments in SCO (to the tune
where SCO Xenix/286 and maybe several afterwards came with Micro$oft C),
they have never, so far as I know, directly owned any portion of the
copyright of UNIX.  As far as I can remember they never owned more than
about 33% of SCO either.  They contributed lots of other bits to SCO
Xenix though, including other build tools and related headers, etc.
Once upon a time many Redmond developers had Xenix 68k workstations on
their desktops.

The reason there's a Micro$oft copyright notice on Interactive's UNIX is
because that release comes with some included support code that M$ owns.
It may even just be because of the bits of Xenix that are included in
the UNIX System V/386 releases (originally right from AT&T).

Sun also contributed to AT&T stuff that ended up in System V/386 and
thus ended up in ISC's products.

Interestingly at the time the "Interactive UNIX System V/386 Release 3.2
Guide for New Users" I have on my manuals shelf was printed, Interactive
was "A Kodak Company".  Yes, that "Kodak moment" Kodak.

I ran (and helped run) several Interactive UNIX systems through the late
1980's and early 1990's, even including one that was called 386ix in the
UUCP maps!  :-)

> 	Also this beastie has a DCP card in it (I think those were the
> initials) it's a standard pc slot board (but very long) with a 486 on it. I
> did some searching and came up with nothing on this model or make. anyone
> know what these boards are good for? I am curious about all this.

DCP -- isn't that a RAID controller?  What are the connectors and other
chips, and what other markings are there?

> Unfortunately I am going to have to slick this machine as I do not have the
> root password, or any password, to get into the OS itself. If you happen
> to know how to crack this system let me know. I always want to do that as a
> learning exercise.

It's a standard UNIX System V filesystem, and there'll either be an
old-fashioned V7 /etc/passwd, or a SysV /etc/passwd + /etc/shadow.  Any
system that can boot on that hardware and mount that disk can be used to
trivially delete the root password.  Any binary disk editor could
probably be used to change the password too.  You can't change the size
of a block on disk, but so long as you end up with the right number of
fields and you have an empty password field you should be able to login
as root.  The actual encrypted format should be compatible with any
SunOS or *BSD system, but even if you just add as many bytes to the
username field as you delete from the passwd field you should be OK.

Just search for something like the following:

in v7 format:

	root:E4tgBxw6pPkPo:0:0:

(there will be more at the end of the line of course) and change it to:

	root::0:0:1234567890123


Or if /etc/shadow is used it'll look like this:

	root:x:0:0:

and you just change it to:

	root::0:0:x


(I'm not 100% sure the group-id will be '0')

On the other hand if you can login as any other user then there are any
number of exploitable buffer overflows in that system, and probably even
canned exploits exactly ready to use for it too!  :-)

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods at acm.org>;  <g.a.woods at ieee.org>;  <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; VE3TCP; Secrets of the Weird <woods at weird.com>
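
For checking a system after the kind of edit described in the message above, the following added example (not part of the original post) flags passwd entries whose password field is empty or whose field count is wrong, in both the v7 layout and the SysV /etc/passwd + /etc/shadow layout. The function names, the trailing fields of the sample lines and the `XXXXXXXXXXXXX` hash placeholder are constructed for illustration.

```python
"""Audit passwd/shadow text for entries that allow a passwordless login."""

def _records(text):
    """Yield (line number, colon-split fields) for non-blank, non-comment lines."""
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.startswith("#"):
            yield n, line.split(":")

def audit(passwd_text, shadow_text=""):
    """Return a list of (line number, user, finding) for the passwd text."""
    # Map user -> hash field from the shadow file, when one is in use.
    shadow = {f[0]: f[1] for _, f in _records(shadow_text) if len(f) >= 2}
    findings = []
    for n, f in _records(passwd_text):
        if len(f) != 7:  # a passwd entry always has exactly seven fields
            findings.append((n, f[0], "malformed: expected 7 fields, got %d" % len(f)))
            continue
        name, pw, uid = f[0], f[1], f[2]
        if pw == "x":  # hash is stored in the shadow file
            if name not in shadow:
                findings.append((n, name, "no shadow entry"))
                continue
            pw = shadow[name]
        if pw == "":
            what = "empty password on uid 0" if uid == "0" else "empty password"
            findings.append((n, name, what))
    return findings

# Constructed sample input (not taken from a real system).
V7_PASSWD = (
    "root::0:0:1234567890123:/:/bin/sh\n"          # padded comment field, empty password
    "uucp:XXXXXXXXXXXXX:5:5:uucp:/usr/lib/uucp:\n"
    "broken:x:100\n"
)
SYSV_PASSWD = (
    "root:x:0:0:Super User:/:/bin/sh\n"
    "guest:x:100:100:Guest:/usr/guest:/bin/sh\n"
    "lp:x:7:2:Printer:/usr/spool/lp:\n"
)
SYSV_SHADOW = "root:XXXXXXXXXXXXX:11666::\nguest::11666::\n"

if __name__ == "__main__":
    for label, result in (("v7", audit(V7_PASSWD)),
                          ("sysv", audit(SYSV_PASSWD, SYSV_SHADOW))):
        for lineno, user, finding in result:
            print("%s line %d: %s: %s" % (label, lineno, user, finding))
```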


