 Good morning, Defconn. Can you hear me? Yep Well, thanks for coming this morning Sunday morning at 10 It's not too many of you, but hopefully those of you that are here Are very interested are either very interested in open VMS or just had nothing better to do right so The goal first of all I want to let you know that we know absolutely nothing about open VMS But we do know how to break it the goal of this talk is To prove to you that even though an operating system that has been considered very very secure and reliable for 30 years Can be broken and actually can be broken quite easily The some of the bugs that we found were very trivial to find a little more a little harder to exploit But we're quite easy to find anyone here an open VMS user Good anyone from a HP No Right the open VMS user can take a short nap the talk Is broken and into three parts that will have a lightweight introduction to open VMS Well, we'll just cover the some of the history some of the fundamentals for the operating system history of bugs etc Then we'll have Krista and my colleague Klaus Talk about the Vax and alpha architecture and in particular in particular how they managed to exploit that and how they managed to write shellcode for it the Challenges that they faced and how they managed to overcome those challenges and Most importantly the last part Will show you the root prompt so let's go right ahead Open VMS was developed in the late 70s by digital and It has some of the standard features that nowadays are considered Well standard for an up for an operating system, but then they were quite innovative So all of the standards such as multi-user multi-processing virtual memory real-time processing Transaction process those were pretty cool at the time As far as the ownership goes digital developed it and owned it until 98 when compact took over and then the HP Owns it today initially was called Vax VMS Vax was the hardware that run on and it was developed at the same time of the operating system probably the first time that that happened Then the Vax name dropped and it was just called VMS and then later open VMS in the 90s when The open standards gained more more and more popularity VMS is not similar to Unix in any way However, it is it does share some similarities with Windows NT Because one of the developers Dave Cutler who initially developed VMS was then called at Microsoft to develop Windows NT it runs of on three hard hardware architectures Vax which is a 32-bit system CISC And also alpha and itanium and Crystal and and cmn will talk more about the Vax and alpha later on It is considered secure and reliable even more so than OS X So why would we want to hack open VMS? Well first of all nobody? Hacks it and it's considered very secure Unbreakable it runs on it runs critical operations in financial systems lots of banks and The majority of stock exchanges have some open VMS systems running It runs your SCADA infrastructure systems your railway Your electricity boards they're all controlled by open VMS systems in the UK The NHS system use it a lot for their back-end system another And in other areas you can find it such as manufacturing Intel uses it and education and the military also use it It is also certified by the Department of Defense for its security It's challenging and it's a lot of fun if you want to Try out open VMS you can Get a get an account online with the guys at death row Which we've used and it's pretty cool because they give you access to a cluster of both alpha and Vax systems and They also encourage security research so you can play around with it and They they also have a small deck next so you can play around with deck neck as well There's also this crazy guy in Germany, which is great. He he runs a Vax cluster in his basement and He'll give you access for free If you're particularly interested in Testing out the itanium features then HP will give you a limited access to it So as far as getting the software goes the best way to do that is to go through the hobbies program Which is a cheap way of getting a License and for at least in the UK for 30 bucks and a local subscription of a hundred Dollars a year you can get a valid open VMS license We use emulators There's a free version of personal alpha available. It has limited function eyes such as you can only Use 128 megabytes of RAM One ethernet card and four hard disks, but it's absolutely fine. It runs fine on my laptop It is Windows only so if you're looking at running it on any other platforms it won't work There's also Sharon which emulates Vax system. There's a demo version available and Sim which is again emulates Vax It's free and it runs on most operating system if you do go out and buy your own hardware be aware that Size can be pretty big. So do check with the wife The user environment where it does run an X server with CD. So UNIX users will be familiar with that Although it is pretty hard to get it running on an emulator and it really isn't worth it The DCL, which is the default shell of VMS is what you'll be interacting with It is case insensitive. So if you're UNIX user That's different and it you can't run commands explicitly. You have to either use run Or define a foreign command before you can run a binary in Back in 8889 A couple of worms Propagated through decknet. They were relatively simple. They just exploited weak passwords on Finger and FTP But they did cause a lot of havoc bringing down thousands of VMS systems in a short period of time As far as vulnerabilities reported in open VMS there aren't that many and Most reported vulnerability pretty old and you can't find much information on them The pretty much the only source where you'll find that is text files.com Quick vulnerability graph. These are very rough figures But they kind of show that open VMS is way below Way below the average and we're looking at increasing that a little bit. So VMS survived Defcon 9 Bunch of guys set up these alpha clusters running VMS in back in 2001 and apart from someone compromising the Telnet password of the system admin logging in No one managed to break into those systems. So the VMS users were really proud of that One of the great things that a VMS which can bite back though is it's very fine grain controlled So you don't need The system user for for everything when is the last time that you saw a VMS exploit Well, if you want to get an account on VMS to run our exploits, so we'll show later on You can try the usual stuff Try some default to count some weak passwords The system user never locks out It the passwords are also capital by default You can you can change that but it is a pain. So the chances are that You'll have no case There's a the default password hash algorithm is pretty weak as well. So you could try to crack that and Some default accounts that you can try a system field operate a default backup Etc. Some important files that you want to be looking at are the VMS images dot that it's a binary file and it lists all the VMS images programs And they're respective privileges. So if you want to start breaking Some of the software you want you want to look at this file look through it and grip through the Images that run with certain certain high privileges We have the rights list dot that which again is a binary file and it's not readable By default by a normal user and it contains all the the user list and their their rights The system user authorization file, which is like the password file in Unix Contains the users and the hashed passwords. This is a binary file, but if the administrator Has converted that to a text file it will have created a dot list file in the same directory and by default That will be readable by everyone. So check out that file When you log into VMS system it executes the login.com script So check check that out for malicious lines of code Or if you can if you have right right access then you can run some commands in there put some evil evil commands The last is an open open source web server for VMS. It was specifically written for VMS and it's The default choice for running a web server. It's pretty fast and reliable But unfortunately the initial release was really full of security holes which allowed you to compromise the system fully loads of bugs such as full directory traversal completely bypass the ACLs on the system and By default it had some sample CGI scripts, which could be compromised to again gain access to the system There are still all versions out there. I have found So if you come across a VMS system on the internet running a web server do check out that they're running Wized maybe it's how dated if you if you run across a website running our VMS system Do check out the dash character for directory traversal Use your stuff for all enumerating users on the network through SMTP verify EXPN finger all those work again You can try default accounts Or you can try Some easy-to-guess accounts such as postmaster default, etc Again, you can do that through the files that I've mentioned before the rights list dot-down assist UAF dot-down the way that open VMS protects the files is using three main means main main ways One of them is through the UIC which is a user identification code that's made up of the group ID and the user pair It isn't necessarily unique Although it is preferably unique and group ID one to ten by default belong to system users Although you can change that. There are many privileges on open VMS and again, you can use those to Control access to files in a more fine manner You can also add Specific ACL files and those will take priority Over any other protection as I said, there are really loads of privileges on open VMS Users VMS users will tell you that for this reason VMS is much more secure But unfortunately, although the default usually are very restrictive There are many of these privileges that directly enable you to get system privileges So it is very similar to then having root directly. There's high Usage of logical names in VMS systems. These are like aliases to shorten up the really long paths that they have They have a record management service which Lists all the files in a database form It's also pretty cool that they have fake file versioning by default. So each new file that you create Has an appendix 1 2 3 etc and can go up to thousands This is just an example of what VMS pass path looks like Files are owned by a user group. We have four permissions. We have read write execute and delete and these are applied to four groups System owner group and world Again, we have privileges such as bypass which will allow you to bypass all privileges read all again You can read everything system privileges and group privileges Which again gives you complete access? we have ACLs as well for fine-grained control which I mentioned earlier and every file can have An optional ACL and that takes priority over everything else Chris does not Chris is now going to talk about His research and his bugs that he found Okay, I'm going to talk about a couple of bugs. I found in the finger plant And I find it a bit interesting that 20 years after the big internet form exploited finger As supposedly secure operating system like open VMS is still absolutely trivial to own with the finger binary so Finger when you finger a user it will try to open two files For that user the dot plan file and the dot project file The problem is on open VMS the finger client runs with High privileges and it's following links. So what you can do is you can link your dot plan file To a file you want to read and then finger yourself and finger will try to open that file for you and display the content of that file and I don't have a demo for it because it's such an easy bugs The next bug is a bit more interesting because it can actually give you a root prompt So at first I thought about trying to find a buffer overflowing finger But I figured out they probably fixed all of them. So I checked for some format string when it builds instead and Found that I could trigger form string when it built this Through the use of the dot plan file and the dot project file and also through the command line. I Choose to use the dot plan file in my exploit This is a screenshot of finger misbehaving a bit what I'm doing first as I'm using the install program To list the privileges of the finger image and as you can see I hope it runs with system privilege and world privilege What I'm doing next is I'm opening my Dot plan file and you can see a couple of former string characters in there And then I finger my user and when finger tried process my dot plan file it triggers the form string when I built them So to exploit this one ability you're going to need a Shell code and to write a shell code. You need to know a little bit about that platform That stands for virtual address extension. It's a 30-bit platform. It has an executable stack at least an open VMS I don't know about other operating systems It has for privilege modes and open VMS use all of them It's a sysc Platform has instructions for absolutely everything The platform has been discontinued, but you can still get a lot of information online. So it's not a problem finding documentation This slide isn't very very useful for use land exploitation, but at least according to documentation The top two gigs of virtual memory is Reserved for the kernel below that you have P1 space with DCL stacks symbol tables, etc And finally you have a P0 space where your program is loaded in for execution The first problem I ran into trying to develop a shell code is that I'm a Unix user and I found open VMS environment to be very very hard to work in And I didn't like the tools at all, especially the debugger So to speed up development I installed netbc In my emulator and used GCC and GDB instead My first idea for a shell code was to use libc based shell code and the calling standard is pretty simple So what you do is you push all the arguments onto the stack in reverse order And then use the call s instruction to call a function address with the number of parameters You want to pass through function the call instruction does a few things. It saves registers if the Cold function requires it. It saves the flag register and the return address on stack Return value are passed Back in a register as well. So it's very very simple and it works, but sometimes you don't have access to Good libc function to call And if that happens you have to use system services. System services are a bit like system calls in Unix So this simple libc based shell code example, I think what it does is Yeah, it just calls systems and execute a program for me Then I developed Shell code that uses system services and again to call a system service You push all the arguments onto the stack in reverse order Then you call a function that executes a CHMK CHME or CHMS instruction with an op-rand This op-rand is yes the number that let's open VMS know which system service you want to call a Major drawback with this approach is that system services usually takes a lot of arguments and They also take the arguments in the form of descriptors. So instead of passing a string you post a string descriptor to the system call This is what Descriptor looks like basically the top one is a string descriptor and since you Have to write Position independent code you have to update all these fields at runtime and that leads to the shell code growing even larger There are a few things you can do to make exploitation a bit easier like for example, you can exploit symbols Symbols are executable and this is really important on Alpha in particular because they have an unexecutable stack There are also string descriptors and as such they can contain pretty much any characters including null bytes and That makes writing the payload much much easier We haven't actually found a really good way of finding the right service numbers. So The way we do it is we write a small program that calls one service and then we set a break point on the CHM KCH MS and CH ME instructions run it in debugger until the break point hits Then we just look at the operand for that instruction and get the number that way This doesn't work on The alpha platform unfortunately because they don't support this particular feature in their debugger So now we pretty much have to single step through the entire program Interesting system services to call from your payload or system services that create processes modify user records or Ground privileges to a process and this is a few examples You can find a lot more if you read the documentation provided by HP So here's a bit of an interesting note when I was getting familiar with Vax I tried to exploit a really really simple stack overflow And I knew I hit return address with the address of my payload but the program has kept crashing without even trying to execute my payload and I discovered that it was because The flag register with which is saved below the return address on the stack Contains a ball a bite that is defined as Mb said it has to be zero otherwise the program will crash when it tries to return So I thought well, I knew that Morris exploded a bug in the finger D Finger D service in his internet worm but It turns out that he didn't have to use in a magic tricks or anything like that Because his bug was that triggered through a call to get so he didn't have to worry about null bytes So my conclusion to this is that there are probably a lot of really really stupid bugs on this platform that are really really hard if not impossible to exploit but Then again, you don't have to worry too much about it because you still have a lot of special cases like Gets for example or pointers on the stack that can override and entire other bug classes like form string when I built this So yes to summarize before I show you my demo my My bug is a very very simple form string when I built them. I use the plan file To hold my form string format string and my shell code I use a system service to modify my user record And this particular service will send a log message So, you know, it's not very stealth then My username is hard coded into exploit So if you have a different username to the exploit, it's not going to work for you, but that's not my problem So let me show you the exploit. Okay, so I'm logging in as my user on my box Okay, what we'll do is we'll carry on with same ends talk and then at the end we'll try and get these videos work Okay, I'm going to talk about the alpha architecture, which we also take took a look at As we all know it's 64 bit that she took her risk And then you can find a lot of information about the instruction using MSDN It's very good organized. So it's really neat you have to Keep in mind to flush the instruction cache when writing shell code for this architecture Especially when writing self-modifying code, of course As we mentioned earlier, you can use personal alpha with a free emulator if you want to play around with it We did not manage to boot BSD And we never tried Linux, but you can also build the new binutils with with with alpha target and Create a shell code in your local PC However, as Krister mentioned it does not work with the function pointers the way it doesn't in Unix because it's not a simple Address that you jump to you have to construct a function descriptor instead and Fully understand that you really need to take a look at the open VMS calling standard The vulnerability that I found resists in the command line interface library It's used by a lot of applications So it's widespread and got a lot of targets it fails to handle crafted command lines and This vulnerability has been verified on open VMS alpha 8.3 in the default install and Basically, it gives you total control of the program counter to trigger this vulnerability you simply find Target program that uses the command line interface and while you are at the prompt you paste or type 511 characters and Then the up arrow key three times and then you manually type the return address Just wait for it Here's the screen dump of a crash in the TCP IP program And here's a similar crash in the stall program as you can see the return address is a bunch of bees and at the end of the screen dump we Get an error message saying that we don't have enough privileges to dump core for this process, which is quite interesting since that Imply that we have a set of privileges that is interesting As I said, we have multiple targets with this vulnerability. For instance, we have the install program which Has the privileges to run kernel code We have the TCP IP program which has the privileges to perform a physical IO And we have the telnet client which gives you the operator privileges. You can use that for all sockets and stuff like that Yeah Now what we we have control of the program counter. We obviously need some shell code so The seas the sea calling standard is complex as we mentioned before so you actually need To know Pretty much about it and there is a document covers everything The stack is not executable, but as Christian mentioned we could execute code in logicals That's useful for local exploitation when it comes to remote we Have to do other tricks perhaps copy the code to an executable location or similar things and yeah flushing the instruction cash is important for self-modifying code My story doesn't need really need to get to know the location of the shell code, but that's Sometimes the case so you obviously need to get PC code running in in something in some cases The PC register can't be directly read to the bit of a Fiddle to get this running, but the shell code is handbook has a really nice solution which Stores the IMB instruction with old code of 86 and then overwrites the branch instruction in the second loop and Saves the PC register in the in the 16th register before the shell code continues to execute To do something really useful you need to be able to call system services or As system calls in Unix You pass the six first arguments in the a registers and then you push additional arguments onto the stack You also keep an argument counter in the 25th register and the system service index in in the zero register Yeah, keep in mind that the index vary from Open BSD versions you really have to make sure that you have the right index for the target that you are exploiting and Instructions used to jump into kernel mode and the run execute the system show source contains null bytes Which even even the IMB instruction does it's a bit tricky to get stuff null free The create process system call is interesting interesting for exploitation since it allows us to execute an arbitrary binary on the file system and When this binary is executed we inherit the current privileges of the process This particular code doesn't do a clean exit. So it will actually crash one when the program has been executed So where do we inject the shell code? We could use the command line in the overflow But that suffer from a lot of heavy input restrictions control codes and stuff like that in the command line interface. I also use telnet for To automate this exploitation and you get some input restrictions there as well But you can easily overcome them with the terminal settings What I did was that I populated a target process with data in certain areas and then crashed it and Scan the core dump basically to see where the data was located you can use the analyze program to Take a look at the core dumps to eval registers dump certain area of memories and assembly instructions You can also use the analyze program to get a nice list of the different memory segments in the process This gives you hints about where you where you could could search for for the data you have injected I first found my string or my shell code in the command line interface data segment But I couldn't execute it. I got an access violation So I decided to fill a little with the input restrictions and try to make a shell code that copies to the shell code to another location and Remove the some input filtering in the terminal talent line I Ended up with a shell code that almost all only uses the LDA instructions instead got an opcode that was accepted by the input filtering However, didn't this didn't work since I got I didn't even have permissions to read at that At the in the command line interface data segment so Didn't really help me much, but it's a nice code to use in other exploits so We can actually use to an execute code in logicals with nulls evens You just have to upload your shell code into a logical and then jump there to execute it when analyzing The when finding the address of the shell code you can use the analyze program as well and They use the clue process logical command to to get the director address of the shell code But you need system for this so if you don't have the possibilities to increase those Permissions when researching you could simply just scan the core dump as well Yeah, so what I did was that I I wrote a proof-of-concept exploit that That calls the creative process system service I first uploaded the shell code using a tool that simply just adds it to logical and sponsors our process And then I wrote a little program called file.exe which simply just Prince the the privileges of the current process So it's an easy way to see what kind of privileges you gain from the target Unfortunately, we got some problems with the video so Yeah Do you have? Thank you Okay, so this is my proof-of-concept code Exploit we start by attacking the install program so we connect to the To the target machine and our first delete that the privilege file that is generated by the file dot AXE program and then just run it and take a look at what kind of privilege privileges we have and it's only the default Then we'll load the shell code into the logical sponsors subversives for us Then we're on the install program and trigger the vulnerability now the install program will crash when the shell code has Executed since we don't handle it doesn't handle the exit after that so now we just have to take a peek into the Privs dot txt file to see what privileges the program has when it was executed and As you can see we got Kernel privileges now so we can actually run a kernel code this exploits also works for for a Lot of other targets as I mentioned in this case. We are attacking the TCP IP program the same way so Still have the default set of privileges for this user Load the shell code spawn a sub process and then the TCP IP program Trigger the vulnerability And the program will crash And we peek into the privilege file to see that we gained Actually physical IO privileges you can show you the last one as well. It's for the Telnet program So we're on the exploit again with telnet as target Just as We did before Availability and the program will crash and now we got over privileges as well Okay, I think that Krister is going to show his Video of his exploit as well So I'm logging on to my books with my normal user And I tried to set all privileges for my process and it's not working and I look at what Privileges I do have and I just have the default ones So I compile the exploit and I link the exploit and Run it so at this point the exploit has run And I've modified my user records so next time I'm logging in I'm going to have full privileges So let's try that some enabling all privileges and Then I show all privileges and you can see I've got a lot more privileges now Actually, I got all of them So I think that's it any questions Yeah These are all local. Yes. Thank you