[Info-vax] Malware in kernel mode, was: Re: Android development Was Re: OT: Larry Ellison takes retirement as CEO of Oracle

Johnny Billquist bqt at softjar.se
Wed Sep 24 17:04:25 EDT 2014


On 2014-09-24 19:19, Simon Clubley wrote:
> On 2014-09-23, Johnny Billquist <bqt at softjar.se> wrote:
>> On 2014-09-23 16:10, David Froble wrote:
>>> Johnny Billquist wrote:
>>>>
>>>> *How* do you get the x86 code running in kernel mode, without
>>>> involving the OS at all???
>>>>
>>>
>>> I'm not some asshole hacker.  I haven't given it much thought.  If I
>>> could answer your question, I'd be maybe 90% of the way to write malware
>>> to do just what I've suggested.
>>>
>>> Your attitude of "that can't be done" is much appreciated by the hackers.
>>
>> Or maybe I'm right. You know, in general it helps to understand the
>> topic before making claims. :-)
>>
>
> I already posted one conceptual way in which this could be done and that
> was to have something like a buffer overflow occur within a kernel mode
> module; the example I gave was some TCP/IP component which might suffer
> from some VMS specific or common mode vulnerability.
>
> In this example, the data in the buffer would be executed as code and as
> VMS is a monolithic kernel all the peripheral address space is mapped in
> while in kernel mode.
>
> This means the code would basically be running as bare metal code while
> in fully privileged kernel mode and could do whatever it wanted to the
> attached peripherals.
>
> If the code was VMS aware, it could further hook itself into some VMS
> kernel module.

The code better be VMS-aware, or it most likely will not get anywhere.

And no one argued that you cannot find exploits in VMS.
I was merely pointing out that any Unix (or Windows, or whatever)
exploits are not relevant for VMS. Heck, even buffer overflows in TCP/IP
will in all likelihood be different, and triggered differently than
under any other OS. Because even though for TCP/IP, VMS might have
ported code from Unix, there will still be changes and differences that
are highly relevant when you try to use various bugs for exploits.

	Johnny
