[Info-vax] An old VMS vulnerability, was: Re: Calling standards, was: Re: Byte range locking - was Re: Oracle
VAXman- at SendSpamHere.ORG
Mon Nov 28 13:58:04 EST 2016
In article <o1htcj$do1$1 at dont-email.me>, Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP> writes:
>On 2016-11-28, johnwallace4 at yahoo.co.uk <johnwallace4 at yahoo.co.uk> wrote:
>>
>> Either way there still seem to be plenty of ways to get
>> unauthorised code execution and unauthorised privilege
>> escalation in "modern" high volume OSes.
>
>And for a while that included VMS although I hope HP/VSI have now
>fixed the underlying vulnerability.
>
>VMS had[1] a design flaw in it in which shellcode could be loaded into
>a logical and then executed if you could cause a buffer overflow in
>privileged code. That's how the DEFCON security researchers were able
>to turn a simple buffer overflow into something which could compromise
>VMS.
That's just how the group at DEFCON approached it. Their code exploiting the
hole was rather sketchy indeed and required manual intervention to trigger it.
I wrote a proof-of-concept that automated and weaponized the vulnerability.
>[1] It's been 8 years so I assume by now VMS Engineering have
>released patches to make the address space occupied by the logicals
>non-executable so that if another privileged process is compromised
>then a logical cannot be used to hold the shellcode.
It had NOTHING to do with logicals other than the fact that the DEFCON group
didn't know VMS programming. In fact, having seen their exploit code, I have
been skeptical that they even discovered the vulnerability. I'll leave it at
that.
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG
I speak to machines with the voice of humanity.