INFO-VAX Sun, 17 Aug 2008 Volume 2008 : Issue 449

Contents:
  RE: Avoid printing of SYS$ANNOUNCE ?
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  RE: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  RE: DEFCON 16 and Hacking OpenVMS
  RE: DEFCON 16 and Hacking OpenVMS
  Re: DEFCON 16 and Hacking OpenVMS
  Re: DSPP & OpenVMS
  Re: OpenVMS in the media - National Grid Control Centre, Britain from
  Re: OT: Central Repository - File Distribution Question (AIX)

----------------------------------------------------------------------

Date: 17 Aug 2008 14:40:50 GMT
From: DAVISM@ecr6.ohio-state.edu (Michael T. Davis)
Subject: RE: Avoid printing of SYS$ANNOUNCE ?
Message-ID:

In article , moroney@world.std.spaamtrap.com (Michael Moroney) writes:
>I used the SYSMAN ALF feature to set up a hardwired terminal line to
>automatically log into a captive account (no Username: prompt) that
>automatically runs an application when someone presses return on the
>terminal. There are UAF flags to do things like disable the SYS$WELCOME
>message, but none for disabling SYS$ANNOUNCE. (Since SYS$ANNOUNCE
>normally gets displayed before the Username: prompt, it makes sense
>that there can't be a NOANNOUNCE flag).
>
>Does anyone know of a way to disable the display of SYS$ANNOUNCE on a
>terminal-by-terminal basis?
>
>Related question: Is there a way to disable the "logged out" message at
>the end when a process is logged out? Actually I know an answer to this,
>$ STOP/ID=0. But that seems so crude, is there _another_ way to do that?

...Not sure how to deal with your LOGOUT/EOJ issue. As far as suppressing
SYS$WELCOME goes, though, the common way to handle this is to rig up a
dynamic message.
Do a Google search for "SYS$WELCOME" and "mailbox" against the comp.os.vms
newsgroup and you should find references to this.

Regards,
Mike
--
| Systems Specialist: CBE,MSE          Michael T. Davis (Mike)
| Departmental Networking/Computing    http://www.ecr6.ohio-state.edu/~davism/
| The Ohio State University
| 197 Watts, (614) 292-6928

------------------------------

Date: Sat, 16 Aug 2008 23:23:35 -0700 (PDT)
From: Hein RMS van den Heuvel
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <9dd4c436-6506-40a8-a87e-7226ea5841a7@y21g2000hsf.googlegroups.com>

On Aug 16, 8:22 pm, Roger Ivie wrote:
> On 2008-08-16, John Santos wrote:
>
> > What I don't understand is do both the Finger bug and the 511-byte DCL
> > command bug induce the same vulnerability, or are they two different
> > things?

2 unrelated problems

Minor details...

>> and the 511-byte DCL command bug ...

Nit picking... It is not a DCL bug, but a problem a common input / parsing
routine can run into.

> The command recall bug sounds like a garden-variety buffer overflow.

Nit picking... It is not a command recall bug. That's just one way of
starting an escape sequence at an 'inconvenient' point in time. Something
as simple as byte 512 followed by random text can do the same.

fwiw... by pasting in just the right random text, even without a special
telnet, I can make it look at an RMS buffer which in turn I can load with
30+ kb of arbitrary data/instructions.

Hein.

------------------------------

Date: Sun, 17 Aug 2008 03:38:31 -0700 (PDT)
From: bugs@signedness.org
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID:

On Aug 17, 11:43 am, JF Mezei wrote:
> b...@signedness.org wrote:
> > Well, we are not the ones telling others to "fuck off", are we?
> > So who is the ass around here?
>
> I don't recall anyone telling you to fuck off.

Perhaps you have not read the whole thread:

On Aug 15, 9:24 pm, VAXman- @SendSpamHere.ORG wrote:
[...]
> Yeah, I know nothing about VMS. Please, oh great one, teach me your
> weirding way.
>
> Fuck off!
[...]

Does that refresh your memory? Seems kind of hostile if you ask me. We
expect an apology for this.

> You came to a VMS
> newsgroup, announced some vulnerability that you could not explain in
> VMS terms.

No, we came to a VMS group that already discussed the vulnerabilities that
we found and claimed that they were lies and a hoax. So we provided you
with videos of working PoC exploits to clarify that this for sure was a
real thing. Unfortunately that did not help.

We are sorry that we assumed that you guys knew what shellcode was, it is
a commonly used description in SECURITY which obviously is not an area
that you are interested in. It is laughable that there are still people
working with security in IT who do not know what shellcode is. That
implies that someone has buried his head in the sand for the past 15 years.

> It is like you talking Chinese to an American. You insisted
> in using terms like "shellcode" even after people told you they didn't
> understand what that meant.

There were attempts to try to clarify this, for example by Simon Clubley:

On Aug 15, 8:14 pm, clubley@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:
> I think that Brian may be thinking that shellcode is a series of DCL
> commands instead of machine code. I think it's already been pointed
> out on this thread already what the definition of shellcode is in the
> context that you are using it, but Wikipedia has a writeup in case
> Brian missed the earlier message:
>
> http://en.wikipedia.org/wiki/Shellcode

But people are obviously too stubborn to even attempt to understand or
even try to look it up (google for shellcode +security would have been
enough for anyone).

[...]
> If you had said:
>
> if you enter 511 bytes, add a couple of escape sequences (like 3
> uparrows) followed by 4 bytes, then the application will branch to the
> address indicated by those 4 bytes, this would have been understood very
> quickly by everyone, even if they couldn't reproduce it.
LOL

That is exactly what we did, except that we used "address to jump to" and
"return address" instead of "followed by four bytes". I'm not even going
to quote that post.

But that was obviously not clear enough, since we are not VMS-people, and
therefore can not be fully trusted:

On Aug 15, 9:24 pm, VAXman- @SendSpamHere.ORG wrote:
[...]
> Send me your so called "shellcode" and FILE.EXE then along with some
> instructions other than typing 511 characters and 3 up-arrows.
[...]

VAXman did not even bother to watch the videos, he continued to mess with
DCL even though we nicely pointed out that the bug was located elsewhere.
He also did not listen to us when we explained why FILE.EXE is used.

> Your own binary code is irrelevant here. People here would understand
> that if you can specify an address to branch, you could get the program
> to branch to your own code.

It is not irrelevant when trying to describe what the exploit actually
does, obviously there are people that have great trouble understanding
the basics of the exploit since questions with trivial answers have been
repeated all over the thread.

With trivial we mean questions that could easily have been looked up
using for example google. But that of course, requires a will to learn
and understand new things, and that is probably not the main issue for
some of you here.

We are NOT VMS people, and we have never claimed to be that either. In
fact, we know very little about the system itself, we find vulnerabilities
and write PoC code to prove that the vulnerabilities exist.

The reason for this is to make the digital world a little safer for
everybody. Obviously that is not what everybody wants. Instead of taking a
piss on people trying to secure your system you should perhaps be a bit
humble and TRY to understand so that problems can be solved. Telling
people to "fuck off" and calling them liars is not the way to go when they
actually try to HELP you SECURE YOUR SYSTEM.
------------------------------

Date: Sun, 17 Aug 2008 05:01:55 -0700 (PDT)
From: bugs@signedness.org
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <68f56a51-2532-4fc8-9965-4f95067031ac@a70g2000hsh.googlegroups.com>

On Aug 17, 11:54 am, davi...@alpha2.mdx.ac.uk wrote:
> In article , b...@signedness.org writes:
>
> >On Aug 17, 11:43 am, JF Mezei wrote:
> >> b...@signedness.org wrote:
> >> > Well, we are not the ones telling others to "fuck off", are we?
> >> > So who is the ass around here?
> >
> >> I don't recall anyone telling you to fuck off.
> >
> >Perhaps you have not read the whole thread:
> >
> >On Aug 15, 9:24 pm, VAXman- @SendSpamHere.ORG wrote:
> >[...]
> >> Yeah, I know nothing about VMS. Please, oh great one, teach me your
> >> weirding way.
> >
> >> Fuck off!
> >[...]
> >
> >Does that refresh your memory?
> >Seems kind of hostile if you ask me.
> >We expect an apology for this.
> >
> >> You came to a VMS
> >> newsgroup, announced some vulnerability that you could not explain in
> >> VMS terms.
> >No, we came to a VMS group that already discussed the vulnerabilities
> >that we found and claimed that they were lies and a hoax.
> >So we provided you with videos of working PoC exploits to clarify that
> >this for sure was a real thing. Unfortunately that did not help.
> >
> >We are sorry that we assumed that you guys
> >knew what shellcode was, it is a commonly used description in SECURITY
> >which obviously is not an area that you are interested in.
> >It is laughable that there are still people working with security
> >in IT who do not know what shellcode is.
> >That implies that someone has buried his head in
> >the sand for the past 15 years.
>
> This is NOT a security group. You have been receiving responses from both
> people who know security terminology and people who don't.
>
> David Webb
> Security team leader
> CCSS
> Middlesex University
>
> >> It is like you talking Chinese to an American.
> >> You insisted
> >> in using terms like "shellcode" even after people told you they didn't
> >> understand what that meant.
> >There were attempts to try to clarify this, for example by Simon
> >Clubley:
> >
> >On Aug 15, 8:14 pm, clubley@remove_me.eisner.decus.org-Earth.UFP
> >(Simon Clubley) wrote:
> >> I think that Brian may be thinking that shellcode is a series of DCL
> >> commands instead of machine code. I think it's already been pointed
> >> out on this thread already what the definition of shellcode is in the
> >> context that you are using it, but Wikipedia has a writeup in case
> >> Brian missed the earlier message:
> >
> >> http://en.wikipedia.org/wiki/Shellcode
> >
> >But people are obviously too stubborn
> >to even attempt to understand or even try to look it up
> >(google for shellcode +security would have been enough for anyone).
> >[...]
> >
> >> If you had said:
> >
> >> if you enter 511 bytes, add a couple of escape sequences (like 3
> >> uparrows) followed by 4 bytes, then the application will branch to the
> >> address indicated by those 4 bytes, this would have been understood very
> >> quickly by everyone, even if they couldn't reproduce it.
> >LOL
> >That is exactly what we did, except that we used "address to jump to"
> >and "return address" instead of "followed by four bytes". I'm not even
> >going to quote that post.
> >
> >But that was obviously not clear enough, since we are not VMS-people,
> >and therefore can not be fully trusted:
> >
> >On Aug 15, 9:24 pm, VAXman- @SendSpamHere.ORG wrote:
> >[...]
> >> Send me your so called "shellcode" and FILE.EXE then along with some
> >> instructions other than typing 511 characters and 3 up-arrows.
> >[...]
> >
> >VAXman did not even bother to watch the videos, he continued to
> >mess with DCL even though we nicely pointed out that the bug
> >was located elsewhere. He also did not listen to us when we explained
> >why FILE.EXE is used.
> >
> >> Your own binary code is irrelevant here.
> >> People here would understand
> >> that if you can specify an address to branch, you could get the program
> >> to branch to your own code.
> >
> >It is not irrelevant when trying to describe what the exploit actually
> >does, obviously there are people that have great trouble understanding the
> >basics of the exploit since questions with trivial answers have been
> >repeated all over the thread.
> >
> >With trivial we mean questions that could easily have been looked up
> >using for example google. But that of course, requires a will to learn and
> >understand new things, and that is probably not the main issue for some of
> >you here.
> >
> >We are NOT VMS people, and we have never claimed to be that either.
> >In fact, we know very little about the system itself, we find
> >vulnerabilities and write PoC code to prove that the vulnerabilities
> >exist.
> >
> >The reason for this is to make the digital world a little safer for
> >everybody.
> >Obviously that is not what everybody wants. Instead of taking a piss on
> >people trying to secure your system you should perhaps be a bit humble
> >and TRY to understand so that problems can be solved.
> >Telling people to "fuck off" and calling them liars is not the way to go
> >when they actually try to HELP you SECURE YOUR SYSTEM.

We never thought it was a security group.. We DID however present some of
our VMS security findings at a SECURITY conference.. When we got back
home, someone pointed us to this thread, where people who had not even
seen the presentation or the materials were saying it was bullshit, that
it was probably a hoax, more or less calling us liars, calling us
assholes, and telling us to go fuck ourselves and complaining about the
use of "shellcode" (using SECURITY terminology to describe a SECURITY
vulnerability!!! how dare they?!)....
Oh and the fact that the group is not composed of security people or
people with the faintest idea about software exploitation did not stop
them from adding to the confusion (just read various writeups about it,
including hoffmanlabs...) AND accusing us of being bullshitting liars did
it?

FYI, We found the first few EXPLOITABLE bugs literally with only a few
hours of experience with VMS so we can't really understand what this
ELITISM among VMS users is about and would think you'd appreciate help
killing off a few painfully obvious bugs (AND THERE ARE STILL LOADS OF
THEM).

BTW out of curiosity on which installations have you seen finger installed
without privs? On my VAX 7.3 install it got WORLD and SYSPRV, and I'm
pretty sure 8.3 on Alpha at least installs it with SYSPRV..

------------------------------

Date: Sun, 17 Aug 2008 06:22:14 -0700 (PDT)
From: bugs@signedness.org
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <7ca2dc6e-91e2-4a4c-97f2-202cae307cf9@k7g2000hsd.googlegroups.com>

On Aug 17, 2:57 pm, VAXman- @SendSpamHere.ORG wrote:
> Is the 1337 haxOrz offended?

We get offended by people telling us to fuck off, yes. Especially when we
secure their systems FOR FREE.

> I never called you a liar. The "fuck off" was in response to your
> initiated insult.

It was not an insult, it was a recommendation for you to read up on the
topic. Even though you are "Mr VMS Kernel H4%0r" you still lack quite a
bit of knowledge in the area of writing exploits. ;)

> Once I was able to actually get the 511 character stack dump to occur,
> I had your "exploit" worked out. And, I don't see why you couldn't use
> SHOW PROC/PRIV... I did.

We never said that it was not possible, we just did not solve it that way.
We just owned the system in a way that worked for a PoC. After all, we are
not VMS people and far from 31337 VMS Kernel H4%0rz.

> I am also aware of where, in the VMS source, this problem occurs now.

Cool.
Would be nice with a "thank you" since we obviously secured your system
(FOR FREE).

------------------------------

Date: Sun, 17 Aug 2008 06:28:57 -0700 (PDT)
From: sampsal@gmail.com
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <9242f78b-9a87-44f3-a8ea-80ecebed5a36@25g2000hsx.googlegroups.com>

On Aug 17, 1:58 pm, davi...@alpha2.mdx.ac.uk wrote:
> Those who knew anything about security were simply asking for more details
> since the description given by Sampsa, who was at that time the only person with
> access to the slides from the security conference, was extremely vague.

In my defense, I'd just like to say that my intention was never to mislead
anyone, merely relay the information that I'd seen in the slides. I did
not know what the copyright/distribution issues (if any) were with the
slides, so I didn't feel able to post them anywhere public as they weren't
mine to post.

I was just trying to let the guys here on comp.os.vms know (from a very
high level summary) what was shown at DEFCON. Sorry for any trouble
caused.

Sampsa

------------------------------

Date: Sun, 17 Aug 2008 07:03:44 -0700 (PDT)
From: bugs@signedness.org
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <12d071a1-fbf6-4fc0-ba5b-3ac790b8576b@c65g2000hsa.googlegroups.com>

On Aug 17, 1:57 pm, VAXman- @SendSpamHere.ORG wrote:
> In article , b...@signedness.org writes:
>
> >On Aug 17, 11:43 am, JF Mezei wrote:
> >> b...@signedness.org wrote:
> >> > Well, we are not the ones telling others to "fuck off", are we?
> >> > So who is the ass around here?
> >
> >> I don't recall anyone telling you to fuck off.
> >
> >Perhaps you have not read the whole thread:
> >
> >On Aug 15, 9:24 pm, VAXman- @SendSpamHere.ORG wrote:
> >[...]
> >> Yeah, I know nothing about VMS. Please, oh great one, teach me your
> >> weirding way.
> >
> >> Fuck off!
> >[...]
> >
> >Does that refresh your memory?
> >Seems kind of hostile if you ask me.
> >We expect an apology for this.
>
> Is the 1337 haxOrz offended?
>
> >> You came to a VMS
> >> newsgroup, announced some vulnerability that you could not explain in
> >> VMS terms.
> >No, we came to a VMS group that already discussed the vulnerabilities
> >that we found and claimed that they were lies and a hoax.
> >So we provided you with videos of working PoC exploits to clarify that
> >this for sure was a real thing. Unfortunately that did not help.
> >
> >We are sorry that we assumed that you guys
> >knew what shellcode was, it is a commonly used description in SECURITY
> >which obviously is not an area that you are interested in.
> >It is laughable that there are still people working with security
> >in IT who do not know what shellcode is.
> >That implies that someone has buried his head in
> >the sand for the past 15 years.
> >
> >> It is like you talking Chinese to an American. You insisted
> >> in using terms like "shellcode" even after people told you they didn't
> >> understand what that meant.
> >There were attempts to try to clarify this, for example by Simon
> >Clubley:
> >
> >On Aug 15, 8:14 pm, clubley@remove_me.eisner.decus.org-Earth.UFP
> >(Simon Clubley) wrote:
> >> I think that Brian may be thinking that shellcode is a series of DCL
> >> commands instead of machine code. I think it's already been pointed
> >> out on this thread already what the definition of shellcode is in the
> >> context that you are using it, but Wikipedia has a writeup in case
> >> Brian missed the earlier message:
> >
> >> http://en.wikipedia.org/wiki/Shellcode
> >
> >But people are obviously too stubborn
> >to even attempt to understand or even try to look it up
> >(google for shellcode +security would have been enough for anyone).
> >[...]
>
> We get unix folks here all the time referring to DCL "shells" and writing
> shell code or scripts. One of the initial reports was that typing in 511
> characters followed by UP arrows at the DCL prompt caused a stack dump.
>
> >> If you had said:
> >
> >> if you enter 511 bytes, add a couple of escape sequences (like 3
> >> uparrows) followed by 4 bytes, then the application will branch to the
> >> address indicated by those 4 bytes, this would have been understood very
> >> quickly by everyone, even if they couldn't reproduce it.
> >LOL
> >That is exactly what we did, except that we used "address to jump to"
> >and "return address" instead of "followed by four bytes". I'm not even
> >going to quote that post.
> >
> >But that was obviously not clear enough, since we are not VMS-people,
> >and therefore can not be fully trusted:
> >
> >On Aug 15, 9:24 pm, VAXman- @SendSpamHere.ORG wrote:
> >[...]
> >> Send me your so called "shellcode" and FILE.EXE then along with some
> >> instructions other than typing 511 characters and 3 up-arrows.
> >[...]
> >
> >VAXman did not even bother to watch the videos, he continued to
> >mess with DCL even though we nicely pointed out that the bug
> >was located elsewhere. He also did not listen to us when we explained
> >why FILE.EXE is used.
>
> Yes I did... to the point of a couple of characters in []s.
> I'm not downloading software off the net because you instruct me due
> to some codec your recording software uses. If you were clearly in-
> terested in the goals of making systems more secure, you could have
> converted your video to a common format that did NOT require that I
> download some "questionable" software from the net.
>
> >With trivial we mean questions that could easily have been looked up
> >using for example google. But that of course, requires a will to learn and
> >understand new things, and that is probably not the main issue for some of
> >you here.
>
> Leading one in the wrong direction with obfuscated terminology wouldn't
> likely render a clearer understanding by Googling it.
> In your defense,
> Sampsa's description and the lack of reproducibility by others here was
> clouding the view more than clarifying.
>
> >We are NOT VMS people, and we have never claimed to be that either.
> >In fact, we know very little about the system itself, we find
> >vulnerabilities and write PoC code to prove that the vulnerabilities
> >exist.
> >
> >The reason for this is to make the digital world a little safer for
> >everybody.
>
> A laudable goal. Thanks.
>
> >Obviously that is not what everybody wants. Instead of taking a piss on
> >people trying to secure your system you should perhaps be a bit humble
> >and TRY to understand so that problems can be solved.
> >Telling people to "fuck off" and calling them liars is not the way to go
> >when they actually try to HELP you SECURE YOUR SYSTEM.
>
> I never called you a liar. The "fuck off" was in response to your
> initiated insult.
>
> The great many people here have systems and data on said systems that
> they wish to secure and protect. The first thing to do in such cases
> is to know what exploits we need to secure ourselves and our systems
> from.
>
> Once I was able to actually get the 511 character stack dump to occur,
> I had your "exploit" worked out. And, I don't see why you couldn't use
> SHOW PROC/PRIV... I did.
>
> I am also aware of where, in the VMS source, this problem occurs now.
>
> --
> VAXman- A Bored Certified VMS Kernel Mode Hacker      VAXman(at)TMESIS(dot)COM
>
> ... pejorative statements of opinion are entitled to constitutional protection
> no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)
>
> Copr. 2008 Brian Schenkenberger.
> Publication of _this_ usenet article outside
> of usenet _must_ include its contents in its entirety including this copyright
> notice, disclaimer and quotations.

Is the 1337 haxOrz offended?

1337 haxOrz?? Is that an attempt to wind us up? ;)

As previously stated on multiple occasions we found it trivial to break
OpenVMS without any prior experience of the operating system.. Maybe I'm
reading this wrong and you think that finding exploitable security bugs in
VMS is some sort of achievement, but then I recommend you go look for some
yourself and learn for yourself that it is not. If people do this and
don't blindly trust the myth of VMS being damn near unbreakable, everybody
will be better off and then maybe we have achieved something with our
exploits...

And no we are not the least bit offended, why would we be? We did what we
set out to do, got the exploits and hopefully made a point that old
"truths" (like VMS security being hard to break) should be questioned.

The "questionable" software is from vmware, they are listed on the NYSE
under the VMW symbol http://finance.google.co.uk/finance?client=ob&q=NYSE:VMW
they also happen to be the leader in the virtualization market so they are
pretty ok I think...

The obfuscated terminology? Is that the "shellcode"? I just checked and as
far as I can see if you google "shellcode" every result from the first 10
pages (I stopped after 10) uses shellcode to mean exploit payload.

What is this insult you are talking about? One of the other presenters
suggesting you get a book on software exploitation? I fail to see how
that's an insult. I certainly would not be offended if you asked me to get
a book on VMS if I was serious about discussing anything else in VMS than
the vulnerabilities we found.
As previously mentioned, the reason we wrote the shellcode we did was
because it was easier to debug and a somewhat more generic approach than
say write code to modify sysuaf, since the same code can be reused for
vulnerabilities where you don't have privs to modify sysuaf etc. Of course
we could have spawned a new instance of DCL and done a "show proc/priv"
but we didn't, the code we have now should be pretty reusable for remote
exploitation without having to write a full "bind shell shellcode" (yeah
yeah I know terminology again.. but its easy enough to google.) In the VAX
exploit we used SYS$SETUAI() and do a show proc/priv in the video btw.

We are sincerely interested in what approach you took in your shellcode,
care to share that information? Also if you have any good tricks to share
on how to determine the system services numbers at runtime from your
shellcode? That would be interesting.

------------------------------

Date: Sun, 17 Aug 2008 08:18:14 -0700 (PDT)
From: bugs@signedness.org
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <760613fd-0816-43a6-8342-d511488928d8@k37g2000hsf.googlegroups.com>

On Aug 17, 2:28 pm, samp...@gmail.com wrote:
> On Aug 17, 1:58 pm, davi...@alpha2.mdx.ac.uk wrote:
>
> > Those who knew anything about security were simply asking for more details
> > since the description given by Sampsa, who was at that time the only person with
> > access to the slides from the security conference, was extremely vague.
>
> In my defense, I'd just like to say that my intention was never to
> mislead anyone, merely relay the information that I'd seen in the
> slides. I did not know what the copyright/distribution issues (if any)
> were with the slides, so I didn't feel able to post them anywhere
> public as they weren't mine to post.
>
> I was just trying to let the guys here on comp.os.vms know (from a
> very high level summary) what was shown at DEFCON. Sorry for any
> trouble caused.
>
> Sampsa

I think I speak for all the presenters when I say we don't have a problem
with you posting the information you did. In fact I think you were one of
the first people here to "get it". Congratulations on that and thanks for
trying to explain it to others.

What annoys us are useless comments from other people such as:-

"I'm convinced bugs wouldn't recognize a VMS security flaw if it danced
naked on his head and sang "Happy Days Are Here Again""

and other thoroughly useless comments hinting at it all being fake and
bullshit and people spreading incorrect "facts" and adding to the general
confusion, for example saying only VAX is affected by the .plan attack, or
that memory can only be read with the format string bug.

PS. To the person that made the comment quoted above, care to put your
money where your mouth is? ;)

------------------------------

Date: Sun, 17 Aug 2008 08:21:21 -0700 (PDT)
From: bugs@signedness.org
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <896abe31-1281-45e8-af3c-767d465ac696@34g2000hsh.googlegroups.com>

On Aug 17, 3:28 pm, samp...@gmail.com wrote:
> On Aug 17, 1:58 pm, davi...@alpha2.mdx.ac.uk wrote:
>
> > Those who knew anything about security were simply asking for more details
> > since the description given by Sampsa, who was at that time the only person with
> > access to the slides from the security conference, was extremely vague.
>
> In my defense, I'd just like to say that my intention was never to
> mislead anyone, merely relay the information that I'd seen in the
> slides. I did not know what the copyright/distribution issues (if any)
> were with the slides, so I didn't feel able to post them anywhere
> public as they weren't mine to post.
>
> I was just trying to let the guys here on comp.os.vms know (from a
> very high level summary) what was shown at DEFCON. Sorry for any
> trouble caused.
>
> Sampsa

Thank you for trying to share the knowledge.
And btw, the slides on the CD are a bit old, we will put the latest ones
on the web when we have done the other talk.

------------------------------

Date: Sun, 17 Aug 2008 15:31:55 +0000
From: "Main, Kerry"
Subject: RE: DEFCON 16 and Hacking OpenVMS
Message-ID:

> -----Original Message-----
> From: FrankS [mailto:sapienza@noesys.com]
> Sent: August 15, 2008 8:54 PM
> To: Info-VAX@Mvb.Saic.Com
> Subject: Re: DEFCON 16 and Hacking OpenVMS
>
> On Aug 12, 9:58 am, samp...@gmail.com wrote:
> > 2. A CLI buffer overflow on Alphas. Basically any input over 511
> > characters causes an overflow, it seems to be possible to have a
> > privileged process execute arbitrary code.
>
> As an interested observer, I was able to duplicate this problem on my
> DS10L running OpenVMS v7.3-2. I am a little behind in patches on this
> machine. I tried the same thing on a system which is up-to-date and
> could not duplicate the problem.
>

I am a tad behind in trying to understand this thread, but based on what
you stated above, is it fair to say that this is a bug which is only found
on a 5 year old version of OpenVMS (V7.3-2 released 2003) system which
does not have all the latest V7.3-2 patches applied?

What am I missing here?

Thanks in advance,

Regards

Kerry Main
Senior Consultant
HP Services Canada
Voice: 613-254-8911
Fax: 613-591-4477
kerryDOTmainAThpDOTcom
(remove the DOT's and AT)

OpenVMS - the secure, multi-site OS that just works.

------------------------------

Date: Sun, 17 Aug 2008 16:43:16 +0100
From: "R.A.Omond"
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <48a84718$0$90262$14726298@news.sunsite.dk>

Main, Kerry wrote:
>
> [...snip...]
> I am a tad behind in trying to understand this thread, but based on
> what you stated above, is it fair to say that this is a bug which is
> only found on a 5 year old version of OpenVMS (V7.3-2 released 2003)
> system which does not have all the latest V7.3-2 patches applied?
>
> What am I missing here?
Kerry, I think you'd be best to stop digging ...

------------------------------

Date: Sun, 17 Aug 2008 08:59:55 -0700 (PDT)
From: bugs@signedness.org
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <583720ca-87ef-4643-8776-5f3e515f8865@m45g2000hsb.googlegroups.com>

On Aug 17, 4:31 pm, "Main, Kerry" wrote:
> > -----Original Message-----
> > From: FrankS [mailto:sapie...@noesys.com]
> > Sent: August 15, 2008 8:54 PM
> > To: Info-...@Mvb.Saic.Com
> > Subject: Re: DEFCON 16 and Hacking OpenVMS
> >
> > On Aug 12, 9:58 am, samp...@gmail.com wrote:
> > > 2. A CLI buffer overflow on Alphas. Basically any input over 511
> > > characters causes an overflow, it seems to be possible to have a
> > > privileged process execute arbitrary code.
> >
> > As an interested observer, I was able to duplicate this problem on my
> > DS10L running OpenVMS v7.3-2. I am a little behind in patches on this
> > machine. I tried the same thing on a system which is up-to-date and
> > could not duplicate the problem.
>
> I am a tad behind in trying to understand this thread, but based on
> what you stated above, is it fair to say that this is a bug which is
> only found on a 5 year old version of OpenVMS (V7.3-2 released 2003)
> system which does not have all the latest V7.3-2 patches applied?
>
> What am I missing here?
>
> Thanks in advance,
>
> Regards
>
> Kerry Main
> Senior Consultant
> HP Services Canada
> Voice: 613-254-8911
> Fax: 613-591-4477
> kerryDOTmainAThpDOTcom
> (remove the DOT's and AT)
>
> OpenVMS - the secure, multi-site OS that just works.

Well no, it works on 8.3 too. We who discovered these problems are NOT VMS
people, and had a very limited number of systems to test it on, but 8.3
and 7.3 have been confirmed, but most likely all supported versions of VMS
are affected.
IMHO, the interesting thing about all of this is not the bugs themselves, but that I think it is the first time "memory corruption" bugs have been exploited publicly on VMS. Hopefully the VMS community doesn't brush this off as a one-time thing and reevaluates VMS's reputation as virtually unhackable. I think it would be really interesting to see what bugs people who do not struggle to change directories (like we do :)) would come up with if they only accepted that VMS isn't immune and looked for vulnerabilities...

------------------------------

Date: Sun, 17 Aug 2008 09:06:55 -0700 (PDT)
From: FrankS
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <3816474c-f6a7-440c-893e-76a29ded60a6@y21g2000hsf.googlegroups.com>

On Aug 17, 11:31 am, "Main, Kerry" wrote:
> I am a tad behind in trying to understand this thread, but based on
> what you stated above, is it fair to say that this is a bug which is
> only found on a 5 year old version of OpenVMS (V7.3-2 released 2003)
> system which does not have all the latest V7.3-2 patches applied?
>
> What am I missing here?

You're missing a lot.

It is a vulnerability in v8.x as well, as someone else (David Webb?) has posted in the mix of messages here.

It also occurs in OpenVMS Alpha v7.3-2 *with* all current patches applied.

And, in case you're heading down an argument that systems need to be kept at current version levels: You, me, and everyone else knows that not all OpenVMS sites can or will (for various reasons) bring their installations current.

IMHO, it should definitely be addressed by OpenVMS engineering. Sooner rather than later.
------------------------------

Date: Sun, 17 Aug 2008 16:28:05 +0000 (UTC)
From: david20@alpha2.mdx.ac.uk
Subject: RE: DEFCON 16 and Hacking OpenVMS
Message-ID:

In article , "Main, Kerry" writes:
>> -----Original Message-----
>> From: FrankS [mailto:sapienza@noesys.com]
>> Sent: August 15, 2008 8:54 PM
>> To: Info-VAX@Mvb.Saic.Com
>> Subject: Re: DEFCON 16 and Hacking OpenVMS
>>
>> On Aug 12, 9:58 am, samp...@gmail.com wrote:
>> > 2. A CLI buffer overflow on Alphas. Basically any input over 511
>> > characters causes an overflow, it seems to be possible to have a
>> > privileged process execute arbitrary code.
>>
>> As an interested observer, I was able to duplicate this problem on my
>> DS10L running OpenVMS v7.3-2. I am a little behind in patches on this
>> machine. I tried the same thing on a system which is up-to-date and
>> could not duplicate the problem.
>>
>
>I am a tad behind in trying to understand this thread, but based on
>what you stated above, is it fair to say that this is a bug which is
>only found on a 5 year old version of OpenVMS (V7.3-2 released 2003)
>system which does not have all the latest V7.3-2 patches applied?
>
>What am I missing here?
>

No the access violation has been replicated on Alpha VMS 8.3 systems.

You need to be running an image which has its own embedded command-line interface such as INSTALL.

Before running INSTALL set your terminal to device type unknown, i.e.

SET TERM/UNKNOWN

Run INSTALL from a non-privileged account

INSTALL> paste in 511 characters

INSTALL>123456789012345678901234567890.....123456789012345678901

then without hitting return press the up-arrow key 3 times and then type @@@@ then wait a few seconds

you should then see an access violation

%SYSTEM-F-ACCVIO, access violation, reason mask=00, virtual address=0000000040404040, PC=0000000040404040, PS=0000001B
Improperly handled condition, image exit forced.
Signal arguments: Number = 0000000000000005
Name = 000000000000000C
0000000000010000
0000000040404040
0000000040404040
000000000000001B
Register dump:
R0 = 0000000000000001
R1 = 0000000000001000
R2 = 0000000000010840

Where the 40404040 address corresponds to the @@@@ characters entered.
If instead of @@@@ you put in AAAA you will see the address change to

%SYSTEM-F-ACCVIO, access violation, reason mask=00, virtual address=0000000041414140, PC=0000000041414140, PS=0000001B
Improperly handled condition, image exit forced.
Signal arguments: Number = 0000000000000005
Name = 000000000000000C
0000000000010000
0000000041414140
0000000041414140
000000000000001B

hence using this bug you can control which address is branched to and hence if you set things up correctly could get your own code to execute.

Since Install is by default w:re but is installed with privileges

DISK$ALPHASYS:.EXE
INSTALL;1 Open Prv
Entry access count = 487
Current / Maximum shared = 2 / 2
Privileges = CMKRNL PRMGBL SYSGBL SHMEM AUDIT
Authorized = CMKRNL PRMGBL SYSGBL SHMEM AUDIT

this is a nasty security hole.

For Install a limited work-around would probably be to remove the w:re access since I can't see why any non-privileged user needs to access install. For other images with the same problem it may not be so simple.

David Webb
Security team leader
CCSS
Middlesex University

>Thanks in advance,
>
>Regards
>
>Kerry Main
>Senior Consultant
>HP Services Canada
>Voice: 613-254-8911
>Fax: 613-591-4477
>kerryDOTmainAThpDOTcom
>(remove the DOT's and AT)
>
>OpenVMS - the secure, multi-site OS that just works.
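The two ACCVIO reports quoted above carry the telltale of a hijacked branch: the faulting PC equals the faulting virtual address and its bytes are the ASCII of what was typed (40404040 for @@@@, 41414140 for AAAA). The following is an added example, not code from the thread, from HP or from OpenVMS: a small triage script that parses ACCVIO text in that layout, decodes the PC as ASCII, and cross-checks an INSTALL listing so a crash in an image installed with privileges (as INSTALL is, per the listing above) is rated accordingly. All sample inputs are constructed here from the quoted messages; the device and directory in the INSTALL sample are placeholders.

```python
"""Triage OpenVMS %SYSTEM-F-ACCVIO reports for an input-derived PC.

Added example for this thread, not HP's or any poster's code. Sample inputs
are constructed from the messages quoted in the thread.
"""
import re
from dataclasses import dataclass

# Constructed samples: the two ACCVIO lines quoted in the thread (@@@@ and
# AAAA input) plus an ordinary ACCVIO for contrast (its values are made up).
SAMPLE_ACCVIO_AT = (
    "%SYSTEM-F-ACCVIO, access violation, reason mask=00, "
    "virtual address=0000000040404040, PC=0000000040404040, PS=0000001B"
)
SAMPLE_ACCVIO_A = (
    "%SYSTEM-F-ACCVIO, access violation, reason mask=00, "
    "virtual address=0000000041414140, PC=0000000041414140, PS=0000001B"
)
SAMPLE_ACCVIO_ORDINARY = (
    "%SYSTEM-F-ACCVIO, access violation, reason mask=00, "
    "virtual address=0000000000000000, PC=FFFFFFFF80012340, PS=0000001B"
)

# Constructed sample in the shape of the INSTALL output quoted in the thread.
# DISK$EXAMPLE:<SYSEXE> is a placeholder, not a real system path.
SAMPLE_INSTALL_LISTING = """\
DISK$EXAMPLE:<SYSEXE>.EXE
   INSTALL;1 Open Prv
        Entry access count         = 487
        Current / Maximum shared   = 2 / 2
        Privileges = CMKRNL PRMGBL SYSGBL SHMEM AUDIT
        Authorized = CMKRNL PRMGBL SYSGBL SHMEM AUDIT
   NOTPRIV;1 Open Hdr Shar
        Entry access count         = 12
"""

ACCVIO_RE = re.compile(
    r"%SYSTEM-F-ACCVIO,.*?virtual address=(?P<va>[0-9A-Fa-f]{16}),"
    r"\s*PC=(?P<pc>[0-9A-Fa-f]{16}),\s*PS=(?P<ps>[0-9A-Fa-f]+)"
)


@dataclass
class AccvioReport:
    virtual_address: int
    pc: int
    ps: int


def parse_accvio(text):
    """Extract virtual address, PC and PS from an ACCVIO message, or None."""
    m = ACCVIO_RE.search(text)
    if m is None:
        return None
    return AccvioReport(int(m["va"], 16), int(m["pc"], 16), int(m["ps"], 16))


def pc_as_ascii(pc):
    """Render the low 32 bits of a PC as four characters in the order the
    hex dump prints them; non-printable bytes become '.'."""
    raw = (pc & 0xFFFFFFFF).to_bytes(4, "big")
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)


def looks_input_derived(report):
    """Heuristic for a hijacked branch: the fault is the instruction fetch
    itself (PC equals the faulting address) and every byte of the target is
    printable ASCII, which a genuine code address rarely is. Alpha
    instructions are 4-byte aligned, so the low two bits are cleared; that
    is why the thread's AAAA case ends in ...40, not ...41."""
    if report.pc != report.virtual_address:
        return False
    raw = (report.pc & 0xFFFFFFFF).to_bytes(4, "big")
    return all(0x20 <= b < 0x7F for b in raw)


def parse_install_listing(text):
    """Map each installed image name to the privileges INSTALL reports for
    it (an empty list when the image carries none)."""
    privileges, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        entry = re.match(r"^([A-Z0-9_$]+);\d+(\s|$)", stripped)
        if entry:
            current = entry.group(1)
            privileges.setdefault(current, [])
        elif stripped.startswith("Privileges =") and current:
            privileges[current] = stripped.split("=", 1)[1].split()
    return privileges


def triage(image, accvio_text, install_listing):
    """'critical': input-derived PC in an image installed with privileges;
    'high': input-derived PC only; 'normal': ordinary ACCVIO; 'unparsed'."""
    report = parse_accvio(accvio_text)
    if report is None:
        return {"image": image, "severity": "unparsed"}
    privs = parse_install_listing(install_listing).get(image, [])
    controlled = looks_input_derived(report)
    severity = "critical" if controlled and privs else "high" if controlled else "normal"
    return {"image": image, "severity": severity, "controlled_pc": controlled,
            "pc_ascii": pc_as_ascii(report.pc), "privileges": privs}


if __name__ == "__main__":
    for label, text in (("@@@@", SAMPLE_ACCVIO_AT), ("AAAA", SAMPLE_ACCVIO_A),
                        ("ordinary", SAMPLE_ACCVIO_ORDINARY)):
        print(label, triage("INSTALL", text, SAMPLE_INSTALL_LISTING))
```

The heuristic is deliberately narrow (PC equal to the faulting address, all bytes printable); it is meant to flag reports that deserve a look, not to prove exploitability, and the privilege cross-check is what turns a crash report into the "nasty security hole" David Webb describes.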
------------------------------

Date: Sun, 17 Aug 2008 16:53:19 +0000
From: "Main, Kerry"
Subject: RE: DEFCON 16 and Hacking OpenVMS
Message-ID:

> -----Original Message-----
> From: FrankS [mailto:sapienza@noesys.com]
> Sent: August 17, 2008 12:07 PM
> To: Info-VAX@Mvb.Saic.Com
> Subject: Re: DEFCON 16 and Hacking OpenVMS
>
> On Aug 17, 11:31 am, "Main, Kerry" wrote:
> > I am a tad behind in trying to understand this thread, but based on
> > what you stated above, is it fair to say that this is a bug which is
> > only found on a 5 year old version of OpenVMS (V7.3-2 released 2003)
> > system which does not have all the latest V7.3-2 patches applied?
> >
> > What am I missing here?
>
> You're missing a lot.
>
> It is a vulnerability in v8.x as well, as someone else (David Webb?)
> has posted in the mix of messages here.
>
> It also occurs in OpenVMS Alpha v7.3-2 *with* all current patches
> applied.
>
> And, in case you're heading down an argument that systems need to be
> kept at current version levels: You, me, and everyone else knows that
> not all OpenVMS sites can or will (for various reasons) bring their
> installations current.
>
> IMHO, it should definitely be addressed by OpenVMS engineering.
> Sooner rather than later.

I am not trying to pass judgement one way or another. And most in this newsgroup would never state that OpenVMS is technically unhackable and/or not susceptible to security issues. Simply that it is much more difficult than most of the other OS's. There is no OS on the planet that can say it is totally immune to security concerns.

Based on your earlier reply, you stated you could reproduce it with a V7.3-2 system that was behind in patches, but not on a V7.3-2 system that was current. That was what my reply was asking about.

> As an interested observer, I was able to duplicate this problem on my
> DS10L running OpenVMS v7.3-2. I am a little behind in patches on this
> machine. I tried the same thing on a system which is up-to-date and
> could not duplicate the problem.

And as far as OpenVMS versions being current, of course there are always App/financial/technical restrictions as to not always being at current versions - again, that is common to all OS platforms.

Again, I am not passing judgement one way or another. Just trying to understand what the issues are and will try the methods suggested on my home systems.

Regards

Kerry Main
Senior Consultant
HP Services Canada
Voice: 613-254-8911
Fax: 613-591-4477
kerryDOTmainAThpDOTcom
(remove the DOT's and AT)

OpenVMS - the secure, multi-site OS that just works.

------------------------------

Date: Mon, 18 Aug 2008 03:10:40 +0930
From: Mark Daniel
Subject: Re: DEFCON 16 and Hacking OpenVMS
Message-ID: <00b85e2f$0$770$c3e8da3@news.astraweb.com>

Main, Kerry wrote:
>>-----Original Message-----
>>From: FrankS [mailto:sapienza@noesys.com]
>>Sent: August 15, 2008 8:54 PM
>>To: Info-VAX@Mvb.Saic.Com
>>Subject: Re: DEFCON 16 and Hacking OpenVMS
>>
>>On Aug 12, 9:58 am, samp...@gmail.com wrote:
>>
>>>2. A CLI buffer overflow on Alphas. Basically any input over 511
>>>characters causes an overflow, it seems to be possible to have a
>>>privileged process execute arbitrary code.
>>
>>As an interested observer, I was able to duplicate this problem on my
>>DS10L running OpenVMS v7.3-2. I am a little behind in patches on this
>>machine. I tried the same thing on a system which is up-to-date and
>>could not duplicate the problem.
>>
>
> I am a tad behind in trying to understand this thread, but based on
> what you stated above, is it fair to say that this is a bug which is
> only found on a 5 year old version of OpenVMS (V7.3-2 released 2003)
> system which does not have all the latest V7.3-2 patches applied?

Interestingly, it reproduces readily on an up-to-date Alpha but NOT on an up-to-date Itanium: HP rx2600 (900MHz/1.5MB), OpenVMS I64 V8.3-1H1.
(Update history pasted as quotation to help circumvent wrapping.)

> ------------------------------------ ----------- ----------- --- -----------
> PRODUCT                              KIT TYPE    OPERATION   VAL DATE
> ------------------------------------ ----------- ----------- --- -----------
> HP I64VMS VMS831H1I_ACC V1.0         Patch       Install     Val 13-AUG-2008
> HP I64VMS VMS831H1I_ACRTL V2.0       Patch       Install     Val 13-AUG-2008
> HP I64VMS VMS831H1I_COPY V1.0        Patch       Install     Val 13-AUG-2008
> HP I64VMS VMS831H1I_EFI V1.0         Patch       Install     Val 13-AUG-2008
> HP I64VMS VMS831H1I_FIBRE_SCSI V2.0  Patch       Install     Val 13-AUG-2008
> HP I64VMS VMS831H1I_ICAP V1.0        Patch       Install     Val 13-AUG-2008
> HP I64VMS VMS831H1I_MANAGE V2.0      Patch       Install     Val 13-AUG-2008
> HP I64VMS VMS831H1I_RMS V2.0         Patch       Install     Val 13-AUG-2008
> HP I64VMS VMS831H1I_SYS V2.0         Patch       Install     Val 13-AUG-2008
> HP I64VMS VMS831H1I_AMACRO2K V1.0    Patch       Install     Val 13-AUG-2008
> HP I64VMS VMS831H1I_PCSI V1.0        Patch       Install     Val 13-AUG-2008
> HP I64VMS VMS831H1I_UPDATE V1.0      Patch       Install     Val 13-AUG-2008
> HP I64VMS AVAIL_MAN_BASE V8.3-1H1    Full LP     Install     (U) 13-AUG-2008
> HP I64VMS CDSA V2.3-306              Full LP     Install     Val 13-AUG-2008
> HP I64VMS DECNET_PLUS V8.3-1H1       Full LP     Install     Val 13-AUG-2008
> HP I64VMS DWMOTIF_SUPPORT V8.3-1H1   Full LP     Install     (U) 13-AUG-2008
> HP I64VMS KERBEROS V3.1-152          Full LP     Install     Val 13-AUG-2008
> HP I64VMS OPENVMS V8.3-1H1           Platform    Install     Sys 13-AUG-2008
> HP I64VMS TDC_RT V2.3-1              Full LP     Install     Val 13-AUG-2008
> HP I64VMS VMS V8.3-1H1               Oper System Install     Sys 13-AUG-2008
> HP I64VMS WBEMCIM V2.61-A070728      Full LP     Install     Val 13-AUG-2008
> HP I64VMS WBEMPROVIDERS V1.5-31      Full LP     Install     Val 13-AUG-2008
...
$ set term/dev=unknown
$ install
INSTALL> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
DDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
EEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG
%CLI-W-IVVERB, unrecognized command verb - check validity and spelling
\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCD
DDDDDDDDDDDDDDD
INSTALL> *EXIT*

Note that the IVVERB occurs without further input, after a slight pause, after the three up-arrows and four at symbols (i.e. behaviour seems similar, just a different outcome).

> What am I missing here?
>
> Thanks in advance,
>
> Regards
>
> Kerry Main
> Senior Consultant
> HP Services Canada
> Voice: 613-254-8911
> Fax: 613-591-4477
> kerryDOTmainAThpDOTcom
> (remove the DOT's and AT)
>
> OpenVMS - the secure, multi-site OS that just works.

Might be time to massage the signature before someone makes a contrary suggestion ;-)

--
All that you touch
All that you see
All that you taste
All you feel.
All that you love
All that you hate
All you distrust
All you save.
All that you give
All that you deal
All that you buy,
beg, borrow or steal.
All you create
All you destroy
All that you do
All that you say.
All that you eat
And everyone you meet
All that you slight
And everyone you fight.
All that is now
All that is gone
All that's to come
and everything under the sun is in tune
but the sun is eclipsed by the moon.
[Waters; The Dark Side of the Moon]

------------------------------

Date: Sun, 17 Aug 2008 10:43:48 -0700 (PDT)
From: Mike R
Subject: Re: DSPP & OpenVMS
Message-ID: <8c86f242-5220-44f1-8bdb-f548b20b3e3a@k30g2000hse.googlegroups.com>

On Aug 16, 4:17 pm, "William Webb" wrote:
> On Fri, Aug 15, 2008 at 9:39 PM, Richard B. Gilbert
> wrote:
>
> > William Webb wrote:
> >
> >> On Fri, Aug 15, 2008 at 10:12 AM, Richard B. Gilbert <
> >> rgilber...@comcast.net > wrote:
> >>
> >>     Mike R wrote:
> >>
> >>         On Aug 15, 3:44 pm, clubley@remove_me.eisner.decus.org-Earth.UFP
> >>         (Simon Clubley) wrote:
> >>
> >>             In article <00A7E234.2282A...@SendSpamHere.ORG>, VAXman-
> >>             @SendSpamHere.ORG writes:
> >>
> >>             Technical presales were excellent, but even though the sales
> >>             people within
> >>             HP have had the hard work done from them by the presales
> >>             team, they still
> >>             can't be bothered to put together a quote for me, even
> >>             though it's been
> >>             promised several times now. :-(
> >>
> >>         As a longtime DEC (ex-)customer, and with some experience within
> >>         Dec/
> >>         Compaq/HP allow me to recommend:
> >>
> >>         1. Find the non-responsive person's manager
> >>         2. Contact same
> >>         3. If results are unsatisfactory, goto 1. Give up only after 3-4
> >>         iterations.
> >>
> >>     Remember when you could just ask to speak with the "Manager on Duty"??
> >>     Those were the "good old days"!
> >>
> >> You still can, if you have the right level of support.
> >
> > The last time I tried, the person I was talking to hadn't a clue what I was
> > talking about. H-P person rather than DEC/Compaq person. I eventually got
> > through to someone who knew what I was talking about and was able to kick
> > the right butts to get my problem solved.
>
> Another of the magic words is "escalate". Even if the person you're
> speaking with has no familiarity with the MOD concept, if you keep repeating
> "escalate", eventually you'll get where you need to be.
>
> WWwebb

Note: In HP terminology the meanings of "escalate" and "elevate" are the reverse of what they used to be in DEC. So if "escalate" does not work for you, try "elevate".

HP Glossary:
escalate - move to a higher managerial level - great if you've got LOTS of time
elevate - move to a more qualified technical level

Mike
http://alpha.mike-r.com

------------------------------

Date: Sun, 17 Aug 2008 15:33:04 +0200
From: "P. Sture"
Subject: Re: OpenVMS in the media - National Grid Control Centre, Britain from
Message-ID:

In article <48A3639B.20207@comcast.net>, bradhamilton wrote:

> You can still use your DECUS membership number to register hobbyist
> licenses - the folks at the hobbyist site still honor "old" DECus
> numbers. If you need to know what your DECUS number is, log on to
> EISNER:: - show process/all will show you your account number, which is
> your DECUS number.

I didn't realise that was there. Thanks for the tip.

--
Paul Sture

------------------------------

Date: Sun, 17 Aug 2008 05:12:24 -0500
From: David J Dachtera
Subject: Re: OT: Central Repository - File Distribution Question (AIX)
Message-ID: <48A7F988.3B16C026@spam.comcast.net>

Michael Austin wrote:
>
> David J Dachtera wrote:
> > Apologies for the OT post. I know some of my fellow VMSers also deal
> > with AIX.
> >
> > What are other AIX sites using to keep scripts, cron jobs, printer
> > definitions, etc. in-sync across multiple LPARs? We have 10 LPARs right
> > now, not counting a NIM server which has yet to be built.
> >
> > When I've asked in other fora, about the only response I got involved
> > RSYNC.
> > We don't want to deal with NFS on that scale, so I'm looking for
> > something that uses RSH, SSH, RCP, SCP or ??? instead (preferably some SSL
> > implementation).
> >
> > The Central Repository could be on Windows or UN*X - doesn't matter to
> > us.
> >
> > Anyone have any ideas?
> >
> > D.J.D.
>
> create a user that exists on all hosts, set up rsa/dsa keys (in the
> $HOME/.ssh directory) copy all of the public keys to a file called
> $HOME/.ssh/authorized_keys (specified in the sshd config file)
>
> then
>
> scp $file $host:$PATH
>
> Secure and does not require passwords if you have set everything up
> properly.

Well, that would be at the heart of it. I'd still need the automation around it to approximate the functionality we have with SET ENVIRONMENT in SYSMAN.

D.J.D.

------------------------------

End of INFO-VAX 2008.449
************************
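The key-based scp approach in Michael Austin's reply above, with the automation David Dachtera says he would still need around it, as an added example; this is not the poster's script and nothing in the thread specifies it. It assumes OpenSSH on every host and a dedicated push account; the user name, host names, file paths and the sha256sum command are placeholders or assumptions (on AIX, csum -h SHA256 would be the equivalent digest command). The authorized_keys options it emits are standard OpenSSH ones that limit what the distribution key can do if it leaks.

```python
"""Key-based scp distribution from a central repository to several hosts.

Added example for this thread; not the poster's code. Assumes OpenSSH on every
host and a dedicated push account. Names and paths are placeholders.
"""
import hashlib
import shlex
import subprocess

PUSH_USER = "distrib"                          # placeholder account on all hosts
HOSTS = ["lpar01.example", "lpar02.example"]   # placeholder LPAR names
# BatchMode stops ssh/scp from ever prompting (a cron job would otherwise hang
# on a missing key); StrictHostKeyChecking=yes refuses unknown/changed host keys.
SSH_OPTS = ["-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=yes"]
# Assumption: a GNU-style sha256sum exists on the target (AIX: csum -h SHA256).
REMOTE_DIGEST_CMD = "sha256sum"


def authorized_keys_line(pubkey, repository_host):
    """Build the authorized_keys entry for the push key on a target host:
    accept it only from the repository host and deny pty, port, agent and
    X11 forwarding, so a stolen key allows file copy and nothing more."""
    options = ",".join([
        f'from="{repository_host}"',
        "no-pty",
        "no-port-forwarding",
        "no-agent-forwarding",
        "no-X11-forwarding",
    ])
    return f"{options} {pubkey.strip()}"


def sha256_hex(data):
    """Digest computed at the repository before the push."""
    return hashlib.sha256(data).hexdigest()


def distribution_commands(local_path, remote_path, digest, hosts=HOSTS, user=PUSH_USER):
    """Return argv lists that push one file to every host and verify it.
    After each scp an ssh command recomputes the remote digest and exits
    non-zero unless it matches the digest computed at the repository."""
    commands = []
    for host in hosts:
        target = f"{user}@{host}"
        commands.append(["scp", *SSH_OPTS, local_path, f"{target}:{remote_path}"])
        verify = (f"{REMOTE_DIGEST_CMD} {shlex.quote(remote_path)} "
                  f"| grep -q {shlex.quote(digest)}")
        commands.append(["ssh", *SSH_OPTS, target, verify])
    return commands


def run(commands, dry_run=True):
    """Execute the commands in order, stopping at the first failure, or in
    dry-run mode just return them rendered as shell lines for review."""
    rendered = [" ".join(shlex.quote(arg) for arg in cmd) for cmd in commands]
    if not dry_run:
        for cmd in commands:
            subprocess.run(cmd, check=True)
    return rendered


if __name__ == "__main__":
    # Constructed sample payload: a script that must be identical on every LPAR.
    sample = b"#!/bin/sh\n/usr/local/bin/nightly_backup\n"
    cmds = distribution_commands("/repo/bin/nightly.sh", "/usr/local/bin/nightly.sh",
                                 sha256_hex(sample))
    for line in run(cmds, dry_run=True):
        print(line)
```

The verify step is what makes the loop safe to run unattended: a copy that fails or is truncated stops the run instead of leaving one LPAR silently different from the rest, which is the drift the original question is about.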