[Info-vax] Kernel Transplantation

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Fri Jan 19 13:44:29 EST 2024


On 2024-01-19, Mark Berryman <mark at theberrymans.com> wrote:
> On 1/18/24 11:38 AM, Simon Clubley wrote:
>> On 2024-01-18, Mark Berryman <mark at theberrymans.com> wrote:
>>>
>>> Sorry, I am only infrequently on this forum.
>>>
>>> On my system EVL runs with exactly the privs I specified earlier but I
>>> did do some digging.
>>>
>>> EVL is started by netacp in whatever account netacp is running using the
>>> command file sys$system:evl.com.  EVL neither raises nor lowers privs.
>>> The startup command file normally looks like this:
>>> $ !  Copyright (c) 1987 Digital Equipment Corporation.  All rights reserved.
>>> $ SET NOON
>>> $ IF "''EVL$COMMAND'" .NES. "" THEN EVL$COMMAND
>>> $ RUN SYS$SYSTEM:EVL
>>> $ PURGE/KEEP=3 EVL.LOG
>>> $ LOGOUT/BRIEF
>>>
>>> However, sometime in the dim and distant past (meaning I no longer
>>> remember when or why) I inserted this line:
>>>
>>> $ SET PROCESS/PRIVILEGES=(NOALL,SYSNAM,OPER,SYSPRV,NETMBX,TMPMBX)
>>>
>>> which is why EVL is limited in privs on my system.  Anyone concerned can
>>> make the same edit.
>>>
>> 
>> Because that command is being run in the same process as the EVL listener
>> it will not help constrain an attacker. This is because all an attacker
>> needs to do in their shellcode is to reenable those privileges.
>
> IIRC, you managed to crash EVL using an insecure setup.  Crashing a
> process is much different than convincing a process to run bogus code
> and, of course, simply crashing EVL causes its process to exit.
>

By "insecure setup", you mean using a network stack as supplied out of
the box by a vendor selling "the world's most secure operating system"?

> With a secure setup, you can't get your malformed packets into EVL. 
> However, if you'd like to show how you can get EVL to run bogus code, in 
> any setup, then you will have raised a very valid concern.  Until then, 
> I have addressed what concern you have raised.
>

For my concern to be handled, they would also have to be permanently
removed from the list of authorised privileges, not just the list of
currently enabled privileges.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
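Added example, not part of the thread or of the EVL startup file: a DCL procedure that reports which privileges remain in a process's authorized mask beyond the set Mark's SET PROCESS/PRIVILEGES line enables. It relies on the F$GETJPI items CURPRIV and AUTHPRIV (both exist in OpenVMS DCL); the allowed list is taken from the quoted command.

```dcl
$ ! Added example (not from the thread): compare the privileges a process
$ ! currently has enabled with the privileges it is authorized to hold.
$ ! SET PROCESS/PRIVILEGES only changes the former; anything left in the
$ ! authorized mask can be re-enabled from within the same process, which
$ ! is why the edit in EVL.COM does not constrain the process on its own.
$ SET NOON
$ allowed = "SYSNAM,OPER,SYSPRV,NETMBX,TMPMBX"   ! set used in the quoted edit
$ cur  = F$GETJPI(0, "CURPRIV")    ! currently enabled privileges
$ auth = F$GETJPI(0, "AUTHPRIV")   ! privileges the process may enable
$ WRITE SYS$OUTPUT "Enabled:    ", cur
$ WRITE SYS$OUTPUT "Authorized: ", auth
$ !
$ ! Walk the comma-separated AUTHPRIV list; F$ELEMENT returns the
$ ! delimiter itself once the list is exhausted.
$ i = 0
$ excess = ""
$ loop:
$   p = F$ELEMENT(i, ",", auth)
$   IF p .EQS. "," THEN GOTO done
$   i = i + 1
$   IF p .EQS. "" THEN GOTO loop
$   ! Bracket both strings with commas so OPER does not match SYSPRV etc.
$   IF F$LOCATE("," + p + ",", "," + allowed + ",") .NE. -
        F$LENGTH("," + allowed + ",") THEN GOTO loop
$   excess = excess + p + ","   ! authorized but outside the allowed set
$   GOTO loop
$ done:
$ IF excess .EQS. "" THEN -
    WRITE SYS$OUTPUT "Authorized mask matches the allowed set."
$ IF excess .NES. "" THEN -
    WRITE SYS$OUTPUT "Still authorized (re-enableable): ", excess
$ EXIT
```

Run it from the account EVL starts under (or add the lines to a copy of EVL.COM after the SET PROCESS line) to see that the "Authorized" list is unchanged by the edit; only the account's authorized privileges, not the process's current mask, settle the question raised above.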