Marc Heuse <marcat_private> writes:

> > When I was thinking about the OS/390 and its open TCP/IP services, this
> > came to my mind that the conceptual resemblance between MVS and UNIX may
> > lead to some successful buffer overflow attack in OS/390.

Boggle. Those two systems are as conceptually different as any two that you will come across. But you are correct that all modern general-purpose systems use similar concepts for their code and data memory management. The aspect that I think you are referring to is common addressability of both code and data segments.

> > Now open MVS comes with TCP/IP services that are running as Started Tasks
> > which seem to be just like suid daemons. TSO session creates its own
> > address space which seems like a memory space for UNIX shell environment.
> > If a normal user can create a shell code for the jump to the TSO command
> > line of a SPECIAL user, I think that buffer overflow may not be impossible.

Started tasks are more like daemons started by init or cron/at, and have few setuid properties. As far as I recall (and it is a while ago), the TCP/IP services run in their own address space, which would mean that they cannot access a TSO user's code or data (or vice versa). Not at all. If, however, part or all of them is invoked as an APF task within the TSO address space, or the service interface explicitly sets up cross address space accessibility, then such things become possible. However, you might still get them to execute code within the TCP/IP buffer, even if there is no cross address space accessibility.

> well, you can't mess with code space as normal users (if i remember correctly).
> buffer overflows are of course possible, but you can't use them to do
> stack smashing attacks because the code and data segments are separated.

This is true only for reentrant code (subpool 252), but I assume that the TCP/IP services are reentrant.

Anyway, as has been pointed out MANY times before, separate segments do not stop such attacks if there is common addressability. And, in both MVS/ESA and Unix, there is.

> > Even C compiler is available for the ESA. Well, if someone finds
> > vulnerable programs, this may lead to successful attack on the environment.
>
> well, back in an old job I did a security review of the OpenEdition segment
> and found some security vulnerabilities (which should be fixed in the
> current release - it was a hard fight until they promised that).
> i think there are still my vulnerabilities left to be found for the
> brave searcher ;-)

It would be flabbergasting if there weren't :-)

Regards,
Nick Maclaren,
University of Cambridge Computing Service,
New Museums Site, Pembroke Street, Cambridge CB2 3QG, England.
Email: nmm1at_private
Tel.: +44 1223 334761 Fax: +44 1223 334679
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:33:02 PDT