Cory Smelosky <b4 at gewt.net> writes:
On 6 Mar 2013, at 21:48, "Brian Schenkenberger, VAXman-" <system at TMESIS.COM> wrote:
"Jerome H. Fine" <jhfinedp3k at compsys.to> writes:

{...snip...}
Seriously, has anyone ever successfully developed a virus for
a VMS system? I think I heard that there was a yearly contest
to see if anyone could compromise a VMS system and it failed
every year.

A few (2-3) years ago, there was a reported security elevation exploit that
involves a stupid buffer contamination exploit in SMG$READ_COMPOSED_LINE and
any VMS utility that employed it and that was installed with privileges. It
turned out that the INSTALL utility could be exploited. It was NOT simple
to do but it could be done. I implemented a weaponized PoC to exploit the
security vulnerability. It was, happily, quickly addressed.

There was also another exploit wherein one could send, via VMS mail, the
equivalent of an attachment using /FOREIGN. If the attachment was created
with SUBMIT-ON-CLOSE and the file was read by a privileged user, all bets
were off. Again, this was quickly subdued before it became a widespread
exploit. That, IIRC, was about a decade ago.

Not a bad record at one vulnerability per decade. ;) The only real success
stories of infiltrating VMS all stemmed from social engineering and not, to
my knowledge, from security holes in the OS.
I was recently watching a DEFCON talk about breaking into VMS... no
remote vulnerabilities were found. They all required human stupidity or
an existing account.
http://www.youtube.com/watch?v=Xf7gVma6_3g
The vulnerability I spoke to WRT the SMG$READ_COMPOSED_LINE is discussed
in this video; however, these VMS neophytes (and I still believe that the
fellow discussing the SMG$ issue was given information about this from a
disgruntled VMS engineer as he clearly does NOT know what he is speaking
about) were tutored by others. The nonsense about using a logical name
still makes me spew a mouthful of coffee, assuming I'm drinking it, upon
my screen and keyboard when I watch that video you've linked. To exploit
the security hole (now patched) required self-modifying Alpha code. It's
not very likely that these guys had the wherewithal to accomplish such a
feat with their neanderthal approach to the subject they presented.
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG
Well I speak to machines with the voice of humanity.