[HECnet] Vt100 tester

Brian Schenkenberger, VAXman- system at TMESIS.COM
Thu Mar 7 04:12:14 PST 2013


Cory Smelosky <b4 at gewt.net> writes:

On 6 Mar 2013, at 21:48, "Brian Schenkenberger, VAXman-" <system at TMESIS.COM> wrote:

"Jerome H. Fine" <jhfinedp3k at compsys.to> writes:
{...snip...}
Seriously, has anyone ever successfully developed a virus for
a VMS system?   I think I heard that there was a yearly contest
to see if anyone could compromise a VMS system and it failed
every year.
A few (2-3) years ago, there was a reported security elevation exploit that
involves a stupid buffer contamination exploit in SMG$READ_COMPOSED_LINE and
any VMS utility that employed it and that was installed with privileges.   It
turned out that the INSTALL utility could be exploited.   It was NOT simple
to do but it could be done.   I implemented a weaponized PoC to exploit the
security vulnerability.   It was, happily, quickly addressed.
There was also another exploit wherein one could send, via VMS mail, the
equivalent of an attachment using /FOREIGN.   If the attachment was created
with SUBMIT-ON-CLOSE and the file was read by a privileged user, all bets
were off.   Again, this was quickly subdued before it became a widespread
exploit.   That, IIRC, was about a decade ago.
Not a bad record at one vulnerability per decade. ;)   The only real success
stories of infiltrating VMS all stemmed from social engineering and not, to
my knowledge, from security holes in the OS.

I was recently watching a DEFCON talk about breaking in to VMS... no remote
vulnerabilities were found.   They all required human stupidity or an
existing account.

http://www.youtube.com/watch?v=Xf7gVma6_3g

The vulnerability I spoke to WRT the SMG$READ_COMPOSED_LINE is discussed
in this video; however, these VMS neophytes (and I still believe that the
fellow discussing the SMG$ issue was given information about this from a
disgruntled VMS engineer as he clearly does NOT know what he is speaking
about) were tutored by others.   The nonsense about using a logical name
still makes me spew a mouthful of coffee, assuming I'm drinking it, upon 
my screen and keyboard when I watch that video you've linked.   To exploit
the security hole (now patched) required self-modifying Alpha code.   It's
not very likely that these guys had the wherewithal to accomplish such a
feat with their neanderthal approach to the subject they presented.

-- 
VAXman- A Bored Certified VMS Kernel Mode Hacker       VAXman(at)TMESIS(dot)ORG

Well I speak to machines with the voice of humanity.


