DEFCON 16 and Hacking OpenVMS - VMS



Thread: DEFCON 16 and Hacking OpenVMS

  1. DEFCON 16 and Hacking OpenVMS

    http://www.defcon.org/html/defcon-16...ers.html#Oberg

    is due to be presented this Sunday, Aug 10th 2008

    Does anyone know ...

    o whether there will be anyone from the VMS community at this event;

    o the content of this presentation;

    o whether the 'proceedings' will be published?

    The abstract is portraying the potential exploits as novel and so would
    make an interesting read.

    --
    Ticking away the moments that make up a dull day
    You fritter and waste the hours in an offhand way.
    Kicking around on a piece of ground in your home town
    Waiting for someone or something to show you the way.
    [Mason, Waters, Wright, Gilmour; The Dark Side of the Moon]

  2. Re: DEFCON 16 and Hacking OpenVMS

    Mark Daniel wrote:
    > http://www.defcon.org/html/defcon-16...ers.html#Oberg
    >
    > is due to be presented this Sunday, Aug 10th 2008
    >
    > Does anyone know ...
    >
    > o whether there will be anyone from the VMS community at this event;
    >
    > o the content of this presentation;
    >
    > o whether the 'proceedings' will be published?
    >
    > The abstract is portraying the potential exploits as novel and so would
    > make an interesting read.


    You might want to ask the question over at the Deathrow cluster - there
    are likely to be some attendees from that group.


  3. Re: DEFCON 16 and Hacking OpenVMS

    bradhamilton wrote:
    > Mark Daniel wrote:
    >
    >> http://www.defcon.org/html/defcon-16...ers.html#Oberg
    >>
    >> is due to be presented this Sunday, Aug 10th 2008
    >>
    >> Does anyone know ...
    >>
    >> o whether there will be anyone from the VMS community at this event;
    >>
    >> o the content of this presentation;
    >>
    >> o whether the 'proceedings' will be published?
    >>
    >> The abstract is portraying the potential exploits as novel and so
    >> would make an interesting read.

    >
    >
    > You might want to ask the question over at the Deathrow cluster - there
    > are likely to be some attendees from that group.


    I could also post on the relevant ITRC forum but VMS vulnerabilities
    likely would be considered off-topic and end up expunged!

    --
    Tired of lying in the sunshine staying home to watch the rain.
    You are young and life is long and there is time to kill today.
    And then one day you find ten years have got behind you.
    No one told you when to run, you missed the starting gun.
    [Mason, Waters, Wright, Gilmour; The Dark Side of the Moon]

  4. Re: DEFCON 16 and Hacking OpenVMS

    There's apparently an overflow flaw in Multinet's Fingerd as well:

    http://seclists.org/bugtraq/2008/Aug/0056.html


  5. Re: DEFCON 16 and Hacking OpenVMS

    sampsal@gmail.com wrote:
    > There's apparently an overflow flaw in Multinet's Fingerd as well:
    >
    > http://seclists.org/bugtraq/2008/Aug/0056.html


    This appears to behave as described on at least VAX VMS V7.3 MultiNet
    V5.1 Rev A-X but not on Alpha VMS V8.3 V5.2 Rev A-X or I64 VMS V8.3 V5.2
    Rev A-X (three platforms I have access to).

    $ echo `perl -e 'print "a"x1000'` | nc -v host.name 79
    Connection to host.name 79 port [tcp/finger] succeeded!

    I guess we can assume the 'group of lads' would be keeping an occasional
    eye on c.o.v. :-)

    --
    So you run and you run to catch up with the sun but it's sinking
    Racing around to come up behind you again.
    The sun is the same in a relative way but you're older,
    Shorter of breath and one day closer to death.
    [Mason, Waters, Wright, Gilmour; The Dark Side of the Moon]

  6. Re: DEFCON 16 and Hacking OpenVMS

    On Wed, Aug 6, 2008 at 8:10 AM, Mark Daniel wrote:

    > http://www.defcon.org/html/defcon-16...ers.html#Oberg
    >
    > is due to be presented this Sunday, Aug 10th 2008
    >
    > Does anyone know ...
    >
    > o whether there will be anyone from the VMS community at this event;
    >
    > o the content of this presentation;
    >
    > o whether the 'proceedings' will be published?
    >
    > The abstract is portraying the potential exploits as novel and so would
    > make an interesting read.
    >
    > --
    > Ticking away the moments that make up a dull day
    > You fritter and waste the hours in an offhand way.
    > Kicking around on a piece of ground in your home town
    > Waiting for someone or something to show you the way.
    > [Mason, Waters, Wright, Gilmour; The Dark Side of the Moon]
    >



    The last "black hat" stuff I read (and it was a while ago) was quite
    outdated and went back to the days when SYSTEM, FIELD, etc had default
    passwords set at installation time.

    That's no longer the case, and has been for some time.

    WWWebb


  7. Re: DEFCON 16 and Hacking OpenVMS

    Mark Daniel wrote:
    > http://www.defcon.org/html/defcon-16...ers.html#Oberg
    >
    > is due to be presented this Sunday, Aug 10th 2008
    >
    > Does anyone know ...
    >
    > o whether there will be anyone from the VMS community at this event;
    >
    > o the content of this presentation;
    >
    > o whether the 'proceedings' will be published?
    >
    > The abstract is portraying the potential exploits as novel and so would
    > make an interesting read.


    I will wait for this weekend, like some of us, but in the meantime, I
    will note that one of the presenters claims to have an interest in
    "social engineering". Of course, the abstract promises "0day
    vulnerabilities", but we will have to wait and see.

  8. Re: DEFCON 16 and Hacking OpenVMS

    In article <8660a3a10808071711y49326bci2d6514c28357e72d@mail.gmail.com>, "William Webb" writes:
    >
    > The last "black hat" stuff I read (and it was a while ago) was quite
    > outdated and went back to the days when SYSTEM, FIELD, etc had default
    > passwords set at installation time.
    >
    > That's no longer the case, and has been for some time.


    There's a fairly easy to find (or it was last time I bothered
    looking) guide to hacking VMS that I think you're talking about.

    It was written to a default installation and bad system management
    prior to VMS 5.0. It used the canned passwords to get access to
    a privileged account. It told of all kinds of little things a
    privileged account could do.

    Unless the DEFCON sessions report ways to access a system without
    authorization, or elevate your privileges to a higher class without
    authorization, on a properly installed and managed system, it's just
    smoke up your virtual skirt.

    We wait to see.


  9. Re: DEFCON 16 and Hacking OpenVMS

    In article <00a990b4$0$20308$c3e8da3@news.astraweb.com>, Mark Daniel writes:
    > http://www.defcon.org/html/defcon-16...ers.html#Oberg
    >
    > is due to be presented this Sunday, Aug 10th 2008
    >


    Does anyone know what happened with this ?

    Thanks,

    Simon.

    --
    Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
    Microsoft: Bringing you 1980's technology to a 21st century world

  10. Re: DEFCON 16 and Hacking OpenVMS

    I guess they are still "challenged" by the "rout of '01", delivered
    handily by OpenVMS on Alpha courtesy of The Wiz, Coremac, and Opcom; the
    legend of which is chronicled here:
    http://www.bunkerofdoom.com/defcon/defcon9.html

    -or maybe they forgot about it and this is completely new.
    The rules of the 'game' were changed forever. But never mind;



    By the time I saw it, it was too late to get in the truck and drive to
    the DEFCON by myself.

    Patrick J.

    Mark Daniel wrote:
    > http://www.defcon.org/html/defcon-16...ers.html#Oberg
    >
    > is due to be presented this Sunday, Aug 10th 2008
    >


  11. Re: DEFCON 16 and Hacking OpenVMS

    this also, of the past..
    http://www.openvms.org/stories.php?s.../05/18/5543122

    just to pass some time till someone can report.

  12. Re: DEFCON 16 and Hacking OpenVMS

    On Mon, Aug 11, 2008 at 10:47 PM, patrick jankowiak wrote:

    > I guess they are still "challenged" by the "rout of '01", delivered handily
    > by OpenVMS on Alpha courtesy of The Wiz, Coremac, and Opcom; the legend of
    > which is chronicled here:
    > http://www.bunkerofdoom.com/defcon/defcon9.html
    >
    > -or maybe they forgot about it and this is completely new.
    > The rules of the 'game' were changed forever. But never mind;
    >
    >
    >
    > By the time I saw it, it was too late to get in the truck and drive to the
    > DEFCON by myself.
    >
    > Patrick J.
    >
    >
    > Mark Daniel wrote:
    >
    >> http://www.defcon.org/html/defcon-16...ers.html#Oberg
    >>
    >> is due to be presented this Sunday, Aug 10th 2008
    >>
    >>

    Hi, Pat-

    Good to see you posting. "What I Did On My Summer Vacation" is one of the
    funniest VMS stories I've ever heard, and I've heard some Real Funny Ones at
    "Magic Night" at the last two bootcamps.

    WWWebb


  13. Re: DEFCON 16 and Hacking OpenVMS

    William Webb wrote:
    >
    >
    > On Mon, Aug 11, 2008 at 10:47 PM, patrick jankowiak wrote:
    >
    > I guess they are still "challenged" by the "rout of '01", delivered
    > handily by OpenVMS on Alpha courtesy of The Wiz, Coremac, and Opcom;
    > the legend of which is chronicled here:
    > http://www.bunkerofdoom.com/defcon/defcon9.html
    >
    > -or maybe they forgot about it and this is completely new.
    > The rules of the 'game' were changed forever. But never mind;
    >
    >
    >
    > By the time I saw it, it was too late to get in the truck and drive
    > to the DEFCON by myself.
    >
    > Patrick J.
    >
    >
    > Mark Daniel wrote:
    >
    > http://www.defcon.org/html/defcon-16...ers.html#Oberg
    >
    > is due to be presented this Sunday, Aug 10th 2008
    >
    >
    > Hi, Pat-
    >
    > Good to see you posting. "What I Did On My Summer Vacation" is one of
    > the funniest VMS stories I've ever heard, and I've heard some Real Funny
    > Ones at "Magic Night" at the last two bootcamps.
    >
    > WWWebb


    Hi William,

    Thank you and I guess I need to show up to the party from time to time.
    I guess I sort of navigated past the edge of the known world, and found
    more worlds and adventures to explore.

  14. Re: DEFCON 16 and Hacking OpenVMS

    Guys,

    I just finished reading the presentation slides from DEFCON and
    fortunately it doesn't seem to be anything earth-shattering, two exploits
    are described:

    1. A format string vulnerability in the FINGER client (VAX only). The
    example shellcode is stored on a remote system's .plan file and forces
    the victim FINGER client to modify SYSUAF.

    2. A CLI buffer overflow on Alphas. Basically any input over 511
    characters causes an overflow, it seems to be possible to have a
    privileged process execute arbitrary code.

    Anyway, this is from a 10 minute reading of the slides, I might have
    missed something, but the important thing (IMHO) is that neither of
    these exploits are possible from remote but require a malicious user
    to already have an account on the targeted system.

    Sampsa




  15. Re: DEFCON 16 and Hacking OpenVMS

    In article <6419afac-bb99-4d7d-b61c-2e29234dfb26@z72g2000hsb.googlegroups.com>, sampsal@gmail.com writes:
    >Guys,
    >
    >I just finished reading the presentation slides from DEFCON and
    >fortunately it doesn't seem to be anything earth-shattering, two exploits
    >are described:
    >
    >1. A format string vulnerability in the FINGER client (VAX only). The
    >example shellcode is stored on a remote system's .plan file and forces
    >the victim FINGER client to modify SYSUAF.
    >


    Is this with DEC TCPIP services or is it something to do with the
    Multinet finger vulnerability ?

    see

    http://www.multinet.process.com/scri...INGER-010_A052



    >2. A CLI buffer overflow on Alphas. Basically any input over 511
    >characters causes an overflow, it seems to be possible to have a
    >privileged process execute arbitrary code.
    >

    Can you explain this one in a bit more detail ?
    Is this an attack against DCL itself, images installed with privileges
    or something else ?


    David Webb
    Security team leader
    CCSS
    Middlesex University




    >Anyway, this is from a 10 minute reading of the slides, I might have
    >missed something, but the important thing (IMHO) is that neither of
    >these exploits are possible from remote but require a malicious user
    >to already have an account on the targeted system.
    >
    >Sampsa
    >
    >
    >


  16. Re: DEFCON 16 and Hacking OpenVMS


    > >1. A format string vulnerability in the FINGER client (VAX only). The
    > >example shellcode is stored on a remote system's .plan file and forces
    > >the victim FINGER client to modify SYSUAF.

    >
    > Is this with DEC TCPIP services or is it something to do with the
    > Multinet finger vulnerability ?


    It appears to be something separate, since it seems to have to do with
    a format string vulnerability. Basically someone puts a bunch of % strings
    and shellcode in their .plan on a remote host, fingers that user from the
    target host, and the FINGER client executes the shellcode due to the
    format string vulnerability in the client.


    > >2. A CLI buffer overflow on Alphas. Basically any input over 511
    > >characters causes an overflow, it seems to be possible to have a
    > >privileged process execute arbitrary code.

    >
    > Can you explain this one in a bit more detail ?
    > Is this an attack against DCL itself, images installed with privileges
    > or something else ?


    I think this might be a DCL issue, it seems to work across a number of
    different images. Not had a chance to play with this as my own VMS
    box is down at the moment.

    Sampsa
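
The two defect classes described in this exchange, shown from the fixing side as an added example that is not code from the thread, the DEFCON slides or any VMS component: remote `.plan` text is only ever passed as an argument to a fixed format, and a command line longer than the 511 characters mentioned above is rejected instead of copied. The function names, buffer sizes and the sample string are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CMD_MAX 511   /* limit quoted in the thread; buffer size is an assumption */

/* Vulnerable pattern, shown as a comment only:
 *     printf(plan);      -- remote text is used as the format string
 * Hardened: the format is a fixed literal and the remote text is an argument.
 * Returns the number of characters written, or -1 on error or truncation. */
int render_plan(char *out, size_t outsz, const char *plan)
{
    int n = snprintf(out, outsz, "%s", plan);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Counts conversion directives ("%" not followed by "%") in untrusted text,
 * so a .plan carrying them can be logged before it is displayed. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] == '%' && s[i + 1] == '%')
            i++;                 /* literal percent sign, skip the pair */
        else if (s[i] == '%' && s[i + 1] != '\0')
            count++;
    }
    return count;
}

/* Copies a command line into a fixed buffer. Input longer than CMD_MAX is
 * rejected outright rather than overflowing or being silently truncated.
 * Returns 0 on success, -1 on over-long input. */
int copy_command(char dst[CMD_MAX + 1], const char *src)
{
    size_t len = 0;
    while (len <= CMD_MAX && src[len] != '\0')
        len++;
    if (len > CMD_MAX) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);   /* includes the terminator */
    return 0;
}

int main(void)
{
    char out[64];
    /* constructed sample of hostile .plan text; printed literally */
    if (render_plan(out, sizeof out, "%x %x %s") >= 0)
        puts(out);
    return 0;
}
```
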

  17. Re: DEFCON 16 and Hacking OpenVMS

    In article <6419afac-bb99-4d7d-b61c-2e29234dfb26@z72g2000hsb.googlegroups.com>, sampsal@gmail.com writes:
    > Guys,
    >
    > 1. A format string vulnerability in the FINGER client (VAX only). The
    > example shellcode is stored on a remote system's .plan file and forces
    > the victim FINGER client to modify SYSUAF.


    Do they say which finger client? HPs?


  18. Re: DEFCON 16 and Hacking OpenVMS

    In article <6419afac-bb99-4d7d-b61c-2e29234dfb26@z72g2000hsb.googlegroups.com>, sampsal@gmail.com writes:
    > Guys,
    >
    > I just finished reading the presentation slides from DEFCON and
    > fortunately it doesn't seem to be anything earth-shattering, two exploits
    > are described:


    Are these publicly available? (If there is anything in them, I'd
    like to review my systems).


  19. Re: DEFCON 16 and Hacking OpenVMS

    On Aug 12, 6:00 pm, koeh...@eisner.nospam.encompasserve.org (Bob
    Koehler) wrote:
    > In article <6419afac-bb99-4d7d-b61c-2e29234df...@z72g2000hsb.googlegroups..com>, samp...@gmail.com writes:
    >
    > > Guys,

    >
    > > I just finished reading the presentation slides from DEFCON and
    > > fortunately it doesn't seem to be anything earth-shattering, two exploits
    > > are described:

    >
    > Are these publicly available? (If there is anything in them, I'd
    > like to review my systems).


    I got them from a friend whose colleague was at DEFCON - I don't know
    what the distribution/copyright issues are with the document so I
    daren't host them on my web page.

    Sampsa


  20. Re: DEFCON 16 and Hacking OpenVMS

    sampsal@gmail.com wrote:
    >>> 1. A format string vulnerability in the FINGER client (VAX only). The
    >>> example shellcode is stored on a remote system's .plan file and forces
    >>> the victim FINGER client to modify SYSUAF.

    >> Is this with DEC TCPIP services or is it something to do with the
    >> Multinet finger vulnerability ?

    >
    > It appears to be something separate, since it seems to have to do with
    > a format string vulnerability. Basically someone puts a bunch of % strings
    > and shellcode in their .plan on a remote host, fingers that user from the
    > target host, and the FINGER client executes the shellcode due to the
    > format string vulnerability in the client.
    >
    >
    >>> 2. A CLI buffer overflow on Alphas. Basically any input over 511
    >>> characters causes an overflow, it seems to be possible to have a
    >>> privileged process execute arbitrary code.

    >> Can you explain this one in a bit more detail ?
    >> Is this an attack against DCL itself, images installed with privileges
    >> or something else ?

    >
    > I think this might be a DCL issue, it seems to work across a number of
    > different images. Not had a chance to play with this as my own VMS
    > box is down at the moment.
    >
    > Sampsa


    I would have thought a CLI overflow to have been tried by at least a few
    at DEFCON9 because the system automagically created service-rich user
    accounts with of course DCL which the hackers were then free to abuse.

    We were not scrutinizing buffers however and any such overflow may in
    our case have done nothing harmful (by luck or design). I think it was
    version 7.1-? if it makes a difference. Did the gentleman specify any
    versions?

    Patrick J
