[Info-vax] An old VMS vulnerability, was: Re: Calling standards, was: Re: Byte range locking - was Re: Oracle

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Mon Nov 28 15:11:15 EST 2016


On 2016-11-28, VAXman-  @SendSpamHere.ORG <VAXman- at SendSpamHere.ORG> wrote:
> In article <o1htcj$do1$1 at dont-email.me>, Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP> writes:
>>[1] It's been 8 years so I assume by now VMS Engineering have
>>released patches to make the address space occupied by the logicals
>>non-executable so that if another privileged process is compromised
>>then a logical cannot be used to hold the shellcode.
>
> It had NOTHING to do with logicals other than the fact that the DEFCON group
> didn't know VMS programming.  In fact, having seen their exploit code, I have
> been skeptical that they even discovered the vulnerability.  I'll leave it at
> that.
>

They were not using logical name services to actually trigger their
shellcode, but their DEFCON presentation made it very clear that
they were using the address space allocated to a specific logical
to store their shellcode.

When you think about it, that's a clever way to allow code injected
into an address space to survive activation of a privileged image
and to become part of the address space of that privileged image.

One way to stop that as an attack vector is to make sure that the
memory pages allocated to the logical name tables are marked as
no-execute. I don't know where you stored the shellcode in your
version, but I also hope that those memory pages are now no-execute
in VMS as well.

And yes, given the clear lack of knowledge they showed in some areas
in their presentation, I can easily believe that their code was not up
to the same standards as an experienced VMS person, but PoC code is
just that, a proof of concept.

I also picked up on some other things they said such as using binutils
compiled for an Alpha target to generate their shellcode. That's easily
something I could have seen even myself doing as well, given that
I know the GNU toolchain but not the Alpha assembler, especially
when you are generating a small bit of standalone shellcode.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
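The mitigation Simon proposes above (injected bytes sitting in a data
region such as a logical name table should never be fetchable as
instructions) can be shown on a modern POSIX system without any VMS
specifics. The program below is an added example written for this
thread, not code from the DEFCON presentation, from VMS Engineering or
from either poster. It uses Linux/macOS mmap and mprotect as a stand-in
for the VMS page protection the thread is about; the "shellcode" is a
constructed stub that simply returns 42, and the function name
run_from_page is an assumption of this example. The same bytes are
copied into a fresh page twice: once the page is remapped read+execute
and the call returns 42, once it is left read+write (no-execute) and the
CPU refuses to fetch from it, which is caught as SIGSEGV/SIGBUS and
reported as -1.

```c
#define _DEFAULT_SOURCE 1
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Constructed stand-in for injected shellcode: a stub that returns 42.
 * Assumption: the host is x86-64 or AArch64 with NX/XN support. */
#if defined(__x86_64__)
static const unsigned char stub[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 }; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char stub[] = { 0x40, 0x05, 0x80, 0x52,              /* mov w0,#42 */
                                      0xC0, 0x03, 0x5F, 0xD6 };            /* ret        */
#else
#error "add a return-42 stub for this architecture"
#endif

static sigjmp_buf fault_env;

/* Instruction fetch from a no-execute page raises SIGSEGV (SIGBUS on some
 * systems); unwind back to run_from_page instead of dying. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Copy the stub into a fresh anonymous page and try to call it.
 * executable != 0: page is made read+execute before the call.
 * executable == 0: page stays read+write only, the state a logical name
 *                  table page should be in under the proposed mitigation.
 * Returns 42 if the stub ran, -1 if the CPU refused to fetch from the
 * page, -2 if the mapping could not be set up. */
int run_from_page(int executable)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -2;
    memcpy(page, stub, sizeof stub);              /* "inject" the bytes */

    int prot = executable ? (PROT_READ | PROT_EXEC) : (PROT_READ | PROT_WRITE);
    if (mprotect(page, pagesz, prot) != 0) {
        munmap(page, pagesz);
        return -2;
    }
    /* Required on AArch64 so the I-cache sees the freshly written bytes. */
    __builtin___clear_cache((char *)page, (char *)page + sizeof stub);

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &page, sizeof fn);            /* data pointer -> code pointer */
        result = fn();                            /* faults here if page is NX */
    } else {
        result = -1;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return result;
}

int main(void)
{
    printf("executable page : %d\n", run_from_page(1));
    printf("no-execute page : %d\n", run_from_page(0));
    return 0;
}
```

The point of the two calls is that nothing about the injected bytes
changes between them; only the page protection does. That is exactly
why marking logical name table pages no-execute removes the value of
the table as a place to park shellcode, whatever service is later used
to redirect control into it.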