Bugtraq mailing list archives

Re: Buffer overflow and OS/390


From: nmm1 () CUS CAM AC UK (Nick Maclaren)
Date: Mon, 8 Feb 1999 09:41:48 +0100


Marc Heuse <marc () SUSE DE> writes:

When I was thinking about the OS/390 and its open TCP/IP services, it
came to my mind that the conceptual resemblance between MVS and UNIX may
lead to some successful buffer overflow attack in OS/390.

Boggle.  Those two systems are as conceptually different as any two
that you will come across.  But you are correct that all modern
general-purpose systems use similar concepts for their code and data
memory management.  The aspect that I think you are referring to is
common addressability of both code and data segments.

Now open MVS comes with TCP/IP services that are running as Started Tasks,
which seem to be just like suid daemons.  A TSO session creates its own
address space, which seems like the memory space for a UNIX shell environment.
If a normal user can create shell code for the jump to the TSO command
line of a SPECIAL user, I think that a buffer overflow may not be impossible.

Started tasks are more like daemons started by init or cron/at, and
have few setuid properties.  As far as I recall (and it is a while
ago), the TCP/IP services run in their own address space, which would
mean that they cannot access a TSO user's code or data (or vice
versa).  Not at all.

If, however, part or all of them is invoked as an APF task within the
TSO address space, or the service interface explicitly sets up cross
address space accessibility, then such things become possible.

However, you might still get them to execute code within the TCP/IP
buffer, even if there is no cross address space accessibility.

Well, you can't mess with code space as normal users (if I remember correctly).
Buffer overflows are of course possible, but you can't use them to do
stack smashing attacks because the code and data segments are separated.

This is true only for reentrant code (subpool 252), but I assume that
the TCP/IP services are reentrant.  Anyway, as has been pointed out
MANY times before, separate segments do not stop such attacks if there
is common addressability.  And, in both MVS/ESA and Unix, there is.

Even a C compiler is available for the ESA.  Well, if someone finds
vulnerable programs, this may lead to a successful attack on the environment.

Well, back in an old job I did a security review of the OpenEdition segment
and found some security vulnerabilities (which should be fixed in the
current release - it was a hard fight until they promised that).
I think there are still many vulnerabilities left to be found for the
brave searcher ;-)

It would be flabbergasting if there weren't :-)


Regards,
Nick Maclaren,
University of Cambridge Computing Service,
New Museums Site, Pembroke Street, Cambridge CB2 3QG, England.
Email:  nmm1 () cam ac uk
Tel.:  +44 1223 334761    Fax:  +44 1223 334679


