o whether there will be anyone from the VMS community at this event;
o the content of this presentation;
o whether the 'proceedings' will be published?
The abstract is protraying the potential exploits as novel and so would make an interesting read.
-- Ticking away the moments that make up a dull day You fritter and waste the hours in an offhand way. Kicking around on a piece of ground in your home town Waiting for someone or something to show you the way. [Mason, Waters, Wright, Gilmour; The Dark Side of the Moon]
>> is due to be presented this Sunday, Aug 10th 2008
>> Does anyone know ...
>> o whether there will be anyone from the VMS community at this event;
>> o the content of this presentation;
>> o whether the 'proceedings' will be published?
>> The abstract is protraying the potential exploits as novel and so >> would make an interesting read.
> You might want to ask the question over at the Deathrow cluster - there > are likely to be some attendees from that group.
I could also post on the relevant ITRC forum but VMS vulnerabilities likely would be considered off-topic and it end up expunged!
-- Tired of lying in the sunshine staying home to watch the rain. You are young and life is long and there is time to kill today. And then one day you find ten years have got behind you. No one told you when to run, you missed the starting gun. [Mason, Waters, Wright, Gilmour; The Dark Side of the Moon]
This appears to behave as described on at least VAX VMS V7.3 MultiNet V5.1 Rev A-X but not on Alpha VMS V8.3 V5.2 Rev A-X or I64 VMS V8.3 V5.2 Rev A-X (three platforms I have access to).
$ echo `perl -e 'print "a"x1000'` | nc -v host.name 79 Connection to host.name 79 port [tcp/finger] succeeded!
I guess we can assume the 'group of lads' would be keeping an occasional eye on c.o.v. :-)
-- So you run and you run to catch up with the sun but it's sinking Racing around to come up behind you again. The sun is the same in a relative way but you're older, Shorter of breath and one day closer to death. [Mason, Waters, Wright, Gilmour; The Dark Side of the Moon]
> is due to be presented this Sunday, Aug 10th 2008
> Does anyone know ...
> o whether there will be anyone from the VMS community at this event;
> o the content of this presentation;
> o whether the 'proceedings' will be published?
> The abstract is protraying the potential exploits as novel and so would > make an interesting read.
> -- > Ticking away the moments that make up a dull day > You fritter and waste the hours in an offhand way. > Kicking around on a piece of ground in your home town > Waiting for someone or something to show you the way. > [Mason, Waters, Wright, Gilmour; The Dark Side of the Moon]
The last "black hat" stuff I read (and it was a while ago) was quite outdated and went back to the days when SYSTEM, FIELD, etc had default passwords set at installation time.
That's no longer the case, and has been for some time.
> is due to be presented this Sunday, Aug 10th 2008
> Does anyone know ...
> o whether there will be anyone from the VMS community at this event;
> o the content of this presentation;
> o whether the 'proceedings' will be published?
> The abstract is protraying the potential exploits as novel and so would > make an interesting read.
I will wait for this weekend, like some of us, but in the meantime, I will note that one of the presenters claims to have an interest in "social engineering". Of course, the abstract promises "0day vulnerabilities", but we will have to wait and see.
In article <8660a3a10808071711y49326bci2d6514c28357e...@mail.gmail.com>, "William Webb" <william.w.w...@gmail.com> writes:
> The last "black hat" stuff I read (and it was a while ago) was quite > outdated and went back to the days when SYSTEM, FIELD, etc had default > passwords set at installation time.
> That's no longer the case, and has been for some time.
There's a fairly easy to find (or it was last time I bothered looking) guide to hacking VMS that I think you're talking about.
It was written to a default installation and bad system management prior to VMS 5.0. It used the canned passwords to get access to a privileged account. It told of all kinds of little things a privileged account could do.
Unless the DEFCON sessions reports ways to access a system without authorization, or elevate your privileges to a higher class without authorization, on a properly installed and managed system, it's just smoke up your virtual skirt.
I guess they are still "challenged" by the "rout of '01", delivered handily by OpenVMS on Alpha courtesy of The Wiz, Coremac, and Opcom; the legend of which is chronicled here: http://www.bunkerofdoom.com/defcon/defcon9.html
-or maybe they forgot about it and this is completely new. The rules of the 'game' were changed forever. But never mind;
By the time I saw it, it was too late to get in the truck and drive to the DEFCON by myself.
On Mon, Aug 11, 2008 at 10:47 PM, patrick jankowiak <e...@swbell.net> wrote: > I guess they are still "challenged" by the "rout of '01", delivered handily > by OpenVMS on Alpha courtesy of The Wiz, Coremac, and Opcom; the legend of > which is chronicled here: > http://www.bunkerofdoom.com/defcon/defcon9.html
> -or maybe they forgot about it and this is completely new. > The rules of the 'game' were changed forever. But never mind;
> By the time I saw it, it was too late to get in the truck and drive to the > DEFCON by myself.
>> is due to be presented this Sunday, Aug 10th 2008
Hi, Pat-
Good to see you posting. "What I Did On My Summer Vacation" is one of the funniest VMS stories I've ever heard, and I've heard some Real Funny Ones at "Magic Night" at the last two bootcamps.
> On Mon, Aug 11, 2008 at 10:47 PM, patrick jankowiak <e...@swbell.net > <mailto:e...@swbell.net>> wrote:
> I guess they are still "challenged" by the "rout of '01", delivered > handily by OpenVMS on Alpha courtesy of The Wiz, Coremac, and Opcom; > the legend of which is chronicled here: > http://www.bunkerofdoom.com/defcon/defcon9.html
> -or maybe they forgot about it and this is completely new. > The rules of the 'game' were changed forever. But never mind;
> By the time I saw it, it was too late to get in the truck and drive > to the DEFCON by myself.
> is due to be presented this Sunday, Aug 10th 2008
> Hi, Pat-
> Good to see you posting. "What I Did On My Summer Vacation" is one of > the funniest VMS stories I've ever heard, and I've heard some Real Funny > Ones at "Magic Night" at the last two bootcamps.
> WWWebb
Hi William,
Thank you and I guess I need to show up to the party from time to time. I guess I sort of navigated past the edge of the known world, and found more worlds and adventures to explore.
I just finished reading the presenation slides from DEFCON and fortunately it doesn't to be anything earth-shattering, two exploits are described:
1. A format string vulnerability in the FINGER client (VAX only). The example shellcode is stored on a remote system's .plan file and forces the victim FINGER client to modify SYSUAF.
2. A CLI buffer overflow on Alphas. Basically any input over 511 characters causes an overflow, it seems to be possible to have a privileged process execute arbitrary code.
Anyway, this is from a 10 minute reading of the slides, I might have missed something, but the important thing (IMHO) is that neither of these exploits are possible from remote but require a malicious user to already have an account on the targeted system.
In article <6419afac-bb99-4d7d-b61c-2e29234df...@z72g2000hsb.googlegroups.com>, samp...@gmail.com writes:
>Guys,
>I just finished reading the presenation slides from DEFCON and >fortunately it doesn't to be anything earth-shattering, two exploits >are described:
>1. A format string vulnerability in the FINGER client (VAX only). The >example shellcode is stored on a remote system's .plan file and forces >the victim FINGER client to modify SYSUAF.
Is this with DEC TCPIP services or is it something to do with the Multinet finger vulnerability ?
>2. A CLI buffer overflow on Alphas. Basically any input over 511 >characters causes an overflow, it seems to be possible to have a >privileged process execute arbitrary code.
Can you explain this one in a bit more detail ? Is this an attack against DCL itself, images installed with privileges or something else ?
David Webb Security team leader CCSS Middlesex University
>Anyway, this is from a 10 minute reading of the slides, I might have >missed something, but the important thing (IMHO) is that neither of >these exploits are possible from remote but require a malicious user >to already have an account on the targeted system.
> >1. A format string vulnerability in the FINGER client (VAX only). The > >example shellcode is stored on a remote system's .plan file and forces > >the victim FINGER client to modify SYSUAF.
> Is this with DEC TCPIP services or is it something to do with the > Multinet finger vulnerability ?
It appears to be something separate, since it seems to have to do with a format string vulnerability. Basically someone puts a bunch of % strings and shellcode in their .plan on a remote host, fingers that user from the target host, and the FINGER client executes the shellcode due to the format string vulnerability in the client.
> >2. A CLI buffer overflow on Alphas. Basically any input over 511 > >characters causes an overflow, it seems to be possible to have a > >privileged process execute arbitrary code.
> Can you explain this one in a bit more detail ? > Is this an attack against DCL itself, images installed with privileges > or something else ?
I think this might be a DCL issue, it seems to work across a number of different images. Not had a chance to play with this as my own VMS box is down at the moment.
In article <6419afac-bb99-4d7d-b61c-2e29234df...@z72g2000hsb.googlegroups.com>, samp...@gmail.com writes:
> Guys,
> 1. A format string vulnerability in the FINGER client (VAX only). The > example shellcode is stored on a remote system's .plan file and forces > the victim FINGER client to modify SYSUAF.
In article <6419afac-bb99-4d7d-b61c-2e29234df...@z72g2000hsb.googlegroups.com>, samp...@gmail.com writes:
> Guys,
> I just finished reading the presenation slides from DEFCON and > fortunately it doesn't to be anything earth-shattering, two exploits > are described:
Are these publically available? (If there is anything in them, I'd like to review my systems).
On Aug 12, 6:00 pm, koeh...@eisner.nospam.encompasserve.org (Bob
Koehler) wrote: > In article <6419afac-bb99-4d7d-b61c-2e29234df...@z72g2000hsb.googlegroups.com>, samp...@gmail.com writes:
> > Guys,
> > I just finished reading the presenation slides from DEFCON and > > fortunately it doesn't to be anything earth-shattering, two exploits > > are described:
> Are these publically available? (If there is anything in them, I'd > like to review my systems).
I got them from a friend who's colleague was at DEFCON - I don't know what the distribution/copyright issues are with the document so I daren't host them on my web page.
samp...@gmail.com wrote: >>> 1. A format string vulnerability in the FINGER client (VAX only). The >>> example shellcode is stored on a remote system's .plan file and forces >>> the victim FINGER client to modify SYSUAF. >> Is this with DEC TCPIP services or is it something to do with the >> Multinet finger vulnerability ?
> It appears to be something separate, since it seems to have to do with > a format string > vulnerability. Basically someone puts a bunch of % strings and > shellcode in their .plan > on a remote host, fingers that user from the target host, and the > FINGER client executes > the shellcode due to the format string vulnerability in the client.
>>> 2. A CLI buffer overflow on Alphas. Basically any input over 511 >>> characters causes an overflow, it seems to be possible to have a >>> privileged process execute arbitrary code. >> Can you explain this one in a bit more detail ? >> Is this an attack against DCL itself, images installed with privileges >> or something else ?
> I think this might be a DCL issue, it seems to work across a number of > different images. Not had a chance to play with this as my own VMS > box is down at the moment.
> Sampsa
I would have thought a CLI overflow to have been tried by at least a few at DEFCON9 because the system automagically created service-rich user accounts with of course DCL which the hackers were then free to abuse.
We were not scrutinizing buffers however and any such overflow may in our case have done nothing harmful (by luck or design). I think it was version 7.1-? if it makes a difference. Did the gentleman specify any versions?
> I would have thought a CLI overflow to have been tried by at least a few > at DEFCON9 because the system automagically created service-rich user > accounts with of course DCL which the hackers were then free to abuse.
> We were not scrutinizing buffers however and any such overflow may in > our case have done nothing harmful (by luck or design). I think it was > version 7.1-? if it makes a difference. Did the gentleman specify any > versions?
Default 8.3 install on an Alpha according to the presentation notes. To reproduce this, apparently one is to enter exactly 511 characters of input, then press the up arrow three times and wait - a core dump follows.
samp...@gmail.com wrote: >> I would have thought a CLI overflow to have been tried by at least a few >> at DEFCON9 because the system automagically created service-rich user >> accounts with of course DCL which the hackers were then free to abuse.
>> We were not scrutinizing buffers however and any such overflow may in >> our case have done nothing harmful (by luck or design). I think it was >> version 7.1-? if it makes a difference. Did the gentleman specify any >> versions?
> Default 8.3 install on an Alpha according to the presentation notes. > To reproduce this, apparently one is to enter exactly 511 characters > of input, then press the up arrow three times and wait - a core dump > follows.
Sorry - I can't reproduce this the way it is described here on my V8.3 Alpha. After entering the characters, and pressing the up arrow three times, I am returned to the "$", without a dump. I have reproduced this technique on two different Alphas, both running V8.3, and have not reproduced the reported behavior.
In article <9781c047-761a-4923-9aab-8c1a32ff7...@x35g2000hsb.googlegroups.com>, samp...@gmail.com writes:
>> I would have thought a CLI overflow to have been tried by at least a few >> at DEFCON9 because the system automagically created service-rich user >> accounts with of course DCL which the hackers were then free to abuse.
>> We were not scrutinizing buffers however and any such overflow may in >> our case have done nothing harmful (by luck or design). I think it was >> version 7.1-? if it makes a difference. Did the gentleman specify any >> versions?
>Default 8.3 install on an Alpha according to the presentation notes. >To reproduce this, apparently one is to enter exactly 511 characters >of input, then press the up arrow three times and wait - a core dump >follows.
I know you didn't make the claim but you should first test it out before brandishing bullshit here.
I've tried to reproduce the claimed results from your posted instruction and it does NOT produce a "core dump".
-- VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM
... pejorative statements of opinion are entitled to constitutional protection no matter how extreme, vituperous, or vigorously expressed they may be. (NJSC)
Copr. 2008 Brian Schenkenberger. Publication of _this_ usenet article outside of usenet _must_ include its contents in its entirety including this copyright notice, disclaimer and quotations.
> >Default 8.3 install on an Alpha according to the presentation notes. > >To reproduce this, apparently one is to enter exactly 511 characters > >of input, then press the up arrow three times and wait - a core dump > >follows.
> I know you didn't make the claim but you should first test it out before > brandishing bullshit here.
> I've tried to reproduce the claimed results from your posted instruction > and it does NOT produce a "core dump".
Hey don't shoot the messenger, people were interested in what was in the presentation, I just relayed that information WITH THE CAVEAT THAT I DIDN'T TEST IT. They had screenshots of the flaw and source code for an exploit, based on that I assumed it's genuine even if we haven't been able to reproduce it.
I'm not trying to scaremonger or stir up shit, in fact I stated in my original post that neither of these exploits seemed particularly earth shattering.
On Wed, Aug 13, 2008 at 7:56 AM, <samp...@gmail.com> wrote: > > >Default 8.3 install on an Alpha according to the presentation notes. > > >To reproduce this, apparently one is to enter exactly 511 characters > > >of input, then press the up arrow three times and wait - a core dump > > >follows.
> > I know you didn't make the claim but you should first test it out before > > brandishing bullshit here.
> > I've tried to reproduce the claimed results from your posted instruction > > and it does NOT produce a "core dump".
> Hey don't shoot the messenger, people were interested in what was in > the presentation, I just relayed that information WITH THE CAVEAT THAT > I DIDN'T TEST IT. They had screenshots of the flaw and source code for > an exploit, based on that I assumed it's genuine even if we haven't > been able to reproduce it.
> I'm not trying to scaremonger or stir up shit, in fact I stated in my > original post that neither of these exploits seemed particularly earth > shattering.
> Sampsa
There are people in Engineering with whom I can check...
