[Info-vax] Whither VMS?

VAXman- at SendSpamHere.ORG VAXman- at SendSpamHere.ORG
Fri Oct 2 12:53:44 EDT 2009


In article <4895ah.i6n.ln at gw1>, Jordi Guillaumes i Pons <send.me at no.spam> writes:
>Bob Eager wrote:
>>>interesting, since in architectures like x86 that can overwrite the
>>>stack frame
>> 
>> 
>> As you can in the VAX...
>
>Especially if you program in C and "think" in C. If you follow the rules 
>(VAX Calling and Condition Handling IIRC) you should use descriptors to 
>pass strings. And your routine _should_ check if the length of the 
>string passed as parameter fits in your buffer.
>
>C is a good language for systems programming. I've always thought of it 
>as an assembly language on steroids. For a systems programmer pointers 
>are part of his daily life. But those things have no place in a payroll 
>program. And, for the sake of the security, neither in a web server.

Macro is an assembly language on steroids.  Bliss is an assembly language
on steroids.  C needs Altoids, not steroids, because it stinks.  It doesn't
even have a decent macro capability.


>>>Of course, that couldn't happen in a VAX. All you would get is an ACCVIO,
>>>since VAX has an exec bit for each page, and the stack should not be
>>>executable. But on the x86 they have that kind of protection only recently.
>> 
>> 
>> The exec bit won't save the stack frame. It'll stop part of the stack 
>> being executed as code, and it'll stop a corrupted return link diving 
>> into non-code, but it won't stop a corrupted return link diving into a 
>> different bit of code.
>
>
>Yep, but if the stack itself is not executable the bad guy will have 
>more difficulties to do nasty things. First of all, he (or she) will not 
>be able to put a snippet of code in the stack. Yes, he could 
>redirect the program to do nasty things... but not WHATEVER nasty thing.
>
>Oh, by the way, I don't know if this has REALLY happened. Do you know 
>about any successful attack against a VAX running VMS using a 
>buffer/stack overflow?

Yes.  About a year ago there was much discussion here with respect to one 
of the RTL routines employed in many of the system utilities for command
line input and recall.  I still have a simple 20 Alpha instruction "hack"
to demonstrate the exploit dated 17-Aug-2008.  I think if you go back and
google this newsgroup for articles around that time frame with DEFCON in
them, you should be able to find some info.  HP issued a patch for this
vulnerability.  Hopefully, sites installed it.


-- 
VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)ORG

  http://www.quirkfactory.com/popart/asskey/eqn2.png
  
  "Well my son, life is like a beanstalk, isn't it?"
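The length check on descriptor-passed strings that the quoted text describes, as an added example that is not part of the original post or of any VMS code. The `str_desc` struct is a hypothetical, simplified stand-in for a string descriptor, and the function names and sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for a string descriptor: the length
   travels with the pointer, so no NUL terminator is assumed. */
struct str_desc {
    unsigned short length;  /* bytes available at ptr */
    const char *ptr;
};

enum { COPY_OK = 0, COPY_BAD_ARG = -1, COPY_TOO_LONG = -2 };

/* Copy src into dst (dst_size bytes, terminator included).
   An oversized string is rejected, never truncated or written. */
int copy_from_desc(char *dst, size_t dst_size, const struct str_desc *src)
{
    if (!dst || dst_size == 0 || !src || (src->length && !src->ptr))
        return COPY_BAD_ARG;
    dst[0] = '\0';
    if ((size_t)src->length >= dst_size)    /* keep one byte for '\0' */
        return COPY_TOO_LONG;
    if (src->length)
        memcpy(dst, src->ptr, src->length);
    dst[src->length] = '\0';
    return COPY_OK;
}

/* Constructed sample inputs: a 16-byte stack buffer, a 9-byte string that
   fits, and a 64-byte unterminated string that does not. */
int demo(int oversized)
{
    char line[16];
    char big[64];
    struct str_desc d;
    memset(big, 'A', sizeof big);
    d.ptr = oversized ? big : "SHOW TIME";
    d.length = oversized ? (unsigned short)sizeof big : 9;
    int st = copy_from_desc(line, sizeof line, &d);
    printf("length=%u -> status %d, buffer=\"%s\"\n", (unsigned)d.length, st, line);
    return st;
}

int main(void)
{
    demo(0);
    demo(1);
    return 0;
}
```

The check compares the descriptor's length against the destination's capacity before any byte is written, so the stack frame holding `line` is never touched by an oversized input.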


