Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 8/7/84; site ucbvax.ARPA
Path: utzoo!watmath!clyde!burl!ulysses!ucbvax!info-vax
From: info-vax@ucbvax.ARPA
Newsgroups: fa.info-vax
Subject: Eunice: *Warning* and a question
Message-ID: <2108@ucbvax.ARPA>
Date: Sat, 22-Sep-84 01:06:12 EDT
Article-I.D.: ucbvax.2108
Posted: Sat Sep 22 01:06:12 1984
Date-Received: Wed, 26-Sep-84 01:32:53 EDT
Sender: daemon@ucbvax.ARPA
Organization: University of California at Berkeley
Lines: 30

From: *Hobbit*

Some of you probably know all about this one already, so skip to the question.

If you have the binary distribution of the Eunice tools on a VMS system, you very likely have a big raggedy security hole. On our system at least, sys_tools:sh is installed with detach privs, presumably to handle background [&] processes right so they stay around when you log out the top level. Given correct procedure, sh would snarf up your UIC and start the process using that, simply allowing the detached process [and presumably *not* passing the detach priv to that process!]. But, I found, it is not loaded with /notrace, so you can go into DBG> on it. It's then fairly easy to load in a little program to do a $creprc with UIC [1,4] or something -- and from there, you head straight for the UAF.

We don't have sources for any of this stuff [well, we have something strange called .W files that look kinda like C sources but with funny other things in them], so if sh is to stay extant and work properly, the hole must remain. [On our instructional 780, no one, including the system manager, really knows enough to understand how it works anyways!]

It would probably be good to look around and check all your privileged images with run/debug. Even ones with OPER can be dangerous, if you have smart terminals in system offices that can send lines ... We've all heard about that one, right?

Well, okay, this is all well and good, but I still can't get sh to work properly. If I do something like foo.com & [which I assume would do foo.com in a detached process], it complains about not being able to find the shell image. What logical names does it want so it can find its interpretation of /bin/sh or whatever and start it up??

_H*
-------