INFO-VAX    Fri, 15 Aug 2008    Volume 2008 : Issue 445

Contents:
  Re: Avoid printing of SYS$ANNOUNCE ?
  Re: Avoid printing of SYS$ANNOUNCE ?
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DSPP & OpenVMS
  Re: DSPP & OpenVMS
  Re: DSPP & OpenVMS
  Re: DSPP & OpenVMS
  Re: DSPP & OpenVMS
  Re: Example: VMS to Web Browser "push" technology
  Re: Help needed with / confused by AST routine (VAX,COBOL)
  Re: NFS - OpenVMS to OpenVMS
  Re: NFS - OpenVMS to OpenVMS
  Re: NFS - OpenVMS to OpenVMS
  OT: noVMS Alphas...
  Re: OT: noVMS Alphas...
  Re: OT: noVMS Alphas...
  Re: What to do now with a DEC Server 3000?
  Re: What to do now with a DEC Server 3000?
  Re: What to do now with a DEC Server 3000?
  Re: What to do now with a DEC Server 3000?
  Re: What to do now with a DEC Server 3000?
  Re: What to do now with a DEC Server 3000?
  Re: What to do now with a DEC Server 3000?

----------------------------------------------------------------------

Date: Fri, 15 Aug 2008 10:05:45 -0400
From: none
Subject: Re: Avoid printing of SYS$ANNOUNCE ?
Message-ID:

On Thu, 14 Aug 2008 22:23:26 +0000 (UTC), moroney@world.std.spaamtrap.com (Michael Moroney) wrote:

>
>Related question: Is there a way to disable the "logged out" message at
>the end when a process is logged out? Actually I know an answer to this,
>$ STOP/ID=0. But that seems so crude, is there _another_ way to do that?

For your second question, EOJ works as well as stop/id=0.

------------------------------

Date: Fri, 15 Aug 2008 17:57:48 +0000 (UTC)
From: moroney@world.std.spaamtrap.com (Michael Moroney)
Subject: Re: Avoid printing of SYS$ANNOUNCE ?
Message-ID:

none writes:

>On Thu, 14 Aug 2008 22:23:26 +0000 (UTC),
>moroney@world.std.spaamtrap.com (Michael Moroney) wrote:
>>
>>Related question: Is there a way to disable the "logged out" message at
>>the end when a process is logged out? Actually I know an answer to this,
>>$ STOP/ID=0. But that seems so crude, is there _another_ way to do that?

>For your second question, EOJ works as well as stop/id=0.

I get the usual logout message from $ EOJ.

------------------------------

Date: Fri, 15 Aug 2008 01:27:35 -0700 (PDT)
From: sampsal@gmail.com
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <9b6cde05-affa-4ebe-a55f-1237d2de2008@a1g2000hsb.googlegroups.com>

Verified (finally got my VMS box up):

$ show sys/noproc
OpenVMS V8.3 on node CHIMPY 15-AUG-2008 09:27:20.73 Uptime 0 23:14:17
$ type .plan
%n
$ show sys/noproc
OpenVMS V8.3 on node CHIMPY 15-AUG-2008 09:27:25.34 Uptime 0 23:14:21
$ finger sampsa
Login name: SAMPSA In real life: SAMPSA LAINE
Account: SAMPSA Directory: SYS$SYSDEVICE: [SAMPSA]
Last login: Fri 15-AUG-2008 09:26:39
No unread mail
%SYSTEM-F-ACCVIO, access violation, reason mask=04, virtual address=0000000000000000, PC=FFFFFFFF80BA3BA4, PS=0000001B

Improperly handled condition, image exit forced.
Signal arguments:   Number = 0000000000000005
                    Name   = 000000000000000C
                             0000000000000004
                             0000000000000000
                             FFFFFFFF80BA3BA4
                             000000000000001B

Register dump:
R0  = 0000000000000000  R1  = 0000000000000049  R2  = 000000007BEEDCD0
R3  = 000000007AE26940  R4  = 0000000000000000  R5  = 0000000000000000
R6  = 000000007AE26928  R7  = FFFFFFFFFFFFFFFF  R8  = 000000007BF628E8
R9  = 0000000000050011  R10 = 00000000000202D0  R11 = 0000000000000000
R12 = 0000000000116C88  R13 = 0000000000000000  R14 = 0000000000000053
R15 = 0000000000116BC8  R16 = 0000000000050011  R17 = 000000007AE26DB0
R18 = 000000007AE26DB0  R19 = 000000007AE26930  R20 = 0000000000000008
R21 = 0000000000000000  R22 = 0000000000000000  R23 = 0000000000000000
R24 = 0000000000000000  R25 = FFFFFFFFFFFFEC96  R26 = 0000000000000001
R27 = FFFFFFFF80BA36D0  R28 = FFFFFFFF80BA3B30  R29 = 000000007AE26880
SP  = 000000007AE26880  PC  = FFFFFFFF80BA3BA4  PS  = 000000000000001B

------------------------------

Date: Fri, 15 Aug 2008 06:33:00 -0400
From: bradhamilton
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <48A55B5C.60807@comcast.net>

sampsal@gmail.com wrote:
> Verified (finally got my VMS box up):
>
> $ show sys/noproc
> OpenVMS V8.3 on node CHIMPY 15-AUG-2008 09:27:20.73 Uptime 0 23:14:17
> $ type .plan
> %n
> $ show sys/noproc
> OpenVMS V8.3 on node CHIMPY 15-AUG-2008 09:27:25.34 Uptime 0 23:14:21
> $ finger sampsa
> Login name: SAMPSA In real life: SAMPSA LAINE
> Account: SAMPSA Directory: SYS$SYSDEVICE: [SAMPSA]
> Last login: Fri 15-AUG-2008 09:26:39
> No unread mail
> %SYSTEM-F-ACCVIO, access violation, reason mask=04, virtual address=0000000000000000, PC=FFFFFFFF80BA3BA4, PS=0000001B

OK, now *please*, someone show us how to "properly" format the .plan
(plan.txt) file to produce this result. :-)

[...]

------------------------------

Date: 15 Aug 2008 11:02:24 GMT
From: burley@Encompasserve.org (Graham Burley)
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <48a5623f$0$90270$14726298@news.sunsite.dk>

In article <48A55B5C.60807@comcast.net>, bradhamilton writes:

>OK, now *please*, someone show us how to "properly" format the .plan
>(plan.txt) file to produce this result.

And which finger (TCP/IP Services, Multinet, ...)

------------------------------

Date: Fri, 15 Aug 2008 11:16:35 GMT
From: VAXman- @SendSpamHere.ORG
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <00A7E22F.50A18696@SendSpamHere.ORG>

In article <48A4DDE7.3020506@comcast.net>, bradhamilton writes:
>bugs@signedness.org wrote:
>[...]
>>
>> LOL
>> The bug is not in DCL, and if you care to watch the videos you will
>> see that an arbitrary program can be run with higher privileges.
>> As an example we wrote FILE.EXE (since we can not get any output to
>> the terminal from 'show proc/priv' when exploiting) which simply
>> writes the privileges of the current process to PRIVS.TXT.
>> We first execute FILE.EXE from the shell to show that the user has the
>> default privileges.
>> FILE.EXE is then executed with higher privileges from the program that
>> we are exploiting (install, tcpip and telnet, but there are others as
>> well).
>>
>> Oh, and you need the vmware codecs installed to watch the videos.
>>
>> Cheers,
>> signedness.org
>
>Thanks for the additional information. I was curious as to why you ran
>FILE.EXE, as opposed to a simple "show proc/priv" before and after your
>exploit.
>
>I can see that you have gained privilege after the "exploit", but the
>"exploit" itself seems to be another EXE (SHELLCODE?) itself. Why all
>the "mystery"? Without the source code, we can't "see" what's going on,
>and reproduce it ourselves; we are left to trusting that you are not
>playing some kind of bizarre, behind-the-scenes tricks to pretend that
>you are elevating privileges. Sorry to be so mistrustful, but that's
>just a common attitude here.
>
>I was able to "view" the videos on a linux laptop using "Movie Player".
> I tried to view the videos on an XP box, but both Media Player and
>Quicktime show dark screens, as reported by Brian. Media player claims
>that a codec is corrupt (I assume that this is the vmware codec referred
>to above).

VLC gives me a white screen with [cmn@fc6 ~]$ , and then runs for 1:06
with nothing else.

--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

... pejorative statements of opinion are entitled to constitutional protection
no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)

Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside
of usenet _must_ include its contents in its entirety including this copyright
notice, disclaimer and quotations.

------------------------------

Date: Fri, 15 Aug 2008 04:26:51 -0700 (PDT)
From: bugs@signedness.org
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID:

On Aug 15, 4:37 am, patrick jankowiak wrote:
> Mark Daniel wrote:
> > Tim E. Sneddon wrote:
> >> VAXman- @SendSpamHere.ORG wrote:
>
> >>> In article
> >>> <9781c047-761a-4923-9aab-8c1a32ff7...@x35g2000hsb.googlegroups.com>,
> >>> samp...@gmail.com writes:
>
> >>>>> I would have thought a CLI overflow to have been tried by at least
> >>>>> a few
> >>>>> at DEFCON9 because the system automagically created service-rich user
> >>>>> accounts with of course DCL which the hackers were then free to abuse.
>
> >>>>> We were not scrutinizing buffers however and any such overflow may in
> >>>>> our case have done nothing harmful (by luck or design). I think it was
> >>>>> version 7.1-? if it makes a difference. Did the gentleman specify any
> >>>>> versions?
>
> >>>> Default 8.3 install on an Alpha according to the presentation notes.
> >>>> To reproduce this, apparently one is to enter exactly 511 characters
> >>>> of input, then press the up arrow three times and wait - a core dump
> >>>> follows.
>
> >>> I know you didn't make the claim but you should first test it out before
> >>> brandishing bullshit here.
>
> >>> I've tried to reproduce the claimed results from your posted instruction
> >>> and it does NOT produce a "core dump".
>
> >> This isn't entirely bullshit. I reported it, case number AH800710.
>
> >> I saw the original post regarding the "execution of privileged code"
> >> and was tempted to reply, but I didn't bother. However, I am now :-)
>
> >> The issue never allowed execution of priv. code (certainly not as
> >> far as I could see). The issue was simply a miscalculation in the
> >> RECALL ring buffer that resulted in an access violation. This seemed
> >> to coincide with the extension of the DCL command line buffer. Yes,
> >> the process does crash. Yes, it was a pain. However, it happened so
> >> infrequently and never actually did anything serious that I didn't
> >> report it for the first few months.
>
> >> The version of VMS is also incorrect. I reported the problem under
> >> OpenVMS Alpha V7.3-2 in June, 2004.
>
> > Little point in me reporting that I couldn't produce anything resembling
> > the (albeit sketchy) description of the 'exploit' on my off-the-CD V8.3
> > installation. This is a quoted-copy (to help circumvent wrapping) of
> > that test:
>
> >> $ product show hist
> >> ------------------------------------ ----------- ----------- --- -----------
> >> PRODUCT                              KIT TYPE    OPERATION   VAL DATE
> >> ------------------------------------ ----------- ----------- --- -----------
> >> CPQ AXPVMS CDSA V2.2-271             Full LP     Install     (C) 13-AUG-2008
> >> DEC AXPVMS DECNET_OSI V8.3           Full LP     Install     (C) 13-AUG-2008
> >> DEC AXPVMS DWMOTIF V1.6              Full LP     Install     (C) 13-AUG-2008
> >> DEC AXPVMS DWMOTIF_SUPPORT V8.3      Full LP     Install     (U) 13-AUG-2008
> >> DEC AXPVMS OPENVMS V8.3              Platform    Install     (U) 13-AUG-2008
> >> DEC AXPVMS TCPIP V5.6-9              Full LP     Install     (C) 13-AUG-2008
> >> DEC AXPVMS VMS V8.3                  Oper System Install     (U) 13-AUG-2008
> >> HP AXPVMS AVAIL_MAN_BASE V8.3        Full LP     Install     (U) 13-AUG-2008
> >> HP AXPVMS KERBEROS V3.0-103          Full LP     Install     (C) 13-AUG-2008
> >> HP AXPVMS SSL V1.3-281               Full LP     Install     (C) 13-AUG-2008
> >> HP AXPVMS TDC_RT V2.2-107            Full LP     Install     (C) 13-AUG-2008
> >> ------------------------------------ ----------- ----------- --- -----------
> >> 11 items found
>
> >> $ show cpu/full
>
> >> System: WASD, AlphaServer DS20 500 MHz
>
> >> SMP execlet = 3 : Disabled : Uniprocessing.
> >> Config tree = None
> >> Primary CPU = 0
> >> HWRPB CPUs = 2
> >> Page Size = 8192
> >> Revision Code =
> >> Serial Number = S391400466
> >> Default CPU Capabilities:
> >>   System: QUORUM RUN
> >> Default Process Capabilities:
> >>   System: QUORUM RUN
>
> >> CPU 0 State: RUN CPUDB: 81C18000 Handle: * None *
> >> Process: FTA7:SYSTEM PID: 0000045C
> >> Capabilities:
> >>   System: PRIMARY QUORUM RUN RAD0
> >> Slot Context: 84970180
> >> CPU - State..........: RC, PA, PP, CV, PV, PMV, PL
> >>       Type...........: EV6 (21264), Pass 2.3
> >>       Speed..........: 500 Mhz
> >>       Variation......: VAX FP, IEEE FP, Primary Eligible
> >>       Serial Number..:
> >>       Revision.......:
> >>       Halt Request...: 0
> >>       Software Comp..: 0.0
> >> PALCODE - Revision Code..: 1.98-01
> >>           Compatibility..: 79
> >>           Max Shared CPUs: 2
> >>           Memory Space..: Physical = 00000000.00000000 Length = 0
> >>           Scratch Space..: Physical = 00000000.00000000 Length = 0
> >> Bindings: * None *
> >> Fastpath:
> >>   PKC0
> >>   BG0
> >> Features:
> >>   Autostart - Enabled.
> >>   Fastpath - Selection enabled as Preferred CPU.
>
> >> $ typ test.com
> >> $ write sys$output 79 * 6 + 37
> >> $ write sys$output f$fao("!79*A")
> >> $ write sys$output f$fao("!79*B")
> >> $ write sys$output f$fao("!79*C")
> >> $ write sys$output f$fao("!79*D")
> >> $ write sys$output f$fao("!79*E")
> >> $ write sys$output f$fao("!79*F")
> >> $ write sys$output f$fao("!37*G")
> >> $ @test.com
> >> 511
> >> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> >> BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
> >> CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
> >> DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
> >> EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
> >> FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> >> GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG
>
> > I then cut and paste the 511 characters (line-by-line) into the CLI and
> > used the cursor keys to no result.
>
> >> Tim.
>
> > --
> > "And I am not frightened of dying, any time will do, I
> > don't mind. Why should I be frightened of dying?
> > There's no reason for it, you've gotta go sometime."
> > "If you can hear this whispering you are dying."
> > "I never said I was frightened of dying."
> > [Wright; The Dark Side of the Moon]
>
> I'm running that version on the Alpha out in the lab. I used a
> privileged acct. and I am using a 132 column terminal width. (never mind
> the system time, I just did this now.)
>
> $ show sys
> OpenVMS V7.3-2 on node WIZ 16-DEC-2005 11:52:17.01 Uptime 29 02:28:59
>
> up three times, and down three times, nothing.. but this shows now:
>
> Nothing more.. so finally I ran the up arrow till all the commands were
> gone, and held it a bit, then down arrow till the same, holding it a bit
> as well, and did this a few times and got this:
>
> $ ...

You have all the information that you need to reproduce this
vulnerability on a vulnerable system. If you watch the video you can see
that the bug is triggered from the prompt of the vulnerable program
(like for example INSTALL>).

------------------------------

Date: Fri, 15 Aug 2008 04:30:01 -0700 (PDT)
From: bugs@signedness.org
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID:

On Aug 15, 1:11 pm, VAXman- @SendSpamHere.ORG wrote:
> In article <6e77d46c-8fd3-4b11-be3b-64f53ae45...@y38g2000hsy.googlegroups.com>, b...@signedness.org writes:
> >{...snip...}
> >LOL
> >The bug is not in DCL, and if you care to watch the videos you will
> >see that an arbitrary program can be run with higher privileges.
> >As an example we wrote FILE.EXE (since we can not get any output to
>
> __________________________________^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >the terminal from 'show proc/priv' when exploiting) which simply
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Why not?
>
> >writes the privileges of the current process to PRIVS.TXT.
> >We first execute FILE.EXE from the shell to show that the user has the
> >default privileges.
> >FILE.EXE is then executed with higher privileges from the program that
> >we are exploiting (install, tcpip and telnet, but there are others as
> >well).
>
> >Oh, and you need the vmware codecs installed to watch the videos.
>
> Why not .MPG which doesn't require the download of some questionable
> software from some site on the internet?

Because this is recorded from vmware, and the resulting file is an .avi
file. You can recode it yourself if you feel that it is a problem.
Unfortunately the codec for vmware vary in quality. If you run the movie
on a Linux box with vmware installed it should display just fine.

------------------------------

Date: Fri, 15 Aug 2008 04:33:21 -0700 (PDT)
From: bugs@signedness.org
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID:

On Aug 15, 1:11 pm, VAXman- @SendSpamHere.ORG wrote:
> In article <6e77d46c-8fd3-4b11-be3b-64f53ae45...@y38g2000hsy.googlegroups.com>, b...@signedness.org writes:
> >{...snip...}
> >LOL
> >The bug is not in DCL, and if you care to watch the videos you will
> >see that an arbitrary program can be run with higher privileges.
> >As an example we wrote FILE.EXE (since we can not get any output to
>
> __________________________________^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >the terminal from 'show proc/priv' when exploiting) which simply
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Why not?
>
> >writes the privileges of the current process to PRIVS.TXT.
> >We first execute FILE.EXE from the shell to show that the user has the
> >default privileges.
> >FILE.EXE is then executed with higher privileges from the program that
> >we are exploiting (install, tcpip and telnet, but there are others as
> >well).
>
> >Oh, and you need the vmware codecs installed to watch the videos.
>
> Why not .MPG which doesn't require the download of some questionable
> software from some site on the internet?
>
> --
> VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM
>
> ... pejorative statements of opinion are entitled to constitutional protection
> no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)
>
> Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside
> of usenet _must_ include its contents in its entirety including this copyright
> notice, disclaimer and quotations.

As we have mentioned earlier we have no output stream to write the
output of 'show proc/priv' to when executing the shellcode. That is the
reason for using the FILE.EXE program.

------------------------------

Date: Fri, 15 Aug 2008 05:11:32 -0700 (PDT)
From: bugs@signedness.org
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <50f78810-9630-4a1d-aad4-91f071bab9ad@d45g2000hsc.googlegroups.com>

On Aug 15, 1:42 pm, VAXman- @SendSpamHere.ORG wrote:
> In article , b...@signedness.org writes:
>
> >On Aug 15, 3:03 am, patrick jankowiak wrote:
> >> Forgive me, but all this "enter exactly 511 characters and press the up
> >> arrow three times" business reminds me of the old Dick Van Dyke episode
> >> schtick that started with a telephone call and ended with "..then swing
> >> the bag over your head and scream like a chicken"
>
> >> Vaxman -please e-mail me your shipment receiving address.. I am a couple
> >> years remiss in sending you something.
>
> >> Patrick J
>
> >We are not going to release the exploits for some time.. Seven "%n"
> >should be more than enough to hit something you can't write to and
> >crash the finger client (provided that HP has not patched it, we have
> >not heard from them in weeks even though we asked for updates)
>
> I don't run finger but I enabled it to see what you are on about.
> I get nothing but a stream of %n%n%n%n%n%n back.
>
>
>
> >System service numbers seems to move around between releases (like
> >windows system calls), since all our payloads assumes 8.3 (alpha) and
> >7.3 (vax) it would probably just mean that we get another bunch of
> >replies saying "it only crashes the binary and won't get "SYSTEM"".
> >Another thing is that at least the VAX shellcode was written purely
> >for demo purposes and got my username hardcoded into it (uses a system
> >service to enable all privs on my account)
>
> >If anybody is in or around London I'd be happy to settle whether or
> >not we are bullshitting with a live demo at a dc4420 meeting or
> >similar event..
>
> >The alpha exploits uses the sys$creprc system service to execute the
> >file FILE.EXE that happens to show the privs of the process. The
> >reason we took that route instead of spawning a new "shell" with
> >higher privs is that it was easier to test/debug.
>
> Why SYS$CREPRC to get privs? Why not SYS$GETJPI?
>
> >btw for those of you who doubt us, check this out
> >http://www.securityfocus.com/archive/1/495207 either we set a new
> >trend making it fashionable to bullshit about OpenVMS bugs or maybe it
>
> Multinet!
>
> --
> VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM
>
> ... pejorative statements of opinion are entitled to constitutional protection
> no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)
>
> Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside
> of usenet _must_ include its contents in its entirety including this copyright
> notice, disclaimer and quotations.

Why SYS$CREPRC to get privs? Why not SYS$GETJPI?

SYS$CREPRC is used in the shellcode to allow for arbitrary programs to
be run with inherited privileges. SYS$GETJPI is used by the FILE.EXE
program to _get_ privileges and print them to a file. That should be
obvious to any OpenVMS user.

------------------------------

Date: Fri, 15 Aug 2008 06:29:51 -0700 (PDT)
From: sampsal@gmail.com
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID:

On Aug 15, 2:10 pm, VAXman- @SendSpamHere.ORG wrote:
> OK. I'm most confused. How do you invoke SYS$CREPRC from DCL?
>
> Also, I just scanned all of DCL and the only SYS$CREPRC in it is in
> the SPAWN command. Are you spawning the FILE.EXE program? You've
> been incessantly terse explaining this.

I think you might be confused (not saying you are) by the term
"shellcode". It means the machine code payload of the exploit, typically
used to launch a shell, not some kind of DCL script, therefore the
SYS$CREPRC call is made from machine code, not DCL.

Sampsa

------------------------------

Date: Fri, 15 Aug 2008 07:12:25 -0700 (PDT)
From: sampsal@gmail.com
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID:

On Aug 15, 2:40 pm, VAXman- @SendSpamHere.ORG wrote:
> In article , samp...@gmail.com writes:
> >It means the machine code payload of the exploit, typically used to
> >launch a shell,
> >not some kind of DCL script, therefore the SYS$CREPRC call is made
> >from
> >machine code, not DCL.
>
> And where does this come into play in the 511 characters and 3 up arrows?

I think what they do (more or less) is to inject some shellcode into a
logical before running the exploit, then insert some other code after
the overflow that executes the code in the logical. Signedness guys care
to comment, I didn't see the demo, just have the notes second hand?

Sampsa

------------------------------

Date: Fri, 15 Aug 2008 07:14:18 -0700 (PDT)
From: sampsal@gmail.com
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <124aa8bb-bf74-46cf-81e1-cd60e2ae09a1@e53g2000hsa.googlegroups.com>

On Aug 15, 3:04 pm, "Richard B. Gilbert" wrote:
> Ten years ago, the code base was FULL of those little mistakes. DEC
> could have saved a lot of money and pain by buying a WORKING TCP/IP
> stack from TGV or Wollongong.

Interesting, especially considering they're still popping up (mind you,
in fairly obscure tools such as the FINGER client). I wonder what the
general state of that codebase is nowadays.

Sampsa

------------------------------

Date: Fri, 15 Aug 2008 07:48:44 -0700 (PDT)
From: sampsal@gmail.com
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID:

On Aug 15, 3:35 pm, "R.A.Omond" wrote:
> samp...@gmail.com wrote:
> Y'know ... I may be a newbie in this VMS thingy (a mere 26.5 years...)
> but I actually didn't understand what that is meant to mean.
>
> I'm a skeptic and proud of it, but I'm beginning to suspect that
> this is all a hoax.

Ok, I'll have a go at making that more understandable:

1. The input (=shellcode) after the overflow will be executed by the
   process with elevated privileges
2. There are quite a few input restrictions in what can be fed in
   through the CLI, making any meaningful attack difficult through just
   placing some shellcode after the overflow.
3. It is possible to execute shellcode stored in logicals, however.
4. Therefore the code injected after the overflow executes some other
   code stored in a logical.

Sampsa

------------------------------

Date: Fri, 15 Aug 2008 08:12:36 -0700 (PDT)
From: johnwallace4@yahoo.co.uk
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <39d2789b-134a-4c0b-a840-3b6e5fa199fe@x41g2000hsb.googlegroups.com>

On Aug 15, 3:35 pm, "R.A.Omond" wrote:
> samp...@gmail.com wrote:
> > [...snip...]
> > I think what they do (more or less) is to inject some shellcode into a
> > logical before running the exploit, then insert some other code after
> > the overflow that executes the code in the logical. Signedness guys
> > care to comment, I didn't see the demo, just have the notes second
> > hand?
>
> Y'know ... I may be a newbie in this VMS thingy (a mere 26.5 years...)
> but I actually didn't understand what that is meant to mean.
>
> I'm a skeptic and proud of it, but I'm beginning to suspect that
> this is all a hoax.

I've only been on VMS (and Unixes) since 1985 so I am not worthy, and am
risking teaching you how to suck eggs...

The general principle being referred to in the extract you quote is that
these exploits work by finding some OS-managed storage which is writable
by users and can potentially be executed later, preferably by code with
elevated privileges. So, for example, the name and/or contents of a
logical are in writable storage, and although that storage isn't
normally intended to hold code, if the memory management subsystem
doesn't prevent it being treated as code, then it can be treated as code.
So, you put some string of values in there somehow that you want
executed later, and all that's left to do is getting control transferred
to that code.

The classic mechanism for this unintended transfer of control is the
stack based buffer overflow scribbling over a return address. Here an
unchecked copy into a limited-size buffer is allowed to deposit more
data than the item can hold (which is why STR$this and DSC$that and
associated RTL routines are a NICE idea, one day maybe Billco and UNIX
will catch on to it). In the right circumstances, the excess data goes
far enough up(down?) the stack to overwrite the original return address
on the stack. Then all you have to do is work out how to get the address
of your "shell code" (?) written on to the stack in exactly the right
place to be interpreted as a return address when the function in the
picture returns to the caller (or in this case, "returns" to the shell
code). If all this is done correctly you don't see an ACCVIO, you just
end up with unintended code being silently executed, potentially in the
context of an exploitable program.

I haven't watched the videos but the ACCVIOs here aren't what I'd expect
to see as part of a successful exploit; they are what I'd expect to see
as the result of a bit of traditional broken UNIX code with a
traditional off-by-one or similar schoolboy error (like the ones I still
make :)).

I'm entirely happy that these things can be done in general, especially
on commodity OSes, and may even be possible on VMS, especially on apps
with a UNIX heritage which haven't been kept up to date. I'm reserving
judgement on whether I've seen proof.
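
The unchecked copy and the off-by-one described in the post above, as an added example that is not part of the original thread and is not OpenVMS or vendor code: a copy whose length check is wrong by one, beside a descriptor-style copy that carries the buffer's capacity with it. The names bounded_buf, offbyone_store, bounded_store and run_case, the 512-byte buffer (so that 511 characters is the largest input that fits) and the guard bytes are all assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 512u   /* assumed size: 511 characters plus the terminator */
#define GUARD_LEN    8u     /* bytes placed directly after the buffer */
#define GUARD_BYTE   0xA5   /* known pattern, so any stray write is visible */

/* Hypothetical descriptor-style buffer: the capacity travels with the storage.
 * This is NOT the real OpenVMS DSC$ layout, only the same idea. */
struct bounded_buf {
    size_t capacity;   /* bytes available at data */
    size_t length;     /* characters stored, terminator excluded */
    char  *data;
};

enum copy_status { COPY_OK = 0, COPY_TOO_LONG = 1, COPY_BADARG = 2 };
typedef enum copy_status (*store_fn)(struct bounded_buf *, const char *, size_t);

/* "Before": the classic off-by-one. The check forgets the terminator, so an
 * input of exactly `capacity` characters is accepted and the '\0' is written
 * one byte past the buffer. Only call it through run_case() below, where
 * that byte is a guard byte inside memory the harness owns. */
enum copy_status offbyone_store(struct bounded_buf *dst, const char *src, size_t src_len)
{
    if (dst == NULL || dst->data == NULL || src == NULL)
        return COPY_BADARG;
    if (src_len > dst->capacity)              /* wrong bound */
        return COPY_TOO_LONG;
    memcpy(dst->data, src, src_len);
    dst->data[src_len] = '\0';                /* index == capacity when src_len == capacity */
    dst->length = src_len;
    return COPY_OK;
}

/* "After": reserve room for the terminator and refuse, rather than truncate,
 * anything longer. The destination is left untouched on failure. */
enum copy_status bounded_store(struct bounded_buf *dst, const char *src, size_t src_len)
{
    if (dst == NULL || dst->data == NULL || dst->capacity == 0 || src == NULL)
        return COPY_BADARG;
    if (src_len > dst->capacity - 1)          /* correct bound */
        return COPY_TOO_LONG;
    memcpy(dst->data, src, src_len);
    dst->data[src_len] = '\0';
    dst->length = src_len;
    return COPY_OK;
}

static int guard_intact(const unsigned char *guard)
{
    size_t i;
    for (i = 0; i < GUARD_LEN; i++)
        if (guard[i] != GUARD_BYTE)
            return 0;
    return 1;
}

struct case_result { enum copy_status status; size_t stored; int guard_intact; };

/* Store n filler characters (constructed input) through `store` and report
 * whether the bytes after the buffer survived. Buffer and guard live in one
 * array, so the one-byte overrun stays inside memory this function owns. */
struct case_result run_case(store_fn store, size_t n)
{
    unsigned char region[CMD_BUF_SIZE + GUARD_LEN];
    char input[CMD_BUF_SIZE + 64];
    struct bounded_buf buf = { CMD_BUF_SIZE, 0, (char *)region };
    struct case_result r;

    if (n > sizeof input)
        n = sizeof input;
    memset(region, 0, CMD_BUF_SIZE);
    memset(region + CMD_BUF_SIZE, GUARD_BYTE, GUARD_LEN);
    memset(input, 'A', n);

    r.status = store(&buf, input, n);
    r.stored = buf.length;
    r.guard_intact = guard_intact(region + CMD_BUF_SIZE);
    return r;
}

int main(void)
{
    size_t n;
    for (n = 510; n <= 513; n++) {
        struct case_result a = run_case(offbyone_store, n);
        struct case_result b = run_case(bounded_store, n);
        printf("%zu chars: off-by-one status=%d guard=%s | bounded status=%d guard=%s\n",
               n, (int)a.status, a.guard_intact ? "ok" : "CLOBBERED",
               (int)b.status, b.guard_intact ? "ok" : "CLOBBERED");
    }
    return 0;
}
```

In a real stack frame the byte after the buffer is whatever the compiler placed there, which is why a single stray terminator tends to surface as an access violation rather than anything tidier.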

------------------------------

Date: Fri, 15 Aug 2008 08:51:02 -0700
From: "Tom Linden"
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID:

On Fri, 15 Aug 2008 04:02:24 -0700, Graham Burley wrote:

> In article <48A55B5C.60807@comcast.net>, bradhamilton
> writes:
>
>> OK, now *please*, someone show us how to "properly" format the .plan
>> (plan.txt) file to produce this result.
>
> And which finger (TCP/IP Services, Multinet, ...)
>

Previous post indicated multinet
http://www.securityfocus.com/archive/1/495207

--
PL/I for OpenVMS
www.kednos.com

------------------------------

Date: Fri, 15 Aug 2008 08:55:22 -0700 (PDT)
From: sampsal@gmail.com
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <3494d5fa-8787-424c-81a6-248c82cbc1b4@a1g2000hsb.googlegroups.com>

On Aug 15, 4:51 pm, "Tom Linden" wrote:
> Previous post indicated multinet http://www.securityfocus.com/archive/1/495207
>
> --
> PL/I for OpenVMS www.kednos.com

That's a different flaw, I've verified the client bug on a stock OpenVMS
8.3 install with TCPIP V5.6-9ECO2.

Sampsa

------------------------------

Date: 15 Aug 2008 17:00:39 GMT
From: burley@Encompasserve.org (Graham Burley)
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <48a5b636$0$90266$14726298@news.sunsite.dk>

> In article , "Tom Linden" writes:
>> And which finger (TCP/IP Services, Multinet, ...)
>>
>Previous post indicated multinet
>http://www.securityfocus.com/archive/1/495207

That finger bug's been fixed, Process released the FINGER-010_A052 patch
for Multinet on 8th August. This appears to be something else.

------------------------------

Date: Fri, 15 Aug 2008 11:51:05 GMT
From: VAXman- @SendSpamHere.ORG
Subject: Re: DSPP & OpenVMS
Message-ID: <00A7E234.2282A65E@SendSpamHere.ORG>

In article <8660a3a10808142123y6bd344c5ydde2f7ec6225f37@mail.gmail.com>, "William Webb" writes:
>{...snip...}
>Perhaps you just don't know the right people at HP to ask.

For technical questions, I ask engineering.

As for the rest of HP, since they took over I have felt isolated. I
have no idea where to turn to and I've posted more than a few episodes
of my dealings with HP here. Remember me trying to get the rack mount
kit for my Itanium? ... which Proliant model is that Itanium server???

I used to get source listings too. I'd faxed (what a crazy mechanism
that is) off my CC info to the point of contact about 2 or 3 years ago.
I never received any source listings update nor have I been contacted
SINCE to renew the update! Where does one go?

I was trying to get V8.3-1H1 for testing purposes. Several email off
to the DSPP folks went unanswered. I did finally get a response
yesterday. Apparently, as a DSPP, I can order media from the DSPP site.
Thankfully, the email guided me through the site to where I'd order it.
I would never have found it otherwise.

The problem, as I see it, is that HP wants only to deal with the million
dollar corps and not the million cent ISVs.

--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

... pejorative statements of opinion are entitled to constitutional
protection no matter how extreme, vituperous, or vigorously expressed
they may be. (NJSC)

Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article
outside of usenet _must_ include its contents in its entirety including
this copyright notice, disclaimer and quotations.

------------------------------

Date: 15 Aug 2008 07:44:00 -0500
From: clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley)
Subject: Re: DSPP & OpenVMS
Message-ID:

In article <00A7E234.2282A65E@SendSpamHere.ORG>, VAXman- @SendSpamHere.ORG writes:
> The problem, as I see it, is that HP wants only to deal with the million
> dollar corps and not the million cent ISVs.
>

That is very true. It seems that even though HP told me that they wanted
to deal with me directly even when just buying one Alpha or IA64, the
reality is very different.

I'm currently trying to get configuration, pricing and licensing
information out of HP UK for an IA64 or Alpha server after being pointed
to the HP UK team from elsewhere within HP.

Technical presales were excellent, but even though the sales people
within HP have had the hard work done for them by the presales team,
they still can't be bothered to put together a quote for me, even though
it's been promised several times now. :-(

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980's technology to a 21st century world

------------------------------

Date: Fri, 15 Aug 2008 09:05:20 -0400
From: "Ken Robinson"
Subject: Re: DSPP & OpenVMS
Message-ID: <7dd80f60808150605s20d1e47ei1f56b18f14405c9a@mail.gmail.com>

On Fri, Aug 15, 2008 at 8:44 AM, Simon Clubley wrote:
> In article <00A7E234.2282A65E@SendSpamHere.ORG>, VAXman- @SendSpamHere.ORG writes:
>> The problem, as I see it, is that HP wants only to deal with the million
>> dollar corps and not the million cent ISVs.
>>
>
> That is very true. It seems that even though HP told me that they wanted to
> deal with me directly even when just buying one Alpha or IA64, the reality
> is very different.
>
> I'm currently trying to get configuration, pricing and licensing information
> out of HP UK for an IA64 or Alpha server after being pointed to the HP UK team
> from elsewhere within HP.

Have you looked at the HP Product Bulletin at . It's a downloadable PC
application that includes Quickspecs and prices. I don't know if it
works in the UK.

Ken

------------------------------

Date: Fri, 15 Aug 2008 06:41:42 -0700 (PDT)
From: Mike R
Subject: Re: DSPP & OpenVMS
Message-ID: <653f8e7d-fcc1-44ca-a711-9b2d159eb9fd@f63g2000hsf.googlegroups.com>

On Aug 15, 3:44 pm, clubley@remove_me.eisner.decus.org-Earth.UFP
(Simon Clubley) wrote:
> In article <00A7E234.2282A...@SendSpamHere.ORG>, VAXman- @SendSpamHere.ORG writes:
>
> Technical presales were excellent, but even though the sales people within
> HP have had the hard work done for them by the presales team, they still
> can't be bothered to put together a quote for me, even though it's been
> promised several times now. :-(
>

As a longtime DEC (ex-)customer, and with some experience within
Dec/Compaq/HP allow me to recommend:

1. Find the non-responsive person's manager
2. Contact same
3. If results are unsatisfactory, goto 1. Give up only after 3-4
   iterations.

Mike
http://alpha.mike-r.com

> Simon.
>
> --
> Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
> Microsoft: Bringing you 1980's technology to a 21st century world

------------------------------

Date: Fri, 15 Aug 2008 10:12:01 -0400
From: "Richard B. Gilbert"
Subject: Re: DSPP & OpenVMS
Message-ID:

Mike R wrote:
> On Aug 15, 3:44 pm, clubley@remove_me.eisner.decus.org-Earth.UFP
> (Simon Clubley) wrote:
>> In article <00A7E234.2282A...@SendSpamHere.ORG>, VAXman- @SendSpamHere.ORG writes:
>> >
>> Technical presales were excellent, but even though the sales people within
>> HP have had the hard work done for them by the presales team, they still
>> can't be bothered to put together a quote for me, even though it's been
>> promised several times now. :-(
>>
>
> As a longtime DEC (ex-)customer, and with some experience within Dec/
> Compaq/HP allow me to recommend:
>
> 1. Find the non-responsive person's manager
> 2. Contact same
> 3. If results are unsatisfactory, goto 1. Give up only after 3-4
> iterations.
>

Remember when you could just ask to speak with the "Manager on Duty"??
Those were the "good old days"!

------------------------------

Date: 15 Aug 2008 11:15:40 GMT
From: burley@Encompasserve.org (Graham Burley)
Subject: Re: Example: VMS to Web Browser "push" technology
Message-ID: <48a5655c$0$90270$14726298@news.sunsite.dk>

In article , "Richard Maher" writes:
> [snip]

Yes I do understand the difference between push and pull, and I'm not a
fan of polling either. The example was just that - an example. It seems
to have provided you with an opportunity to discuss the benefits of
push, that's no bad thing.

As far as I can see, your push demo simply demonstrates that a java
applet can receive and display UDP messages. Neat idea, but there's
work to do (as you've described already in this thread) to produce a
real world implementation.

At the moment this seems to have nothing to do with Tier3, except that
you might use this approach in conjunction with it. If you were using
Tier3, and had an active TCP connection between client and server, why
wouldn't you just push the messages down that connection?

> But getting back to Graham's example, maybe he wanted to reply to Jan-Erik
> as a solution to his "factory dashboard" requirement (and fair-enough too).

Perhaps it is. I make no apologies for the quick and dirty example,
that's one of the benefits (and drawbacks) of working with a web server.
I think it's good that WASD has addressed issues like the process
creation overhead, for stuff like this. If I was seriously thinking of
doing this I would use WASDs CGIplus or RTEs to avoid the image
activation and startup overheads completely.

------------------------------

Date: Fri, 15 Aug 2008 08:45:22 -0700
From: "Tom Linden"
Subject: Re: Help needed with / confused by AST routine (VAX,COBOL)
Message-ID:

On Thu, 14 Aug 2008 22:14:31 -0700, Wilm Boerhout wrote:

> on 14-8-2008 23:23 Richard Maher wrote...
>
> [snip]
>
>> PS. You can use a small MACRO file to achieve compile-time
>> initialization of
>> MIS if you're into that?
>
> Thanks for joining Richard. I inherited this COBOL program recently
> (it's 20 years old now) and am still struggling with the finer details
> of the language. Apparently, an EXTERNAL data area cannot be
> initialized by VALUE clauses. What would your macro look like?

Why do you need macro? You could certainly do it with a small PL/I
program without any executable statements using the INITIAL attribute
on the declaration.

External implies static, of course, which precludes reentrancy. If that
is an issue you may need to rethink the design.

> /Wilm

--
PL/I for OpenVMS
www.kednos.com

------------------------------

Date: 15 Aug 2008 07:30:30 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: NFS - OpenVMS to OpenVMS
Message-ID:

In article <305337c0-16c2-469d-9a3e-7791baf000f0@w7g2000hsa.googlegroups.com>, Ingi writes:
>
> Hi and thank you for your answer.
>
> The reason why I'm looking at NFS is because a DECdfs based solution
> requires DECnet (please correct me if I'm wrong).

I'm not sure whether DECdfs runs over DECnet, or its own protocol, but
VMScluster I know is its own protocol and is exactly what VMS savvy
folks would use. It's also what the other poster asked about.

> Because the dev-env is a single-node solution, wouldn't clustering
> be a little overkill ? (it would naturally give us the possibility to
> add other nodes/disks but then again we don't need that).

Clustering gives you everything the NFS gives you, and more. In this
case it gives you everything you've said you need, with none of the
problems inherent in NFS.

Do you have a clustering license? If BACKUP/ZIP/... meets your needs,
then I would not put down extra money for clustering in this case.

------------------------------

Date: 15 Aug 2008 07:33:35 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: NFS - OpenVMS to OpenVMS
Message-ID: <0qaghCUqTRrk@eisner.encompasserve.org>

In article <7be0035c-5625-4373-9c2b-f21f55804830@w7g2000hsa.googlegroups.com>, Ingi writes:
>
> But we're going to create a cluster w. TCP/IP only, that will give
> us mountable disks between the nodes over the network. We'll also be
> using 'backup/zip/ftp' so hello DCL here I come, hopefully I will
> never ever:

If you're connecting two systems with NFS, fine. But beware of using
the word "cluster" around here when that's all you've done.

And soon, HP tells us, you'll be able to VMScluster over IP, but if
you're not allowed to DECnet over IP, you may not be allowed to
VMScluster over IP.

------------------------------

Date: Fri, 15 Aug 2008 06:39:33 -0700 (PDT)
From: johnwallace4@yahoo.co.uk
Subject: Re: NFS - OpenVMS to OpenVMS
Message-ID: <471e00f9-6ab3-4219-abb0-1c0477ae3120@k13g2000hse.googlegroups.com>

On Aug 14, 1:31 pm, Ingi wrote:
> Hi all
>
> I'm working on migrating source code from Alpha to Itanium. The
> source code is in CMS on a single node Alpha. The new dev-env. Itanium
> will also be a single node. Both the Alpha and Itanium only have TCP/
> IP installed, that is NO DECnet and that is not an option either (at
> least for now).
>
> I've been trying to NFS export the source-code-disk from the Alpha
> and mounting it on the Itanium. The TCP/IP Services versions are:
>
> HP TCP/IP Services for OpenVMS Alpha Version V5.5 - ECO 1
> on an AlphaServer ES45 Model 2 running OpenVMS V8.2
>
> HP TCP/IP Services for OpenVMS Industry Standard 64 Version V5.6 -
> ECO 2
> on an HP rx1620 (1.60GHz/3.0MB) running OpenVMS E8.3-1H1
>
> On the Alpha I have the source-code disk mapped as '/src' and
> exported to the Itanium only.
>
> Pathname        Logical File System
> /src            ALPHA$DKB2:
>
> File System     Host name
> /src            ia64.somedomain
>
> I have a NFS proxy for my user and the system account as:
> VMS User_name   Type   User_ID   Group_ID   Host_name
>
> USER            OND         40          2   ia64.somedomain
> SYSTEM          OND          1          4   ia64.somedomain
>
> I only have proxies setup on the Alpha, it is sometimes mentioned in
> the documentation that proxies should be set up on the NFS-client side
> as well, but I haven't figured out why that should be necessary. Both
> the NFS and PORTMAPPER server components are started on the Alpha and
> on the Itanium only the NFS Client client component is started.
>
> I'm mounting the source-code-disk using the following command:
> $tcpip mount src: src src: /path="/src" /host=alpha /structure=5 /
> system
>
> OPCOM says:
> %%%%%%%%%%% OPCOM 14-AUG-2008 13:58:59.15 %%%%%%%%%%%
> Message from user TCPIP$NFS on ALPHA
> %TCPIP-S-NFS_MNTSUC, mounted file system /src
> -TCPIP-S-NFS_CLIENT, uid=40 gid=2 host_name = ia64.somedomain
>
> Now to my questions.
>
> 1) How can I get the same 'logical'/diskname on the client instead
> of new DNFSn: at every mount ? (I've tried /PROCESSOR=SAME:DNFS20
> without success)
>
> 2) Has anyone similar setup and is willing to share setup hints etc ?
>
> 3) I've also been trying to mount the disk onto Linux but I always
> get the 'permission' denied when accessing the mount. The mountpoint
> on Linux looks like:
> 'drwxr-x--x 2 nobody nogroup 512 2008-08-14 13:07 src/'
>
> I have had a proxy setup for my Linux user but the 'uid' has always
> showed up as 0 in OPCOM.
>
> %%%%%%%%%%% OPCOM 13-AUG-2008 19:47:56.98 %%%%%%%%%%%
> Message from user TCPIP$NFS on ALPHA
> %TCPIP-S-NFS_MNTSUC, mounted file system /src
> -TCPIP-S-NFS_CLIENT, uid=0 gid=1002 host_name = linux.somedomain
>
> USER OND 1001 1002
> linux.somedomain
>
> From /etc/fstab
> alpha:/src /mnt/alpha/src nfs
> rw,user,rsize=8192,wsize=8192,nolock,proto=udp,hard,intr,nfsvers=3 0 0
>
> Has anyone a workaround for that ?
>
> 4) I've been reading chapter 22 (NFS Server) and chapter 23 (NFS
> Client) at least a dozen times, but I don't seem to be able to
> understand the 'noproxy_id/noproxy_gid' stuff. Is someone willing to
> share some light on that.
>
> Regards
> - Ingi

Have you (and other folks replying so far) looked at and dismissed a
"solution" based on host-based Infoserver technologies? Or is it
something you're not aware of ?

I don't know much about the host-based implementations myself, except
to say that on the wire it is neither DECnet nor IP, it is just a
non-routable LAN-based protocol used to serve (and access) block
devices (cf NFS DFS etc which serve *files*). The Infoserver "local
area disk" protocol is not very related to the clustering protocols.

Once you've got a block level protocol of this nature your OS can layer
whatever file system over it (and thus whatever
security/authentication/etc) as is convenient; in your case the usual
VMS stuff would seem appropriate.

I don't know what resources are available (docs, howtos, etc) either,
but if you're still stuck for ideas you could start at
http://64.223.189.234/node/285 and see where it leads.

Apologies if this is an unhelpful idea.

------------------------------

Date: Fri, 15 Aug 2008 09:25:44 -0700 (PDT)
From: johnwallace4@yahoo.co.uk
Subject: OT: noVMS Alphas...
Message-ID: <69ade953-3196-457c-bb5a-0093d51d9ada@k13g2000hse.googlegroups.com>

On Aug 15, 4:48 pm, "Tom Linden" wrote:
> On Thu, 14 Aug 2008 23:58:03 -0700, H Vlems wrote:
> > On 14 aug, 19:33, "***** charles" wrote:
> >> >
> >> > The only difference is the damage done to the white box firmware to
> >> > prevent them booting VMS or Tru64.
> >> > A very simple procedure remedies this defect :-)
> >> > One note however: DEC/HP/Compaq will never service nor support a white
> >> > box Alpha that runs VMS or Tru64.
>
> >> I would be inclined to do this if I could get it to install/run OpenVMS.
> >> When I was in school "a long time ago" the computer science dept.
> >> had a vax cluster and I have used VMS before. Might be interesting.
> >> If you have the customization procedure to turn a white box into a
> >> blue box please point.
>
> >> thanks,
> >> charles.....
>
> > The procedure is outlined here: http://home.zonnet.nl/hvlems and go to
> > White Box Alphas
> > It is really quite simple, all you need to do is add two lines to the
> > nvram memory .
> > Hans
>
> Don't try this with an XL266. They actually crippled the 21064A cpu so you
> could load SRM.
>
> --
> PL/I for OpenVMS
> www.kednos.com

Not entirely correct. The Celebris XL266 (or whatever they called the
PCBU variant of the AlphaStation 400) had a "half flash", big enough
to hold AlphaBIOS *or* SRM console, but not both at the same time. If
you could reflash it, you could change OS and it would work (assuming
the graphics, SCSI, etc worked under both OSes). Whether this was
commercially allowed is a separate question. Not clear whether this
"half flash" was anything more than just a manufacturing penny-pinching
measure in the days when flash memory was a bit more expensive than it
is today.

There were crippled Alpha CPU chips, e.g. some of the 21164/EV5 chips
licenced by Samsung, maybe 21164PC, can't remember, which reportedly
had a VMS-specific memory management component missing (again, I can't
remember exactly what). This meant they could run NT, or could run
Tru64 (and SRM underneath), but could not ever run VMS. Some
motherboards based on them were called PC164SX. I have the remains of
a prototype of one of these somewhere, untouched for years; if anyone
is interested it's in Birmingham England.

21164PC product brief (1997, <50Watt):
http://h18002.www1.hp.com/alphaserver/technology/literature/164pcpb.pdf

------------------------------

Date: Fri, 15 Aug 2008 17:32:02 +0000 (UTC)
From: moroney@world.std.spaamtrap.com (Michael Moroney)
Subject: Re: OT: noVMS Alphas...
Message-ID:

johnwallace4@yahoo.co.uk writes:

>> Don't try this with an XL266. They actually crippled the 21064A cpu so you
>> could load SRM.

>Not entirely correct. The Celebris XL266 (or whatever they called the
>PCBU variant of the AlphaStation 400) had a "half flash", big enough
>to hold AlphaBIOS *or* SRM console, but not both at the same time. If
>you could reflash it, you could change OS and it would work (assuming
>the graphics, SCSI, etc worked under both OSes).

They also did this with the Alphastation 200s, all but the early ones.
You had to reflash to go between SRM and AlphaBIOS. I believe they
provided sockets on the board so you could add the flash chips if you
wanted to.

>There were crippled Alpha CPU chips, e.g. some of the 21164/EV5 chips
>licenced by Samsung, maybe 21164PC, can't remember, which reportedly
>had a VMS-specific memory management component missing (again, I can't
>remember exactly what). This meant they could run NT, or could run
>Tru64 (and SRM underneath), but could not ever run VMS.

Also the Alpha 21066 chip.

------------------------------

Date: Fri, 15 Aug 2008 10:43:58 -0700 (PDT)
From: Rich Jordan
Subject: Re: OT: noVMS Alphas...
Message-ID: <1fa55b58-a59b-48b8-ad60-558cbb0422d7@b1g2000hsg.googlegroups.com>

On Aug 15, 12:32 pm, moro...@world.std.spaamtrap.com (Michael Moroney)
wrote:
> johnwalla...@yahoo.co.uk writes:
> >> Don't try this with an XL266. They actually crippled the 21064A cpu so you
> >> could load SRM.
> >Not entirely correct. The Celebris XL266 (or whatever they called the
> >PCBU variant of the AlphaStation 400) had a "half flash", big enough
> >to hold AlphaBIOS *or* SRM console, but not both at the same time. If
> >you could reflash it, you could change OS and it would work (assuming
> >the graphics, SCSI, etc worked under both OSes).
>
> They also did this with the Alphastation 200s, all but the early ones.
> You had to reflash to go between SRM and AlphaBIOS.
> I believe they
> provided sockets on the board so you could add the flash chips if you
> wanted to.
>
> >There were crippled Alpha CPU chips, e.g. some of the 21164/EV5 chips
> >licenced by Samsung, maybe 21164PC, can't remember, which reportedly
> >had a VMS-specific memory management component missing (again, I can't
> >remember exactly what). This meant they could run NT, or could run
> >Tru64 (and SRM underneath), but could not ever run VMS.
>
> Also the Alpha 21066 chip.

Confirmed on the AS200 half-flash. I upgraded my Onsale.com unit to
full flash years ago just by plugging in the appropriate chips. I also
upgraded from 166 to 233 MHz; one new crystal (hard to find!), one CPU
snagged from a Cabriolet MLB, and a couple of switch settings. Sadly
the switch setting docs were missing from the later perfect-bound AS200
manuals, but they were in the earlier loose leaf binders.

Knocked about 15% off my Setiathome unit times. Now I never run NT on
the poor box any more and ARC is a happily fading memory.

However the OP indicated he was ending up at the ">>>" prompt, so half
flash or not, he has SRM loaded.

Rich

------------------------------

Date: Thu, 14 Aug 2008 23:58:03 -0700 (PDT)
From: H Vlems
Subject: Re: What to do now with a DEC Server 3000?
Message-ID: <96b08460-c4c5-4a22-93e1-526ea092c234@m3g2000hsc.googlegroups.com>

On 14 aug, 19:33, "***** charles" wrote:
> >
> > The only difference is the damage done to the white box firmware to
> > prevent them booting VMS or Tru64.
> > A very simple procedure remedies this defect :-)
> > One note however: DEC/HP/Compaq will never service nor support a white
> > box Alpha that runs VMS or Tru64.
>
> I would be inclined to do this if I could get it to insall/run OpenVMS.
> When I was in school "a long time ago" the computer science dept.
> had a vax cluster and I have used VMS before. Might be interesting.
> If you have the customization procedure to turn a white box into a
> blue box please point.
>
> thanks,
> charles.....

The procedure is outlined here: http://home.zonnet.nl/hvlems and go to
White Box Alphas
It is really quite simple, all you need to do is add two lines to the
nvram memory .
Hans

------------------------------

Date: 15 Aug 2008 07:07:32 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: What to do now with a DEC Server 3000?
Message-ID: <4$3kjoABf4Qg@eisner.encompasserve.org>

In article , "***** charles" writes:
>
> 1. on the front it says DIGITAL Server 3000 and on the back
> the model number is FR-K7F4W-AB I haven't been able to
> determine if this is supposed to be NT only or not

I don't recall any NT-only systems until after the 3000 series.

>
> 2. What do most of the people who have one of these things have on them
> OS wise? Linux, BSD, OpenVMS, DigitalUnix or whatever?

In my house, if it can run VMS, it does run VMS.

> 3. How do I update to the last BIOS or however you say it in the dec world?
> I understand there is a V5.8 out.

There are downloadable NVRAM updates. You boot the NVRAM CD, which can
be burned from the updates, or I think in some cases you can MOP boot
over the network, then run the update utility. You may have to slide off
the cover and change the read/write jumper.

IMHO, I'd start finding all this stuff by looking at the FAQ.
http://www.hoffmanlabs.org is a good place to look for the FAQ.

------------------------------

Date: 15 Aug 2008 07:10:29 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: What to do now with a DEC Server 3000?
Message-ID:

On Aug 13, 4:15 pm, "***** charles" wrote:
> Hi, this seems to be the right group. I came across a DEC Server 3000
> FR-K7F4W-AB with a 500MHz alpha chip and one stick of 128M of ram and I
> don't know how big the hard drive is yet.

also try comp.sys.dec

------------------------------

Date: 15 Aug 2008 07:11:25 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: What to do now with a DEC Server 3000?
Message-ID: <1Rq5TBzGUSPT@eisner.encompasserve.org>

In article , "Richard B. Gilbert" writes:
>
> Better or worse is a question that could be, and has been, argued for
> years!!! OpenVMS is VERY different from Unix/Linux. Some of us love
> it. I don't recall that we've converted many Unix/Linux people to VMS!

I do. But I also recall many who haven't "seen the light".

------------------------------

Date: 15 Aug 2008 07:12:58 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: What to do now with a DEC Server 3000?
Message-ID:

In article <48a3e355$0$90274$14726298@news.sunsite.dk>, "R.A.Omond" writes:

> Are you saying that you still have SETI running on VMS ?
> I was under the impression that since the arrival of BOINC this was
> no longer possible.

You can still run SETI, but since the arrival of BOINC no one may
be looking at the results.

------------------------------

Date: Fri, 15 Aug 2008 09:17:03 -0500 (CDT)
From: sms@antinode.info (Steven M. Schweda)
Subject: Re: What to do now with a DEC Server 3000?
Message-ID: <08081509170312_20200492@antinode.info>

From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)

> In article <48a3e355$0$90274$14726298@news.sunsite.dk>, "R.A.Omond" writes:
>
> > Are you saying that you still have SETI running on VMS ?
> > I was under the impression that since the arrival of BOINC this was
> > no longer possible.
>
> You can still run SETI, but since the arrival of BOINC no one may
> be looking at the results.

Yeah, _if_ you have your own radio telescope to provide the input data,
so that you can produce those results at which no one will look.

I tried to adapt BOINC when it became a SETI@home requirement, but found
too many non-trivial shortcomings in the VMS C RTL (shmget, et al.)
and C++ standard library IOStreams (G_FLOAT on Alpha, IEEE on IA64) to
overcome. Apparently, no one uses (used?) C++ for floating-point work
on both hardware types, and expected to share the data. (Building cURL
with IEEE_FLOAT was easy enough, as I recall.)

Someone with greater character might have kept at it, but when I got to
the C++ library problem on Alpha, I threw in the towel. (Now that I
have a zx2000, I suppose that all I'd need to do would be to write the
shared-memory infrastructure, and then I could advance to the next,
still-unknown brick wall.)

------------------------------------------------------------------------

   Steven M. Schweda               sms@antinode-info
   382 South Warwick Street        (+1) 651-699-9818
   Saint Paul  MN  55105-2547

------------------------------

Date: Fri, 15 Aug 2008 08:48:44 -0700
From: "Tom Linden"
Subject: Re: What to do now with a DEC Server 3000?
Message-ID:

On Thu, 14 Aug 2008 23:58:03 -0700, H Vlems wrote:

> On 14 aug, 19:33, "***** charles" wrote:
>>
>>
>> > The only difference is the damage done to the white box firmware to
>> > prevent them booting VMS or Tru64.
>> > A very simple procedure remedies this defect :-)
>> > One note however: DEC/HP/Compaq will never service nor support a white
>> > box Alpha that runs VMS or Tru64.
>>
>> I would be inclined to do this if I could get it to install/run OpenVMS.
>> When I was in school "a long time ago" the computer science dept.
>> had a vax cluster and I have used VMS before. Might be interesting.
>> If you have the customization procedure to turn a white box into a
>> blue box please point.
>>
>> thanks,
>> charles.....
>
> The procedure is outlined here: http://home.zonnet.nl/hvlems and go to
> White Box Alphas
> It is really quite simple, all you need to do is add two lines to the
> nvram memory .
> Hans

Don't try this with an XL266. They actually crippled the 21064A cpu so
you could load SRM.

--
PL/I for OpenVMS
www.kednos.com

------------------------------

End of INFO-VAX 2008.445
************************