Ghost in the DCL shell: OpenVMS, touted as ultra reliable, had a local root hole for 30 years

Forget Meltdown and Spectre. Someone's found a local privilege escalation in the operating system world's elderly statesman OpenVMS when running it on VAX and Alpha processors. On Itanium CPUs, the same bug can be exploited to crash a process. More details on the flaw, which has been given the designation CVE-2017-17482, are …

  1. Anonymous Coward

    VMS. Bulletproof. Depending on the bullet.

    Oh bollocks.

    We ran circles around the sysadmin (the head of the department) on a VMS VAX cluster at Uni. There have always been quite a few ways to subvert it (especially if the BSD environment package was installed).

    1. Chris King Silver badge

      Re: VMS. Bulletproof. Depending on the bullet.

      You mean UCX? That thing was total Swiss cheese when it came to security, and the competing TCP/IP stacks (Multinet and TCPWare) weren't much better.

      VMS was harder to exploit and kill IF set up properly (and kept up to date on patches), but get it wrong and it would be just as vulnerable as everything else out there.

  2. YetAnotherJoeBlow

    Also on a PDP 11/70 DCL in RSTS V9.* & 10.*

    1. Warm Braw Silver badge

      DCL featured on RSX-11, RT-11 and RSTS as well as VMS - for "compatibility", but they were far from the same implementation. On RSX, for example, the DCL parser simply emitted an MCR command line (e.g. DIRECTORY became PIP /LI).

      1. jeffdyer

        PIP /LI. That takes me back.

  3. A Non e-mouse Silver badge

    Patches [...] were announced on the comp.os.vms newsgroup

    VMS Sysadmins using up-to-date methods for communication, eh?

    1. Dan 55 Silver badge

      I do hope they didn't have to install a uuencoded binary.

    2. Sebastian Brosig

      newsgroups

      whyever not?

      newsgroups were awesome, and there is no reason why they're not _still_ awesome if they are used by the right people. People sharing news. It's lack of discipline, spam, etc., that ruins a medium like that.

  4. Anonymous South African Coward Silver badge

    And now we wait for other old OSes to be tested for exploits...

    1. Stuart Castle

      How many other old OSes run the central computing systems of major banks?

      Not that I'm pushing the panic button or anything, nor do I think this will be a massive problem, but there is a reason this researcher went for VMS (open or not) rather than the myriad of old OSes he could have. That reason is likely to be that it is still used.

      1. Christian Berger Silver badge

        "How many other old OSes run the central computing systems of major banks?"

        I have one data point on that, and that's some bank having switched their old computer for a newer, Java-based solution and giving that old computer to a museum. (it was probably >20 years old at that point) The employees didn't like it because the old system was _much_ faster.

      2. Michael Wojcik Silver badge

        How many other old OSes run the central computing systems of major banks?

        MVS (aka OS/390, zOS), with VM under it and CICS and IMS on top, for one.

    2. Anonymous Coward

      And now we wait for other old OSes to be tested for exploits...

      AIX? Not quite dead, more zombie/undead.

  5. Andrew Commons

    Simple workaround?

    Either remove CDU from non-privileged user command tables and/or reinstall it (this is VMS INSTALL) without CMEXEC. Not sure what the side effects of the second option would be.

    It would be rare for non-privileged users to be using the SET COMMAND command.

    1. Anonymous Coward

      Re: Simple workaround?

      I vaguely remember you could install different DCL tables and remove certain commands that way; we used to do it to stop people running MONITOR, as when the system went a bit slow all the developers started monitoring it and making it run even slower.

      1. Andrew Commons

        Re: Simple workaround?

        Yes you can, but it's rarely used.

  6. OskarA

    The sky is falling in

    Enter Chicken Licken Mode:

    One security bug in 30 years. Oh the world is coming to an end.

    Get a life.

    1. Dan 55 Silver badge

      Re: The sky is falling in

      You do realise that VMS's security is by obscurity? It's quite expensive to get hold of.

      1. Andrew Commons

        Re: The sky is falling in

        @Dan 55

        "You do realise that VMS's security is by obscurity? It's quite expensive to get hold of"

        Well, if you consider the free hobbyist licence expensive I guess it is.

        1. Dan 55 Silver badge

          Re: The sky is falling in

          Well, if you consider the free hobbyist licence expensive I guess it is.

          Of the few hobbies I am allowed to have, buying a second-hand DEC Alpha or MicroVAX and putting it in my man cave isn't one of them.

          1. Anonymous Coward

            Re: The sky is falling in

            "Of the few hobbies I am allowed to have, buying a second-hand DEC Alpha or MicroVAX and putting it in my man cave isn't one of them."

            Hardware is no problem. VAXes and Alphas were sufficiently simple that a variety of emulators were developed to run on various flavours of hardware, and some of them are zero cost and some of them are commercially supported. See e.g. SIMH (for VAX) and FreeAXP and friends for Alpha.

            The rest is left an exercise for the student.

          2. Chris King Silver badge

            Re: The sky is falling in

            SIMH is much easier to hide.

            1. Stoneshop Silver badge

              Re: The sky is falling in

              SIMH is much easier to hide.

              People have entire VMS clusters running on RasPis, and for shits and giggles you could stuff them, plus the network switch and the power supply in a uVAX2000 enclosure.

        2. Christian Berger Silver badge

          Re: The sky is falling in

          ""You do realise that VMS's security is by obscurity? It's quite expensive to get hold of"

          Well, if you consider the free hobbyist licence expensive I guess it is."

          You still need the hardware which realistically is either Alpha or Itanic. Not really something people have lying around.

    2. angrydave

      Re: The sky is falling in

      "One security bug in 30 years. Oh the world is coming to an end."

      Good god, what do you think were on the emergency patch magtapes that used to turn up every few weeks?

      The CCC got started by reverse engineering those patches to find vulns and exploit them, leading to the morning of infamy when every VAX VMS node on JANET was pwned.

      Nice new nym you have there, shame it's burned now.

    3. diodesign (Written by Reg staff) Silver badge

      Re: The sky is falling in

      "Get a life."

      Get another site to comment on.

      C.

    4. GruntyMcPugh Silver badge

      Re: The sky is falling in

      Perhaps you are unaware, but the US DoD is still using VMS systems. Patriot missiles used to have a microVAX as a guidance computer. Some banks still use VMS.

      So this exploit having existed for 30 years is a big deal.

      1. Norman Nescio Silver badge

        Re: Patriot microVAX

        I remember the Patriot missiles and microVAX - mainly because of an interesting lecture on DECnet at a DECUS conference. The speaker was one of the guys who wrote DECnet*, and he played a video of a Patriot missile being launched, and spiralling crazily away from the launcher. It turns out that at that time the guidance radar and the missile communicated by DECnet, and in this particular instance, the missile and radar had been put in different DECnet areas with no inter-area router. It brought home the importance of getting your DECnet addressing and set-up correct. (The Patriot missile system, at the time of the Gulf War, wasn't completely bug free as this article points out). It was slightly shocking that the American military were throwing away a microVAX with every missile launch. I was trying to justify a development system at the time.

        I even have a 'swag' poster somewhere advertising DECnet phase V.

        Sigh. There are days when I miss system managing a herd of VAXen. I had a wall of orange manuals, replaced by the grey ones, and I was enthusiastic enough to read VAX/VMS Internals and Data Structures for pleasure.

        *a large, and I mean large American chap, at least 6'6" tall. When he sat on one of the conference chairs, which was the standard academic moulded plastic with two bent metal tubes in an inverted 'U' shape, the legs splayed dangerously. The chair looked to be on the very edge of doing a 'Bambi on ice' impression.

        1. Warm Braw Silver badge

          Re: Patriot microVAX

          I even have a 'swag' poster somewhere advertising DECnet phase V

          I still have the developers' T-Shirt, though I've never managed to wash all the blood out of it...

          1. I Am Spartacus

            Re: Patriot microVAX

            I used to have an "Ignorance is BLISS" t-shirt, with some Macro-32 on the back.

            Back in the good ol' days.

      2. Chris King Silver badge

        Re: The sky is falling in

        One of the reasons HPE still has to support OpenVMS is a promise DEC made to Uncle Sam back in '92, to provide support for at least 25 years. Time's up on that deal...

        Looking at the roadmaps, HPE's OpenVMS on VAX and Alpha will be pretty much dead and buried by the end of this year, unless they decide to extend support. They're already "MPS without SE" (tech support, but no new bugfixes) but Itanics on 8.4 get Standard Support until 2020.

        VSI's offerings will each get five years of Standard Support then two years of PVS (Prior Version Support) without SE, so no bugfixes for you unless you keep up. VAX won't be supported, but OpenVMS on x86_64 is coming and they say there will be Hobbyist Licencing.

      3. Daniel von Asmuth Bronze badge

        Re: The sky is falling in

        VMS supports remote access using SSH or Telnet, that makes a lot of networked systems vulnerable.

      4. Smooth Newt

        Re: The sky is falling in

        Perhaps you are unaware, but the US DoD is still using VMS systems. Patriot missiles used to have a microVAX as a guidance computer. Some banks still use VMS.

        So this exploit having existed for 30 years is a big deal.

        It's a privilege escalation problem. You need a login before you can escalate its privilege. Not sure how many Patriot missile battery guidance computers you can log into over the Internet. But I would guess that the number is a big fat 0.

        1. GruntyMcPugh Silver badge

          Re: The sky is falling in

          Internet, probably not, but connected using DECNET and using wireless connections in the field, definitely, so a MitM may be possible.

          And while we hope none of the built in accounts still have default passwords, there is the possibility of one of these hitting the jackpot:

          Name          Password                        Access
          ------------  ------------------------------  ------------------------
          SYSTEM        SYSTEM, MANAGER or OPERATOR     All privs.
          FIELD         FIELD, SERVICE, or DIGITAL      All privs.
          SUPPORT       SUPPORT or DEC                  All privs.
          SYSMAINT      SYSLIB or SYSMAINT              Usually all privs.
          SYSTEST       UETP or SYSTEST                 All privs.
          SYSTEST_CLIG  CLIG, SYSTEST, or TEST          Usually a disabled user
          DEFAULT       USER or DEFAULT                 Normal User
          DECNET        DECNET, NETWORK, or DIGITAL     Normal User
          OPERATIONS    OPERATIONS                      Normal User
          USER          USER                            Normal User
          LIBRARY       LIBRARY or None                 Normal User
          GUEST         GUEST or None                   Normal User
          DEMO          None                            Normal User
          HYTELNET      None                            NETMBX
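          The check a practitioner would actually want from a list like this is an audit of their own account database against it. The block below is an added example, not code from the article, the commenter or any VMS utility: it parses the posted default-account list and flags which usernames from an account listing match a well-known default, privileged ones first. The sample username list is constructed for illustration; on a real system you would reduce the output of the AUTHORIZE utility's account listing to bare usernames before feeding it in, which is an assumption about your workflow, not something the page describes.

```python
import re

# The default-account list posted above, embedded verbatim as the input this
# example parses. It is the commenter's list, not the output of any VMS tool.
DEFAULT_ACCOUNT_TABLE = """
SYSTEM SYSTEM, MANAGER or OPERATOR (All privs.)
FIELD FIELD, SERVICE, or DIGITAL (All privs.)
SUPPORT SUPPORT or DEC (All privs.)
SYSMAINT SYSLIB or SYSMAINT (Usually all privs.)
SYSTEST UETP or SYSTEST (All privs.)
SYSTEST_CLIG CLIG, SYSTEST, or TEST (Usually a disabled user)
DEFAULT USER or DEFAULT (Normal User)
DECNET DECNET, NETWORK, or DIGITAL (Normal User)
OPERATIONS OPERATIONS (Normal User)
USER USER (Normal User)
LIBRARY LIBRARY or None (Normal User)
GUEST GUEST or None (Normal User)
DEMO None (Normal User)
HYTELNET None (NETMBX)
"""

# One row: "<NAME> <password list> (<access note>)".
_ROW = re.compile(r"^(\S+)\s+(.*?)\s*\((.*)\)\s*$")
# Password list separators: ", ", ", or " and " or ".
_SEP = re.compile(r",\s*(?:or\s+)?|\s+or\s+")

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1}


def parse_default_table(text):
    """Parse the posted list into {USERNAME: {passwords, access, privileged}}.

    A password of "None" in the list means the account may have had no
    password at all; it is recorded as the empty string so the caller can
    tell "no password" apart from "unknown".
    """
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Name", "---")):
            continue
        m = _ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        name, pw_field, access = m.groups()
        passwords = ["" if p == "None" else p for p in _SEP.split(pw_field)]
        accounts[name.upper()] = {
            "passwords": passwords,
            "access": access,
            # "All privs." and "Usually all privs." both count as privileged.
            "privileged": access.lower().startswith(("all privs", "usually all privs")),
        }
    return accounts


def audit_usernames(usernames, table=DEFAULT_ACCOUNT_TABLE):
    """Flag usernames that match a well-known default account.

    Returns findings sorted privileged-first, each carrying the historical
    default passwords so the administrator can confirm none is still set.
    """
    defaults = parse_default_table(table)
    findings = []
    for user in usernames:
        name = user.strip().upper()
        entry = defaults.get(name)
        if entry is None:
            continue
        findings.append({
            "username": name,
            "severity": "HIGH" if entry["privileged"] else "MEDIUM",
            "access": entry["access"],
            "default_passwords": entry["passwords"],
            "may_have_no_password": "" in entry["passwords"],
        })
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["username"]))
    return findings


# Constructed sample: usernames as they might appear in an account listing on
# a long-lived system. Not taken from any real system.
SAMPLE_USERNAMES = ["SYSTEM", "FIELD", "ALICE", "BOB", "DEMO", "SYSTEST", "PAYROLL"]

if __name__ == "__main__":
    for f in audit_usernames(SAMPLE_USERNAMES):
        print(f"{f['severity']:6} {f['username']:12} {f['access']:24} "
              f"defaults={f['default_passwords']}")
```

          Matching a name here only says the account is a known historical default worth inspecting, not that its password is still the default; that has to be verified against the live system, and the commenter below is right that most of these names are absent from a modern install.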

          1. Anonymous Coward

            Re: there is the possibility of one of these hitting the jackpot

            Maybe there is, more likely there is not. I have a 1994 version of a document containing the list you posted, and it was already way out of date in 1994.

            E.g. Half of the accounts on that list aren't present in a factory-fresh VMS install, or even a typical customer VMS setup.

            E.g. In the late 1980s (eighties, not nineties), various VMS upgrades and patch kits (and customer newsletters and industry magazines) tried very hard to ensure that VMS systems didn't unknowingly have open accounts or widely-known privileged accounts with easily guessable passwords.

            A little time has elapsed since then, and it seems much of what was known back then has probably been lost in the mists of time.

            1. GruntyMcPugh Silver badge

              Re: there is the possibility of one of these hitting the jackpot

              We'd like to think everyone secured everything, always, but I know this isn't the case. When I worked for a University Dept of Computing at the end of the 90s, I gained access to an SGI workstation via the 'lp' printing account, which, out of the box, had no password. I left that job in '99 so it will have been sometime in the preceding year.

              Anyway, VAXes, and the US military, there was a story that the eight digit launch codes for Minuteman missiles were all set to 00000000, so it wouldn't surprise me if the passwords for some accounts used in the field weren't exactly strong, given they'd have to be recalled under pressure.

              1. Anonymous Coward

                Re: there is the possibility of one of these hitting the jackpot

                "We'd like to think everyone secured everything, always"

                You might. Others might not.

                "I know this isn't the case. "

                Correct. That's part of the reason why the VMS community did its best, back in the 1980s and 1990s, to make it harder to be stupid than to be safe, by attempting to remedy (or better still, prevent) obvious security holes such as accounts with no password or accounts with ridiculously weak passwords, as featured on the list you copy/pasted.

                "there was a story that the eight digit launch codes for Minuteman missiles were all set to 00000000"

                There was such a story, and officials denied it (as officials often do). Either way, it was only one part of a chain of authorization - look into what Permissive Action Links (PAL) do in the context of missiles.

      5. asdf Silver badge

        Re: The sky is falling in

        >Perhaps you are unaware, but the US DoD is still using VMS systems.

        Workstream running on VMS also probably still runs in more semiconductor fabs than it should. Most fabs don't run well or at all with the MES down for an extended amount of time (though most fabs still using VMS probably aren't paperless so some mitigation there).

  7. 45RPM Silver badge

    I suppose one could argue that VMS is sufficiently esoteric that not many people will have the skills necessary to exploit this hole. I used to use VMS every day - I’m not certain that I remember much of it now though.

    On the other hand, if you do get attacked it’s likely that the attackers have specific intent rather than just having a bit of a mooch around to inconvenience you for the props (whatever that means)

    So the good news is that not many people will exploit this flaw. The bad news is that anyone who does exploit this flaw definitely means you harm and is up to no good.

  8. Phil O'Sophical Silver badge

    Source code

    although copies of the listings can, apparently, be purchased.

    You used to get copies of the listing with the systems, on microfiche. I remember many happy days poring through them, since for some never-explained reason our office had a microfiche reader.

    What you had to pay for was actual source, on magtape. I vaguely remember that what you got lacked the build environment, but it was many, many microfortnights ago.

    1. GruntyMcPugh Silver badge

      Re: Source code

      Same here, we had 'The Grey Wall', the hard copy manuals on a shelf, plus the microfiche version, which often had more detailed info.

    2. Steve Graham

      Re: Source code

      Written in assembler and Bliss, an elegant low-level language; and most files signed by the legendary Dave Cutler.

      1. Andrew Commons

        Re: Source code

        I still have the microfiche...and a reader...getting a globe for the reader is a different problem.

    3. I Am Spartacus

      Re: Source code

      @Phil O'Sophical

      I wonder if that was the office where I installed a Vax in late 1980, and insisted we get a microfiche reader. And copies of Systems Internals and Data Structures.

      When men were real men.

      1. TRT Silver badge

        Re: When men were real men

        And the instruction manual came in a box larger than the system itself.

        Yes. I recall the grey wall.

        1. Phil O'Sophical Silver badge

          Re: When men were real men

          Yes. I recall the grey wall.

          I recall the Blue one, and then the Orange one :)

          I still have an RSX-11M orange shelf in boxes in the attic. And the RL02s.

        2. Chris King Silver badge

          Re: When men were real men

          "And the instruction manual came in a box larger than the system itself".

          Your system turns up on one pallet and the documentation turns up on another one.

          It all went to crap when the "Grey Wall" was replaced by the paperback "White Shelf", and eventually you had to rummage through all the packaging just to find the documentation CD.

      2. Phil O'Sophical Silver badge

        Re: Source code

        I wonder if that was the office where I installed a Vax in late 1980

        1980 I was playing with the Vax at Uni, the one in our office was installed 1982-ish, IIRC.

  9. Tim99 Silver badge

    Back in the day

    The word around was that we should stick with VMS instead of BSD (particularly) from those with a PDP background. We certainly thought a MicroVAX was a nice piece of kit back in the 1980s.

  10. ForthIsNotDead

    Sees a post about VAX on The Reg...

    ...goes all warm and fuzzy, like a Sunday lie-in.

    Ahhh.

    1. jeffdyer

      Re: Sees a post about VAX on The Reg...

      In about 1995 the company I worked for fitted a 7GB (!!!!!) SCSI disk in our MicroVAX 3100. Our Osicom 486 PCs had 40MB hard disks. Happy days.

  11. Anonymous Coward

    More to come?

    Now this has been found and published, is it going to be a new hunting ground, just like we saw with processors?

    Stu..

    1. Michael Wojcik Silver badge

      Re: More to come?

      It's certainly possible. We've seen significant growth in the hacking of IBM mainframe OSes and system software over the past few years. There are still relatively few well-known independent researchers working in that area (Dominic White, Phillip Young), but they've documented a number of major security issues and created some great tools. VMS is a smaller target, but still of interest.

      The widespread OSes - Windows, Linux, Android - are becoming less interesting to people who do serious OS vulnerability discovery and exploit development because those fields are too crowded, I think.

  12. Herby Silver badge

    Wasn't VMS...

    The pattern used for Windows NT. It was my understanding (I could be wrong though) that the head of VMS development went on to Microsoft to do Windows NT development.

    Of course this explains Windows problems, etc...

    1. Duncan Macdonald Silver badge

      Re: Wasn't VMS...

      And NT versions up to 3.5 were quite reliable - in 3.51 (and all later versions) the graphics drivers were moved from being user mode programs to being kernel mode. Since then bugs in the graphics drivers can and do crash Windows. The NT kernel (without the graphics drivers) can be seen in the text mode displays that occur on boot when the system needs to do something critical like check the system disk for errors.

      Moving the graphics drivers into the kernel increased speed but reduced reliability - the old tradeoff.

      Of the many problems in Windows, few have been due to the NT kernel - most have been due to the mounds of crud (much of which is privileged) added over the years. (The NT kernel file ntoskrnl.exe is still only around 8MB in size - a tiny part of Windows as a whole.)

    2. Tim99 Silver badge

      Re: Wasn't VMS...

      Of course this explains Windows problems, etc...

      One of the stories that I heard was that the original NT prototype from Dave (VMS) Cutler was designed to be reliable and allegedly "more secure" than VMS, but Bill told him to strip some of the reliable and secure stuff out so it would run adequately on lower-end kit (as a lot of it was written in C instead of assembler for portability between Intel and Alpha chips).

      1. /dev/null

        Re: Wasn't VMS...

        NT was certainly intended to be portable from the start, but the first architectures it ran on were Intel i860 and MIPS, using Microsoft home-brewed hardware, to avoid falling into x86-centric habits. x86 support came later, then Alpha.

        1. Anonymous Coward

          Re: "x86 support came later, then Alpha."

          "x86 support came later, then Alpha."

          Also selected MIPS and PowerPC, briefly, during the brief life of the Advanced RISC Computing consortium. MIPS and PowerPC soon fell by the wayside from the NT point of view, Alpha carried on for a while longer despite Gates only ever really caring about x86.

    3. Norman Nescio Silver badge

      Re: Wasn't VMS...

      Wasn't VMS the pattern used for Windows NT. It was my understanding (I could be wrong though) that the head of VMS development went on to Microsoft to do Windows NT development.

      Of course this explains Windows problems, etc...

      Well sort of. The thinking goes along the lines of Windows New Technology (WNT) is just one alphabet letter shifted up from Virtual Memory System (VMS), and the lead developer (Dave Cutler) for Windows NT moved to Microsoft from DEC.

      The same question has been asked many times, and there are some answers here:

      When Dave Cutler designed Windows NT, what did he consider to be the design shortcomings of Unix?

      Why did Dave Cutler, Senior Technical Fellow at Microsoft, hate unix to the point of developing Windows NT?

      Some argue that Dave Cutler designed a good O/S that was ruined by other Microsoft considerations (listed in the answers in the second link above).

      While the questions above are oriented towards a comparison between VMS and Unix, it's more likely that Dave Cutler aimed to improve on the shortcomings he perceived in VMS, and was aware of the (eventual, after cooperation) competition from IBM's OS/2. It's more likely that Windows NT was Dave Cutler's attempt at 'VMS done right' with the resources he had available than anything else. That said, Cutler has never concealed his dislike for Unix and Unix-like operating systems.

      This page goes into more detail at a technical level about the similarities and differences between VMS and Windows NT. http://www3.sympatico.ca/n.rieck/docs/Windows-NT_is_VMS_re-implemented.html

      For interested bystanders, here's a paper on DEC: The mistakes that led to its downfall

      I don't want to indulge in criticism of any one particular O/S. All have good points and bad points and it is as well to remember that. Hopefully Google's developers working on Fuchsia are learning from the best and improving things, as I'll guess that O/S is going to appear on a lot of phones in the future.

      1. Anonymous Coward

        Re: Wasn't VMS...

        One letter transposed from VMS.........W NT

      2. Andrew Commons

        Re: Wasn't VMS...

        @Norman

        What crippled Win NT was that it was a consumer desktop operating system and many of the really good bits of VMS that should have been in there were left out. Think logical names and installed images for a start....although it seems that it is a flaw in a privileged installed image that is the problem here.

        1. Anonymous Coward

          "What crippled Win NT was that it was a consumer desktop"

          Windows NT was from the beginning a server/workstation OS, since very few "consumers" could afford the hardware to run it properly, or the price of the OS itself.

          Remember back then Windows 3.x and 9x were the "consumer" versions - and even 2000 wasn't aimed at the consumer market. Only XP merged the lines - but by then hardware was powerful enough to run it.

      3. Anonymous Coward

        Re: Wasn't VMS...

        For interested bystanders, here's a paper on DEC: The mistakes that led to its downfall

        Interesting to note the parallels with the downfall of Sun, for many of the same reasons.

        1. Doctor Syntax Silver badge

          Re: Wasn't VMS...

          "Interesting to note the parallels with the downfall of Sun"

          There seem to be parallels with HP and IBM as well. It seems to be a management anti-pattern.

      4. Doityourself

        Re: Wasn't VMS...

        Here is the story about Dave Cutler's role in W NT development and about VMS traces in W NT told by Microsoft:

        http://news.microsoft.com/features/the-engineers-engineer-computer-industry-luminaries-salute-dave-cutlers-five-decade-long-quest-for-quality/#sm.0001ec43gz9tbcsq1106k7yhdz29e

    4. analyzer

      Re: Wasn't VMS...

      No actually it wasn't.

      DEC were looking to replace VMS at the time so as to cover the 32 bit VAX and 64 bit Alpha with the same OS.

      Dave Cutler and his venerable team presented PRISM and the other engineering team presented OpenVMS. OpenVMS won the beauty contest and Dave was a little ticked off then Bill came along.

      As a result Windows NT was actually based on PRISM not VMS because it was actually capable of 64-bit from the beginning, they just didn't have 64-bit Intel x86 at the time.

      2. Christian Berger Silver badge

        Re: Wasn't VMS...

        "As a result Windows NT was actually based on PRISM not VMS because it was actually capable of 64-bit from the beginning, they just didn't have 64-bit Intel x86 at the time."

        Well yes, but apparently Windows NT for Alpha wasn't really 64-bit. At least that's what people said back then.

        1. Anonymous Coward

          Re: wasn't really 64 Bit

          "apparently Windows NT for Alpha wasn't really 64-bit. At least that's what people said back then."

          And it was largely true. NT applications and NT itself were all fundamentally in a 32-bit address space, and largely expecting 32-bit data registers, so Alpha's 64-bitness for both addresses and data registers wasn't really helpful in the world of 32-bit Windows (plus PAE and similar x86-specific extensions).

          Itanic was going to change all that; IA64 would be the industry standard 64bit architecture (said Intel in public). In private, Intel were working to make sure that when AMD inevitably came out with AMD64, Intel had a more realistic option than IA64, just in case.

          The rest may still be in relatively recent memory.

          1. Daniel von Asmuth Bronze badge

            Re: wasn't really 64 Bit

            Alphas on 32-bit NT were really slow... one reason for the demise of DEC.

            This of course was until Windows 2000... After a row Digital laid off a team of engineers working on 64-bit NT, after which Microsoft cancelled the project, which was still in alpha stage. Somewhat later they started a port to IA64 (Itanic), which was released with much delay.

            1. Anonymous Coward

              Re: wasn't really 64 Bit

              "Alphas on 32-bit NT were really slow..."

              Fact check needed. Doing what? On which Alphas? Running fairly routine x86 desktop Win32 apps (emulated/translated by FX!32) there were reports that performance was acceptable, especially on second generation Alpha processors (which were also available at sensible prices) if the desktop apps were a small part of a bigger picture.

              MS own desktop apps, less so - e.g. it's widely reported that MS shipped "Alpha native" apps still with debug/unoptimised code. Also, first generation Alphas didn't do byte writes, which wasn't helpful for legacy PC apps (byte writes were added in the 2nd generation Alpha processors).

              Where Alpha came into its own in its time on NT was numerically intensive apps running native Alpha code. Image processing and such. Fast enough in the right circumstances to be well worth looking at when performance was what mattered, e.g. getting something like a newspaper (remember them?) ready to print an hour or so before the x86-based competition could do it.

      3. Anonymous Coward

        Re: Wasn't VMS...

        > Dave Cutler and his venerable team presented PRISM and the other engineering team presented OpenVMS. OpenVMS won the beauty contest and Dave was a little ticked off then Bill came along.

        IIRC, it was a contest between the Prism hardware + the Mica OS, vs. MIPS-based hardware running Ultrix (which became the DECstation line).

        Lots of interesting historical docs here if you're into that kind of thing: http://www.textfiles.com/bitsavers/pdf/dec/prism/

    5. bombastic bob Silver badge

      Re: Wasn't VMS...

      HAL is to IBM as VMS is to WNT

      One of the key engineers for VMS was a major architect of NT 3.0 [but I think he was a kernel guy, not so much on the userland/shell end]

      I guess someone already mentioned Dave Cutler - assuming it's the same guy I'm thinking of [can't remember his name]. I remember him being mentioned at a dev conference for the win '95 beta, so that would have been around December of 1993

    6. jmcc

      Re: Wasn't VMS...

      Actually the WinNT/2K/XP etc kernel code was basically a rewrite of VMS that lost the battle in one of the legendary Maynard "Mill" political infighting bloodbaths. DEC internal company politics was legendary at the time for its viciousness, with Ken Olsen orchestrating the cage fights. Cutler was not exactly held in the highest esteem by the real tech heavyweights in the company, which is why his team lost. After a fairly lightweight "rewrite" of his losing codebase it became the basis of the Portable OS/2 project in Redmond, a.k.a. WinNT 3.1.

      Reading through the source code used in NT4.0/Win2K/XP, Cutler's kernel code looks very very DEC'ish, i.e. very good clean code. A stark contrast from the rest of the Win32 codebase, which ranges from pretty mediocre to embarrassingly bad. Cutler may have been team lead at DEC but he was no great shakes as a system programmer. I got the impression that in the DEC project he was very much the lightweight on the team but was lead because no one else wanted the job.

      Given that all the old Win32 kernel APIs still work with the original behaviours in NT10.0, that means that old VMS rewrite code must still be in there. Just like the Win16 code.

    7. Champ

      Re: Wasn't VMS...

      > The pattern used for Windows NT. It was my understanding (I could be wrong though) that the head of VMS development went on to Microsoft to do Windows NT development.

      Yes, this was the legendary Dave Cutler, referred to up there.

      The other story is that W(indows) NT is one letter on from VMS (compare and contrast with HAL and IBM)

  13. Anonymous Coward
    Anonymous Coward

    Happy Days!

    $ set proc/priv=all seemed to cover most bases

    Also accessing most VAXes with systest/uetp

    Still my favourite OS!

    The standard response to any customer question was "check yer logicals"

    1. Anonymous Coward
      Anonymous Coward

      Re: Happy Days!

      "Also accessing most VAXes with systest/uetp"

      At one time it seemed that anyone who had been on VMS Systems Management course knew to change the default passwords for SYSTEM and FIELD but somehow never did that for SYSTEST.

      Got into several systems via that route to fix them when the normal System Manager was sick or on holiday.

      1. Phil O'Sophical Silver badge

        Re: Happy Days!

        Or just halt in SYSBOOT, set the max privileged UID to something large, and continue the boot. Then every user became SYSTEM.

        1. Andrew Commons

          Re: Happy Days!

          @Phil

          MAXSYSGRP or something like that as I recall. And I think you set that in VMB?? You set conversational boot anyway.

          1. Phil O'Sophical Silver badge

            Re: Happy Days!

            MAXSYSGRP or something like that as I recall.

            Indeed so.

            And I think you set that in VMB??

            You may well be right. Damn, where did those past 30-odd years go? I do hope the rumours of a hobbyist license for x86 are true, I knew there was a reason not to throw out that old PC.

            1. Andrew Commons

              Re: Happy Days!

              @Phil O'Sophical

              You don't need an old PC, a Raspberry Pi will do!

              https://www.rs-online.com/designspark/a-raspberry-pi-vax-cluster

              I used to be quite familiar with manually booting various early VAX models and tweaking a few of the parameters in the early boot stages once upon a time.

        2. GruntyMcPugh Silver badge

          Re: Happy Days!

          Bugger, wish I'd known that 25 years ago!

          I worked for a Uni Physics dept back then, just me and my boss did the techie stuff, and he went on holiday, then on the Monday evening, I was dragged from the Students Union bar by a postgrad, who said 'everything is broken'. Given we had a VAXcluster I doubted that, but he was correct, the star coupler had died spectacularly, and corrupted both system disks.

          Anyway, it turned out my boss had changed the SYSTEM password when I'd been on hols, and had forgotten to tell me, ... so after new parts, I went through a conversational boot, renamed sysuaf.dat and got in without a password but it was a PITA as there was no error handling, one spelling mistake or typo and you had to start again.

          Damn, I miss VAXes.

        3. Chris King Silver badge

          Re: Happy Days!

          "Or just halt in SYSBOOT, set the max privileged UID to something large, and continue the boot. Then every user became SYSTEM".

          That one will bite you if you forget to set it back to the right value for your system. Setting UAFALTERNATE used to be a safer option (so long as nobody messed with SYSUAFALT.DAT) but HPE don't recommend it these days.
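
          The conversational-boot recovery discussed in this thread, written out as an added example (it is not part of any commenter's post, and the exact console prompts and the console-login behaviour when SYSUAFALT.DAT is absent are assumptions from the documented OpenVMS "forgotten SYSTEM password" procedure; check them against your own version's System Manager's Manual). The point a practitioner wants is the second half: put UAFALTERNATE back to 0 and confirm MAXSYSGROUP is still at its site value, otherwise the box stays open after the repair.

```dcl
$! --- Part 1: at the console, boot conversationally (CONVERSATIONAL boot, e.g. "B/1" on a VAX) ---
$! SYSBOOT> SET UAFALTERNATE 1        ! use SYS$SYSTEM:SYSUAFALT.DAT instead of SYSUAF.DAT
$! SYSBOOT> SET WINDOW_SYSTEM 0       ! don't start DECwindows during the repair boot
$! SYSBOOT> CONTINUE
$!
$! With no SYSUAFALT.DAT present, the console login as SYSTEM is permitted without
$! the lost password (assumption: documented emergency-login behaviour for this case).
$!
$! --- Part 2: logged in at the console, reset the password ---
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF> MODIFY SYSTEM /PASSWORD=Replace_Me_Immediately_1   ! placeholder, not a real password
UAF> EXIT
$!
$! --- Part 3: turn the back door off again BEFORE rebooting ---
$ RUN SYSGEN
SYSGEN> USE CURRENT
SYSGEN> SET UAFALTERNATE 0
SYSGEN> WRITE CURRENT
SYSGEN> EXIT
$!
$! --- Part 4: after the normal reboot, verify nothing was left wide open ---
$! Both items are SYSGEN parameters, which F$GETSYI can read back:
$ IF F$GETSYI("UAFALTERNATE") .NE. 0 THEN WRITE SYS$OUTPUT "WARNING: UAFALTERNATE still set"
$ WRITE SYS$OUTPUT "MAXSYSGROUP = ", F$GETSYI("MAXSYSGROUP")   ! compare with your documented value (default 8, i.e. UIC group %O10)
$ IF F$SEARCH("SYS$SYSTEM:SYSUAFALT.DAT") .NES. "" THEN WRITE SYS$OUTPUT "NOTE: an alternate UAF exists; review it"
```

          The MAXSYSGROUP route Phil describes works the same way (SYSBOOT> SET MAXSYSGROUP to a large value, CONTINUE), but as Chris notes it turns every UIC group below that number into a system group, so the last two lines above are the check to run either way.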

  14. BrianLinxuing

    It is easy to bolt down a VMS system

    Obviously, if you are sloppy enough to give users complete DCL access then things might happen.

    But it's not terribly difficult to restrict access to a menu system, some spawned arrangement or a limited DCL table etc

    Plenty of possible solutions, assuming it's done properly and people know what they are doing!

  15. Steve Nice, CTO @ Reconnix

    https://www.shodan.io/search?query=OpenVMS

    752 hits

    1. Anonymous Coward
      Anonymous Coward

      @Steve Nice

      ahem

      Your connection is not secure

      The owner of www.reconnix.com has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site.

  16. Anonymous Coward
    Anonymous Coward

    https://www.shodan.io/search?query=OpenVMS

    752 hits....

  17. airdrummer

    The VAX, & I assume VMS as well, were copied by the Soviets, so either they've known about this bug for 30yrs, or are equally vulnerable;-}

  18. JeffyPoooh Silver badge
    Pint

    VMS = Really good 'Lunar Lander' game

    Circa 1990.

    We played with the VMS 'Lunar Lander' game for hours while our actual work compiled.

    We also enjoyed the terminal to terminal messaging. One overused gag was: "SECURITY: HEY (name), YOUR CAR IS ON FIRE."

  19. Michael Wojcik Silver badge

    Elder statesmen

    VMS is certainly an elder statesman in the OS world, and I like it as much as the next fellow. But I don't think it's fair to refer to it as "the elder statesman".

    VMS, as the article notes, was released in 1977, which was a while back. But today's zOS is basically an enhanced MVS, and MVS came out in 1974. (You can trace zOS all the way back to OS/360, but I think anything earlier than MVS is a stretch; MVS was the first version to support starting an arbitrary number of simultaneous "address spaces" (TCBs, the equivalent of processes) in an OS image.)

    UNIX first appeared in public in '73, and it's clearly still going strong.

    VM/CMS came out in '72; VM continues to provide virtualization on IBM mainframes, and there are still places running the CMS shell. (CP-67, with the original commercial version of CMS, came out in '68.) Also released in 1972 was DOS/VS, the ancestor of zVSE, still in use at some shops.

    TPF is from '79, but it was based on 1967's ACP. I don't know enough about ACP to judge whether it's fair to consider zTPF effectively the latest version of it, rather than a descendant.

    Most of the other old-but-still-around OSes I can think of date from the '80s. Anyone else have interesting ones for nostalgic waxing?

  20. Lorry

    Bulletproof VMS...

    Bulletproof? VMS has had more security holes than a Group 4 staff reunion dinner.

  21. ultradwc

    OpenVMS rules

    How many installations let users run DCL? Answer, NONE. This could only be exploited by an employee with privileges. OpenVMS is the most secure OS ever. Read the CERTS. Unix Linux and Windows are members of the CERT of the day club. They don't even compare.

  22. PaulM 1

    I knew about systest when I was a vax manager in 1985

    I changed the passwords on the three standard accounts in 1985:

    SYSTEM MANAGER

    FIELD SERVICE

    SYSTEST UETP

    It always struck me that SYSTEST was the account most likely to have the original password.
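
    A quick AUTHORIZE check for the three default accounts named in this thread, added here as an example (not PaulM's own commands). It assumes the standard account names SYSTEM, FIELD and SYSTEST plus the UETP helper SYSTEST_CLIG, and that the caller has the privilege to run AUTHORIZE; disabling rather than deleting the accounts is deliberate, since UETP and Field Service may need them re-enabled later.

```dcl
$! Run as a suitably privileged user; AUTHORIZE needs write access to SYSUAF.DAT
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
$! First see what is actually there: the /BRIEF listing shows each account's UIC, flags and privileges
UAF> SHOW SYSTEM /BRIEF
UAF> SHOW FIELD /BRIEF
UAF> SHOW SYSTEST /BRIEF
UAF> SHOW SYSTEST_CLIG /BRIEF
$! Force a fresh, non-default password on the account you keep, with a finite lifetime
UAF> MODIFY SYSTEM /PASSWORD=Replace_Me_Immediately_1 /PWDLIFETIME=90-0
$! Disable the service/test accounts until they are genuinely needed (DISUSER blocks all logins)
UAF> MODIFY FIELD /FLAGS=DISUSER
UAF> MODIFY SYSTEST /FLAGS=DISUSER
UAF> MODIFY SYSTEST_CLIG /FLAGS=DISUSER
UAF> EXIT
```

    Re-enable with MODIFY name /FLAGS=NODISUSER when Field Service or a UETP run actually needs the account, and set a new password at that point rather than restoring the shipped one.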

  23. Anonymous Coward
    Anonymous Coward

    Regarding Clubley's 'alleged' security 'hole'

    He has a £10,000 cheque to claim from me ... if he can prove it. Needless to say, my dosh is still sitting in my bank account, nice and snug

    1. Simon Clubley

      The CVE proves the vulnerability is real

      [I am the same person who found the vulnerability detailed in this article.]

      @AC on 1-Jan-2019

      The AC is a perfect example of the kind of person in the VMS user community I was warning about in the article.

      He is either clueless enough about modern security practices that he doesn't have a clue what a CVE is, or he is one of the people who denies that VMS has the same issues as other operating systems do and is in denial that a decades old vulnerability has been found by myself.

      What the AC didn't say in his posting above is that he showed up in the comp.os.vms newsgroup several months ago, saying the same things as he has here and ignoring any comments which explained why this vulnerability really does exist and that VSI had produced a patch to fix it.

      He only finally went away when the VSI engineer who fixed the vulnerability I found also confirmed the vulnerability was real and so was the patch which fixed it.

      As for the money, the AC has already been told I am not interested in it even though the proof he seeks already exists; this wasn't the reason I did this research. Besides, I doubt the money really exists.

      In case the AC is simply unaware of what a CVE is, the following should hopefully enlighten him. It doesn't explain however why he has ignored the information provided to him in comp.os.vms.

      The CVE database is an industry-wide database of vulnerabilities which has existed since 1999. This specific CVE entry was created by VSI, not myself, and the text in the CVE, which shows the issue has existed since VAX/VMS V4.0, was also written by VSI after they had analysed and confirmed my research.

      This means the CVE is a vendor statement confirming the vulnerability and on which platforms (VAX and Alpha) the vulnerability can be exploited to compromise the system. It is NOT merely a series of claims by myself.

      This also means the VSI issued CVE _is_ the proof you seek.

      BTW, this isn't the first time elements in the VMS user community have reacted in this way. The last major public discussion of VMS vulnerabilities occurred about 10 years ago when VMS was probed at DEFCON 16 and vulnerabilities were found. Some of the subsequent user community discussion was less than impressive in the knowledge displayed and the negative attitude towards the researchers.

      VSI marketing

      This idea that VMS stands above all other operating systems when it comes to security is also reinforced by VSI as VSI makes the idiotic claim that VMS is "the most secure operating system on the planet". And yes, that's a direct quote from VSI.

      As far as I can tell, VSI justifies making this claim by comparing the number of CVEs issued for an operating system (VMS) which is probed once in a blue moon (if that!) and then comparing it to the number of CVEs issued for Linux and Windows, which is actively probed every single day by an entire army of researchers.

      Unfortunately, this attitude reflects what some in the VMS user community also believe.

      Final notes

      I am not a professional security researcher; I am a normal programmer with a range of experience in various operating systems (including VMS) and various programming languages.

      I did this one-off research because I was alarmed by the increasingly out of touch language, both by the VMS user community and VSI, about the security of VMS. I could see the possibility of the VMS users getting a very sudden wakeup call from security researchers if they saw the language on the VSI website and treated it as a challenge.

      I therefore decided to temporarily put on a security researcher hat and probe VMS for a vulnerability which I could use to hit the VMS community over the head with before any third-party researchers came along and taught them the same lesson in a much more sudden manner.

      As you can see from the CVE, I promptly found a vulnerability in VMS which allowed you to compromise VAX (and later Alpha when it arrived) systems for over 30 years if you have direct access to DCL. It makes you wonder what the professional researchers may find if they turn their attention to VMS.

      Oh, and the reason why my discovery allowed me to compromise VMS ?

      Well, it turns out that on VMS, shells running in supervisor mode (i.e. DCL) have access to the privileges of the programs they run. And no, I didn't believe that either when I found it.

      Non-privileged users cannot run their own custom written shell in supervisor mode without a privileged user's authorisation, but the above does mean that if a non-privileged user can get shellcode they create running somewhere inside DCL (as I did) it may be possible to use that code to compromise VMS.


Biting the hand that feeds IT © 1998–2019