HPE Community
Operating System - OpenVMS
1827787 Members
3230 Online
109969 Solutions
New Discussion

Re: John Gillings' VMS Tech Journal V7 Faking Shareables Problem

 
SOLVED
Go to solution
Richard J Maher
Trusted Contributor

‎02-28-2006 11:19 PM

‎02-28-2006 11:19 PM

John Gillings' VMS Tech Journal V7 Faking Shareables Problem

Hi,

Not sure if it's the particular version of my browser, but the HTML that I'm seeing loses the angle brackets <> [The pointy version of these () if you can't see 'em :-]

It makes it a bit difficult for the MACRO Register save masks #^m.

I don't know how to get Acrobat to scroll over pages when I'm cutting and the "export to text" drops the formatting and has page headers/footers :-( so if you're out there John, can you please advise me and future people what to do to get a clean copy? Maher_RJ (at) hotmail would be just peachy.

Cheers Richard Maher

PS. Before I waste a lot of time trying to get it to work, do you know of any problem with faking sys$library:secureshrp.exe?

MOVPSL still works on Alpha doesn't it? BISL2 #PSL$V_CURMOD and if the result is 8 then I get to show a "real" gaping security hole to a bunch of flailing neurotics who are preventing an essential piece of functionality being added to Product X on the pretence that a certain deployment of $persona_query will unleash all sorts of wardrobe monsters unto the world.

PPS, If the result is zero then I'm just gonna ignore it as I'm not gonna compound the original coders stupidity by crashing the box. (Also I'll probable use $sndopr to the SECURITY guy, and I don't think that works in Kernel mode. lib$put_output also uses RMS so that won't return if it's an exec mode AST either will it?) Oh well, much to do!

PPS. Anyone see the English TV ad (for John Smith's beer I think?)Two couples in an Indian restaurant and one bloke answers his mobile to find one of his frightened children on the line, obviously unable to sleep and distressed that the parents aren't at home. Anyway, to the absolute disbelief of all present, the father is heard to say:- "No sweatheart, there's no such thing as wardrobe monsters; It's the burglars coming in thru the window that you gotta worry about!" With that he puts the phone down and casually orders another Lamb Buna (or Vindy?). Oh well, I liked it.
0 Kudos
Reply
7 REPLIES 7
Ian Miller.
Honored Contributor

‎03-01-2006 07:00 AM

‎03-01-2006 07:00 AM

Re: John Gillings' VMS Tech Journal V7 Faking Shareables Problem

Why not use the pdf version of the article?
http://h71000.www7.hp.com/openvms/journal/v7/faking_it_with_openvms_shareable_images.pdf

you can write mailboxes messages in kernel mode using EXE$WRTMBX. $SNDOPR parhaps as it basically just writes a message in the OPCOM mailbox. At what IPL are you running?
LIB$PUT_OUTPUT probably not.

Seen the ad - amusing I thought.
____________________
Purely Personal Opinion
0 Kudos
Reply
John Gillings
Honored Contributor

‎03-01-2006 07:21 AM

‎03-01-2006 07:21 AM

Solution

Re: John Gillings' VMS Tech Journal V7 Faking Shareables Problem

Richard,

I'm not sure I understand your problem. The procedure itself is downloaded from the link:

http://h71000.www7.hp.com/openvms/journal/v7/fake_rtl_com.txt

It has all the <> characters intact. No cutting and pasting required, just download it to your OpenVMS system and RENAME it to FAKE_RTL.COM.

I've added some minor extra features since that version, send me mail if you'd like a copy of the most recent version.

SECURESHRP? Sure, but there are a few extra steps involved. You need to install the "REAL_SECURESHRP" copy exactly the same way as SECURESHRP, so that the "real" image can be activated within the rules of known files. Obviously that requires privilege.

You may also need to bypass known file activation of the main program. For example, if you $ RUN AUTHORIZE you'll pick up the INSTALLed image, which will bypass non-trusted logical name translation, and hence skip the fake. Either use the version number trick, or make your pointer to the fake a trusted logical name.

If you want to discuss even potential "gaping security holes", this is not the place to do it. Please log a case with your local customer support centre.
A crucible of informative mistakes
Reply
Richard J Maher
Trusted Contributor

‎03-01-2006 10:00 AM

‎03-01-2006 10:00 AM

Re: John Gillings' VMS Tech Journal V7 Faking Shareables Problem

Hi John,

Thanks for the link.

[You need to install the "REAL_SECURESHRP" copy exactly the same way as SECURESHRP, so that the "real" image can be activated within the rules of known files. Obviously that requires privilege.]

Why? If you need CMKRNL to install then that sort of defeats the purpose. Which is good news!

[You may also need to bypass known file activation of the main program. For example, if you $ RUN AUTHORIZE you'll pick up the INSTALLed image, which will bypass non-trusted logical name translation, and hence skip the fake. Either use the version number trick, or make your pointer to the fake a trusted logical name.]

That's expected and fine.

[If you want to discuss even potential "gaping security holes", this is not the place to do it. Please log a case with your local customer support centre. ]

Heh! Your the Adnan Cashoggie(sp?) here :-)

Don't have a support contract.

Cheers Richard.
0 Kudos
Reply
Richard J Maher
Trusted Contributor

‎03-01-2006 10:30 AM

‎03-01-2006 10:30 AM

Re: John Gillings' VMS Tech Journal V7 Faking Shareables Problem

Hi John,

Just re-read your reply. (Not having read your example thoroughly (enough) I see that the real shareable has to be renamed REAL_name and therefore if the REAL_share is still sitting in INSTALL and memory as just is ordinary name then the image activator is going to take that one?)

I'll loook at it in more detail this weekend. Still seems doable.

Cheers Richard
0 Kudos
Reply
John Gillings
Honored Contributor

‎03-01-2006 11:05 AM

‎03-01-2006 11:05 AM

Re: John Gillings' VMS Tech Journal V7 Faking Shareables Problem

Rob,

Just occured to me, I can post the latest version of the procedure here.

The attachment is a version with the return PC in the call & argument log.

>Why? If you need CMKRNL to install
>then that sort of defeats the purpose.
>Which is good news!

Thems the rules. The image activator is VERY picky about activating protected images. Hijacking calls into a protected image is exactly one of the things it's guarding against. So, you need privilege to give the image activator an image that it can "trust".

Using FAKE_RTL on non-privileged images doesn't need privileges. Using it with privileged images does.
A crucible of informative mistakes
Reply
Richard J Maher
Trusted Contributor

‎03-04-2006 08:50 PM

‎03-04-2006 08:50 PM

Re: John Gillings' VMS Tech Journal V7 Faking Shareables Problem

Hi Jim,

Thanks for getting back to me and posting your latest and greatest FAKE_RTL.

One slight nit, where exactly were you pointing to when you said â Thems the rulesâ ? Because of recurring arguments over â Is it 2 shots if you sink your opponents ball but struck your ball first?â or â Can you shoot back from the D?â a lot of pubs/clubrooms find it beneficial to post the Rules up on a wall for all to see. So if you can refer me to the stone tablets or other WORM device that constitute â Themâ it would honestly make my day!

Before I go on, let me say that I agree with you, and I want all VMS developers out there to know that they can call out to any old shareable image in inner-mode from a UWSS with (at least spoofing) impunity. But, Iâ m sure, weâ d all like to see it written down first. What can you do to help us?

Here are some seemingly relevant rules that Iâ m aware of: -

1) Never make subroutine calls to other shareable images from kernel or executive mode This is (now) bullet point 5 at http://h71000.www7.hp.com/doc/82FINAL/5841/5841pro_087.html#writing_priv_sec
2) $help/message NOSHRIMG The â user-actionâ part is best :-)
3) sys$examples:uwss.c (spit!)
** protected shareable images aren't allowed to call other shareable
** images, unless they too are installed protected.

So Can you see my dilema?

My own testing observations are not entirely consistent either :-( If you see the attached UWWS_2.TXT and if you â $define/process/super daily_planet foo.barâ before running clarke_kent it simply has no effect whatsoever â cos VMS will only consider /SYS/EXEC. This is great news! The sort of behaviour one achieves by installing the main image /PRIV=(NOALL).

But when I take a copy of LIBRTL to my local area and define LIBRTL to point to it I get the PRIVINSTALL error. (Curiously enough it blames HONEY_POT and not LIBRTL?)

So whatâ s going on??? Why is VMS using a non /SYS/EXEC logical name for LIBRTL?

The second shareable is called PHONE_BOOTH â cos in earlier testing it too was a UWSS.

So once again, I can only beg you, please show me â Themâ rules!

Just so as you know, Stephen Hoffman doesnâ t agree with you, and I quote: -

[
:Is it safe to call other shareables from inner mode whether they be
:protected or not? (as long as they're installed (protected?))
No.
]
[
:Is it safe to call $getuai from EXEC mode?
> AFAIK, no.
]
Donâ t worry! Iâ m on your side, and what does he know anyway :-)

Cheers Richard

PS. Also attached is the thread with my questions and Hoffâ s replies from Jan, 2002. Copied from Google for your info.
0 Kudos
Reply
Richard J Maher
Trusted Contributor

‎03-05-2006 12:11 AM

‎03-05-2006 12:11 AM

Re: John Gillings' VMS Tech Journal V7 Faking Shareables Problem

Here's that Jan, 2002 discussion from comp.os.vms that I spoke about. FYI.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.