Bugtraq archives for 1st quarter (Jan-Mar) 1999: Re: Buffer overflow and OS/390

Re: Buffer overflow and OS/390

Do-Geun Jo (do.geun.joKR.ARTHURANDERSEN.COM)
Tue, 9 Feb 1999 03:04:11 +0900

Marc Heuse wrote:

>Hi,

>> When I was thinking about the OS/390 and its open TCP/IP services, this
>> came to my mind that the conceptual resemblance between MVS and UNIX may
>> lead to some successful buffer overflow attack in OS/390.
>>
>> Now open MVS comes with TCP/IP services that are running as Started
>> Tasks which seem to be just like suid daemons.  TSO session creates its
>> own address space which seems like a memory space for UNIX shell
>> environment.  If a normal user can create a shell code for the jump to
>> the TSO command line of a SPECIAL user, I think that buffer overflow may
>> not be impossible.

>well, you can't mess with code space as normal users (if i remember
>correctly).

When you say code space, which area do you specifically mean? Code space is
not the common wording for MVS virtual storage.  Do you mean common areas
(including PSA-prefixed save area) and other common areas above PVT by the
word "code space"?

>buffer overflows are of course possible, but you can't use them to do
>stack smashing attacks because the code and data segments are separated.

Data and stack addresses are also separated in UNIX memory space.
I did not use the word "stack" as the MVS address space is named
differently from that of UNIX.
If one cannot manipulate the PSW with a buffer overflow, are you implying that
there is a way of attacking the common area above PVT such as LPA?

>> Even C compiler is available for the ESA.  Well, if someone finds
>> vulnerable programs, this may lead to successful attack on the
>> environment.

>well, back in an old job I did a security review of the OpenEdition
>segment and found some security vulnerabilities (which should be fixed in
>the current release - it was a hard fight until they promised that).
>i think there are still many vulnerabilities left to be found for the
>brave searcher ;-)

>Greets,
>    Marc
>--
>  Marc Heuse, S.u.S.E. GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
>  Email: marcsuse.de      Function: Security Support & Auditing
>  issue a  "finger marcsuse.de | pgp -fka" for my public pgp key
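The exchange above turns on the difference between a buffer overflow as such (an unchecked copy overrunning its buffer into whatever data sits next to it, which is possible on any system) and using that overrun to take control of execution (what the quoted reply calls stack smashing, and what separated code and data segments are meant to make harder, since bytes written into a data region are not executable as code). The following is an added C example, not code from either poster and not modelled on any real OS/390 structure: it lays out a constructed frame as a flat byte region with a 16-byte buffer followed by a 4-byte "saved address" slot, and shows that an unchecked copy clobbers the slot while a bounds-checked copy preserves it. The frame layout, sentinel value and function names are all this example's assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one frame as a flat byte region: a 16-byte input
 * buffer followed immediately by a 4-byte "saved address" slot (standing in
 * for a return address, or on MVS a saved PSW/register value). The layout
 * and sizes are assumptions made for this example, not OS/390's. */
#define BUF_SIZE   16
#define SLOT_SIZE  4
#define FRAME_SIZE (BUF_SIZE + SLOT_SIZE)

typedef struct {
    unsigned char bytes[FRAME_SIZE];
} frame_t;

/* Recognisable marker placed in the saved-address slot so that any
 * overwrite of it is detectable. Constructed value. */
static const unsigned char SENTINEL[SLOT_SIZE] = { 0xDE, 0xAD, 0xBE, 0xEF };

/* Zero the buffer and put the sentinel into the saved-address slot. */
void frame_init(frame_t *f) {
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + BUF_SIZE, SENTINEL, SLOT_SIZE);
}

/* Vulnerable copy: trusts the caller-supplied length and writes straight
 * past the buffer into the slot behind it. The write is clamped to the
 * frame so that this model stays within defined behaviour; in real code
 * it would continue into whatever follows in memory. */
void copy_unchecked(frame_t *f, const unsigned char *src, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(f->bytes, src, len);
}

/* Hardened copy: never stores more than BUF_SIZE bytes. Returns the number
 * actually stored so the caller can detect (and reject) truncated input. */
size_t copy_checked(frame_t *f, const unsigned char *src, size_t len) {
    size_t n = len < BUF_SIZE ? len : BUF_SIZE;
    memcpy(f->bytes, src, n);
    return n;
}

/* 1 if the saved-address slot still holds the sentinel, 0 if it was
 * overwritten by a copy that overran the buffer. */
int slot_intact(const frame_t *f) {
    return memcmp(f->bytes + BUF_SIZE, SENTINEL, SLOT_SIZE) == 0;
}

/* Run both copies against a constructed over-long input. Returns 1 only if
 * the unchecked copy clobbers the slot and the checked copy preserves it. */
int demo(void) {
    unsigned char input[FRAME_SIZE];
    memset(input, 'A', sizeof input);   /* constructed 20-byte input */
    frame_t f;

    frame_init(&f);
    copy_unchecked(&f, input, sizeof input);
    int clobbered = !slot_intact(&f);

    frame_init(&f);
    copy_checked(&f, input, sizeof input);
    int preserved = slot_intact(&f);

    return clobbered && preserved;
}

int main(void) {
    printf("unchecked copy clobbers the saved slot, checked copy does not: %s\n",
           demo() ? "yes" : "no");
    return 0;
}
```

The point the model makes is that the overflow itself is a property of the copy routine, not of the platform: whatever separation exists between code and data decides only what an attacker can do with the overwritten slot, not whether the slot gets overwritten. The defensive fix is the same on every system, namely bounding the copy to the buffer and treating a truncated result as an error rather than silently accepting it.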