[Info-vax] Malware in kernel mode, was: Re: Android development Was Re: OT: Larry Ellison takes retirement as CEO of Oracle

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Fri Sep 26 08:28:42 EDT 2014


On 2014-09-26 11:00:39 +0000, VAXman-  @SendSpamHere.ORG said:

> In article <7f2740f3-f749-4b52-9da2-22f8ad416f62 at googlegroups.com>, 
> John Reagan <xyzzy1959 at gmail.com> writes:
>> Now you are talking malware that is VMS-specific, not general-purpose 
>> x86 malware (which isn't very common).
>> 
>> What privs does Apache normally have on VMS?  (I've never looked)
> 
> 26-SEP-2014 06:59:42.19   User: APACHE$WWW ...
> Authorized privileges:
>  NETMBX       TMPMBX
> 
> Process privileges:
>  NETMBX               may create network device
>  TMPMBX               may create temporary mailbox


Web server attacks are seldom specifically targeting enhanced web 
server process privileges — Apache isn't configured and running as root 
on any sane Unix platform, either.  These attacks generally seek the 
ability to execute an attacker's code in the context of the target 
server, which can then allow further exploration, exploitation and 
(potentially) privilege escalation.

Apache often has enough access to run code (hopefully you've already 
reviewed your Unix servers for web-facing bash scripts; but I digress), 
and more than a few servers have Apache-writable web server directories 
configured.  If an attacker can upload or can create a program and then 
invoke it on the target server, it's "%SYSTEM-F-GAMEOVER, all your base 
are belong to us".

Apache also has enough access to view and variously modify data stored 
in web-facing databases, and more than a few folks still don't 
parameterize their SQL processing, for instance.

VMS defenses against local stack and heap smashing attacks are 
comparatively weak, with no-execute stack and heap available only on 
OpenVMS I64 V8.2 and later, and with VMS entirely lacking ASLR and 
jails/sandboxes.  While neither no-execute nor ASLR nor jails/sandboxes 
are particularly reliable defenses, they do make it more likely the 
attacker will crash something and the activities then be logged and/or 
detected, or that the attacker will require knowledge of several 
different vulnerabilities.

Arguably, the Itanium separation of program control and user data and 
its associated register-spilling shenanigans are a better defense 
against typical sorts of stack smashing than the mixed-usage stack 
within the architectures of Alpha and VAX, too.

-- 
Pure Personal Opinion | HoffmanLabs LLC
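The "Apache-writable web server directories" point above is the easiest of these to audit mechanically. The following is an added example, not code from the post or from any project it mentions: it walks a Unix document root and reports every directory the web server account could create a file in, evaluating the permission bits itself rather than calling os.access() (which answers for the current process and is always true for root). The uid/gid of the web server account are constructed placeholders; VMS ACLs and identifiers are out of scope here.

```python
"""Audit a web document root for directories the web server account can create files in.

Added example (not from the original post). WEB_UID / WEB_GIDS are constructed
placeholder values for the web server account; substitute the real ones.
"""
import os
import stat
import sys

WEB_UID = 48        # constructed: uid of the account httpd runs as
WEB_GIDS = {48}     # constructed: that account's primary + supplementary gids


def account_can_create_in(mode: int, owner_uid: int, owner_gid: int,
                          uid: int = WEB_UID, gids: set = WEB_GIDS) -> bool:
    """Return True if the account (uid, gids) can create an entry in a directory.

    Creating a file needs both write and search (execute) permission on the
    directory. Classes are resolved the way the kernel does it: owner class if
    the uid matches, otherwise group class if any gid matches, otherwise other.
    Computed from st_mode so the answer does not depend on who runs the audit.
    """
    if owner_uid == uid:
        needed = stat.S_IWUSR | stat.S_IXUSR
    elif owner_gid in gids:
        needed = stat.S_IWGRP | stat.S_IXGRP
    else:
        needed = stat.S_IWOTH | stat.S_IXOTH
    return (mode & needed) == needed


def writable_dirs(docroot: str, uid: int = WEB_UID, gids: set = WEB_GIDS) -> list:
    """List directories under docroot the web server account could write into.

    Symlinked directories are not followed, so a link out of the docroot does
    not drag the rest of the filesystem into the report.
    """
    hits = []
    for dirpath, _dirnames, _filenames in os.walk(docroot, followlinks=False):
        st = os.lstat(dirpath)
        if stat.S_ISDIR(st.st_mode) and account_can_create_in(
                st.st_mode, st.st_uid, st.st_gid, uid, gids):
            hits.append(dirpath)
    return sorted(hits)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html"
    for d in writable_dirs(root):
        print("web-server-writable:", d)
```

Any directory it reports is one where an upload bug or a script flaw turns into "run my code on your server"; the fix is to make the docroot owned by a deployment account and leave the web server with read-only access everywhere it does not genuinely need to write.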