[Info-vax] Kernel Transplantation

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Thu Jan 18 13:38:11 EST 2024


On 2024-01-18, Mark Berryman <mark at theberrymans.com> wrote:
>
> Sorry, I am only infrequently on this forum.
>
> On my system EVL runs with exactly the privs I specified earlier but I 
> did do some digging.
>
> EVL is started by netacp in whatever account netacp is running using the 
> command file sys$system:evl.com.  EVL neither raises nor lowers privs. 
> The startup command file normally looks like this:
> $ !  Copyright (c) 1987 Digital Equipment Corporation.  All rights reserved.
> $ SET NOON
> $ IF "''EVL$COMMAND'" .NES. "" THEN EVL$COMMAND
> $ RUN SYS$SYSTEM:EVL
> $ PURGE/KEEP=3 EVL.LOG
> $ LOGOUT/BRIEF
>
> However, sometime in the dim and distant past (meaning I no longer 
> remember when or why) I inserted this line:
>
> $ SET PROCESS/PRIVILEGES=(NOALL,SYSNAM,OPER,SYSPRV,NETMBX,TMPMBX)
>
> which is why EVL is limited in privs on my system.  Anyone concerned can 
> make the same edit.
>

Because that command is being run in the same process as the EVL listener,
it will not help constrain an attacker. This is because all an attacker
needs to do in their shellcode is to re-enable those privileges.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.