Death of a Terminal Emulator

Exploiting a defect in a terminal emulator nearly got me kicked off my degree course.

In 1986 I was in my first year of a four-year Computing Science B.Sc. degree course at North Staffordshire Polytechnic. The main computer available to first-year students was an ICL 2966. Documentation, time and potential for fun seemed to be very limited with this machine, especially as the first language we were taught was COBOL.

Staffordshire County Council found they had underspent their budget by a quarter of a million pounds and needed to get rid of it. The Poly snapped up the money and bought two powerful VAXes, so many more terminals were suddenly required. Alongside Wyse and Cifer terminals, several labs-full of BBC Model B home computers appeared. They had been turned into terminals on the cheap by inserting a ROM which contained a terminal emulator, written by one of the lecturers.

This terminal emulator used the 32K RAM to provide a buffer which stored text that had scrolled off the screen, which was a definite improvement on the 24 lines and oh-shit-it-disappeared of the "real" terminals. These machines proved very popular, but there was a flaw that we very quickly exploited. Although the terminal emulator ROM was invoked when the BBC was turned on, a certain key sequence could take you back into the BASIC ROM, so one could type in and run BASIC programs. Writing a program to dump the contents of memory to the screen revealed that the username and password of the previous user was kept in memory!

To this day, I'm not quite sure why the password was stored. If you are using a character-cell terminal connected to a remote computer (the host), every character you type goes directly to the host, and only to the host, not to the screen. Most of the time, the host echoes this character back to the terminal. Hosts running Unix generally echo the character back instantly, whatever else the host is doing. This means that if a program is running and producing output while you are typing the next command, the letters of your command get mingled with the output. The other technique, adopted by VAX/VMS, is to not echo the letters typed until a program (or the shell) requests input.

When the user is being asked to type a password, most hosts don't echo the characters coming from the terminal, so the letters typed don't come up on the screen. It appeared that the mistake made by the author¹ of this emulator was to store the characters sent even when they weren't being echoed back by the host. For some unknown reason these characters didn't appear on screen during password entry, nor did they appear when you used the local scrollback facility. They may simply have been stored for debug purposes in an area other than the scrollback buffer.
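To make the echo mechanism and the defect concrete, here is an added Python model (not the emulator's own code, which lived in a 6502 ROM) of a VMS-style host that stops echoing during password entry and a terminal that keeps a separate keystroke log alongside its scrollback; the prompt strings and credentials are constructed for the example, and the flag `log_keystrokes` switches between the flawed behaviour and the fix of buffering only what the host sends back.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Host:
    """VMS-style host: keystrokes are echoed only when the current prompt
    allows it; echo is switched off for password entry."""
    echo: bool = True

    def receive(self, ch: str) -> str:
        """Accept one keystroke; return what the host sends back to the screen."""
        return ch if self.echo else ""


@dataclass
class Terminal:
    """Character-cell terminal with a local scrollback buffer in RAM."""
    scrollback: list = field(default_factory=list)    # text that reached the screen
    keystroke_log: list = field(default_factory=list)  # the suspected debug area
    log_keystrokes: bool = True  # the defect: keys are stored even when unechoed

    def output(self, text: str) -> None:
        """Text arriving from the host goes to the screen and the scrollback."""
        if text:
            self.scrollback.append(text)

    def keypress(self, host: Host, ch: str) -> None:
        """A typed character goes to the host only; the screen shows the echo."""
        if self.log_keystrokes:
            self.keystroke_log.append(ch)
        self.output(host.receive(ch))


def memory_dump(term: Terminal) -> str:
    """Simplified view of what a BASIC program scanning the RAM would find."""
    return "".join(term.scrollback) + "|" + "".join(term.keystroke_log)


def login_session(log_keystrokes: bool) -> str:
    """Replay a login with constructed credentials and return the memory image."""
    term, host = Terminal(log_keystrokes=log_keystrokes), Host()
    term.output("Username: ")
    for ch in "student42":            # constructed username
        term.keypress(host, ch)
    host.echo = False                 # host stops echoing at the password prompt
    term.output("\nPassword: ")
    for ch in "correct-horse":        # constructed password
        term.keypress(host, ch)
    host.echo = True
    term.output("\n$ ")
    return memory_dump(term)
```

With `log_keystrokes=True` the unechoed password survives in the keystroke log even though it never appears in the scrollback; with it off, the terminal holds only what the host actually sent.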

This flaw would not have been significant if it hadn't been possible to examine memory by using the BASIC ROM. I fished for passwords in memory only once and came up with a final-year student's username and password for the ICL mainframe. Using the mainframe became a whole lot more interesting until I was caught. I'll tell you about that in another story.

I was accused of costing the Polytechnic a lot of money because the terminal emulator would have to be rewritten. I proposed what I thought was a simple solution: remove the BASIC ROM. Unfortunately this couldn't be done because the emulator ROM called routines in the BASIC ROM.

It wasn't until after this incident that the Polytechnic introduced a code of conduct for computer use that students would have to sign during enrolment. I don't think it had been considered necessary before, but during my first two years there were a large number of successful hacks² to circumvent what we thought were petty restrictions.


  1. I'm not being coy; I really can't remember his name.
  2. Hey...not my fault! If he ever reads this, Damian had better 'fess up too.