Re: DEFCON 16 and Hacking OpenVMS
- From: Bob Gezelter <gezelter@xxxxxxxxx>
- Date: Thu, 14 Aug 2008 07:48:38 -0700 (PDT)
On Aug 14, 10:18 am, davi...@xxxxxxxxxxxxxxxx wrote:
In article <d64369e8-572c-47ba-ab61-0769b3def...@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, Bob Gezelter <gezel...@xxxxxxxxx> writes:
On Aug 14, 3:37 am, davi...@xxxxxxxxxxxxxxxx wrote:
In article <00A7E113.29A29...@xxxxxxxxxxxxxxxx>, VAXman- @SendSpamHere.ORG writes:
In article <995d1554-09f0-489d-904b-150a9ed48...@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, jferraro <jferr...@xxxxxxxxx> writes:
On Aug 13, 9:17 am, Mark Daniel <mark.dan...@xxxxxxxxxx> wrote:
samp...@xxxxxxxxx wrote:
Default 8.3 install on an Alpha according to the presentation notes.
To reproduce this, apparently one is to enter exactly 511 characters
of input, then press the up arrow three times and wait - a core dump
follows.
I know you didn't make the claim but you should first test it out before
brandishing bullshit here.
I've tried to reproduce the claimed results from your posted instruction
and it does NOT produce a "core dump".
Hey don't shoot the messenger, people were interested in what was in
the presentation, I just relayed that information WITH THE CAVEAT THAT
I DIDN'T TEST IT. They had screenshots of the flaw and source code for
an exploit, based on that I assumed it's genuine even if we haven't
been able to reproduce it.
I too cannot reproduce it but this evening have only an ECOed V8.3 Alpha
on which to try. It too failed to fail in any way. Curiously, I just
happened to build an off-the-CD V8.3 Alpha only this morning in my
workplace (just a pastime unfortunately) and intended to try it there
and report tomorrow. Of course it could even be Alpha chip type
-specific (fail on an EV56 but not an EV67, etc.) making it more obscure
but nonetheless real even if less than adequately documented. The
exploit might be more telling. Thanks for your ongoing reports.
I'm not trying to scaremonger or stir up shit, in fact I stated in my
original post that neither of these exploits seemed particularly earth
shattering.
Sampsa
--
Every year is getting shorter never seem to find the time.
Plans that either come to naught or half a page of scribbled lines
Hanging on in quiet desperation is the English way
The time is gone, the song is over,
Thought I'd something more to say.
[Mason, Waters, Wright, Gilmour; The Dark Side of the Moon]
$ sh sys
VMS/VAX V7.3-2 on node WOPR 13-AUG-2008 19:00:07.39 Uptime 372 19:22:37
<truncate..>
$ define test$logical aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-
_$ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-
_$ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-
_$ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-
_$ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-
_$ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-
_$ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-
_$ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-
_$ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-
_$ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-
_$ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-
_$ aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
%DCL-W-TKNOVF, command element is too long - shorten
That's not a "core dump" or any exploitable issue. That's merely an error
message stating you have exceeded the acceptable command length.
Plus you seem to be trying this out on a VAX 7.3x system when the reported
problem is with Alpha VMS 8.3
"
Default 8.3 install on an Alpha according to the presentation notes.
To reproduce this, apparently one is to enter exactly 511 characters
of input, then press the up arrow three times and wait - a core dump
follows.
"
I believe the other problem which was reported which was with Finger
was supposed to occur with VAX systems.
David Webb
Security team leader
CCSS
Middlesex University
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM
.... pejorative statements of opinion are entitled to constitutional protection
no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)
Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside
of usenet _must_ include its contents in its entirety including this copyright
notice, disclaimer and quotations.
David,
A "core dump"? I hate to be a bit of a pedant, but do you mean "end of
user's process and logout" or "system crash"?
Frankly, a "bug" that causes a user to terminate his own process
(which can be done in any number of intended ways) is not a true
security vulnerability. A security vulnerability needs to affect
other users or the system as a whole.
"Suicide" is far different from "murder".
Bob,
you're asking the wrong person. I and a number of others are just responding to
Sampsa's report of VMS vulnerabilities in the Defcon 16 slides.
The initial report from Sampsa said about this bug
"
2. A CLI buffer overflow on Alphas. Basically any input over
511 characters causes an overflow, it seems to be possible to
have a privileged process execute arbitrary code.
"
David Webb
Security team leader
CCSS
Middlesex University
- Bob Gezelter, http://www.rlgsc.com
David,
My apologies, I apparently clicked on the incorrect entry. I meant the
question for Tim Sneddon.
- Bob Gezelter, http://www.rlgsc.com
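To put the %DCL-W-TKNOVF output quoted above next to the "over 511 characters" claim, here is an added C example written for this page (it is not OpenVMS or DCL source, and not code from any poster): a small command reader that joins DCL-style continuation lines and checks each element's length against a 511-character limit before copying it into a fixed buffer. The limit, the whitespace-split rule, the error names and the reconstructed 12-line DEFINE are all assumptions drawn from the thread's output. The point it demonstrates is that a length check before the copy is what turns a would-be overflow into an error message, and that the boundary (511 accepted, 512 rejected) is where such a check is most often wrong.

```c
/* Added illustration (not OpenVMS/DCL source): a bounds-checked command
 * reader modelled on the %DCL-W-TKNOVF behaviour shown in the thread.
 * Assumptions: a 511-character per-element limit, whitespace-separated
 * elements, and '-' at end of line meaning "continue on the next line". */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ELEMENT  511   /* assumed limit, matching the 511 figure in the thread */
#define MAX_ELEMENTS 16
#define LINE_BUF     4096

enum parse_status { PARSE_OK = 0, PARSE_TKNOVF = 1, PARSE_TOOMANY = 2 };

struct command {
    int  nelem;
    char elem[MAX_ELEMENTS][MAX_ELEMENT + 1];   /* +1 for the terminator */
};

/* Join continuation lines into one command string without ever writing
 * past out[outsz-1]. Returns the joined length. */
size_t join_continuations(const char *const *lines, int nlines,
                          char *out, size_t outsz)
{
    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < nlines; i++) {
        size_t n = strlen(lines[i]);
        int cont = (n > 0 && lines[i][n - 1] == '-');
        if (cont) n--;                                /* drop the '-' itself */
        if (used + n >= outsz) n = outsz - 1 - used;  /* truncate, never overrun */
        memcpy(out + used, lines[i], n);
        used += n;
        out[used] = '\0';
        if (!cont) break;
    }
    return used;
}

/* Split into elements, checking each length BEFORE copying into the
 * fixed-size slot. Dropping this check (a plain strcpy into elem[][]) is
 * the bug class the DEFCON claim describes; keeping it yields TKNOVF. */
enum parse_status parse_command(const char *text, struct command *cmd)
{
    const char *p = text;
    cmd->nelem = 0;
    while (*p) {
        while (*p && isspace((unsigned char)*p)) p++;
        if (!*p) break;
        const char *start = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        size_t len = (size_t)(p - start);
        if (len > MAX_ELEMENT) return PARSE_TKNOVF;
        if (cmd->nelem >= MAX_ELEMENTS) return PARSE_TOOMANY;
        memcpy(cmd->elem[cmd->nelem], start, len);
        cmd->elem[cmd->nelem][len] = '\0';
        cmd->nelem++;
    }
    return PARSE_OK;
}

/* Status for "define test$logical " followed by n 'a's: probes the boundary. */
enum parse_status status_for_element_length(size_t n)
{
    static const char prefix[] = "define test$logical ";
    size_t plen = sizeof(prefix) - 1;
    struct command cmd;
    char *text = malloc(plen + n + 1);
    if (!text) return PARSE_TOOMANY;
    memcpy(text, prefix, plen);
    memset(text + plen, 'a', n);
    text[plen + n] = '\0';
    enum parse_status s = parse_command(text, &cmd);
    free(text);
    return s;
}

/* Reconstruction of the thread's 12-line DEFINE (30 + 11*50 = 580 'a's).
 * Constructed sample input. If joined_len is non-NULL it receives the
 * length of the joined command (20-character prefix + 580 = 600). */
enum parse_status thread_sample_status(size_t *joined_len)
{
    char lines[12][64];
    const char *ptrs[12];
    char joined[LINE_BUF];
    struct command cmd;
    for (int i = 0; i < 12; i++) {
        char *l = lines[i];
        size_t n = 0;
        if (i == 0) { strcpy(l, "define test$logical "); n = strlen(l); }
        size_t count = (i == 0) ? 30 : 50;
        memset(l + n, 'a', count);
        n += count;
        if (i < 11) l[n++] = '-';      /* all but the last line continue */
        l[n] = '\0';
        ptrs[i] = l;
    }
    size_t jl = join_continuations(ptrs, 12, joined, sizeof joined);
    if (joined_len) *joined_len = jl;
    return parse_command(joined, &cmd);
}

int main(void)
{
    size_t jl = 0;
    printf("511-char element: %s\n", status_for_element_length(511) == PARSE_OK ? "OK" : "TKNOVF");
    printf("512-char element: %s\n", status_for_element_length(512) == PARSE_OK ? "OK" : "TKNOVF");
    printf("thread sample:    %s (joined length %zu)\n",
           thread_sample_status(&jl) == PARSE_TKNOVF ? "TKNOVF" : "OK", jl);
    return 0;
}
```

Run as-is it reports the 511-character element as accepted, the 512-character one as TKNOVF, and the reconstructed 580-character DEFINE from the thread as TKNOVF with a joined length of 600. Replacing the `len > MAX_ELEMENT` test with an unchecked copy is the one-line change that would make the same input an out-of-bounds write instead of an error; whether that write can do more than end the user's own process is exactly the question the thread is arguing about.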