Posts by Simon Clubley

9 publicly visible posts • joined 2 Jun 2017

Ghost in the DCL shell: OpenVMS, touted as ultra reliable, had a local root hole for 30 years

Simon Clubley

The CVE proves the vulnerability is real

[I am the same person who found the vulnerability detailed in this article.]

@AC on 1-Jan-2019

The AC is a perfect example of the kind of person in the VMS user community I was warning about in the article.

He is either clueless enough about modern security practices that he doesn't have a clue what a CVE is, or he is one of the people who denies that VMS has the same issues as other operating systems do and is in denial that a decades-old vulnerability has been found by myself.

What the AC didn't say in his posting above is that he showed up in the comp.os.vms newsgroup several months ago, saying the same things as he has here and ignoring any comments which explained why this vulnerability really does exist and that VSI had produced a patch to fix it.

He only finally went away when the VSI engineer who fixed the vulnerability I found also confirmed the vulnerability was real and so was the patch which fixed it.

As for the money, the AC has already been told I am not interested in it even though the proof he seeks already exists; this wasn't the reason I did this research. Besides, I doubt the money really exists.

In case the AC is simply unaware of what a CVE is, the following should hopefully enlighten him. It doesn't explain however why he has ignored the information provided to him in comp.os.vms.

The CVE database is an industry-wide database of vulnerabilities which has existed since 1999. This specific CVE entry was created by VSI, not myself, and the text in the CVE, which shows the issue has existed since VAX/VMS V4.0, was also written by VSI after they had analysed and confirmed my research.

This means the CVE is a vendor statement confirming the vulnerability and on which platforms (VAX and Alpha) the vulnerability can be exploited to compromise the system. It is NOT merely a series of claims by myself.

This also means the VSI issued CVE _is_ the proof you seek.

BTW, this isn't the first time elements in the VMS user community have reacted in this way. The last major public discussion of VMS vulnerabilities occurred about 10 years ago when VMS was probed at DEFCON 16 and vulnerabilities were found. Some of the subsequent user community discussion was less than impressive in the knowledge displayed and the negative attitude towards the researchers.

VSI marketing

This idea that VMS stands above all other operating systems when it comes to security is also reinforced by VSI as VSI makes the idiotic claim that VMS is "the most secure operating system on the planet". And yes, that's a direct quote from VSI.

As far as I can tell, VSI justifies making this claim by comparing the number of CVEs issued for an operating system (VMS) which is probed once in a blue moon (if that!) and then comparing it to the number of CVEs issued for Linux and Windows, which are actively probed every single day by an entire army of researchers.

Unfortunately, this attitude reflects what some in the VMS user community also believe.

Final notes

I am not a professional security researcher; I am a normal programmer with a range of experience in various operating systems (including VMS) and various programming languages.

I did this one-off research because I was alarmed by the increasingly out-of-touch language, both by the VMS user community and VSI, about the security of VMS. I could see the possibility of the VMS users getting a very sudden wake-up call from security researchers if they saw the language on the VSI website and treated it as a challenge.

I therefore decided to temporarily put on a security researcher hat and probe VMS for a vulnerability which I could use to hit the VMS community over the head with before any third-party researchers came along and taught them the same lesson in a much more sudden manner.

As you can see from the CVE, I promptly found a vulnerability in VMS which allowed you to compromise VAX (and later Alpha when it arrived) systems for over 30 years if you have direct access to DCL. It makes you wonder what the professional researchers may find if they turn their attention to VMS.

Oh, and the reason why my discovery allowed me to compromise VMS?

Well, it turns out that on VMS, shells running in supervisor mode (i.e. DCL) have access to the privileges of the programs they run. And no, I didn't believe that either when I found it.

Non-privileged users cannot run their own custom written shell in supervisor mode without a privileged user's authorisation, but the above does mean that if a non-privileged user can get shellcode they create running somewhere inside DCL (as I did) it may be possible to use that code to compromise VMS.

Cancel the farewell party. Get back to work. That asteroid isn't going to hit Earth in October

Simon Clubley

And in the UK we have Zelda running the country

And here in the UK, we have a real-life version of Zelda from Terrahawks running the country...

Surely I can't be the only one to notice the parallels between the PM and Zelda? BTW, from what I remember, Zelda's plans for world domination were about as successful as the PM's are turning out to be.

Can GCHQ order techies to work as govt snoops? Experts fear: 'Yes'

Simon Clubley

Re: FFS!

@LeeE. Thanks for the correction.

On the plus side at least I now know you were interested enough to read the whole article. :-)

Simon Clubley

Re: Who cares?

@AC. "it actually sells licenses to operate to telecommunication operators". I'm assuming that's the public telecommunications operators. Private telecommunications operators are also covered by the IPA.

Simon Clubley

@poohbear. My passport _is_ due for renewal next year...

(Seriously. :-))

Simon Clubley

[I'm the same person mentioned in the article. Thanks to everyone for your feedback.]

@phuzz. Section 133, paragraph 4 comes into play here. According to that section, you are allowed to make disclosures in connection with any legal proceedings which have been initiated against you.

Before you get to that stage, you are also allowed under that section to seek the advice of your professional legal adviser, but only your professional legal adviser, for matters relating to the provisions of the IPA after you have received the warrant.

UK surveillance law raises concerns security researchers could be 'deputised' by the state

Simon Clubley

Re: How could the gov't know?

Kiwi, thank you and you are welcome.

As regards your laptop question, it's an interesting question and quite honestly one I had not considered.

However, having quickly thought about it, my instinct is that even I don't think the government could get away with twisting the law to that level to target you as a private person in order to get access to equipment you own.

However, I still have concerns about general communications networks operated by large companies and organisations because I do believe it's far easier to twist the telecommunications operator definitions I quoted above to cover them.

Simon Clubley

Re: What if your job is to fix vulns?

It might be interesting for people to check out what a telecommunications operator is actually defined as - it's far more widely scoped than people might think.

Section 261, paragraph 10 defines a telecommunications operator as not only the person who runs the service but also any person who has control of a telecommunication system. That latter bit would seem to me to include any vendor who has access to the system as part of (for example) normal support operations.

The rest of that section is well worth a read as some definitions are not what you may expect.

For example, a "telecommunication system" is defined in paragraph 13 as:

“Telecommunication system” means a system (including the apparatus comprised in it) that exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electromagnetic energy.

and "Communication" is defined in paragraph 2 as:

“Communication”, in relation to a telecommunications operator, telecommunications service or telecommunication system, includes—

(a) anything comprising speech, music, sounds, visual images or data of any description, and

(b) signals serving either for the impartation of anything between persons, between a person and a thing or between things or for the actuation or control of any apparatus.

As far as I can see, that definition not only includes what a reasonable person would consider to be a telecommunications system, but also something like a messaging system running on (for example) a z/OS mainframe, which if true would also place normal mainframe systems under the scope of this part of the act.

Simon Clubley

Re: How could the gov't know?

[I'm the same person mentioned in the article. Thanks to everyone for the article and the opinions you provided.]

Yes, this is one of the methods I was thinking of. We know GCHQ does pattern matching across Internet traffic and I strongly suspect people doing research on a vulnerability generate their own type of Internet activity pattern. How do we know GCHQ are not looking for those patterns in order to identify people of interest to them?

As for the opinions offered, what's alarming here is that the experts asked offered a range of opinions from "maybe there's a problem here" to "no, it's telecoms operators only". When even the experts can't agree on what the law means then that's a law which is open to having its scope stretched and otherwise abused in years to come.

I'm still concerned about the wording though. Many parts of the law are very clear on what the scope of that part of the law means but this part of the law simply uses "any person" without any explicit constraint.