DEFCON 16 and Hacking OpenVMS



FixUnix.com - Unix Linux Forums

#1
08-06-2008, 08:10 AM
DEFCON 16 and Hacking OpenVMS

http://www.defcon.org/html/defcon-16...ers.html#Oberg

is due to be presented this Sunday, Aug 10th 2008

Does anyone know ...

o whether there will be anyone from the VMS community at this event;

o the content of this presentation;

o whether the 'proceedings' will be published?

The abstract is portraying the potential exploits as novel and so would
make an interesting read.

--
Ticking away the moments that make up a dull day
You fritter and waste the hours in an offhand way.
Kicking around on a piece of ground in your home town
Waiting for someone or something to show you the way.
[Mason, Waters, Wright, Gilmour; The Dark Side of the Moon]
#2
08-06-2008, 06:20 PM
Re: DEFCON 16 and Hacking OpenVMS

Mark Daniel wrote:
> http://www.defcon.org/html/defcon-16...ers.html#Oberg
>
> is due to be presented this Sunday, Aug 10th 2008
>
> Does anyone know ...
>
> o whether there will be anyone from the VMS community at this event;
>
> o the content of this presentation;
>
> o whether the 'proceedings' will be published?
>
> The abstract is portraying the potential exploits as novel and so would
> make an interesting read.


You might want to ask the question over at the Deathrow cluster - there
are likely to be some attendees from that group.

#3
08-07-2008, 04:51 AM
Re: DEFCON 16 and Hacking OpenVMS

bradhamilton wrote:
> Mark Daniel wrote:
>
>> http://www.defcon.org/html/defcon-16...ers.html#Oberg
>>
>> is due to be presented this Sunday, Aug 10th 2008
>>
>> Does anyone know ...
>>
>> o whether there will be anyone from the VMS community at this event;
>>
>> o the content of this presentation;
>>
>> o whether the 'proceedings' will be published?
>>
>> The abstract is portraying the potential exploits as novel and so
>> would make an interesting read.

>
>
> You might want to ask the question over at the Deathrow cluster - there
> are likely to be some attendees from that group.


I could also post on the relevant ITRC forum but VMS vulnerabilities
likely would be considered off-topic and it would end up expunged!

--
Tired of lying in the sunshine staying home to watch the rain.
You are young and life is long and there is time to kill today.
And then one day you find ten years have got behind you.
No one told you when to run, you missed the starting gun.
[Mason, Waters, Wright, Gilmour; The Dark Side of the Moon]
#4
08-07-2008, 12:31 PM
Re: DEFCON 16 and Hacking OpenVMS

There's apparently an overflow flaw in Multinet's Fingerd as well:

http://seclists.org/bugtraq/2008/Aug/0056.html

#5
08-07-2008, 02:15 PM
Re: DEFCON 16 and Hacking OpenVMS

sampsal@gmail.com wrote:
> There's apparently an overflow flaw in Multinet's Fingerd as well:
>
> http://seclists.org/bugtraq/2008/Aug/0056.html


This appears to behave as described on at least VAX VMS V7.3 MultiNet
V5.1 Rev A-X but not on Alpha VMS V8.3 V5.2 Rev A-X or I64 VMS V8.3 V5.2
Rev A-X (three platforms I have access to).

$ echo `perl -e 'print "a"x1000'` | nc -v host.name 79
Connection to host.name 79 port [tcp/finger] succeeded!

I guess we can assume the 'group of lads' would be keeping an occasional
eye on c.o.v. :-)

--
So you run and you run to catch up with the sun but it's sinking
Racing around to come up behind you again.
The sun is the same in a relative way but you're older,
Shorter of breath and one day closer to death.
[Mason, Waters, Wright, Gilmour; The Dark Side of the Moon]
#6
08-07-2008, 08:11 PM
Re: DEFCON 16 and Hacking OpenVMS

On Wed, Aug 6, 2008 at 8:10 AM, Mark Daniel wrote:

> http://www.defcon.org/html/defcon-16...ers.html#Oberg
>
> is due to be presented this Sunday, Aug 10th 2008
>
> Does anyone know ...
>
> o whether there will be anyone from the VMS community at this event;
>
> o the content of this presentation;
>
> o whether the 'proceedings' will be published?
>
> The abstract is portraying the potential exploits as novel and so would
> make an interesting read.
>
> --
> Ticking away the moments that make up a dull day
> You fritter and waste the hours in an offhand way.
> Kicking around on a piece of ground in your home town
> Waiting for someone or something to show you the way.
> [Mason, Waters, Wright, Gilmour; The Dark Side of the Moon]
>



The last "black hat" stuff I read (and it was a while ago) was quite
outdated and went back to the days when SYSTEM, FIELD, etc had default
passwords set at installation time.

That's no longer the case, and has been for some time.

WWWebb

#7
08-07-2008, 08:37 PM
Re: DEFCON 16 and Hacking OpenVMS

Mark Daniel wrote:
> http://www.defcon.org/html/defcon-16...ers.html#Oberg
>
> is due to be presented this Sunday, Aug 10th 2008
>
> Does anyone know ...
>
> o whether there will be anyone from the VMS community at this event;
>
> o the content of this presentation;
>
> o whether the 'proceedings' will be published?
>
> The abstract is portraying the potential exploits as novel and so would
> make an interesting read.


I will wait for this weekend, like some of us, but in the meantime, I
will note that one of the presenters claims to have an interest in
"social engineering". Of course, the abstract promises "0day
vulnerabilities", but we will have to wait and see.
#8
08-08-2008, 08:49 AM
Re: DEFCON 16 and Hacking OpenVMS

In article <8660a3a10808071711y49326bci2d6514c28357e72d@mail.gmail.com>, "William Webb" writes:
>
> The last "black hat" stuff I read (and it was a while ago) was quite
> outdated and went back to the days when SYSTEM, FIELD, etc had default
> passwords set at installation time.
>
> That's no longer the case, and has been for some time.


There's a fairly easy to find (or it was last time I bothered
looking) guide to hacking VMS that I think you're talking about.

It was written to a default installation and bad system management
prior to VMS 5.0. It used the canned passwords to get access to
a privileged account. It told of all kinds of little things a
privileged account could do.

Unless the DEFCON session reports ways to access a system without
authorization, or elevate your privileges to a higher class without
authorization, on a properly installed and managed system, it's just
smoke up your virtual skirt.

We wait to see.

#9
08-11-2008, 07:40 AM
Re: DEFCON 16 and Hacking OpenVMS

In article <00a990b4$0$20308$c3e8da3@news.astraweb.com>, Mark Daniel writes:
> http://www.defcon.org/html/defcon-16...ers.html#Oberg
>
> is due to be presented this Sunday, Aug 10th 2008
>


Does anyone know what happened with this ?

Thanks,

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980's technology to a 21st century world
#10
08-11-2008, 10:47 PM
Re: DEFCON 16 and Hacking OpenVMS

I guess they are still "challenged" by the "rout of '01", delivered
handily by OpenVMS on Alpha courtesy of The Wiz, Coremac, and Opcom; the
legend of which is chronicled here:
http://www.bunkerofdoom.com/defcon/defcon9.html

-or maybe they forgot about it and this is completely new.
The rules of the 'game' were changed forever. But never mind;



By the time I saw it, it was too late to get in the truck and drive to
the DEFCON by myself.

Patrick J.

Mark Daniel wrote:
> http://www.defcon.org/html/defcon-16...ers.html#Oberg
>
> is due to be presented this Sunday, Aug 10th 2008
>

#11
08-11-2008, 11:13 PM
Re: DEFCON 16 and Hacking OpenVMS

this also, of the past..
http://www.openvms.org/stories.php?s.../05/18/5543122

just to pass some time till someone can report.
#12
08-12-2008, 12:06 AM
Re: DEFCON 16 and Hacking OpenVMS

On Mon, Aug 11, 2008 at 10:47 PM, patrick jankowiak wrote:

> I guess they are still "challenged" by the "rout of '01", delivered handily
> by OpenVMS on Alpha courtesy of The Wiz, Coremac, and Opcom; the legend of
> which is chronicled here:
> http://www.bunkerofdoom.com/defcon/defcon9.html
>
> -or maybe they forgot about it and this is completely new.
> The rules of the 'game' were changed forever. But never mind;
>
>
>
> By the time I saw it, it was too late to get in the truck and drive to the
> DEFCON by myself.
>
> Patrick J.
>
>
> Mark Daniel wrote:
>
>> http://www.defcon.org/html/defcon-16...ers.html#Oberg
>>
>> is due to be presented this Sunday, Aug 10th 2008
>>
>>

Hi, Pat-

Good to see you posting. "What I Did On My Summer Vacation" is one of the
funniest VMS stories I've ever heard, and I've heard some Real Funny Ones at
"Magic Night" at the last two bootcamps.

WWWebb

#13
08-12-2008, 02:01 AM
Re: DEFCON 16 and Hacking OpenVMS

William Webb wrote:
>
>
> On Mon, Aug 11, 2008 at 10:47 PM, patrick jankowiak wrote:
>
> I guess they are still "challenged" by the "rout of '01", delivered
> handily by OpenVMS on Alpha courtesy of The Wiz, Coremac, and Opcom;
> the legend of which is chronicled here:
> http://www.bunkerofdoom.com/defcon/defcon9.html
>
> -or maybe they forgot about it and this is completely new.
> The rules of the 'game' were changed forever. But never mind;
>
>
>
> By the time I saw it, it was too late to get in the truck and drive
> to the DEFCON by myself.
>
> Patrick J.
>
>
> Mark Daniel wrote:
>
> http://www.defcon.org/html/defcon-16...ers.html#Oberg
>
> is due to be presented this Sunday, Aug 10th 2008
>
>
> Hi, Pat-
>
> Good to see you posting. "What I Did On My Summer Vacation" is one of
> the funniest VMS stories I've ever heard, and I've heard some Real Funny
> Ones at "Magic Night" at the last two bootcamps.
>
> WWWebb


Hi William,

Thank you and I guess I need to show up to the party from time to time.
I guess I sort of navigated past the edge of the known world, and found
more worlds and adventures to explore.
#14
08-12-2008, 09:58 AM
Re: DEFCON 16 and Hacking OpenVMS

Guys,

I just finished reading the presentation slides from DEFCON and
fortunately it doesn't seem to be anything earth-shattering; two exploits
are described:

1. A format string vulnerability in the FINGER client (VAX only). The
example shellcode is stored on a remote system's .plan file and forces
the victim FINGER client to modify SYSUAF.

2. A CLI buffer overflow on Alphas. Basically any input over 511
characters causes an overflow, it seems to be possible to have a
privileged process execute arbitrary code.

Anyway, this is from a 10 minute reading of the slides, I might have
missed something, but the important thing (IMHO) is that neither of
these exploits is possible remotely; they require a malicious user
to already have an account on the targeted system.

Sampsa



#15
08-12-2008, 10:49 AM
Re: DEFCON 16 and Hacking OpenVMS

In article <6419afac-bb99-4d7d-b61c-2e29234dfb26@z72g2000hsb.googlegroups.com>, sampsal@gmail.com writes:
>Guys,
>
>I just finished reading the presentation slides from DEFCON and
>fortunately it doesn't seem to be anything earth-shattering; two exploits
>are described:
>
>1. A format string vulnerability in the FINGER client (VAX only). The
>example shellcode is stored on a remote system's .plan file and forces
>the victim FINGER client to modify SYSUAF.
>


Is this with DEC TCPIP services or is it something to do with the
Multinet finger vulnerability ?

see

http://www.multinet.process.com/scri...INGER-010_A052



>2. A CLI buffer overflow on Alphas. Basically any input over 511
>characters causes an overflow, it seems to be possible to have a
>privileged process execute arbitrary code.
>

Can you explain this one in a bit more detail ?
Is this an attack against DCL itself, images installed with privileges
or something else ?


David Webb
Security team leader
CCSS
Middlesex University




>Anyway, this is from a 10 minute reading of the slides, I might have
>missed something, but the important thing (IMHO) is that neither of
>these exploits is possible remotely; they require a malicious user
>to already have an account on the targeted system.
>
>Sampsa
>
>
>

#16
08-12-2008, 11:27 AM
Re: DEFCON 16 and Hacking OpenVMS


> >1. A format string vulnerability in the FINGER client (VAX only). The
> >example shellcode is stored on a remote system's .plan file and forces
> >the victim FINGER client to modify SYSUAF.

>
> Is this with DEC TCPIP services or is it something to do with the
> Multinet finger vulnerability ?


It appears to be something separate, since it seems to have to do with
a format string vulnerability. Basically someone puts a bunch of % strings
and shellcode in their .plan on a remote host, fingers that user from the
target host, and the FINGER client executes the shellcode due to the
format string vulnerability in the client.


> >2. A CLI buffer overflow on Alphas. Basically any input over 511
> >characters causes an overflow, it seems to be possible to have a
> >privileged process execute arbitrary code.

>
> Can you explain this one in a bit more detail ?
> Is this an attack against DCL itself, images installed with privileges
> or something else ?


I think this might be a DCL issue, it seems to work across a number of
different images. Not had a chance to play with this as my own VMS
box is down at the moment.

Sampsa
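The bug class Sampsa describes above (a FINGER client handing remote .plan text to a printf-style routine as the format string), shown as an added illustration that is not from this thread, the DEFCON slides or any VMS/MultiNet code: a minimal client-side rendering routine in its vulnerable and fixed forms, plus a check that counts '%' directives in untrusted text. Function names and the sample .plan are constructed.

```c
/* Added example; hypothetical names, constructed sample .plan. */
#include <stdio.h>
#include <string.h>

/* Constructed sample: a .plan entirely under the remote user's control. */
static const char SAMPLE_PLAN[] = "Out to lunch %x %x %n";

/* VULNERABLE: remote text becomes the format string, so every '%' in it is
 * interpreted (stack reads via %x, memory writes via %n). Never called. */
void render_plan_vulnerable(const char *plan, char *out, size_t n)
{
    snprintf(out, n, plan);
}

/* FIXED: the format is a literal and the remote text is plain data. */
void render_plan_safe(const char *plan, char *out, size_t n)
{
    snprintf(out, n, "%s", plan);
}

/* Defensive check: count conversion introducers in untrusted text ("%%" is
 * a literal percent and does not count). Non-zero on a .plan is worth logging. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }
            count++;
        }
    }
    return count;
}

/* Neutraliser for legacy consumers that will still use the text as a
 * format: doubles every '%'. Returns bytes written, excluding the NUL. */
size_t escape_percent(const char *in, char *out, size_t n)
{
    size_t w = 0;
    if (n == 0) return 0;
    for (; *in && w + 2 < n; in++) {
        out[w++] = *in;
        if (*in == '%') out[w++] = '%';
    }
    out[w] = '\0';
    return w;
}

int main(void)
{
    char buf[128];
    render_plan_safe(SAMPLE_PLAN, buf, sizeof buf);
    printf("%d directives; rendered: %s\n", count_format_directives(SAMPLE_PLAN), buf);
    return 0;
}
```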
#17
08-12-2008, 12:58 PM
Re: DEFCON 16 and Hacking OpenVMS

In article <6419afac-bb99-4d7d-b61c-2e29234dfb26@z72g2000hsb.googlegroups.com>, sampsal@gmail.com writes:
> Guys,
>
> 1. A format string vulnerability in the FINGER client (VAX only). The
> example shellcode is stored on a remote system's .plan file and forces
> the victim FINGER client to modify SYSUAF.


Do they say which finger client? HPs?

#18
08-12-2008, 01:00 PM
Re: DEFCON 16 and Hacking OpenVMS

In article <6419afac-bb99-4d7d-b61c-2e29234dfb26@z72g2000hsb.googlegroups.com>, sampsal@gmail.com writes:
> Guys,
>
> I just finished reading the presentation slides from DEFCON and
> fortunately it doesn't seem to be anything earth-shattering; two exploits
> are described:


Are these publicly available? (If there is anything in them, I'd
like to review my systems).

#19
08-12-2008, 01:26 PM
Re: DEFCON 16 and Hacking OpenVMS

On Aug 12, 6:00 pm, koeh...@eisner.nospam.encompasserve.org (Bob
Koehler) wrote:
> In article <6419afac-bb99-4d7d-b61c-2e29234df...@z72g2000hsb.googlegroups.com>, samp...@gmail.com writes:
>
> > Guys,

>
> > I just finished reading the presentation slides from DEFCON and
> > fortunately it doesn't seem to be anything earth-shattering; two exploits
> > are described:

>
>    Are these publicly available? (If there is anything in them, I'd
>    like to review my systems).


I got them from a friend whose colleague was at DEFCON - I don't know
what the distribution/copyright issues are with the document so I
daren't host them on my web page.

Sampsa

#20
08-12-2008, 08:44 PM
Re: DEFCON 16 and Hacking OpenVMS

sampsal@gmail.com wrote:
>>> 1. A format string vulnerability in the FINGER client (VAX only). The
>>> example shellcode is stored on a remote system's .plan file and forces
>>> the victim FINGER client to modify SYSUAF.

>> Is this with DEC TCPIP services or is it something to do with the
>> Multinet finger vulnerability ?

>
> It appears to be something separate, since it seems to have to do with
> a format string vulnerability. Basically someone puts a bunch of % strings
> and shellcode in their .plan on a remote host, fingers that user from the
> target host, and the FINGER client executes the shellcode due to the
> format string vulnerability in the client.
>
>
>>> 2. A CLI buffer overflow on Alphas. Basically any input over 511
>>> characters causes an overflow, it seems to be possible to have a
>>> privileged process execute arbitrary code.

>> Can you explain this one in a bit more detail ?
>> Is this an attack against DCL itself, images installed with privileges
>> or something else ?

>
> I think this might be a DCL issue, it seems to work across a number of
> different images. Not had a chance to play with this as my own VMS
> box is down at the moment.
>
> Sampsa


I would have thought a CLI overflow to have been tried by at least a few
at DEFCON9 because the system automagically created service-rich user
accounts with of course DCL which the hackers were then free to abuse.

We were not scrutinizing buffers however and any such overflow may in
our case have done nothing harmful (by luck or design). I think it was
version 7.1-? if it makes a difference. Did the gentleman specify any
versions?

Patrick J