Bugtraq mailing list archives
Re: Buffer overflow and OS/390
From: nmm1 () CUS CAM AC UK (Nick Maclaren)
Date: Mon, 8 Feb 1999 09:41:48 +0100
Marc Heuse <marc () SUSE DE> writes:
>> When I was thinking about the OS/390 and its open TCP/IP services, this came to my mind that the conceptual resemblance between MVS and UNIX may lead to some successful buffer overflow attack in OS/390.
Boggle. Those two systems are as conceptually different as any two that you will come across. But you are correct that all modern general-purpose systems use similar concepts for their code and data memory management. The aspect that I think that you are referring to is common addressability of both code and data segments.
>> Now open MVS comes with TCP/IP services that are running as Started Tasks which seem to be just like suid demons. TSO session creates its own address space which seems like a memory space for UNIX shell environment. If a normal user can create a shell code for the jump to the TSO command line of a SPECIAL user, I think that buffer overflow may not be impossible.
Started tasks are more like daemons started by init or cron/at, and have few setuid properties. As far as I recall (and it is a while ago), the TCP/IP services run in their own address space, which would mean that they cannot access a TSO user's code or data (or vice versa.) Not at all. If, however, part or all of them is invoked as an APF task within the TSO address space, or the service interface explicitly sets up cross address space accessibility, then such things become possible. However, you might still get them to execute code within the TCP/IP buffer, even if there is no cross address space accessibility.
> Well, you can't mess with code space as normal users (if I remember correctly). Buffer overflows are of course possible, but you can't use them to do stack smashing attacks because the code and data segments are separated.
This is true only for reentrant code (subpool 252), but I assume that the TCP/IP services are reentrant. Anyway, as has been pointed out MANY times before, separate segments do not stop such attacks if there is common addressability. And, in both MVS/ESA and Unix, there is.
>> Even C compiler is available for the ESA. Well, if someone finds vulnerable programs, this may lead to successful attack on the environment.
> Well, back in an old job I did a security review of the OpenEdition segment and found some security vulnerabilities (which should be fixed in the current release - it was a hard fight until they promised that). I think there are still many vulnerabilities left to be found for the brave searcher ;-)
It would be flabbergasting if there weren't :-) Regards, Nick Maclaren, University of Cambridge Computing Service, New Museums Site, Pembroke Street, Cambridge CB2 3QG, England. Email: nmm1 () cam ac uk Tel.: +44 1223 334761 Fax: +44 1223 334679
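The point argued above, that separating code from data does not by itself stop an overflow when both are addressable from the same context, can be shown without any injected machine code: the overflow only has to overwrite a stored address so that it points at code that already exists. The following C program is an added illustration and is not from any of the posters nor from OS/390; it runs on an ordinary Unix C compiler. The `record` structure, the `ordinary`/`privileged` routines and the unchecked copy loop are constructed for the example and stand in for a service's writable control block, its legitimate and sensitive entry points, and a length check that is missing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Two routines in the (read-only, possibly shared) code segment.
 * No new code is ever written into memory by this demonstration. */
static int g_privileged_calls = 0;

static int ordinary(void)   { return 0; }
static int privileged(void) { g_privileged_calls++; return 1; }

/* Constructed stand-in for a control block the service keeps in
 * writable storage: a fixed-size field followed by a pointer into
 * the code segment that the service later calls through. */
struct record {
    char name[16];
    int (*handler)(void);
};

/* The bug: the caller's length is trusted, so a long input runs
 * past `name` and into the adjacent `handler` field. */
static void unsafe_copy(struct record *r, const unsigned char *src, size_t n)
{
    unsigned char *dst = (unsigned char *)r->name;
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
}

/* Runs the flawed copy with either an in-bounds or an oversized input
 * and returns whatever the stored handler returns afterwards.
 * Returns 0 when the original handler ran, 1 when control was
 * redirected to the existing `privileged` routine. */
int demo(int overflow)
{
    struct record r;
    memset(r.name, 0, sizeof r.name);
    r.handler = ordinary;

    /* Constructed attacker input: filler for the name field, then the
     * address of a routine that already exists in the code segment. */
    unsigned char payload[sizeof(struct record)];
    memset(payload, 'A', sizeof payload);
    int (*target)(void) = privileged;
    memcpy(payload + offsetof(struct record, handler), &target, sizeof target);

    size_t n = overflow ? sizeof payload : sizeof r.name;
    unsafe_copy(&r, payload, n);

    return r.handler();   /* the service's normal call through its control block */
}

int main(void)
{
    printf("in-bounds copy: handler returned %d\n", demo(0));
    printf("overflowing copy: handler returned %d\n", demo(1));
    printf("privileged() was entered %d time(s)\n", g_privileged_calls);
    return 0;
}
```

The data segment is never executed and the code segment is never written; what made the attack possible is only that the address of `privileged` is meaningful from the same context in which the overflowed data lives. That is what "common addressability" means in the message above, and the same construction applies whether the stored address is a function pointer, a saved return address or a branch target in a control block. The check that removes the bug is a bound on `n` against `sizeof r->name` before the copy.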
Current thread:
- Re: Buffer overflow and OS/390 Crispin Cowan (Feb 04)
- <Possible follow-ups>
- Re: Buffer overflow and OS/390 Olaf Seibert (Feb 05)
- Re: Buffer overflow and OS/390 Marc Heuse (Feb 06)
- Re: Buffer overflow and OS/390 Nick Maclaren (Feb 08)
- Re: Buffer overflow and OS/390 Do-Geun Jo (Feb 08)