Bugtraq mailing list archives
Re: Buffer overflow and OS/390
From: do.geun.jo () KR ARTHURANDERSEN COM (Do-Geun Jo)
Date: Tue, 9 Feb 1999 03:04:11 +0900
Marc Heuse wrote;
Hi,
When I was thinking about the OS/390 and its open TCP/IP services, this came to my mind that the conceptual resemblance between MVS and UNIX may lead to some successful buffer overflow attack in OS/390. Now open MVS comes with TCP/IP services that are running as Started
Tasks
which seem to be just like suid demons. TSO session creates its own address space which seems like a memory space for UNIX shell
environment.
If a normal user can create a shell code for the jump to the TSO command line of a SPECIAL user, I think that buffer overflow may not be
impossible.
well, you can't mess with code space as normal users (if i remember
correctly). When you say code space, which area do you specifically mean? Code space is not the common wording for MVS virtual storage. Do you mean common areas (including PSA-prefixed save area) and other common areas above PVT by the word "code space"?
buffer overflows are of course possible, but you can't use them to do stack smashing attacks because the code and data segments are seperated.
Data and Stack addresses are also separated in UNIX memory space. I did not use the word "stack" as the MVS's address space is called differently from that of UNIX. If one can not manipulate PSW with buffer overflow, are you implying that there is way of attacking the common area above PVT such as LPA?
Even C compiler is available for the ESA. Well, if someone finds vulnerable programs, this may lead to successful attack on the
environment.
well, back in an old job I did a security review of the OpenEdition
segment
and found some security vulnerabilities (which should be fixed in the current release - it was a hard fight until they promised that). i think there are still my vulnerabilities left still to be found for the brave searcher ;-)
Greets, Marc -- Marc Heuse, S.u.S.E. GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc () suse de Function: Security Support & Auditing issue a "finger marc () suse de | pgp -fka" for my public pgp key
*******************Internet Email Confidentiality Footer******************* Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message, and please notify us immediately. Please advise immediately if you or your employer does not consent to Internet email for messages of this kind. Opinions, conclusions and other information expressed in this message are not given or endorsed by my firm or employer unless otherwise indicated by an authorized representative independent of this message.
Current thread:
- Re: Buffer overflow and OS/390 Crispin Cowan (Feb 04)
- <Possible follow-ups>
- Re: Buffer overflow and OS/390 Olaf Seibert (Feb 05)
- Re: Buffer overflow and OS/390 Marc Heuse (Feb 06)
- Re: Buffer overflow and OS/390 Nick Maclaren (Feb 08)
- Re: Buffer overflow and OS/390 Do-Geun Jo (Feb 08)