[Info-vax] CVE-2017-17482
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Fri Feb 2 08:24:36 EST 2018
On 2018-02-02, geraldmarsh100 at gmail.com <geraldmarsh100 at gmail.com> wrote:
> On Friday, 26 January 2018 22:19:36 UTC, Derrell Piper wrote:
>> From: Eddie Orcutt <eddie.orcutt at vmssoftware.com>
>> Date: Friday, January 26, 2018 at 4:27 PM
>> To: Eddie Orcutt <eddie.orcutt at vmssoftware.com>
>> Subject: OpenVMS Security Notice
>>
>> Dear VSI OpenVMS Customer;
>>
>> A potential security vulnerability has been found in which a malformed
>> DCL command table may result in a buffer overflow allowing a local
>> privilege escalation in non-privileged accounts. This bug is exploitable
>> on VAX and Alpha and may cause a process crash on IA64. All versions of
>> VMS and OpenVMS after and including VAX/VMS 4.0 are affected.
>>
[snip]
>
> It seems it is not exploitable on Itanium.
Yes and no.
As you can see from the above text it still causes a process crash on
Itanium. The only reason Itanium is not compromisable with this specific
version of the exploit is because the return address is handled very
differently on Itanium.
It is not beyond the bounds of possibility that someone could find
a different variant that could be used to compromise an Itanium system.
For example, if you can overwrite a pointer to a data structure then
you can force code within DCL to process memory that you control.
I don't easily know if such pointers can be reached by a malformed .cld
definition as I do not have access to the VMS source code (all my
research and exploit development has been done without access to the
VMS source code). And before anyone asks, I don't want access to the VMS
source code as that would be illegal without the source code licences.
I do know however that it is still possible to indirectly compromise
some Itanium systems using this exploit.
For example, if your Itanium systems are part of a mixed-architecture
cluster, then you can use the vulnerability to compromise a vulnerable
cluster member and then use that cluster member to compromise your
Itanium systems.
So no, you can't say that Itanium is not exploitable. The best you can
say is that Itanium is not _directly_ exploitable with _this_ specific
version of the vulnerability.
Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
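The two overflow variants contrasted in the post (clobbering a return address, which fails on Itanium, versus clobbering a pointer to a data structure so that later code processes memory the attacker chose) can be shown in a small C program. The following is an added, constructed illustration; it is not code from the post, from VSI, or from DCL, and the record format, struct layout, and all names (cmd_entry, handler_table, load_entry_unchecked, load_entry_checked, forged_record) are hypothetical. It only shows why an unchecked length in a definition record that sits next to a pointer is enough to redirect dispatch, and what the bounds check that prevents it looks like.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout, constructed for this example: a fixed-size command
 * name sits directly in front of a pointer to the table that will handle the
 * command. Nothing here describes the real DCL command-table format. */
struct handler_table {
    int privileged;      /* 1 = commands dispatched via this table run privileged */
    const char *label;
};

struct cmd_entry {
    char name[16];
    struct handler_table *table;
};

static struct handler_table user_table   = { 0, "user" };
static struct handler_table system_table = { 1, "system" };

/* Record format (constructed): one length byte followed by that many name
 * bytes. A well-formed record never has a length that exceeds name[]. */

/* Vulnerable loader: honours the length byte without checking it against
 * name[], so a long name runs straight into the adjacent table pointer.
 * The copy targets the whole object so that the demo stays within defined
 * behaviour; a real bug would be an unchecked copy into e->name. */
int load_entry_unchecked(struct cmd_entry *e, const uint8_t *rec, size_t rec_len)
{
    size_t n = rec[0];
    if (rec_len < 1 + n || n > sizeof *e)   /* only keeps the copy inside e */
        return -1;
    e->table = &user_table;               /* default: non-privileged table */
    memcpy(e, rec + 1, n);                /* n > sizeof name overwrites e->table */
    return 0;
}

/* Hardened loader: the name must fit in name[] together with its terminator. */
int load_entry_checked(struct cmd_entry *e, const uint8_t *rec, size_t rec_len)
{
    size_t n = rec[0];
    if (rec_len < 1 + n || n >= sizeof e->name)
        return -1;
    memset(e->name, 0, sizeof e->name);
    memcpy(e->name, rec + 1, n);
    e->table = &user_table;
    return 0;
}

/* Dispatch: the code that later trusts whatever pointer the entry holds. */
int dispatch_privileged(const struct cmd_entry *e)
{
    return e->table->privileged;
}

/* Build a well-formed record for a short command name. */
size_t benign_record(uint8_t *out, size_t cap, const char *name)
{
    size_t n = strlen(name);
    if (n > 255 || cap < 1 + n) return 0;
    out[0] = (uint8_t)n;
    memcpy(out + 1, name, n);
    return 1 + n;
}

/* Build a malformed record: fill name[] (and any padding) with 'A', then
 * place the bytes of a chosen pointer exactly where e->table lives. */
size_t forged_record(uint8_t *out, size_t cap, struct handler_table *target)
{
    size_t off = offsetof(struct cmd_entry, table);
    size_t n = off + sizeof target;
    if (n > 255 || cap < 1 + n) return 0;
    out[0] = (uint8_t)n;
    memset(out + 1, 'A', off);
    memcpy(out + 1 + off, &target, sizeof target);
    return 1 + n;
}

int main(void)
{
    uint8_t rec[64];
    struct cmd_entry e;
    size_t len = forged_record(rec, sizeof rec, &system_table);

    if (load_entry_unchecked(&e, rec, len) == 0)
        printf("unchecked loader: dispatch privileged = %d (table %s)\n",
               dispatch_privileged(&e), e.table->label);
    printf("checked loader rejects the same record: %d\n",
           load_entry_checked(&e, rec, len));
    return 0;
}
```

Nothing in this variant depends on how the machine stores return addresses: the attacker never touches the control stack, only a data pointer that the parser itself dereferences afterwards, which is the kind of target the post says would need to be checked for separately on Itanium.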