[Info-vax] DCL vulnerability write up on The Register

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Sun Feb 18 08:57:15 EST 2018


On 2018-02-18, johnwallace4 at yahoo.co.uk <johnwallace4 at yahoo.co.uk> wrote:
>
> Readers who haven't yet seen reports that ASLR, 'as used by
> every other modern operating system', is frequently an 
> untrustworthy piece of security theatre in commodity systems, 
> might want to dig around a bit, e.g. 
>
> https://www.pcworld.com/article/3170583/security/javascript-based-aslr-bypass-attack-simplifies-browser-exploits.html
>

The point is that ASLR dramatically increases the amount of work that
an attacker has to do (even if that work is to defeat ASLR).

On VMS, an interactive attacker has to do nothing more than just replace
a return address with a known value as they don't have to mess around
with getting the program to accept the shellcode. This makes ASLR utterly
useless as a defence against interactive attackers on VMS.

This also avoids another problem attackers on other operating systems
sometimes face which is that the shellcode can have nulls in it and
the loading of the shellcode may stop at the first null.

On VMS, you can just write the shellcode into a memory area, nulls and
all, and just have done with it.

A memory area that the world's most secure operating system doesn't
even mark as non-executable.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
