DEFCON 16 and Hacking OpenVMS - VMS

Thread: DEFCON 16 and Hacking OpenVMS

  1. Re: When the goin' gets tough! (Was Re: DEFCON 16 and Hacking OpenVMS ** 8.3 Patch available **)

    Tom Linden wrote:
    > On Mon, 18 Aug 2008 07:09:11 -0700, Richard B. Gilbert
    > wrote:
    >
    >> bugs@signedness.org wrote:
    >>> On Aug 18, 12:09 pm, "Richard Maher"
    >>> wrote:
    >>>> Hi Heine,
    >>>>
    >>>> Well done!
    >>>>
    >>>> Regards Richard Maher
    >>>>
    >>>> PS. Not that it is important, but what I am sceptical about is how
    >>>> "bugs"
    >>>> found/stumbled-across/zeroed-in on this vulnerability! Can someone
    >>>> post the
    >>>> analogous equivalent on *nix? I mean a 20 year-old privilege
    >>>> vulnerability
    >>>> that occurs everyday in Windows/*nix yet no-one has found on VMS
    >>>> before,
    >>>> without the help of a few days "generic" hacking, or perhaps the
    >>>> help of a
    >>>> disgruntled deap-throat? Amazing! (511 bytes, uparrow 3 times, wave a
    >>>> dead-chicken over your head and howl at the moon - standard stuff for
    >>>> hackers?)
    >>>>
    >>> No disgruntled deap-throat, no dead chickens or magic wands... The
    >>> simple truth is very few people have bothered looking at VMS because
    >>> it is "secure". If nobody is looking for bugs then no bugs are found.
    >>> How many times have we heard "many eyes makes all bugs shallow"? Well
    >>> still we see really dumb bugs popping up in some of the most popular
    >>> open source applications so it is really that surprising that simple
    >>> bugs are found in an operating system that I would assume very few
    >>> have looked for bugs in since the 80s? (that being said, still a nice
    >>> find by cmn )
    >>> The finger client bugs are good examples, more or less anyone would
    >>> have found them if they bothered looking for security bugs. The
    >>> seriousness of format string vulnerabilities has been widely known for
    >>> almost 10 years and still there it is (of course it was probably +15
    >>> years since anybody had a serious go at owning VMS).. Speaking of 20
    >>> year old vulns, what about Shaun Colley's fingerd bug? Anyone remember
    >>> Morris worm? Almost exactly 20 year old bug...
    >>>

    >>
    >> Hell, yes! There may be some newbies around who haven't heard of it
    >> but I was there while it was happening. Fortunately, I was
    >> responsible only for some VMS systems which were not affected. Most
    >> of the Unix systems in the world were affected. For those newbies who
    >> missed it, Clifford Stoll wrote a very readable book, "The Cuckoo's
    >> Egg", that touches the subject briefly. I'd say it's a "must read"
    >> for anyone interested in system security. It's the only first person
    >> account that I know of but there may be others.
    >>
    >> VMS System Managers are probably aware of a list of forbidden
    >> passwords maintained by the system. 500 or so of the entries are
    >> Robert Morris' list of commonly used passwords! His worm used them to
    >> attempt to log on to his target systems. He also abused a buffer
    >> overflow vulnerability in the finger daemon. The systems the worm
    >> penetrated promptly started trying to subvert other systems. . . . It
    >> was an interesting two or three days for the Unix system
    >> administrators. VMS
    >> systems were largely unaffected.
    >>
    >> Difficult as it may be to believe, hackers are STILL exploiting buffer
    >> overflows. There is still a lot of code around that will cheerfully
    >> attempt to put ten pounds of **** in a five pound bag!

    >
    > Just curious, have you looked at z/os?
    >


    No, isn't that the IBM mainframe O/S these days? It has been many long
    years since I last used one.

  2. Re: When the goin' gets tough! (Was Re: DEFCON 16 and Hacking OpenVMS ** 8.3 Patch available **)

    In message ,
    "P. Sture" writes:
    >I think the key to this mystery is that a lot of us simply haven't used
    >finger on VMS. I know I have never enabled it on a VMS system, and
    >suspect that I am not alone.


    The really anal security types consider the mere fact that finger discloses
    valid usernames (and other information) a risk and discourage it being enabled
    on any system. I have a finger available locally, but not as a network
    service.

    When it comes to security holes, finger is definitely a 'usual suspect'. It
    seems everyone who creates a finger makes the same naive mistakes. I use a
    finger written in FORTRAN a long time ago.


    David L. Jones | Phone: (614) 271-6718
    Ohio State University | Internet:
    140 W. 19th St. | jonesd@ecr6.ohio-state.edu
    Columbus, OH 43210 | vman+@osu.edu

    Disclaimer: I'm looking for marbles all day long.

  3. Re: When the goin' gets tough! (Was Re: DEFCON 16 and Hacking OpenVMS ** 8.3 Patch available **)

    On Mon, 18 Aug 2008 07:24:14 -0700, Tom Linden wrote:

    > On Mon, 18 Aug 2008 07:09:11 -0700, Richard B. Gilbert
    > wrote:
    >
    >> bugs@signedness.org wrote:
    >>> On Aug 18, 12:09 pm, "Richard Maher"
    >>> wrote:
    >>>> Hi Heine,
    >>>>
    >>>> Well done!
    >>>>
    >>>> Regards Richard Maher
    >>>>
    >>>> PS. Not that it is important, but what I am sceptical about is how
    >>>> "bugs"
    >>>> found/stumbled-across/zeroed-in on this vulnerability! Can someone
    >>>> post the
    >>>> analogous equivalent on *nix? I mean a 20 year-old privilege
    >>>> vulnerability
    >>>> that occurs everyday in Windows/*nix yet no-one has found on VMS
    >>>> before,
    >>>> without the help of a few days "generic" hacking, or perhaps the help
    >>>> of a
    >>>> disgruntled deap-throat? Amazing! (511 bytes, uparrow 3 times, wave a
    >>>> dead-chicken over your head and howl at the moon - standard stuff for
    >>>> hackers?)
    >>>>
    >>> No disgruntled deap-throat, no dead chickens or magic wands... The
    >>> simple truth is very few people have bothered looking at VMS because
    >>> it is "secure". If nobody is looking for bugs then no bugs are found.
    >>> How many times have we heard "many eyes makes all bugs shallow"? Well
    >>> still we see really dumb bugs popping up in some of the most popular
    >>> open source applications so it is really that surprising that simple
    >>> bugs are found in an operating system that I would assume very few
    >>> have looked for bugs in since the 80s? (that being said, still a nice
    >>> find by cmn )
    >>> The finger client bugs are good examples, more or less anyone would
    >>> have found them if they bothered looking for security bugs. The
    >>> seriousness of format string vulnerabilities has been widely known for
    >>> almost 10 years and still there it is (of course it was probably +15
    >>> years since anybody had a serious go at owning VMS).. Speaking of 20
    >>> year old vulns, what about Shaun Colley's fingerd bug? Anyone remember
    >>> Morris worm? Almost exactly 20 year old bug...
    >>>

    >>
    >> Hell, yes! There may be some newbies around who haven't heard of it
    >> but I was there while it was happening. Fortunately, I was responsible
    >> only for some VMS systems which were not affected. Most of the Unix
    >> systems in the world were affected. For those newbies who missed it,
    >> Clifford Stoll wrote a very readable book, "The Cuckoo's Egg", that
    >> touches the subject briefly. I'd say it's a "must read" for anyone
    >> interested in system security. It's the only first person account that
    >> I know of but there may be others.
    >>
    >> VMS System Managers are probably aware of a list of forbidden passwords
    >> maintained by the system. 500 or so of the entries are Robert Morris'
    >> list of commonly used passwords! His worm used them to attempt to log
    >> on to his target systems. He also abused a buffer overflow
    >> vulnerability in the finger daemon. The systems the worm penetrated
    >> promptly started trying to subvert other systems. . . . It was an
    >> interesting two or three days for the Unix system administrators. VMS
    >> systems were largely unaffected.
    >>
    >> Difficult as it may be to believe, hackers are STILL exploiting buffer
    >> overflows. There is still a lot of code around that will cheerfully
    >> attempt to put ten pounds of **** in a five pound bag!

    >
    > Just curious, have you looked at z/os?
    >


    That was meant to be asked of Bugs, got out of sync.

    --
    PL/I for OpenVMS
    www.kednos.com

  4. Re: DEFCON 16 and Hacking OpenVMS

    In article , koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes:
    >In article , "Tom Linden" writes:
    >>
    >> Well I have always disabled fingerd whether on Unix or VMS, but there
    >> may well be other avenues. Such exploits would not be possible had the
    >> code
    >> been written using a safe language like PL/I or Ada with appropriate
    >> ON conditions.

    >
    > If I understand correctly, the exploit is not through the finger
    > server (fingerd), but the finger client. Is your finger client
    > disabled?
    >

    If the finger server is disabled then the finger client isn't installed with
    any privileges.



    David Webb
    Security team leader
    CCSS
    Middlesex University

  5. Re: When the goin' gets tough! (Was Re: DEFCON 16 and Hacking OpenVMS ** 8.3 Patch available **)

    In article , "Richard B. Gilbert" writes:
    >bugs@signedness.org wrote:
    >> On Aug 18, 12:09 pm, "Richard Maher"
    >> wrote:
    >> Speaking of 20
    >> year old vulns, what about Shaun Colley's fingerd bug? Anyone remember
    >> Morris worm? Almost exactly 20 year old bug...
    >>

    >
    >Hell, yes! There may be some newbies around who haven't heard of it but
    >I was there while it was happening. Fortunately, I was responsible only
    >for some VMS systems which were not affected. Most of the Unix systems
    >in the world were affected. For those newbies who missed it, Clifford
    >Stoll wrote a very readable book, "The Cuckoo's Egg", that touches the
    >subject briefly. I'd say it's a "must read" for anyone interested in
    >system security. It's the only first person account that I know of but
    >there may be others.
    >
    >VMS System Managers are probably aware of a list of forbidden passwords
    >maintained by the system. 500 or so of the entries are Robert Morris'
    >list of commonly used passwords! His worm used them to attempt to log
    >on to his target systems. He also abused a buffer overflow
    >vulnerability in the finger daemon. The systems the worm penetrated
    >promptly started trying to subvert other systems. . . . It was an
    >interesting two or three days for the Unix system administrators. VMS
    >systems were largely unaffected.
    >

    But of course VAX/VMS systems of that era had their own worms remember

    the Father XMAS worm

    see

    http://www.users.qwest.net/~eballen1/father_xmas.txt

    and of course WANK

    see

    http://en.wikipedia.org/wiki/WANK_(computer_worm)


    these relied on DECNET task and weak password vulnerabilities.


    David Webb
    Security team leader
    CCSS
    Middlesex University



    >Difficult as it may be to believe, hackers are STILL exploiting buffer
    >overflows. There is still a lot of code around that will cheerfully
    >attempt to put ten pounds of **** in a five pound bag!


  6. Re: DEFCON 16 and Hacking OpenVMS

    On Aug 18, 1:21 pm, VAXman- @SendSpamHere.ORG wrote:
    > In article , b...@signedness.org writes:
    >
    >
    >
    > >On Aug 17, 10:09 pm, VAXman- @SendSpamHere.ORG wrote:

    >
    > >> >It was pointed to you that the codecs used in the videos are
    > >> >non-standard and cannot be watched by everyone. I also didn't even
    > >> >bother to download them.

    > >It is a VMWare recording for heavens sake (http://www.vmware.com)!
    > >If you have bothered to download the videos you would probably not
    > >have
    > >played around with DCL commands and asked about FILE.EXE in the first
    > >place.

    >
    > >> A cohesive explanation of reproducing the stack dump would have been
    > >> better than some video of a terminal session. There was also a report
    > >> of no audio explaining what was happening in the video.

    > >It is a VMWare recording (http://www.vmware.com/), it has no sound.
    > >We used the videos in our presentation (and yes, we did actually
    > >talk while playing them).

    >
    > >> >Your introduction of FILE.EXE was absolutely confusing. This was not
    > >> >necessary. And reduced your credibility because it put the focus on the
    > >> >"file.exe" instead of on the actual vulnerability.

    >
    > >> Another valid point.

    > >Again, you did not watch the videos, i.e. you did not input all data
    > >before computing.

    >
    > >You continue to claim that we have done things wrong when trying to
    > >explain the vulnerability that you tried to wave away as a hoax. Your
    > >attitude strongly imply that this has nothing to do with terminology
    > >and codecs, but that your ego got bumped really hard, and you can not
    > >handle it.

    >
    > There's no need for you to be so condescending.
    >
    > It's not about ego. I, and others here, were trying to determine if
    > this truly was a vulnerability. The first reports were that this was
    > a vulnerability in the DCL CLI easily exploited with a buffer over-
    > flow. The published instructions to cause the overflow did NOT pro-
    > duce the results reported. _Your_ terminology was misleading -- not
    > the 'shellcode' thing either!
    >
    > As for your VIDEO... I did, this past weekend, view the one called:
    > openvms_local_install_exploit.avi.
    >
    > 1. You telnet into a VMS system.
    >    (this command string alone is confusing)
    > 2. delete PRIVS.TXT
    > 3. run FILE.EXE
    > 4. type PRIVS.TXT
    >    (privs output)
    > 5. delete PRIVS.TXT
    > 6. then you run LOADCODE leaving a prompt SHELLCODE>>
    > 7. from this point you execute INSTALL... etc., etc., etc.
    >
    > To me, it looks like you wrote your own CLI which is being used in
    > the spawned subprocess. Again, this obfuscates the reality.
    >
    > >There is a bug for you to analyze.

    >
    > Once the missing bits were properly explained, I was able to produce the
    > stack dump.
    >
    > I've written my OWN 'shellcode' now. I load about 150 bytes of code to
    > P1 via a supported and documented user invokable mechanism! This code
    > sets the AUTHPRIVs in the PHD and it returns cleanly via a SYS$EXIT with
    > SS$_NORMAL. All of this executed in a normal DECwindows terminal.
    >
    > NOW, had you, perhaps:
    >
    > 1. not changed your prompt
    > 2. executed INSTALL from DCL
    > 3. not returned the BADPARAM stack
    > 4. explained, after the long string of AAAs, about the unseen I/O
    >
    > there would have been more and immediate credence placed in your claim.
    >
    > My question still is *WHY* FILE.EXE when SHOW PROCESS/PRIVILEGES would
    > have sufficed??? Your claim was something about output capturing. I
    > fail to see why you can capture normal terminal I/O from a TYPE command
    > but not from SHOW PROCESS/PRIVILEGES. This is the type of thing that's
    > caused much of the confusion, doubt and distrust here. I have no issue
    > invoking my SHOW PROCESS/PRIVILEGES before and after loading my code to
    > P1. I don't need to SPAWN a sub-process; albeit, for testing, I did to
    > allow quick cleanup of P1 space with a logout.
    >
    > And, for the record, I did not proclaim this to be a hoax. However, in
    > light of your, and others, instructions which were muddled, incomplete,
    > and riddled with misleading jargon, I would expect that the good folks
    > of comp.os.vms would be dubious.
    >
    > FWIW, I have been in contact with a number of people working independ-
    > ently on patches to thwart this attack. Interim fixes until a patch or
    > fix is released by HP.
    >
    > --
    > VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM
    >
    > ... pejorative statements of opinion are entitled to constitutional protection
    > no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)
    >
    > Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside
    > of usenet _must_ include its contents in its entirety including this copyright
    > notice, disclaimer and quotations.


    Well congratulations, now you pissed me off too and not just cmn..

    WE said nothing about DCL.. Our terminology misleading? Funny..
    because it is a security issue, it was presented at a security
    conference, everyone there seemed to get it, and other people in this
    group got it too... If you don't understand what shellcode means,
    don't google it, or ask and then make the wrong assumptions that is
    hardly our ****ing fault now is it?


    OH AND CONDESCENDING????? GIVE ME A ****ING BREAK! Remember the "1337
    haxOrz" Comment? What do you call that? Yeah we may not be old enough
    to remember the dinosaurs or having written code on punch cards...
    Well guess what, we still found and exploited multiple vulnerabilities
    in VMS.. even if we are not in the right little clique of superior
    beings such as yourself..

    Then you say discussing how to "weaponize" this exploit is not a good
    idea for public discussion.... We seem to recall demands that we
    release our exploit.... Double standards??? Oh and talking about your
    shellcode is ok? oh wait... it can't be that you still are trying to
    prove that you are superior to us for using a different method, can
    it?

    Or as another poster so elegantly put it:-

    "It's amazing how many people can *now* get the egg to stand on its
    end once they've been shown how :-( Oh, but your egg stands so much
    prouder."



  7. Re: When the goin' gets tough! (Was Re: DEFCON 16 and Hacking OpenVMS ** 8.3 Patch available **)

    On Aug 18, 4:23 pm, "Tom Linden" wrote:
    > On Mon, 18 Aug 2008 07:24:14 -0700, Tom Linden wrote:
    > > On Mon, 18 Aug 2008 07:09:11 -0700, Richard B. Gilbert
    > > wrote:

    >
    > >> b...@signedness.org wrote:
    > >>> On Aug 18, 12:09 pm, "Richard Maher"
    > >>> wrote:
    > >>>> Hi Heine,

    >
    > >>>> Well done!

    >
    > >>>> Regards Richard Maher

    >
    > >>>> PS. Not that it is important, but what I am sceptical about is how
    > >>>> "bugs"
    > >>>> found/stumbled-across/zeroed-in on this vulnerability! Can someone
    > >>>> post the
    > >>>> analogous equivalent on *nix? I mean a 20 year-old privilege
    > >>>> vulnerability
    > >>>> that occurs everyday in Windows/*nix yet no-one has found on VMS
    > >>>> before,
    > >>>> without the help of a few days "generic" hacking, or perhaps the help
    > >>>> of a
    > >>>> disgruntled deap-throat? Amazing! (511 bytes, uparrow 3 times, wave a
    > >>>> dead-chicken over your head and howl at the moon - standard stuff for
    > >>>> hackers?)

    >
    > >>> No disgruntled deap-throat, no dead chickens or magic wands... The
    > >>> simple truth is very few people have bothered looking at VMS because
    > >>> it is "secure". If nobody is looking for bugs then no bugs are found.
    > >>> How many times have we heard "many eyes makes all bugs shallow"? Well
    > >>> still we see really dumb bugs popping up in some of the most popular
    > >>> open source applications so it is really that surprising that simple
    > >>> bugs are found in an operating system that I would assume very few
    > >>> have looked for bugs in since the 80s? (that being said, still a nice
    > >>> find by cmn )
    > >>> The finger client bugs are good examples, more or less anyone would
    > >>> have found them if they bothered looking for security bugs. The
    > >>> seriousness of format string vulnerabilities has been widely known for
    > >>> almost 10 years and still there it is (of course it was probably +15
    > >>> years since anybody had a serious go at owning VMS).. Speaking of 20
    > >>> year old vulns, what about Shaun Colley's fingerd bug? Anyone remember
    > >>> Morris worm? Almost exactly 20 year old bug...

    >
    > >> Hell, yes! There may be some newbies around who haven't heard of it
    > >> but I was there while it was happening. Fortunately, I was responsible
    > >> only for some VMS systems which were not affected. Most of the Unix
    > >> systems in the world were affected. For those newbies who missed it,
    > >> Clifford Stoll wrote a very readable book, "The Cuckoo's Egg", that
    > >> touches the subject briefly. I'd say it's a "must read" for anyone
    > >> interested in system security. It's the only first person account that
    > >> I know of but there may be others.

    >
    > >> VMS System Managers are probably aware of a list of forbidden passwords
    > >> maintained by the system. 500 or so of the entries are Robert Morris'
    > >> list of commonly used passwords! His worm used them to attempt to log
    > >> on to his target systems. He also abused a buffer overflow
    > >> vulnerability in the finger daemon. The systems the worm penetrated
    > >> promptly started trying to subvert other systems. . . . It was an
    > >> interesting two or three days for the Unix system administrators. VMS
    > >> systems were largely unaffected.

    >
    > >> Difficult as it may be to believe, hackers are STILL exploiting buffer
    > >> overflows. There is still a lot of code around that will cheerfully
    > >> attempt to put ten pounds of **** in a five pound bag!

    >
    > > Just curious, have you looked at z/os?

    >
    > That was meant to be asked of Bugs, got out of sync.
    >
    > --
    > PL/I for OpenVMS
    > www.kednos.com


    No, nobody asked us to look at it yet. Buying our own system to find
    bugs just for the fun of doing it would probably be a bit too
    expensive. It would be fun to try, so if someone got a spare machine
    let us know....




  8. VMware codec == VNC codec????

    On Aug 18, 5:00 am, b...@signedness.org wrote:
    > On Aug 18, 5:36 am, "Ken Robinson" wrote:
    >
    > > This has been a very interesting and informative (for the most part)
    > > thread. I believe that "bugs" has performed a very good service for
    > > VMS and should be thanked, not shouted down. I also think that he (and
    > > his organization) should be invited to the next OpenVMS Technical Boot
    > > Camp (assuming there is one) next May so he can talk directly to the
    > > VMS Engineers and Product managers. He should also be allowed to give
    > > a presentation on how to find these vulnerabilities. I would certainly
    > > go to a sessions like that.

    >
    > Thanks a lot for your support!
    > We will be more than happy to help out in any way that we can.
    >
    > > BTW, I couldn't see the videos even on a VMware server running CentOS
    > > 5.1. Also, downloading the necessary codec to my Windows XP laptop
    > > didn't help.

    >
    > Hmmz, we should probably look into converting these videos to a more
    > portable format.
    > I can not understand why VMWare uses some private codec.
    >
    > > Ken Robinson


    "> I can not understand why VMWare uses some private codec."

    Don't VMware internally use VNC technologies for their displays? And
    their (lossless) codec simply encodes/decodes those (VNC) graphics
    updates into a carry-around storage-type format rather than a VMware-
    internal (er sorry, VNC-native) format?

    http://www.vmware.com/support/kb/end...p?p_faqid=1246
    http://wiki.multimedia.cx/index.php?title=VMNC
    http://www.petri.co.il/virtual_using...are_server.htm

    And speaking of code review (as people rightly were, not too long ago
    in this thread), some readers may not be aware that VMware themselves
    recently suffered a bit of an embarrassment which probably ought to
    have been spotted by decent code review before it stopped people's
    VMware systems working on August 12th. Something to bear in mind next
    time the VMware evangelists explain how they're going to solve all the
    world's consolidation problems by *increasing* the quantity of PC-
    class software and PC-class processes in the enterprise, rather than
    by reducing the quantity. Mind you, any non-trivial software has
    hiccups occasionally, doesn't it? But that's another topic for another
    day in another place.

  9. Re: DEFCON 16 and Hacking OpenVMS

    In article <04770cca-13df-4103-9fc5-7f5b728f62e7@34g2000hsh.googlegroups.com>, bugs@signedness.org writes:
    >{...snip...}
    >Well congratulations, now you pissed me off too and not just cmn..


    I _was_ going to comment a few posts ago when your last slight begging
    for a second "**** off!" was posted but, and even moreso now, this one
    speaks _volumes_ to your claims that you brought this to light to make
    VMS more secure. It comes across more as a "thumb to the nose" wag at
    VMS, VMS security, and the people who have worked on it for 3 decades.



    >WE said nothing about DCL.. Our terminology misleading? Funny..
    >because it is a security issue, it was presented at a security
    >conference, everyone there seemed to get it, and other people in this
    >group got it too... If you don't understand what shellcode means,
    >don't google it, or ask and then make the wrong assumptions that is
    >hardly our ****ing fault now is it?


    You're reading in things into this. We were fed piecemeal about the
    sordid detail of what was exploitable. One of your comments was mis-
    leading...

    Bugs:
    "Since the PC is controlled in the CLI bug we simply jump to the
    address of a logical that contains the shellcode we want to run."



    >OH AND CONDESCENDING????? GIVE ME A ****ING BREAK! Remember the "1337
    >haxOrz" Comment? What do you call that? Yeah we may not be old enough
    >to remember the dinosaurs or having written code on punch cards...


    Counter to your slight. I should know your "standard" security jargon
    but you won't use "standard" VMS jargon.



    >Well guess what, we still found and exploited multiple vulnerabilities
    >in VMS.. even if we are not in the right little clique of superior
    >beings such as yourself..


    Again, volumes... you should have included a link to this:

    http://bestsmileys.com/tongs/21.gif



    >Then you say discussing how to "weaponize" this exploit is not a good
    >idea for public discussion.... We seem to recall demands that we
    >release our exploit.... Double standards??? Oh and talking about your


    I asked to have you release the exploit? Not!



    >shellcode is ok? oh wait... it can't be that you still are trying to
    >prove that you are superior to us for using a different method, can
    >it?


    You are warped. I used a simple scheme to prove that could be and IS
    realizable. I could care less about superiority; especially, with re-
    gards to what has proven to be a snot-nosed twit.



    >Or as another poster so elegantly put it:-
    >
    >"It's amazing how many people can *now* get the egg to stand on its
    >end once they've been shown how :-( Oh, but your egg stands so much
    >prouder."


    Who showed me how? Oh, I get it, that elided bit of information that
    Mr. Jones so kindly provided me. Really, all I wanted to see is how
    you elicited the initial crash dump. The report was: do this and it
    will crash. Well, it didn't. Oh, Carl would have enjoyed this...

    What I don't see is why you've taken to attacking me save for that 1
    or more of the quotations you attributed to me was misquoted in some
    prior post.


    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    .... pejorative statements of opinion are entitled to constitutional protection
    no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)

    Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside
    of usenet _must_ include its contents in its entirety including this copyright
    notice, disclaimer and quotations.

  10. Re: DEFCON 16 and Hacking OpenVMS

    In article , david20@alpha2.mdx.ac.uk writes:

    > If the finger server is disabled then the finger client isn't installed with
    > any privileges.


    On which stack? It seems odd to tie the client to the server in that
    way.


  11. Re: When the goin' gets tough! (Was Re: DEFCON 16 and Hacking OpenVMS ** 8.3 Patch available **)

    In article ,
    bugs@signedness.org writes:
    >
    > No disgruntled deap-throat, no dead chickens or magic wands... The
    > simple truth is very few people have bothered looking at VMS because
    > it is "secure".


    I think you mis-spelled that. It's "obscure", not "secure".

    bill

    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include

  12. Re: DEFCON 16 and Hacking OpenVMS

    In article ,
    "Main, Kerry" writes:
    >
    > I am not trying to pass judgement one way or another. And most in this
    > newsgroup would never state that OpenVMS is technically unhackable
    > and/or not susceptible to security issues.
    >


    Damn Kerry, they have been saying it as long as I have been here!!!

    bill

    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include

  13. Re: DEFCON 16 and Hacking OpenVMS

    In article , koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes:
    >In article , david20@alpha2.mdx.ac.uk writes:
    >
    >> If the finger server is disabled then the finger client isn't installed with
    >> any privileges.

    >
    > On which stack? It seems odd to tie the client to the server in that
    > way.
    >

    $ ucx sh ver

    HP TCP/IP Services for OpenVMS Alpha Version V5.6
    on a COMPAQ AlphaServer DS20E 666 MHz running OpenVMS V8.3

    There isn't a separate option for enabling the finger client in
    TCPIP$CONFIG


    HP TCP/IP Services for OpenVMS Client Components Configuration Menu

    Configuration options:

    1 - DHCP Client Disabled Stopped
    2 - FTP Client Enabled Started
    3 - NFS Client Disabled Stopped
    4 - REXEC and RSH Disabled Stopped
    5 - RLOGIN Disabled Stopped
    6 - SMTP Disabled Stopped
    7 - SSH Client Enabled Started
    8 - TELNET Enabled Started
    9 - TELNETSYM Disabled Stopped

    A - Configure options 1 - 9
    [E] - Exit menu


    There is only the option to enable the FINGER SERVER


    HP TCP/IP Services for OpenVMS Server Components Configuration Menu

    Configuration options:

    1 - BIND Disabled Stopped 12 - NTP Enabled Started
    2 - BOOTP Disabled Stopped 13 - PC-NFS Disabled Stopped
    3 - DHCP Disabled Stopped 14 - POP Disabled Stopped
    4 - FINGER Disabled Stopped 15 - PORTMAPPER Disabled Stopped
    5 - FTP Enabled Started 16 - RLOGIN Enabled Started
    6 - IMAP Disabled Stopped 17 - RMT Disabled Stopped
    7 - LBROKER Disabled Stopped 18 - SNMP Disabled Stopped
    8 - LPR/LPD Disabled Stopped 19 - SSH Enabled Started
    9 - METRIC Disabled Stopped 20 - TELNET Enabled Started
    10 - NFS Disabled Stopped 21 - TFTP Disabled Stopped
    11 - LOCKD/STATD Disabled Stopped 22 - XDM Disabled Stopped


    $ sh sym finger
    FINGER == "$SYS$SYSTEM:TCPIP$FINGER.EXE"
    $ install
    INSTALL> list/full SYS$SYSTEM:TCPIP$FINGER.EXE
    %INSTALL-W-FAIL, failed to LIST entry for
    DISK$ALPHASYS:TCPIP$FINGER.EXE
    -INSTALL-E-NOKFEFND, Known File Entry not found
    INSTALL>

    If you enable & start the finger server service

    FINGER Configuration

    Service is defined in the SYSUAF.
    Service is defined in the TCPIP$SERVICE database.
    Service is not enabled.
    Service is stopped.

    FINGER configuration options:

    1 - Enable service on this node

    2 - Enable & Start service on this node

    [E] - Exit FINGER configuration

    Enter configuration option: 2
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$FINGER.EXE installed
    %TCPIP-I-INFO, image SYS$SYSTEM:TCPIP$FINGER_SERVER.EXE installed
    %TCPIP-I-INFO, service enabled
    %TCPIP-S-STARTDONE, TCPIP$FINGER startup completed
    Press key to continue ...

    Then the finger client is installed with privileges

    $ install
    INSTALL> list/full sys$system:tcpip$finger.exe

    DISK$ALPHASYS:.EXE
    TCPIP$FINGER;1 Open Hdr Shared Prv
    Entry access count = 0
    Current / Maximum shared = 1 / 0
    Global section count = 1
    Privileges = WORLD SYSPRV
    Authorized = WORLD SYSPRV


    I haven't checked but suspect this has been true for all previous versions of
    UCX/DEC TCPIP services



    David Webb
    Security team leader
    CCSS
    Middlesex University
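    As an added example (not code from the thread or from HP), a small Python audit that parses INSTALL LIST/FULL output in the format shown above and flags known-file entries carrying privileges, so the effect David describes (TCPIP$FINGER.EXE picking up WORLD and SYSPRV once the server component is enabled) can be checked across a system rather than one image at a time. The sample output and the EXAMPLE_TOOL entry are constructed for the example, and the <SYS0.SYSEXE> directory is assumed because the post's rendering lost it.

```python
"""Audit INSTALL LIST/FULL output for images installed with privileges."""
import re
from dataclasses import dataclass, field

# Header line naming the device and directory, e.g.
# "DISK$ALPHASYS:<SYS0.SYSEXE>.EXE" (the post's rendering lost the <...> part).
_DIR_LINE = re.compile(r"^\s*(?P<dir>[A-Z0-9$_]+:(?:\[[^\]]*\]|<[^>]*>)?)\.EXE\s*$")
# Known-file entry line, e.g. "TCPIP$FINGER;1    Open Hdr Shared Prv".
_IMAGE_LINE = re.compile(r"^\s*(?P<name>[A-Z0-9$_]+);(?P<ver>\d+)\s+(?P<attrs>.*?)\s*$")
_PRIV_LINE = re.compile(r"^\s*Privileges\s*=\s*(?P<privs>.*?)\s*$")
_AUTH_LINE = re.compile(r"^\s*Authorized\s*=\s*(?P<privs>.*?)\s*$")
# What INSTALL prints for an image that has no known-file entry (from the post).
_NOT_INSTALLED = re.compile(r"-INSTALL-E-NOKFEFND\b")


@dataclass
class InstalledImage:
    directory: str
    name: str
    version: int
    attributes: list
    privileges: list = field(default_factory=list)
    authorized: list = field(default_factory=list)

    @property
    def privileged(self) -> bool:
        """True if the entry was installed /PRIVILEGED or carries any privilege."""
        return "Prv" in self.attributes or bool(self.privileges)


def parse_install_list(output: str) -> list:
    """Parse INSTALL LIST/FULL text into InstalledImage records."""
    images, directory = [], ""
    for line in output.splitlines():
        m = _DIR_LINE.match(line)
        if m:
            directory = m.group("dir")
            continue
        m = _IMAGE_LINE.match(line)
        if m:
            images.append(InstalledImage(directory, m.group("name"),
                                         int(m.group("ver")),
                                         m.group("attrs").split()))
            continue
        if not images:  # detail lines belong to the most recent entry
            continue
        m = _PRIV_LINE.match(line)
        if m:
            images[-1].privileges = m.group("privs").split()
            continue
        m = _AUTH_LINE.match(line)
        if m:
            images[-1].authorized = m.group("privs").split()
    return images


def privileged_images(output: str) -> list:
    """Entries a system manager should review: every privileged known file."""
    return [img for img in parse_install_list(output) if img.privileged]


def reports_not_installed(output: str) -> bool:
    """True when INSTALL answered with NOKFEFND (no known-file entry)."""
    return _NOT_INSTALLED.search(output) is not None


def image_privileges(output: str, name: str):
    """Privileges granted to NAME, or None if it is not an installed image."""
    for img in parse_install_list(output):
        if img.name == name.upper():
            return img.privileges
    return None


# Constructed sample: LIST/FULL output after the finger server was enabled.
# The TCPIP$FINGER entry mirrors the post; EXAMPLE_TOOL is a hypothetical
# unprivileged image added for contrast.
SAMPLE_AFTER_ENABLE = """\
   DISK$ALPHASYS:<SYS0.SYSEXE>.EXE
      TCPIP$FINGER;1    Open Hdr Shared Prv
         Entry access count         = 0
         Current / Maximum shared   = 1 / 0
         Global section count       = 1
         Privileges = WORLD SYSPRV
         Authorized = WORLD SYSPRV
      EXAMPLE_TOOL;3    Open Hdr Shared
         Entry access count         = 2
         Current / Maximum shared   = 1 / 0
         Global section count       = 1
"""

# Constructed sample: what the post shows before the server was enabled.
SAMPLE_BEFORE_ENABLE = """\
%INSTALL-W-FAIL, failed to LIST entry for
DISK$ALPHASYS:TCPIP$FINGER.EXE
-INSTALL-E-NOKFEFND, Known File Entry not found
"""

if __name__ == "__main__":
    for img in privileged_images(SAMPLE_AFTER_ENABLE):
        print(f"{img.directory}{img.name};{img.version}: "
              f"{' '.join(img.privileges) or 'Prv'}")
    print("finger client installed before enabling the server:",
          not reports_not_installed(SAMPLE_BEFORE_ENABLE))
```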

  14. Re: When the goin' gets tough! (Was Re: DEFCON 16 and Hacking OpenVMS** 8.3 Patch available **)

    On Aug 18, 6:54 pm, billg...@cs.uofs.edu (Bill Gunshannon) wrote:
    > In article ,
    > b...@signedness.org writes:
    >
    >
    >
    > > No disgruntled deap-throat, no dead chickens or magic wands... The
    > > simple truth is very few people have bothered looking at VMS because
    > > it is "secure".

    >
    > I think you mis-spelled that. It's "obscure", not "secure".
    >
    > bill
    >
    > --
    > Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    > billg...@cs.scranton.edu | and a sheep voting on what's for dinner.
    > University of Scranton |
    > Scranton, Pennsylvania | #include


    VMS these days may be obscure vs its heyday, but traditionally VMS
    *is* also relatively secure, especially when managed properly (default
    passwords and similar daftness taken as read). Things like
    descriptors, STR$ and $FAO and their friends when used properly make
    it harder for programs to do daft things which are relatively common
    in non-VMS environments, and some of these daft things can clearly be
    exploited.

    Other OSes could presumably have descriptors etc instead of whatever
    they use today (mostly MACRO-11 .ASCIZ relics???), but they mostly
    chose other options. Other OSes could also choose to have multiple
    classes of privileges and quotas, a proper event log and a proper
    audit log and a proper alarm log, but again mostly they choose not to
    (and yes I am moderately aware of SE Linux and think lots more people
    should be looking at it, but although it's way ahead of Windows, it
    still won't get near many of VMS's capabilities, and Windows will
    still outship it by the truckload).

    There's probably some significance to the fact that the code used in
    (one of) the current exploit(s) was derived from non-VMS code, the
    tool in the picture is rarely used in classic VMS environments, and
    the engineering group which owns the tool has been moved from
    continent to continent over the years (which in this case perhaps
    indicates a lack of upper-level "ownership" or understanding of the
    importance of the IP world, or to put it another way, it wasn't
    properly "integrated" (assimilated) into The VMS Engineering Way Of
    Things).

    Just because something is popular, or big in the market, doesn't mean
    it's *right* (just ask your sheep, or a selection of Vista users).

    My 2c.

  15. Re: When the goin' gets tough! (Was Re: DEFCON 16 and Hacking OpenVMS ** 8.3 Patch available **)

    On Mon, 18 Aug 2008 09:20:19 -0700, wrote:

    > On Aug 18, 4:23 pm, "Tom Linden" wrote:
    >> On Mon, 18 Aug 2008 07:24:14 -0700, Tom Linden
    >> wrote:
    >> > On Mon, 18 Aug 2008 07:09:11 -0700, Richard B. Gilbert
    >> > wrote:

    >>
    >> >> b...@signedness.org wrote:
    >> >>> On Aug 18, 12:09 pm, "Richard Maher"
    >> >>> wrote:
    >> >>>> Hi Heine,

    >>
    >> >>>> Well done!

    >>
    >> >>>> Regards Richard Maher

    >>
    >> >>>> PS. Not that it is important, but what I am sceptical about is how

    >>
    >> >>>> "bugs"
    >> >>>> found/stumbled-across/zeroed-in on this vulnerability! Can someone

    >>
    >> >>>> post the
    >> >>>> analogous equivalent on *nix? I mean a 20 year-old privilege
    >> >>>> vulnerability
    >> >>>> that occurs everyday in Windows/*nix yet no-one has found on VMS
    >> >>>> before,
    >> >>>> without the help of a few days "generic" hacking, or perhaps the

    >> help
    >> >>>> of a
    >> >>>> disgruntled deap-throat? Amazing! (511 bytes, uparrow 3 times,

    >> wave a
    >> >>>> dead-chicken over your head and howl at the moon - standard stuff

    >> for
    >> >>>> hackers?)

    >>
    >> >>> No disgruntled deap-throat, no dead chickens or magic wands... The
    >> >>> simple truth is very few people have bothered looking at VMS because
    >> >>> it is "secure". If nobody is looking for bugs then no bugs are

    >> found.
    >> >>> How many times have we heard "many eyes makes all bugs shallow"?

    >> Well
    >> >>> still we see really dumb bugs popping up in some of the most popular
    >> >>> open source applications so it is really that surprising that simple
    >> >>> bugs are found in an operating system that I would assume very few
    >> >>> have looked for bugs in since the 80s? (that being said, still a

    >> nice
    >> >>> find by cmn )
    >> >>> The finger client bugs are good examples, more or less anyone would
    >> >>> have found them if they bothered looking for security bugs. The
    >> >>> seriousness of format string vulnerabilities has been widely known

    >> for
    >> >>> almost 10 years and still there it is (of course it was probably +15
    >> >>> years since anybody had a serious go at owning VMS).. Speaking of 20
    >> >>> year old vulns, what about Shaun Colley's fingerd bug? Anyone

    >> remember
    >> >>> Morris worm? Almost exactly 20 year old bug...

    >>
    >> >> Hell, yes! There may be some newbies around who haven't heard of it

    >>
    >> >> but I was there while it was happening. Fortunately, I was

    >> responsible
    >> >> only for some VMS systems which were not affected. Most of the Unix

    >>
    >> >> systems in the world were affected. For those newbies who missed

    >> it,
    >> >> Clifford Stoll wrote a very readable book, "The Cuckoo's Egg", that
    >> >> touches the subject briefly. I'd say it's a "must read" for anyone
    >> >> interested in system security. It's the only first person account

    >> that
    >> >> I know of but there may be others.

    >>
    >> >> VMS System Managers are probably aware of a list of forbidden

    >> passwords
    >> >> maintained by the system. 500 or so of the entries are Robert

    >> Morris'
    >> >> list of commonly used passwords! His worm used them to attempt to

    >> log
    >> >> on to his target systems. He also abused a buffer overflow
    >> >> vulnerability in the finger daemon. The systems the worm penetrated

    >>
    >> >> promptly started trying to subvert other systems. . . . It was an
    >> >> interesting two or three days for the Unix system administrators.

    >> VMS
    >> >> systems were largely unaffected.

    >>
    >> >> Difficult as it may be to believe, hackers are STILL exploiting

    >> buffer
    >> >> overflows. There is still a lot of code around that will cheerfully

    >>
    >> >> attempt to put ten pounds of **** in a five pound bag!

    >>
    >> > Just curious, have you looked at z/os?

    >>
    >> That was meant to be asked of Bugs, got out of sync.
    >>
    >> --
    >> PL/I for OpenVMSwww.kednos.com

    >
    > No, nobody asked us to look at it yet. Buying our own system to find
    > bugs just for the fun of doing it would probably be a bit too
    > expensive. It would be fun to try, so if someone got a spare machine
    > let us know....
    >
    >
    >

    You could run the Hercules emulator; I bet you might even get IBM to loan
    you a copy of z/os. The reason I asked was to compare with VMS since the
    two are often compared in terms of security; the difference is in the
    implementation, in which IBM uses a string safe language, with stringrange
    checking as an inherent part of the language, PLS.


    --
    PL/I for OpenVMS
    www.kednos.com

  16. Re: When the goin' gets tough! (Was Re: DEFCON 16 and Hacking OpenVMS** 8.3 Patch available **)

    On Aug 18, 7:59 pm, "Tom Linden" wrote:
    > On Mon, 18 Aug 2008 09:20:19 -0700, wrote:
    > > On Aug 18, 4:23 pm, "Tom Linden" wrote:
    > >> On Mon, 18 Aug 2008 07:24:14 -0700, Tom Linden
    > >> wrote:
    > >> > On Mon, 18 Aug 2008 07:09:11 -0700, Richard B. Gilbert
    > >> > wrote:

    >
    > >> >> b...@signedness.org wrote:
    > >> >>> On Aug 18, 12:09 pm, "Richard Maher"
    > >> >>> wrote:
    > >> >>>> Hi Heine,

    >
    > >> >>>> Well done!

    >
    > >> >>>> Regards Richard Maher

    >
    > >> >>>> PS. Not that it is important, but what I am sceptical about is how
    > >>
    > >> >>>> "bugs"
    > >> >>>> found/stumbled-across/zeroed-in on this vulnerability! Can someone
    > >>
    > >> >>>> post the
    > >> >>>> analogous equivalent on *nix? I mean a 20 year-old privilege
    > >> >>>> vulnerability
    > >> >>>> that occurs everyday in Windows/*nix yet no-one has found on VMS
    > >> >>>> before,
    > >> >>>> without the help of a few days "generic" hacking, or perhaps the
    > >> help
    > >> >>>> of a
    > >> >>>> disgruntled deap-throat? Amazing! (511 bytes, uparrow 3 times,
    > >> wave a
    > >> >>>> dead-chicken over your head and howl at the moon - standard stuff
    > >> for
    > >> >>>> hackers?)

    >
    > >> >>> No disgruntled deap-throat, no dead chickens or magic wands... The
    > >> >>> simple truth is very few people have bothered looking at VMS because
    > >> >>> it is "secure". If nobody is looking for bugs then no bugs are
    > >> found.
    > >> >>> How many times have we heard "many eyes makes all bugs shallow"?
    > >> Well
    > >> >>> still we see really dumb bugs popping up in some of the most popular
    > >> >>> open source applications so it is really that surprising that simple
    > >> >>> bugs are found in an operating system that I would assume very few
    > >> >>> have looked for bugs in since the 80s? (that being said, still a
    > >> nice
    > >> >>> find by cmn )
    > >> >>> The finger client bugs are good examples, more or less anyone would
    > >> >>> have found them if they bothered looking for security bugs. The
    > >> >>> seriousness of format string vulnerabilities has been widely known
    > >> for
    > >> >>> almost 10 years and still there it is (of course it was probably +15
    > >> >>> years since anybody had a serious go at owning VMS).. Speaking of 20
    > >> >>> year old vulns, what about Shaun Colley's fingerd bug? Anyone
    > >> remember
    > >> >>> Morris worm? Almost exactly 20 year old bug...

    >
    > >> >> Hell, yes! There may be some newbies around who haven't heard of it
    > >>
    > >> >> but I was there while it was happening. Fortunately, I was
    > >> responsible
    > >> >> only for some VMS systems which were not affected. Most of the Unix
    > >>
    > >> >> systems in the world were affected. For those newbies who missed
    > >> it,
    > >> >> Clifford Stoll wrote a very readable book, "The Cuckoo's Egg", that
    > >> >> touches the subject briefly. I'd say it's a "must read" for anyone
    > >> >> interested in system security. It's the only first person account
    > >> that
    > >> >> I know of but there may be others.

    >
    > >> >> VMS System Managers are probably aware of a list of forbidden
    > >> passwords
    > >> >> maintained by the system. 500 or so of the entries are Robert
    > >> Morris'
    > >> >> list of commonly used passwords! His worm used them to attempt to
    > >> log
    > >> >> on to his target systems. He also abused a buffer overflow
    > >> >> vulnerability in the finger daemon. The systems the worm penetrated
    > >>
    > >> >> promptly started trying to subvert other systems. . . . It was an
    > >> >> interesting two or three days for the Unix system administrators.
    > >> VMS
    > >> >> systems were largely unaffected.

    >
    > >> >> Difficult as it may be to believe, hackers are STILL exploiting
    > >> buffer
    > >> >> overflows. There is still a lot of code around that will cheerfully
    > >>
    > >> >> attempt to put ten pounds of **** in a five pound bag!

    >
    > >> > Just curious, have you looked at z/os?

    >
    > >> That was meant to be asked of Bugs, got out of sync.

    >
    > >> --
    > >> PL/I for OpenVMSwww.kednos.com

    >
    > > No, nobody asked us to look at it yet. Buying our own system to find
    > > bugs just for the fun of doing it would probably be a bit too
    > > expensive. It would be fun to try, so if someone got a spare machine
    > > let us know....

    >
    > You could run the Hercules emulator, I bet you might even get IBM to loan
    > you a copy of z/os. The reason I asked was to compare with VMS since the
    > two are often compared in terms of security, the difference is in the
    > implementation in which IBM uses a string safe language, with stringrange
    > checking as an inherent part of the language, PLS.
    >
    > --
    > PL/I for OpenVMSwww.kednos.com


    "a string safe language, with stringrange checking as an inherent
    part of the language"

    You mean like VMS languages/compilers with built-in descriptor support
    for string variables (BASIC, Fortran, Pascal, others?) have had pretty
    much since they were invented, and still have? Should I have included
    VMS PL/I on that list (I'm thinking yes, but not confident)?

  17. Re: When the goin' gets tough! (Was Re: DEFCON 16 and Hacking OpenVMS** 8.3 Patch available **)

    On Aug 18, 2:59 pm, "Tom Linden" wrote:
    > On Mon, 18 Aug 2008 09:20:19 -0700, wrote:
    > > On Aug 18, 4:23 pm, "Tom Linden" wrote:
    > >> On Mon, 18 Aug 2008 07:24:14 -0700, Tom Linden
    > >> wrote:
    > >> > On Mon, 18 Aug 2008 07:09:11 -0700, Richard B. Gilbert
    > >> > wrote:

    >
    > >> >> b...@signedness.org wrote:
    > >> >>> On Aug 18, 12:09 pm, "Richard Maher"
    > >> >>> wrote:
    > >> >>>> Hi Heine,

    >
    > >> >>>> Well done!

    >
    > >> >>>> Regards Richard Maher

    >
    > >> >>>> PS. Not that it is important, but what I am sceptical about is how
    > >>
    > >> >>>> "bugs"
    > >> >>>> found/stumbled-across/zeroed-in on this vulnerability! Can someone
    > >>
    > >> >>>> post the
    > >> >>>> analogous equivalent on *nix? I mean a 20 year-old privilege
    > >> >>>> vulnerability
    > >> >>>> that occurs everyday in Windows/*nix yet no-one has found on VMS
    > >> >>>> before,
    > >> >>>> without the help of a few days "generic" hacking, or perhaps the
    > >> help
    > >> >>>> of a
    > >> >>>> disgruntled deap-throat? Amazing! (511 bytes, uparrow 3 times,
    > >> wave a
    > >> >>>> dead-chicken over your head and howl at the moon - standard stuff
    > >> for
    > >> >>>> hackers?)

    >
    > >> >>> No disgruntled deap-throat, no dead chickens or magic wands... The
    > >> >>> simple truth is very few people have bothered looking at VMS because
    > >> >>> it is "secure". If nobody is looking for bugs then no bugs are
    > >> found.
    > >> >>> How many times have we heard "many eyes makes all bugs shallow"?
    > >> Well
    > >> >>> still we see really dumb bugs popping up in some of the most popular
    > >> >>> open source applications so it is really that surprising that simple
    > >> >>> bugs are found in an operating system that I would assume very few
    > >> >>> have looked for bugs in since the 80s? (that being said, still a
    > >> nice
    > >> >>> find by cmn )
    > >> >>> The finger client bugs are good examples, more or less anyone would
    > >> >>> have found them if they bothered looking for security bugs. The
    > >> >>> seriousness of format string vulnerabilities has been widely known
    > >> for
    > >> >>> almost 10 years and still there it is (of course it was probably +15
    > >> >>> years since anybody had a serious go at owning VMS).. Speaking of 20
    > >> >>> year old vulns, what about Shaun Colley's fingerd bug? Anyone
    > >> remember
    > >> >>> Morris worm? Almost exactly 20 year old bug...

    >
    > >> >> Hell, yes! There may be some newbies around who haven't heard of it
    > >>
    > >> >> but I was there while it was happening. Fortunately, I was
    > >> responsible
    > >> >> only for some VMS systems which were not affected. Most of the Unix
    > >>
    > >> >> systems in the world were affected. For those newbies who missed
    > >> it,
    > >> >> Clifford Stoll wrote a very readable book, "The Cuckoo's Egg", that
    > >> >> touches the subject briefly. I'd say it's a "must read" for anyone
    > >> >> interested in system security. It's the only first person account
    > >> that
    > >> >> I know of but there may be others.

    >
    > >> >> VMS System Managers are probably aware of a list of forbidden
    > >> passwords
    > >> >> maintained by the system. 500 or so of the entries are Robert
    > >> Morris'
    > >> >> list of commonly used passwords! His worm used them to attempt to
    > >> log
    > >> >> on to his target systems. He also abused a buffer overflow
    > >> >> vulnerability in the finger daemon. The systems the worm penetrated
    > >>
    > >> >> promptly started trying to subvert other systems. . . . It was an
    > >> >> interesting two or three days for the Unix system administrators.
    > >> VMS
    > >> >> systems were largely unaffected.

    >
    > >> >> Difficult as it may be to believe, hackers are STILL exploiting
    > >> buffer
    > >> >> overflows. There is still a lot of code around that will cheerfully
    > >>
    > >> >> attempt to put ten pounds of **** in a five pound bag!

    >
    > >> > Just curious, have you looked at z/os?

    >
    > >> That was meant to be asked of Bugs, got out of sync.

    >
    > >> --
    > >> PL/I for OpenVMSwww.kednos.com

    >
    > > No, nobody asked us to look at it yet. Buying our own system to find
    > > bugs just for the fun of doing it would probably be a bit too
    > > expensive. It would be fun to try, so if someone got a spare machine
    > > let us know....

    >
    > You could run the Hercules emulator, I bet you might even get IBM to loan
    > you a copy of z/os. The reason I asked was to compare with VMS since the
    > two are often compared in terms of security, the difference is in the
    > implementation in which IBM uses a string safe language, with stringrange
    > checking as an inherent part of the language, PLS.
    >
    > --
    > PL/I for OpenVMSwww.kednos.com


    I've been attempting to land an "academic version" of z/os, which
    apparently exists - as shown here:

    http://en.wikipedia.org/wiki/Image:Z...ome_screen.png



  18. Re: That dome in Florence (was::Re: DEFCON 16 and Hacking OpenVMS)

    In article , "Richard Maher" writes:
    >It's amazing how many people can *now* get the egg to stand on its end once
    >they've been shown how :-( Oh, but your egg stands so much prouder.


    I realize you've got some hair up your ass for VMS or VMS management or
    what have you. I do not, however, understand what I've done to you to
    warrant your ilk and disparagement? My ENTIRE contribution to this has
    stemmed from trying to get a reported "CLI" stack dump to occur using
    the scant and flawed description provided. FWIW, HP has this patched
    and I've received an email from Andy G. about it. The bug has NOTHING
    to do with the CLI, BTW.

    Now, if you want to side with Mr. bugs and his common everyday security
    lexicon, go ahead and do so. However, the tossing about of terminology
    rooted in unixdom in a VMS forum using the coherence of a Kerouac novel
    does not indicate that I was shown how to exploit this bug. The *only*
    thing I was missing was the SET TERMINAL/UNKNOWN. That causes the escape
    in the UP-ARROW (doesn't matter how many, the *first* escape is what is
    important) to not be interpreted by the terminal driver but, instead, to
    be passed along.

    The video, to me, explains nothing. I see AAAs being typed while some
    'shellcode' has launched the INSTALL utility. Have YOU watched them?

    FWIW, their method obfuscated a very very very simple implementation.
    There's no need for the FILE.EXE red-herring; there's no need to write
    a command interpreter to run INSTALL; there's no reason they could NOT
    have cleanly returned from injecting their code. They somehow figured
    out HOW to feign a linkage pointer (and I'd wager I know WHERE they've
    learned that technique) from a code address. This is on an Alpha
    and one cannot invoke a system routine (SYS$CREPRC as they've reported
    or any code for that matter) without a linkage pointer. If they COULD
    figure that out, they should have been able to figure out a very simple
    clean implementation that would have CLEARLY implemented the problem.

    At least, I'm vindicated by Mr. Robinson's post about the video codec.
    I doubt, however, that "bugs" will come back and apologise to me for
    his outlash.

    --
    VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

    .... pejorative statements of opinion are entitled to constitutional protection
    no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)

    Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside
    of usenet _must_ include its contents in its entirety including this copyright
    notice, disclaimer and quotations.

  19. Re: DEFCON 16 and Hacking OpenVMS

    On Mon, Aug 18, 2008 at 1:59 PM, Bill Gunshannon wrote:
    >
    > In article ,
    > "Main, Kerry" writes:
    > >
    > > I am not trying to pass judgement one way or another. And most in this
    > > newsgroup would never state that OpenVMS is technically unhackable
    > > and/or not susceptible to security issues.
    > >

    >
    > Damn Kerry, they have been saying it as long as I have been here!!!
    >
    > bill
    >
    > --
    > Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    > billg999@cs.scranton.edu | and a sheep voting on what's for dinner.
    > University of Scranton |
    > Scranton, Pennsylvania | #include



    One of my favorite IT Security quotes:

    "Anybody who says his system is bulletproof is either a liar or stupid."

    Winn Schwartau

    WWWebb

  20. Re: When the goin' gets tough! (Was Re: DEFCON 16 and Hacking OpenVMS ** 8.3 Patch available **)

    On Mon, 18 Aug 2008 12:08:49 -0700, wrote:

    > On Aug 18, 7:59 pm, "Tom Linden" wrote:
    >> On Mon, 18 Aug 2008 09:20:19 -0700, wrote:
    >> > On Aug 18, 4:23 pm, "Tom Linden" wrote:
    >> >> On Mon, 18 Aug 2008 07:24:14 -0700, Tom Linden
    >> >> wrote:
    >> >> > On Mon, 18 Aug 2008 07:09:11 -0700, Richard B. Gilbert
    >> >> > wrote:

    >>
    >> >> >> b...@signedness.org wrote:
    >> >> >>> On Aug 18, 12:09 pm, "Richard Maher"

    >>
    >> >> >>> wrote:
    >> >> >>>> Hi Heine,

    >>
    >> >> >>>> Well done!

    >>
    >> >> >>>> Regards Richard Maher

    >>
    >> >> >>>> PS. Not that it is important, but what I am sceptical about is

    >> how
    >> >>
    >> >> >>>> "bugs"
    >> >> >>>> found/stumbled-across/zeroed-in on this vulnerability! Can

    >> someone
    >> >>
    >> >> >>>> post the
    >> >> >>>> analogous equivalent on *nix? I mean a 20 year-old privilege
    >> >> >>>> vulnerability
    >> >> >>>> that occurs everyday in Windows/*nix yet no-one has found on VMS
    >> >> >>>> before,
    >> >> >>>> without the help of a few days "generic" hacking, or perhaps the
    >> >> help
    >> >> >>>> of a
    >> >> >>>> disgruntled deap-throat? Amazing! (511 bytes, uparrow 3 times,
    >> >> wave a
    >> >> >>>> dead-chicken over your head and howl at the moon - standard

    >> stuff
    >> >> for
    >> >> >>>> hackers?)

    >>
    >> >> >>> No disgruntled deap-throat, no dead chickens or magic wands...

    >> The
    >> >> >>> simple truth is very few people have bothered looking at VMS

    >> because
    >> >> >>> it is "secure". If nobody is looking for bugs then no bugs are
    >> >> found.
    >> >> >>> How many times have we heard "many eyes makes all bugs shallow"?
    >> >> Well
    >> >> >>> still we see really dumb bugs popping up in some of the most

    >> popular
    >> >> >>> open source applications so it is really that surprising that

    >> simple
    >> >> >>> bugs are found in an operating system that I would assume very

    >> few
    >> >> >>> have looked for bugs in since the 80s? (that being said, still a
    >> >> nice
    >> >> >>> find by cmn )
    >> >> >>> The finger client bugs are good examples, more or less anyone

    >> would
    >> >> >>> have found them if they bothered looking for security bugs. The
    >> >> >>> seriousness of format string vulnerabilities has been widely

    >> known
    >> >> for
    >> >> >>> almost 10 years and still there it is (of course it was probably

    >> +15
    >> >> >>> years since anybody had a serious go at owning VMS).. Speaking

    >> of 20
    >> >> >>> year old vulns, what about Shaun Colley's fingerd bug? Anyone
    >> >> remember
    >> >> >>> Morris worm? Almost exactly 20 year old bug...

    >>
    >> >> >> Hell, yes! There may be some newbies around who haven't heard of

    >> it
    >> >>
    >> >> >> but I was there while it was happening. Fortunately, I was
    >> >> responsible
    >> >> >> only for some VMS systems which were not affected. Most of the

    >> Unix
    >> >>
    >> >> >> systems in the world were affected. For those newbies who missed
    >> >> it,
    >> >> >> Clifford Stoll wrote a very readable book, "The Cuckoo's Egg",

    >> that
    >> >> >> touches the subject briefly. I'd say it's a "must read" for

    >> anyone
    >> >> >> interested in system security. It's the only first person account
    >> >> that
    >> >> >> I know of but there may be others.

    >>
    >> >> >> VMS System Managers are probably aware of a list of forbidden
    >> >> passwords
    >> >> >> maintained by the system. 500 or so of the entries are Robert
    >> >> Morris'
    >> >> >> list of commonly used passwords! His worm used them to attempt to
    >> >> log
    >> >> >> on to his target systems. He also abused a buffer overflow
    >> >> >> vulnerability in the finger daemon. The systems the worm

    >> penetrated
    >> >>
    >> >> >> promptly started trying to subvert other systems. . . . It was an
    >> >> >> interesting two or three days for the Unix system administrators.
    >> >> VMS
    >> >> >> systems were largely unaffected.

    >>
    >> >> >> Difficult as it may be to believe, hackers are STILL exploiting
    >> >> buffer
    >> >> >> overflows. There is still a lot of code around that will

    >> cheerfully
    >> >>
    >> >> >> attempt to put ten pounds of **** in a five pound bag!

    >>
    >> >> > Just curious, have you looked at z/os?

    >>
    >> >> That was meant to be asked of Bugs, got out of sync.

    >>
    >> >> --
    >> >> PL/I for OpenVMSwww.kednos.com

    >>
    >> > No, nobody asked us to look at it yet. Buying our own system to find
    >> > bugs just for the fun of doing it would probably be a bit too
    >> > expensive. It would be fun to try, so if someone got a spare machine
    >> > let us know....

    >>
    >> You could run the Hercules emulator, I bet you might even get IBM to
    >> loan
    >> you a copy of z/os. The reason I asked was to compare with VMS since
    >> the
    >> two are often compared in terms of security, the difference is in the
    >> implementation in which IBM uses a string safe language, with
    >> stringrange
    >> checking as an inherent part of the language, PLS.
    >>
    >> --
    >> PL/I for OpenVMSwww.kednos.com

    >
    > "a string safe language, with stringrange checking as an inherenty
    > part of the language"
    >
    > You mean like VMS languages/compilers with built-in descriptor support
    > for string variables (BASIC, Fortran, Pascal, others?) have had pretty
    > much since they were invented, and still have? Should I have included
    > VMS PL/I on that list (I'm thinking yes, but not confident)?


    Close, but a bit more, e.g., in your code you would include the following,
    which is inherited by all contained scopes, to which you would jump
    (pushing a new stack frame) upon the condition being signaled.
    ....
    ON SUBSCRIPTRANGE BEGIN;

    END;

    ON STRINGRANGE BEGIN;

    END;

    ....

    etc.
    Descriptors, or dope vectors, are used by the compiler; the programmer
    doesn't have to explicitly use them, making coding a bit more streamlined.
    In PL/I you can code your own signals, called conditions, which is a valid
    data type.

    END returns to the statement following where the condition was signaled.
    --
    PL/I for OpenVMS
    www.kednos.com
