On 2020-01-04, Snowshoe <n...@spam.please> wrote:
> On 1/4/2020 5:31 PM, Simon Clubley wrote:
>>
>> The difference is that DCL has a privileged role within the VMS security
>> model whereas bash is just a normal user-mode program.
>>
>
> If, in theory, one wanted to create a new shell/CLI or modify something
> like bash to run as a new VMS shell, what special VMS-specific mods
> would be needed? Assume it still runs in super mode, but what other
> special abilities would it need? I do know the path to do certain DCL
> things like read/set DCL symbols and other CLI$ functions is convoluted
> and undocumented so if an equivalent is supplied there is that.
> Something must be done for execute-only images (although I think that's
> actually dealt with in exec mode) or privileged images (ditto).
>
A couple of things come immediately to mind:
An implementation of sys$cli() would need to be added
Handling VMS's rather "unique" approach to image activation (image
activation on VMS is not atomic and images share the same address
space as the shell).
Actually co-existing in the same address space as the program when it
is running. Until the problem I described below is fixed, that includes
making sure you can't do anything security sensitive in the shell when
control is returned back to the shell while a privileged image is running.
It also includes making sure that non-privileged users cannot supply
their own shell until that same problem is fixed.
>> You may still be able to compromise a Linux box using bash provided that
>> bash is just one part of the vulerability chain (there was a well published
>> issue with bash when used with a webserver in some environments).
>>
>> However, with DCL, you only need to get shellcode you control running
>> inside DCL itself to stand a good chance of being able to compromise
>> the VMS system itself.
>>
>
> You mentioned before that certain exec mode routines were called via
> $CMEXEC which is always allowed from supervisor mode regardless of
> privs, what would it take to eliminate them, then changing $CMEXEC to
> require privs when called from super mode?
>
Special supervisor mode access to $CMEXEC outside of what I describe
below would be a new one on me if true. Are you sure you are not
misremembering what I said ?
The problem I described (and is the problem I was able to exploit)
is that DCL has access to the privileges of the programs it runs.
This means that if an image is installed with CMKRNL (for example)
then, if you can get shellcode running inside DCL itself while the
privileged program is loaded (as I did), you can use those image
privileges to do whatever you want in your shellcode even though you
are a non-privileged user.
In the current VMS design, if you allowed a non-privileged user to supply
their own supervisor mode login shell, then the user can also do whatever
they want with those privileges during execution of that shell.
The only proper fix for this is to make sure that DCL (or any other
shell) _never_ sees the privileges of that image at any point during
image loading and image execution.
That includes making sure that DCL cannot see the image privileges
during image activation and having the _kernel_ and _NOT_ DCL strip
the privileges from the current process when Ctrl-Y is pressed.
At the moment, DCL just turns off the privileges when you press Ctrl-Y.
They need to actually be stripped by the kernel (not just turned off)
before any DCL Ctrl-Y code is run and then restored by the kernel when
DCL has finished executing the Ctrl-Y handler code.
Until you do that, that is a VMS-specific weakness just waiting to be
exploited if you can find a way into supervisor mode and there's no way
you can allow a non-privileged user to supply their own shell to run as
their supervisor mode login shell.