Re: IMCB$V_PARENT_PROT What is it good for?



Hi,

Hoff wrote: -
> Against my better judgment, I've provided someone claiming to be
> Richard (or Richard) with an example of how security is broken within a
> UWSS image constructed the way he posits.

I am more than happy if Steve wishes to reproduce any or all correspondence
I have had with him. Then, maybe, you'll be able to spot the "example" that
he (or someone equally as vague as Steve) refers to and that, so far, has
eluded my detection.

> I will not provide that example here, as I have enough work to do
> without giving the script kiddies more to think about.

Well, that's a real shame 'cos prevention is most often better than the
cure. If people were simply warned of the dangers then they could prevent
security breaches from occurring. Sorry, I forgot. Your answer to the annual
road toll is simply to stop people from getting in their cars :-(

Anyway we're not getting anywhere here, so I call on *everyone* out there to
attack the following code and if you can prove a security breach due to an
inherent flaw in calling out from an inner-mode UWSS (maher$get_user_dir)
into another UWSS (sys$getuai) then I will give you one* carton of beer
deliverable anywhere within the inner Perth Metropolitan area :-) I don't
mean some simple coding bug that can be fixed (a dodgy pointer or an
invalid probe), I mean whatever hallucinogenic fantasy Hoff is banging on
about when he says: -

"And AFAIK, it is not safe to call sys$getuai, since this call is
implemented as a UWSS and not as part of the kernel -- the LOADSS calls
needed to use outer-mode APIs as part of their operations, so the LOADSS
APIs are not directly part of the kernel.)"

I mean something that is inherently flawed in the architecture. Show me
elevated privileges, show me protected/system memory corruption, show me the
money! But, whatever you do, SHOW ME!

I had a look at the $getuai code the other day and the comments discuss how
the MAIL and JOBCTL utilities are linked directly against the $getuai
"object" code specifically to avoid this issue of calling out to another
shareable image. Also, I can't find anywhere in VMS (ok, layered products I
can, but not core VMS) where this is done! ($persona_create asks customers
to kill themselves, but it doesn't actually do it for them.)

But regardless of that mountain of evidence, I submit to you that Steve's
talking absolute ***! I'm right and you're all wrong. (Well not quite
*all* of you. And I'll discuss that later if I don't get a satisfactory
response to this) You're all harking back to the pre-imcb$v_parent_prot days
during the War, when life was good, the days were longer, the grass was
greener, and a dodgy prostate was the last thing on your minds.

Regards Richard Maher

* Offers limited to first "successful" case. Beer must be drunk with me and
brand choice is at my discretion :-) And BTW that's Perth, WA.

So here's the code. Come and shut me up. Dish out humiliations galore! Put
an end to this nonsense once and for all.

1) maher$share is the UWSS shareable image that contains the routine
maher$get_user_dir
2) maher$get_user_dir calls out from maher$share to sys$getuai in
secureshrp.exe
3) maher$user is just a user-mode RTL that calls maher$get_user_dir (and
isn't really necessary)
4) The ef_get_user_dir stuff is useful if you want to call this stuff from
Rdb
5) I've done my best to prevent wrapping
6) Go crazy. . .

$ on warning then exit
$ if .not. f$privilege("cmkrnl,sysprv,pfnmap") then goto no_priv
$ if f$getsyi("arch_name") .nes. "Alpha" then goto no_vax
$!
$ create maher$share.mar
;+
;    Author: Richard Maher
;--
    .macro define_service,name,narg=0,mode=exec,?endmacro

    'mode'_routine_count='mode'_routine_count+1

    .call_entry     max_args=narg,         -
                    home_args=true,        -
                    label=name

    .save_psect    local_block

    .psect  'mode'_list

    .address        name

    .restore_psect

    .if not_equal narg

     cmpb    (ap),#narg
     bgeq    endmacro
     movzwl  #ss$_insfarg,r0
     ret

endmacro:

    .endc
    .endm

        .title  maher$share - Get users default directory
        .ident  "V3.0"

        .library "sys$library:lib.mlb"

        $plvdef
        $prvdef
        $psldef
        $dscdef
        $ssdef
        $uaidef

usrnam_max=12
out_len=94
enable=1
disable=0

kernel_routine_count=0
exec_routine_count=0

        .psect  exec_list,pic,con,rel,lcl,noshr,noexe,rd,nowrt,long
exec_table:

        .psect  kernel_list,pic,con,rel,lcl,noshr,noexe,rd,nowrt,long
kernel_table:

        .page
        .psect  maher$data,pic,con,rel,lcl,noshr,noexe,rd,wrt,quad

uai_ctx:.long   0

uai_lst:.word   32, uai$_defdev
        .address -
                def_dev
        .long   0

        .word   64, uai$_defdir
        .address -
                def_dir
        .long   0

        .long   0

def_dev:.blkb   32
def_dir:.blkb   64
fao_ctl:.ascid  "!AC!AC"
out_dsc:.long   out_len
out_adr:.blkl   1

        .align  quad
sys_prv:.quad   <prv$m_sysprv>
del_prv:.quad   0
old_prv:.blkq   1

        .psect  maher$code,pic,con,rel,lcl,shr,exe,rd,nowrt,quad

        .sbttl  Get directory info

        define_service maher$get_user_dir,3

         ifnord  #dsc$k_s_bln,@4(ap),99$     ; Can read descriptor
         movzwl  @4(ap),r8                  ; Get username len
         bnequ   10$                        ; Check len <> zero
         movzwl  #ss$_badparam,r0
         ret

10$:     cmpw    #usrnam_max,r8             ; Check length <= 12
         bgequ   20$
         movzwl  #ss$_badparam,r0
         ret

20$:     movl    4(ap),r7                   ; r7 -> username descriptor
         ifnord  r8,@dsc$a_pointer(r7),99$  ; R username string (probe the
                                            ; text the descriptor points at,
                                            ; not the descriptor itself)
         ifnowrt #out_len,@8(ap),99$        ; W output buff
         ifnowrt #2,@12(ap),99$             ; W output len
         brb     100$

99$:     movzwl  #ss$_accvio,r0             ; Access violation
         ret

100$:    $setprv_s -
                 enbflg=#enable,-
                 prvadr=sys_prv,-
                 prvprv=old_prv

         $getuai_s -
                 contxt=uai_ctx,-
                 usrnam=@4(ap),-
                 itmlst=uai_lst
         blbc    r0, 999$

         movl    8(ap),out_adr
         $fao_s  ctrstr=fao_ctl,-
                 outlen=@12(ap),-
                 outbuf=out_dsc,-
                 p1=#def_dev,-
                 p2=#def_dir

999$:    movl    r0,r5
         evax_bic -
                 sys_prv,old_prv,del_prv    ; Only drop what we enabled
         $setprv_s -
                 enbflg=#disable,-
                 prvadr=del_prv
         movl    r5,r0
         ret

        .psect  dickie$services,page,vec,pic,nowrt,exe

        .long    plv$c_typ_cmod, 0
        .long    kernel_routine_count
        .long    exec_routine_count
        .address kernel_table
        .address exec_table
        .long    0, 0, 0, 0, 0

        .end
$!
$ macro/list/enable=quad maher$share
$!
$ link  /share=maher$share -
        /sysexe -
        /notrace -
        /section_binding -
        maher$share, -
        sys$input:/options

gsmatch=lequal,3,0

symbol_vector = (maher$get_user_dir=procedure)

protect=yes
collect=safe,maher$data

$!
$copy/log maher$share.exe sys$common:[syslib]
$!
$if f$file_attributes("sys$share:maher$share.exe","KNOWN")
$then
$       installx replace sys$share:maher$share.exe
$else
$       installx add sys$share:maher$share.exe -
                /open/header/share=address/protect
$endif
$!
$! Need SYSPRV to link against these services
$!
$set file/protection=(w:e) sys$share:maher$share.exe
$purge sys$share:maher$share.exe
$!
$create maher$user.cob
identification division.
program-id.    ef_get_user_dir with ident "V3.0".
*
data division.
working-storage section.
01  ss$_normal       pic 9(9) comp value external ss$_normal.
01  rms$_rnf         pic 9(9) comp value external rms$_rnf.
01  sys_status       pic 9(9) comp.
*
linkage section.
*
01  username_desc    pic x(8).
*
01  out_dir.
    03  out_dir_len  pic 9(4) comp.
    03  out_dir_text pic x(94).
*
procedure division
        using   out_dir,
                username_desc.
00.
    move spaces to out_dir_text.
    move zeroes to out_dir_len.

    call "maher$get_user_dir"
        using   username_desc,
                out_dir_text,
                out_dir_len
        giving  sys_status.
    if sys_status = rms$_rnf
        move "NL:" to out_dir_text
        move 3 to out_dir_len
    else
        if sys_status not = ss$_normal
            call "lib$stop" using by value sys_status.

    exit program.
*
end program ef_get_user_dir.
$!
$cobol/lis maher$user.cob
$link/share=maher$user.exe maher$user.obj,sys$input/opt

sys$library:maher$share/share

symbol_vector=(ef_get_user_dir=procedure)

gsmatch=lequal,3,0
$!
$define/nolog maher$user 'f$parse("maher$user.exe")'
$sql:==$sql$
$sql
attach 'file mf_personnel';

drop function ef_get_user_dir;

create  function ef_get_user_dir (in char(32) by descriptor)
        returns varchar(94) by reference
        language sql
;
        external name ef_get_user_dir
        location 'maher$user' with all logical_name translation
        language cobol
        general parameter style variant
        comment is 'Get UAF device and directory info for user'
        BIND ON CLIENT SITE
        bind scope connect
;
commit;
exit;
$exit
$!
$no_priv:
$       write sys$output -
        "Insufficient privilege. You need (CMKRNL,SYSPRV,PFNMAP)"
$       exit 44
$no_vax:
$       write sys$output "This code only works on alpha"
$       exit 44


"Hoff Hoffman" <hoff-remove-this@xxxxxx> wrote in message
news:ngh3g.6783$tG7.5011@xxxxxxxxxxxxxxxxxxx

Against my better judgment, I've provided someone claiming to be
Richard (or Richard) with an example of how security is broken within a
UWSS image constructed the way he posits.

I will not provide that example here, as I have enough work to do
without giving the script kiddies more to think about.

I've also suggested (to Richard or someone claiming to be him) that
OpenVMS itself need not follow its own rules for support; that OpenVMS
itself contains constructs and mechanisms and calls that are not or
would not be supported for use within application programs. I certainly
make heavy use of a number of APIs that I wrote and that I also hold as
undocumented, for instance -- BACKUP is also using one of these newer
APIs, too. (I've discussed a few of these undocumented APIs at the
bootcamp, and have several pages in the presentations on these.)

I have occasionally offered what amounts to an application security
class at various (restricted) events, though it has tended to cause me
various problems because it is basically also a how-to class for hacking
into OpenVMS. Obviously.
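The argument and privilege handling that maher$get_user_dir has to get right, as an added example in plain C that is not part of the original post and makes no OpenVMS calls: the 8-byte string descriptor layout, the PROBER step and $SETPRV are modelled with ordinary C types and functions so it builds and runs on any host. The pattern it shows is the one inner-mode code should follow. Fetch the caller's descriptor once, validate the length, copy the string into inner-mode storage and work only from the copy, so nothing the caller can alter after the probe is read a second time; then turn off only the privileges the routine itself turned on (the EVAX_BIC step in the MACRO), which preserves SYSPRV for a caller who already held it. The names capture_username, with_sysprv, priv_delta and join_counted are mine, and the SS$ codes and PRV$V_SYSPRV bit position are as I recall them from $SSDEF and $PRVDEF; the logic only needs them to be distinct values.

```c
/* Added example, not code from the original post or from OpenVMS.
 * Host-testable model of an inner-mode (UWSS) routine's argument and
 * privilege handling. No system services are called. */
#include <stdint.h>
#include <string.h>

#define USRNAM_MAX 12
#define OUT_LEN    94
#define SS_NORMAL   1    /* SS$_NORMAL, from $SSDEF as recalled   */
#define SS_ACCVIO   12   /* SS$_ACCVIO                            */
#define SS_BADPARAM 20   /* SS$_BADPARAM                          */
#define PRV_M_SYSPRV (1ULL << 28)   /* PRV$V_SYSPRV = 28 as recalled from $PRVDEF */

/* Fixed-length string descriptor, same layout as DSC$K_S_BLN (8 bytes). */
typedef struct { uint16_t len; uint8_t dtype; uint8_t dclass; const char *ptr; } dsc_t;

/* Snapshot the caller's descriptor once, validate it, and copy the text into
 * inner-mode storage. Everything after this uses the copy, so the caller
 * cannot change length or pointer between the check and the use. */
int capture_username(const dsc_t *user_dsc, char inner[USRNAM_MAX + 1])
{
    dsc_t d = *user_dsc;                      /* single fetch of the descriptor */
    if (d.len == 0 || d.len > USRNAM_MAX)     /* same 1..12 rule as the MACRO */
        return SS_BADPARAM;
    if (d.ptr == NULL)                        /* stands in for PROBER on the text */
        return SS_ACCVIO;
    memcpy(inner, d.ptr, d.len);              /* copy the bytes, not the pointer */
    inner[d.len] = '\0';
    return SS_NORMAL;
}

/* Model of the process privilege mask and of $SETPRV (PRVPRV = old mask). */
typedef struct { uint64_t cur; } proc_t;

static void setprv(proc_t *p, int enable, uint64_t mask, uint64_t *prev)
{
    if (prev) *prev = p->cur;
    p->cur = enable ? (p->cur | mask) : (p->cur & ~mask);
}

/* The EVAX_BIC step: del_prv = sys_prv AND NOT old_prv, i.e. only the bits
 * this routine actually turned on. */
uint64_t priv_delta(uint64_t wanted, uint64_t had) { return wanted & ~had; }

/* Run body() with SYSPRV enabled and leave the caller's mask exactly as it
 * was. Returns the final mask so it can be checked. */
uint64_t with_sysprv(proc_t *p, int (*body)(proc_t *), int *status)
{
    uint64_t old;
    setprv(p, 1, PRV_M_SYSPRV, &old);
    *status = body(p);
    setprv(p, 0, priv_delta(PRV_M_SYSPRV, old), NULL);
    return p->cur;
}

/* The naive alternative: disable SYSPRV unconditionally afterwards, which
 * strips it from a caller who already had it. */
uint64_t with_sysprv_naive(proc_t *p, int (*body)(proc_t *), int *status)
{
    setprv(p, 1, PRV_M_SYSPRV, NULL);
    *status = body(p);
    setprv(p, 0, PRV_M_SYSPRV, NULL);
    return p->cur;
}

/* Join two counted strings (first byte = length, the form UAI$_DEFDEV and
 * UAI$_DEFDIR return and !AC consumes) into a bounded 94-byte buffer. */
int join_counted(const uint8_t *dev, const uint8_t *dir, char out[OUT_LEN], uint16_t *outlen)
{
    size_t n = (size_t)dev[0] + dir[0];
    if (n > OUT_LEN) return SS_BADPARAM;      /* never write past the buffer */
    memcpy(out, dev + 1, dev[0]);
    memcpy(out + dev[0], dir + 1, dir[0]);
    *outlen = (uint16_t)n;
    return SS_NORMAL;
}

static int body_ok(proc_t *p) { (void)p; return SS_NORMAL; }

int main(void)
{
    int st;
    proc_t p = { 0 };                         /* caller without SYSPRV */
    uint64_t p_after = with_sysprv(&p, body_ok, &st);
    proc_t q = { PRV_M_SYSPRV };              /* caller who already has it */
    uint64_t q_after = with_sysprv(&q, body_ok, &st);
    uint64_t q_naive = with_sysprv_naive(&q, body_ok, &st);
    return (p_after == 0 && q_after == PRV_M_SYSPRV && q_naive == 0) ? 0 : 1;
}
```

The naive variant is there only to show what the BIC step buys: an image activated by a process that already runs with SYSPRV would otherwise come back from the service without it.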

