Sam Trenholme's webpage
This article was posted to the Usenet group alt.hackers in 1995; any technical information is probably outdated.

Getting AIX root access

Article: 7618 of alt.hackers
From: dcs@Starbase.NeoSoft.COM (David C Smith)
Newsgroups: alt.hackers
Subject: Getting AIX root access
Date: 7 Apr 1995 11:02:09 -0500
Organization: NeoSoft Internet Services   +1 713 968 5800
Lines: 65
Approved: My Cat Minuet
Message-ID: 3m3nm1$fn2@Starbase.NeoSoft.COM
Keywords: AIX root
Status: RO


Background: At work, we received 6 IBM PowerStation 520's/530's
that were on loan to another company for a project. The project
was completed, and about 3/4 of the loaned equipment was returned
to the owners. The owners then let our company use them. The problem
was that these PowerStations had AIX installed, but the owners did
not know any of the passwords to access the systems, and were
unable to get the information from the company they loaned the
systems to. So, they were pretty much useless to us and we just
left them sitting around for a month or so.

Since we hadn't really done much with these boxes, I wanted to
find out what kind of hardware these things had in them. I decided
to check out the diagnostic programs for these things. Luckily,
the diagnostics could be run in "Standalone" mode, not requiring
the OS to be running.

ObHack: Changing AIX root password via Standalone Mode Diagnostics.
To run the diagnostics, the keylock on the PowerStation has to be
in "Service" mode. If you don't have the key, you're out of luck.
Boot from hard disk with keylock in service mode. It boots the
operating system in single-user mode (I think) and runs the
diagnostic menu program. From at least one of the options, you
can use ! to run unix commands. !smit, select Users and Security,
select Add User, define a userid. Next, select Change Password,
and set an initial password for the new user.

Next you exit from the diagnostic program, switch the keylock to
Normal, and re-boot. Log on to your new user, change the password
when it prompts for new password.

Switch the keylock back to Service, re-boot to bring up diagnostics.
Again, this time, !vi /etc/security/passwd. Copy the encrypted
password from your new user and replace root's original password.
Exit from diagnostics.

Switch keylock to normal, reboot AIX, logon as root with the new
password. I was happy, my co-workers were happy, and my boss was
happy. :-)

MyNonUnixExpertAnalysis: Apparently when the diagnostics are
running you are su. I did try to change root's password via passwd,
but it required knowing root's old password, which I did not know.

ObDisclaimer: I don't see this as a security hole, since you *must*
have the key to change the keylock setting. Although if you weren't
practicing good physical security and left the key in the keylock
at all times, it _could_ be.


| David C. Smith                                                 |
| Finger or email for PGP Public Key                             |
| "Don't play with the dead, boy. They have eerie powers.."      |
|                                              - Homer Simpson  |
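The trick in the post leaves a tell-tale: root's entry ends up carrying the exact hash of another account. As an added example that is not part of David's post, the POSIX shell script below scans an AIX-style /etc/security/passwd stanza file (assumed layout: a `user:` header line followed by indented `password = HASH` lines) and lists every non-root user whose hash equals root's; the sample file is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Scans an AIX-style
# /etc/security/passwd stanza file and prints every non-root user whose
# password hash is identical to root's (what copying a known hash over
# root's entry leaves behind). Stanza layout assumed: "user:" followed by
# indented "password = HASH" lines. Usage: shared_root_hash /etc/security/passwd

# Prints users sharing root's hash, one per line, sorted; prints nothing
# when root has no real hash ("*" or "!" lock markers) or nothing matches.
shared_root_hash() {
    awk '
        # stanza header: "name:" alone on the line
        /^[^ \t]+:[ \t]*$/ { sub(/:.*/, ""); user = $0; next }
        # "password = HASH" inside the current stanza
        /^[ \t]*password[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, "")
            hash[user] = $0
        }
        END {
            r = hash["root"]
            if (r == "" || r == "*" || r == "!") exit 0
            for (u in hash)
                if (u != "root" && hash[u] == r) print u
        }
    ' "$1" | sort
}

# Constructed sample file for the demo: "newuser" carries root's hash.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:
        password = Ab/ExampleHash01
        lastupdate = 797200000
        flags = ADMCHG

daemon:
        password = *

newuser:
        password = Ab/ExampleHash01
        lastupdate = 797200000
EOF

shared_root_hash "$SAMPLE"    # prints: newuser
rm -f "$SAMPLE"
```

On a real system the same check can be run periodically and any output alerted on, since no two accounts should share a salted hash by chance.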

