in Technology

on hacking the Unisys ICON

Some time ago I had promised to reminisce a little bit about the Unisys ICON terminals that I used through elementary school and high school, and some of the fun things we did with them (not all of them sanctioned by the school, of course). After reading in ;login: magazine about Dru Lavigne’s efforts [USENIX members only] to catalogue old protocols, I’ve been inspired to add a few words about the trusty old ICON.

The Unisys ICON was a diskless client-server setup, with 80186-based ICON terminals netbooting off a central file server called the LexICON. You can see a picture of a standard ICON terminal on the Wikipedia page but the LexICON is not shown; it was a generic steel box about 6″ high and 2-3 feet deep, containing one full-height MFM/RLL hard disks mounted vertically, in addition to a 5 1/4″ floppy disk drive. It was also possible to hook up a standard EGA video monitor to the LexICON in order to have local console access (one of the non-sanctioned things we did in the computer lab)

The hardware itself was all rather amusing as it was obviously constructed in the days when steel was cheap; each ICON terminal weighed over 50 lbs. when the monitor was bolted to the chassis. The most interesting thing about the whole setup was not the hardware, but the fact that the LexICON and all the ICON terminals ran an early version of QNX. QNX included all kinds of nifty utilities such as apb, which is functionally equivalent to wall(1) on a modern UNIX system. You can see how annoying this program would be in the hands of high school students, so the system administrators had wisely chmod -x‘d the program.

Nevertheless, there was fun to be had since the ICONs shipped with Watcom‘s C compiler pre-installed and a complete set of the printed UNIX manual pages in binders, conveniently stored in the computer lab. I discovered that hacking around in C was much more interesting than the teacher-sanctioned PASCAL or Turing, and my fellow students and I spent many hours poring over the man pages for fun functions to call. We soon discovered that the QNX version of exec(3) had a major security flaw: it worked kind of like clone(2), and not only could you clone the calling process, but you could specify the PID of any arbitrary process on the system to clone — including PID 0. You could also set a flag to inherit all permissions from the parent! So a simple one-line C program like

exec("/bin/sh", 0, CLONE_PERM)

is all it would take to get you a root shell on the box.

We subsequently disassembled the existing apb program and wrote our own, in addition to programs for manipulating users’ displays (e.g. turning them upside down, inverting the colours, etc.) The educational authorities were not amused and we were given a stern speaking-to and told to destroy all copies of our software from the LexICON. I did back them up on a floppy disk, although I doubt the floppy is readable by now.

And that’s the story of how I first got interested in UNIX-like operating systems!