Ghost in the DCL shell: OpenVMS, touted as ultra reliable, had a local root hole for 30 years

Forget Meltdown and Spectre. Someone's found a local privilege escalation in the operating system world's elderly statesman OpenVMS when running it on VAX and Alpha processors. On Itanium CPUs, the same bug can be exploited to crash a process. More details on the flaw, which has been given the designation CVE-2017-17482, are …


  1. Anonymous Coward

    VMS. Bulletproof. Depending on the bullet.

    Oh bollocks.

    We ran circles around the sysadmin (the head of the department) on a VMS VAX cluster at Uni. There have always been quite a few ways to subvert it (especially if the BSD environment package was installed).

    1. Chris King

      Re: VMS. Bulletproof. Depending on the bullet.

      You mean UCX? That thing was total Swiss cheese when it came to security, and the competing TCP/IP stacks (Multinet and TCPWare) weren't much better.

      VMS was harder to exploit and kill IF set up properly (and kept up-to-date on patches), but get it wrong and it would be just as vulnerable as everything else out there.

  2. YetAnotherJoeBlow

    Also on a PDP 11/70 DCL in RSTS V9.* & 10.*

    1. Warm Braw

      DCL featured on RSX-11, RT-11 and RSTS as well as VMS - for "compatibility" - but they were far from the same implementation. On RSX, for example, the DCL parser simply emitted an MCR command line (e.g. DIRECTORY became PIP /LI).

      1. jeffdyer

        PIP /LI. That takes me back.

  3. A Non e-mouse Silver badge

    Patches [...] were announced on the comp.os.vms newsgroup

    VMS Sysadmins using up-to-date methods for communication, eh?

    1. Dan 55 Silver badge

      I do hope they didn't have to install a uuencoded binary.

    2. Sebastian Brosig

      newsgroups

      whyever not?

      Newsgroups were awesome, and there is no reason why they're not _still_ awesome if they are used by the right people. People sharing news. It's lack of discipline, spam etc. that ruins a medium like that.

  4. Anonymous South African Coward Bronze badge

    And now we wait for other old OS'es to be tested for exploits...

    1. Stuart Castle Silver badge

      How many other old Oses run the central computing systems of major banks?

      Not that I'm pushing the panic button or anything, nor do I think this will be a massive problem, but there is a reason this researcher went for VMS (open or not) rather than the myriad of old oses he could have. That reason is likely to be that it is still used.

      1. Christian Berger

        "How many other old Oses run the central computing systems of major banks?"

        I have one data point on that, and that's some bank having switched their old computer for a newer, Java-based solution and giving that old computer to a museum. (it was probably >20 years old at that point) The employees didn't like it because the old system was _much_ faster.

      2. Michael Wojcik Silver badge

        How many other old Oses run the central computing systems of major banks?

        MVS (aka OS/390, z/OS), with VM under it and CICS and IMS on top, for one.

    2. Anonymous Coward

      And now we wait for other old OS'es to be tested for exploits...

      AIX? Not quite dead, more zombie/undead.

  5. Andrew Commons

    Simple workaround?

    Either remove CDU from non-privileged user command tables and/or reinstall it (this is VMS INSTALL) without CMEXEC. Not sure what the side effects of the second option would be.

    It would be rare for non-privileged users to be using the SET COMMAND command.

    1. Anonymous Coward

      Re: Simple workaround?

      I vaguely remember you can install different DCL tables and remove certain commands that way; we used to do it to stop people running 'monitor', as when the system went a bit slow all the developers started monitoring it and making it run even slower.

      1. Andrew Commons

        Re: Simple workaround?

        Yes you can, but it's rarely used.

  6. OskarA

    The sky is falling in

    Enter Chicken Licken Mode:

    One security bug in 30 years. Oh the world is coming to an end.

    Get a life.

    1. Dan 55 Silver badge

      Re: The sky is falling in

      You do realise that VMS's security is by obscurity? It's quite expensive to get hold of.

      1. Andrew Commons

        Re: The sky is falling in

        @Dan 55

        "You do realise that VMS's security is by obscurity? It's quite expensive to get hold of"

        Well, if you consider the free hobbyist licence expensive I guess it is.

        1. Dan 55 Silver badge

          Re: The sky is falling in

          Well, if you consider the free hobbyist licence expensive I guess it is.

          Of the few hobbies I am allowed to have, buying a second-hand DEC Alpha or MicroVAX and putting it in my man cave isn't one of them.

          1. Anonymous Coward

            Re: The sky is falling in

            "Of the few hobbies I am allowed to have, buying a second-hand DEC Alpha or MicroVAX and putting it in my man cave isn't one of them."

            Hardware is no problem. VAXes and Alphas were sufficiently simple that a variety of emulators were developed to run on various flavours of hardware, and some of them are zero cost and some of them are commercially supported. See e.g. SIMH (for VAX) and FreeAXP and friends for Alpha.

            The rest is left as an exercise for the student.

          2. Chris King

            Re: The sky is falling in

            SIMH is much easier to hide.

            1. Stoneshop

              Re: The sky is falling in

              SIMH is much easier to hide.

              People have entire VMS clusters running on RasPis, and for shits and giggles you could stuff them, plus the network switch and the power supply in a uVAX2000 enclosure.

        2. Christian Berger

          Re: The sky is falling in

          ""You do realise that VMS's security is by obscurity? It's quite expensive to get hold of"

          Well, if you consider the free hobbyist licence expensive I guess it is."

          You still need the hardware which realistically is either Alpha or Itanic. Not really something people have lying around.

    2. angrydave

      Re: The sky is falling in

      "One security bug in 30 years. Oh the world is coming to an end."

      Good god, what do you think were on the emergency patch magtapes that used to turn up every few weeks?

      The CCC got started by reverse engineering those patches to find vulns and exploit them, leading to the morning of infamy when every VAX VMS node on JANET was pwned.

      Nice new nym you have there, shame it's burned now.

    3. diodesign (Written by Reg staff) Silver badge

      Re: The sky is falling in

      "Get a life."

      Get another site to comment on.

      C.

    4. GruntyMcPugh Silver badge

      Re: The sky is falling in

      Perhaps you are unaware, but the US DoD is still using VMS systems. Patriot missiles used to have a microVAX as a guidance computer. Some banks still use VMS.

      So this exploit having existed for 30 years is a big deal.

      1. Norman Nescio Silver badge

        Re: Patriot microVAX

        I remember the Patriot missiles and microVAX - mainly because of an interesting lecture on DECnet at a DECUS conference. The speaker was one of the guys who wrote DECnet*, and he played a video of a Patriot missile being launched, and spiralling crazily away from the launcher. It turns out that at that time the guidance radar and the missile communicated by DECnet, and in this particular instance the missile and radar had been put in different DECnet areas with no inter-area router. It brought home the importance of getting your DECnet addressing and set-up correct. (The Patriot missile system, at the time of the Gulf War, wasn't completely bug free, as this article points out.) It was slightly shocking that the American military were throwing away a microVAX with every missile launch. I was trying to justify a development system at the time.

        I even have a 'swag' poster somewhere advertising DECnet phase V.

        Sigh. There are days when I miss system managing a herd of VAXen. I had a wall of orange manuals, replaced by the grey ones, and I was enthusiastic enough to read VAX/VMS Internals and Data Structures for pleasure.

        *a large, and I mean large American chap, at least 6'6" tall. When he sat on one of the conference chairs, which was the standard academic moulded plastic with two bent metal tubes in an inverted 'U' shape, the legs splayed dangerously. The chair looked to be on the very edge of doing a 'Bambi on ice' impression.

        1. Warm Braw

          Re: Patriot microVAX

          I even have a 'swag' poster somewhere advertising DECnet phase V

          I still have the developers' T-Shirt, though I've never managed to wash all the blood out of it...

          1. I Am Spartacus

            Re: Patriot microVAX

            I used to have an "Ignorance is BLISS" t-shirt, with some Macro-32 on the back.

            Back in the good ol' days.

      2. Chris King

        Re: The sky is falling in

        One of the reasons HPE still has to support OpenVMS is a promise DEC made to Uncle Sam back in '92, to provide support for at least 25 years. Time's up on that deal...

        Looking at the roadmaps, HPE's OpenVMS on VAX and Alpha will be pretty much dead and buried by the end of this year, unless they decide to extend support. They're already "MPS without SE" (tech support, but no new bugfixes) but Itanics on 8.4 get Standard Support until 2020.

        VSI's offerings will each get five years of Standard Support then two years of PVS (Prior Version Support) without SE, so no bugfixes for you unless you keep up. VAX won't be supported, but OpenVMS on x86_64 is coming and they say there will be Hobbyist Licencing.

      3. Daniel von Asmuth

        Re: The sky is falling in

        VMS supports remote access using SSH or Telnet, which makes a lot of networked systems vulnerable.

      4. Anonymous Coward

        Re: The sky is falling in

        Perhaps you are unaware, but the US DoD is still using VMS systems. Patriot missiles used to have a microVAX as a guidance computer. Some banks still use VMS.

        So this exploit having existed for 30 years is a big deal.

        It's a privilege escalation problem. You need a login before you can escalate its privilege. Not sure how many Patriot missile battery guidance computers you can log into over the Internet. But I would guess that the number is a big fat 0.

        1. GruntyMcPugh Silver badge

          Re: The sky is falling in

          Internet, probably not, but connected using DECNET and using wireless connections in the field, definitely, so a MitM may be possible.

          And while we hope none of the built in accounts still have default passwords, there is the possibility of one of these hitting the jackpot:

          Name          Password                          Access
          ------------  --------------------------------  -------------------------
          SYSTEM        SYSTEM, MANAGER or OPERATOR       All privs.
          FIELD         FIELD, SERVICE, or DIGITAL        All privs.
          SUPPORT       SUPPORT or DEC                    All privs.
          SYSMAINT      SYSLIB or SYSMAINT                Usually all privs.
          SYSTEST       UETP or SYSTEST                   All privs.
          SYSTEST_CLIG  CLIG, SYSTEST, or TEST            Usually a disabled user
          DEFAULT       USER or DEFAULT                   Normal User
          DECNET        DECNET, NETWORK, or DIGITAL       Normal User
          OPERATIONS    OPERATIONS                        Normal User
          USER          USER                              Normal User
          LIBRARY       LIBRARY or None                   Normal User
          GUEST         GUEST or None                     Normal User
          DEMO          None                              Normal User
          HYTELNET      None                              NETMBX

          1. Anonymous Coward

            Re: there is the possibility of one of these hitting the jackpot

            Maybe there is, more likely there is not. I have a 1994 version of a document containing the list you posted, and it was already way out of date in 1994.

            E.g. Half of the accounts on that list aren't present in a factory-fresh VMS install, or even a typical customer VMS setup.

            E.g. In the late 1980s (eighties, not nineties), various VMS upgrades and patch kits, customer newsletters and industry magazines tried very hard to ensure that VMS systems didn't unknowingly have open accounts or widely-known privileged accounts with easily guessable passwords.

            A little time has elapsed since then, and it seems much of what was known back then has probably been lost in the mists of time.

            1. GruntyMcPugh Silver badge

              Re: there is the possibility of one of these hitting the jackpot

              We'd like to think everyone secured everything, always, but I know this isn't the case. When I worked for a University Dept of Computing at the end of the 90s, I gained access to an SGI workstation via the 'lp' printing account, which, out of the box, had no password. I left that job in '99 so it will have been sometime in the preceding year.

              Anyway, VAXes and the US military: there was a story that the eight-digit launch codes for Minuteman missiles were all set to 00000000, so it wouldn't surprise me if the passwords for some accounts used in the field weren't exactly strong, given they'd have to be recalled under pressure.

              1. Anonymous Coward

                Re: there is the possibility of one of these hitting the jackpot

                "We'd like to think everyone secured everything, always"

                You might. Others might not.

                "I know this isn't the case. "

                Correct. That's part of the reason why the VMS community did its best, back in the 1980s and 1990s, to make it harder to be stupid than to be safe, by attempting to remedy (or better still, prevent) obvious security holes such as accounts with no password or accounts with ridiculously weak passwords, as featured on the list you copy/pasted.

                "there was a story that the eight digit launch codes for Minuteman missiles were all set to 00000000"

                There was such a story, and officials denied it (as officials often do). Either way, it was only one part of a chain of authorization - look into what Permissive Action Links (PAL) do in the context of missiles.

      5. asdf

        Re: The sky is falling in

        >Perhaps you are unaware, but the US DoD is still using VMS systems.

        Workstream running on VMS also probably still runs in more semiconductor fabs than it should. Most fabs don't run well or at all with the MES down for an extended amount of time (though most fabs still using VMS probably aren't paperless so some mitigation there).

  7. 45RPM Silver badge

    I suppose one could argue that VMS is sufficiently esoteric that not many people will have the skills necessary to exploit this hole. I used to use VMS every day - I’m not certain that I remember much of it now though.

    On the other hand, if you do get attacked it's likely that the attackers have specific intent rather than just having a bit of a mooch around to inconvenience you for the props (whatever that means).

    So the good news is that not many people will exploit this flaw. The bad news is that anyone who does exploit this flaw definitely means you harm and is up to no good.

  8. Phil O'Sophical Silver badge

    Source code

    although copies of the listings can, apparently, be purchased.

    You used to get copies of the listing with the systems, on microfiche. I remember many happy days poring through them, since for some never-explained reason our office had a microfiche reader.

    What you had to pay for was actual source, on magtape. I vaguely remember that what you got lacked the build environment, but it was many, many microfortnights ago.

    1. GruntyMcPugh Silver badge

      Re: Source code

      Same here, we had 'The Grey Wall', the hard copy manuals on a shelf, plus the microfiche version, which often had more detailed info.

    2. Steve Graham

      Re: Source code

      Written in assembler and Bliss, an elegant low-level language; and most files signed by the legendary Dave Cutler.

      1. Andrew Commons

        Re: Source code

        I still have the microfiche...and a reader...getting a globe for the reader is a different problem.

    3. I Am Spartacus

      Re: Source code

      @Phil O'Sophical

      I wonder if that was the office where I installed a Vax in late 1980, and insisted we get a microfiche reader. And copies of Systems Internals and Data Structures.

      When men were real men.

      1. TRT Silver badge

        Re: When men were real men

        And the instruction manual came in a box larger than the system itself.

        Yes. I recall the grey wall.

        1. Phil O'Sophical Silver badge

          Re: When men were real men

          Yes. I recall the grey wall.

          I recall the Blue one, and then the Orange one :)

          I still have an RSX-11M orange shelf in boxes in the attic. And the RL02s.

        2. Chris King

          Re: When men were real men

          "And the instruction manual came in a box larger than the system itself".

          Your system turns up on one pallet and the documentation turns up on another one.

          It all went to crap when the "Grey Wall" was replaced by the paperback "White Shelf", and eventually you had to rummage through all the packaging just to find the documentation CD.

      2. Phil O'Sophical Silver badge

        Re: Source code

        I wonder if that was the office where I installed a Vax in late 1980

        1980 I was playing with the Vax at Uni, the one in our office was installed 1982-ish, IIRC.

  9. Tim99 Silver badge

    Back in the day

    The word around was that we should stick with VMS instead of BSD (particularly) from those with a PDP background. We certainly thought a MicroVAX was a nice piece of kit back in the 1980s.

  10. ForthIsNotDead

    Sees a post about VAX on The Reg...

    ...goes all warm and fuzzy, like a Sunday lie-in.

    Ahhh.
