From: system@SendSpamHere.ORG
Sent: Friday, July 06, 2001 9:34 AM
To: Info-VAX@Mvb.Saic.Com
Subject: Re: exploitable buffer overflows in VMS possible?

In article , koehler@encompasserve.org (Bob Koehler) writes:

>In article <9i1dum$m8l$1@venus.telepac.pt>, "Robert A.M. van Lopik" writes:
>>
>> My question is: would this also be possible on Alpha/VMS?
>
>There is no reason it cannot be done.

Correct. However, it is not easy. Due to the addressing scheme of Alpha code (base register), a linkage pointer to the data to be used in the exploit, in addition to the "new" return address, needs to be implemented. I have done this sort of thing for system intercepts by implementing a program counter relative linkage section. Anybody with a fair understanding of the OpenVMS calling standard and Alpha assembler language could implement this if a buffer overflow were discovered. What might make it difficult is that Alpha code/data can be extensive and there may not be space enough to house such an exploit on the stack. Remember, it would have to be placed on the stack above the current SP. Privileged pages and guard pages above the stack may prohibit its usefulness. Writing in actual program space may be possible but may be thwarted too by the location of any shareable images activated in the program being exploited. Remember, the shareable address space typically isn't writeable even by the most privileged of modes. If the running program isn't privileged, the exploit is not privileged to modify the page protections.

... and now, back to the discussions of the stupidity of Compaq's Alpha assassination.

--
VAXman- OpenVMS APE certification number: AAA-0001 VAXman(at)TMESIS(dot)COM

"And of course, I'm a genius, so people are naturally drawn to my fiery intellect. Their admiration overwhelms their envy!" -- Calvin & Hobbes