[Info-vax] OpenVMS books

[Arne Vajhøj]

On 7/25/2017 11:45 AM, seasoned_geek wrote:
> On Monday, July 24, 2017 at 9:17:31 PM UTC-5, Simon Clubley wrote:
>> On 2017-07-22, seasoned_geek <roland at logikalsolutions.com> wrote:
>>>
>>> OpenVMS was banned from Black Hat conferences until it started getting
>>> OpenSource added to it, then it was welcomed with open arms AND it started
>>> getting breached.
>>>
>>
>> Bollocks.
>>
>> The total system compromise breach was in SMG which is pure VMS and
>> was a straight forward buffer overflow. Its exploit was made a lot
>> easier due to the VMS design which meant the security researchers
>> didn't even have to mess around with loading shellcode onto the stack.
>>
>> The finger compromise on UCX 5.x was caused by not specifying a format
>> string (IIRC) as the first argument. The UCX 5.x stack came from another
>> DEC OS and that code should never have passed peer review.

> Double Bollocks
> 
> https://www.sans.org/reading-room/whitepapers/infosec/primer-openvms-vms-security-604

I don't think that story dispute the SMG or UCX issue.

So no double bollocks.

> ====
> In mid February 2002, news quickly became widespread regarding vulnerabilities that
> existed in the SNMP protocol.
> According to the CERT Advisory CA-2002-03
> “Vulnerabilities in the decoding and subsequent processing of SNMP messages by both
> managers and agents may result in denial-of-service conditions, format string vulnerabilities,
> and buffer overflows. Some vulnerabilities do not require the SNMP message to use the
> correct SNMP community string.”
> According to Compaq’s statement in response to this multi-vendor advisory, the SNMP agent
> for VMS TCP/IP is impacted.
> ====
> 
> There are more from the years when OpenSource started getting rolled in. I just don't feel like wasting the time.

Where is the open source????

VMS TCP/IP is not open source.

And nowhere does it state that DEC/Compaq had used any open source in
their SNMP implementation.

They may have, but it does not say so.

Arne