[Info-vax] Kernel Transplantation

Mark Berryman mark at theberrymans.com
Mon Jan 22 14:40:14 EST 2024


On 1/22/24 6:12 AM, Simon Clubley wrote:
> On 2024-01-20, Mark Berryman <mark at theberrymans.com> wrote:
>> On 1/19/24 11:44 AM, Simon Clubley wrote:
>>> On 2024-01-19, Mark Berryman <mark at theberrymans.com> wrote:
>> .
>> .
>> .
>>>>> Because that command is being run in the same process as the EVL listener
>>>>> it will not help constrain an attacker. This is because all an attacker
>>>>> needs to do in their shellcode is to reenable those privileges.
>>>>
>>>> IIRC, you managed to crash EVL using an insecure setup.  Crashing a
>>>> process is much different than convincing a process to run bogus code
>>>> and, of course, simply crashing EVL causes its process to exit.
>>>>
>>>
>>> By "insecure setup", you mean using a network stack as supplied out of
>>> the box by a vendor selling "the world's most secure operating system" ?
>>
>> No, by insecure setup I mean you allowed an untrusted host, and one not
>> running DECnet, access to another host's DECnet stack.
>>
> 
> Oh, I see Mark. So you mean just like every public node on the Internet is
> supposed to handle without instantly falling over ? :-) (And which gets
> fixed when something unexpected is found ?)

Most likely, every public node on the Internet is behind a firewall, 
which severely limits what packets can reach a given node and, depending 
on the quality of the firewall, the nature of those packets (i.e. good 
firewalls can detect and reject malformed packets).

Sadly, when an IP-based attack makes it through the firewall and into a 
host, the host typically does worse than "fall over".  It lets the 
attacker in where the attacker can then do all kinds of nefarious 
things.  This is often not detected until long after the fact.  If there 
has ever been a successful attack from an external source on a VMS 
system that allowed the attacker to muck around on that system, I am not 
aware of it.  Are you?

The purpose of a firewall is to protect the IP stack of the hosts behind 
it.  I merely suggested a couple of ways one can firewall one's DECnet 
traffic, and thereby protect that stack.  Nothing unusual or exceptional 
about it.

I ran a VMS host fully exposed to the Internet with DECnet phase V on it 
for years without issue.  It was a honeypot so it wanted to see as many 
attack attempts as possible.  It was running WASD instead of Apache so 
none of the attacks on the web port succeeded and none of the attacks on 
the ports used by DECnet ever caused an issue.  So, real world 
experience, not guesswork.  And, no, I wouldn't try this with any other 
platform.

Mark Berryman