INFO-VAX	Sun, 25 Jun 2006	Volume 2006 : Issue 351

Contents:
APACHE$PRIVILEDGED
CSWS 2.1 Startup failure after upgrade
Hey, Waterboy?
Re: Hey, Waterboy?
Stacks, Static, Item Lists, Modes and Initialization
Re: TELNET PERFORMANCE OVER WAN
UWSS Critique #1 What's wrong with sys$create_user_profile and sys$check_access

----------------------------------------------------------------------

Date: Sun, 25 Jun 2006 17:19:59 +0800
From: "Richard Maher" <maher_rj@hotspamnotmail.com>
Subject: APACHE$PRIVILEDGED
Message-ID: <e7lkcb$88g$1@news-02.connect.com.au>

Hi,

Is anyone out there who is running Apache on their systems in a position to
use my Exec-Mode friendlier version of FAKE_RTL.COM? It's just that I'm
willing to wager that it breaks Stephen Hoffman's Primary Directive and
commits the heinous crime of calling out to an RTL from Exec-Mode. (Why am I
having this vision of that "Scanners" head explosion?)

What can it all mean???

Regards Richard Maher

PS. Hold-The-Phone!!! Apache is open-source, isn't it? Send me a copy of
Apache$Privileged and I'll tell you what's wrong with it.

PPS. Anyone else running ACMS? Can you please do an ANALYZE/IMAGE on
whatever SYS$SHARE:*ACMS*.EXE that is INSTALLed /PROTECTed and post the
linked image list here?

------------------------------

Date: 25 Jun 2006 09:33:38 -0700
From: Uwe.Kroyer@gmx.de
Subject: CSWS 2.1 Startup failure after upgrade
Message-ID: <1151253218.900363.85870@c74g2000cwc.googlegroups.com>

I've upgraded CSWS 2.0 to CSWS 2.1 on an XP1000 with OpenVMS 7.3-2, all
available patches installed. TCPIP Version is 5.4-15.

After the upgrade CSWS startup fails with:

       [SUN JUN25 17:48:17 2006] [crit] (6)no such device or address:
       alloc_listener: failed to get a socket for 0.0.0.0
       syntax error on line 155 of /apache$root/000000/conf/httpd.conf:
       Listen setup failed

CSWS 2.0 showed the same failure, but during CSWS restart only.

I start CSWS under the SYSTEM account.

Any help is appreciated.

------------------------------

Date: Sun, 25 Jun 2006 18:00:45 +0800
From: "Richard Maher" <maher_rj@hotspamnotmail.com>
Subject: Hey, Waterboy?
Message-ID: <e7lmop$bf9$1@news-02.connect.com.au>

Hi Steve,

<?xml version = "13.0" encoding = "UTF-Humerous" render="Acerbic"
<html lang="Oz vanacular">
<meta http-aquire="Content_Type" Content="Bollocks">

<head>
    Continuing Probe into Hoffman UWSS Credibility
    <charge>
      Recognition issues - Can't distinguish arse from elbow without visual aids!
    </charge>
   </head>

<freeform_abuse>

Hoff wrote:
>    Ayup.  That's part of the fun of working in a development group, too.

Exactly which development group would that be Steve? Are you being (not a
wee bit) pathetically aspirational here?

The reason I ask is that I've just done a search for "Hoff" through the VMS
source listings, and although I know there's no "I" in TEAM, there doesn't
appear to be a whole lot of "U" either. (There was one mention in LIB$FIS
about how you were allowed keyboard-time to maintain a "Comment", but other
than that, not much.) Would it be fair to say that when it comes to the VMS
"development group", you pretty much look after the meta-code and carry the
oranges?

Don't get me wrong, I'm not saying that you have to launder the team
jock-straps. (Given the age and incontinence-levels of some of those in VMS
engineering (let alone Rob's hygiene issues :-) I would not wish that task
on anyone! (Having said that, Ruth coding commando should balance out the
workload :-))

I just wouldn't want the COV subscribers or the VMS user community at large
to get the wrong idea about exactly how much input you've had into the
existing VMS code base or its strategic direction. Hey, don't get me wrong
Big Guy, "Public Relations" and "Expectation Management" is a mighty
important cog in that VMS wheel that we all know and love, but please
embrace this opportunity to tell us all exactly what your jobspec entails
and what you do from day to day. (Please also post the names of the UWSS
modules that you've personally written or maintained.)

Regards Richard Maher

PS. Was that you in the Turkey-Suite at half-time???

</freeform_abuse>

Hoff Hoffman wrote:
> Dave Froble wrote:
> > Hoff Hoffman wrote:
> >>   I have to assume that there is a lack of familiarity with XML here.
> >
> > Again, possibly so, but I can envision some designs that could 'learn'
> > about previously unknown types of data and make some reasonable guesses
> > for adding such without need for re-programming.  Definitely not a 100%
> > solution, but could handle minor variations.
>
>    XML offers a block quote mechanism, allowing a translation tool to
> convert the incoming RFC-compliant SMTP headers into recognized and
> structured XML, and into what amounts to quoted headers for the odd
> stuff.  When regurgitating the message, the block quotes can be replayed
> into the data stream.   Or the incoming traffic detects the pieces of
> the header of interest, and block quotes the whole SMTP header for
> posterity.  Much like how existing mailers handle this stuff.
>
>    If SMTP can do "it", then an XML translation can be implemented for
> "it", too.
>
> > Remember, those things that 'cannot be done' remain so only until the
> > first time they are 'done'.
>
>    Ayup.  That's part of the fun of working in a development group, too.

------------------------------

Date: 25 Jun 2006 08:07:23 -0500
From: Kilgallen@SpamCop.net (Larry Kilgallen)
Subject: Re: Hey, Waterboy?
Message-ID: <TTwbdK5g16lg@eisner.encompasserve.org>

In article <e7lmop$bf9$1@news-02.connect.com.au>, "Richard Maher" <maher_rj@hotspamnotmail.com> writes:
> Hoff wrote:
>>    Ayup.  That's part of the fun of working in a development group, too.
>
> Exactly which development group would that be Steve? Are you being (not a
> wee bit) pathetically aspirational here?
>
> The reason I ask is that I've just done a search for "Hoff" through the VMS
> source listings,

That is not the purpose of the source listings.  In the deep past I know
of a lot of source code changes in the security area that were made by one
person but attributed to others to disguise the involvement of security
experts in particular changes.

The source listings will show you how the software works, but will not
necessarily show you the sociology of the development group.

------------------------------

Date: Sun, 25 Jun 2006 19:01:22 +0800
From: "Richard Maher" <maher_rj@hotspamnotmail.com>
Subject: Stacks, Static, Item Lists, Modes and Initialization
Message-ID: <e7lqae$gge$1@news-02.connect.com.au>

Hi,

The other day I was re-visiting some UWSS code for vulnerability, after
remembering how wonderfully useful it is that /PROTECTed data pages for a
User-Written System Service are set to UREW protection. I mean if, after my
UWSS exits, the User-Mode code can see my working-storage and work out what
I've been doing then I'd better make sure it is blanked out every time I
exit. I ideally would like an Item_List initializer. I know it's not
rocket-science but if there was a supported generic one available then I'd
prefer to use that.

I then thought that a good idea would be to "look at the source code". Can't
go wrong there can you? So I looked at sys$getuai.
It makes sense that if
you read a UAF record that the calling User-Mode-Unprivileged code is not
entitled to see then you'd better make sure it's still not in memory after
you exit with ss$_nosysprv.

Now I'm not too bright with Bliss but my mate assures me that "Local" goes
on the Stack and "Own" looks like static compiler-generated data. So looking
at $getuai it looks like it lets stack unwinding clean up all residual data.
But my friend says Bliss doesn't re-initialize anything. When the code
enters the routine it is initialized at entry time, but he says that at exit
time the SP just gets increased by X bytes and unwound. So what stops the
User-Mode code from being able to pick an EXEC-MODE stack address and start
dumping it after calling $getuai with a valid (but nopriv) username?

Does the Inner-Mode stack set protection on its pages to prevent outer-mode
READ? Nup!

Does the System Service Dispatcher guess the maximum stack depth and start
zeroizing pages down to there? Nup!

(I thought about conferring with "Mr Remarkable and his youthful ward Gillie"
on this, but then I realized that we're after the FACTS here)

So if anyone can tell me why using the Stack in a UWSS makes one immune from
having to clean up memory before exiting then *please* let me know! Otherwise
I'll just stick to MOVCing NULL record blocks to used record blocks.

PLV$M_CLRREG Clever! CLEVER! You can't be too careful! Do any LOADSS
services use this flag?

PLV$M_STACK_ARGS Danger Will Robinson! What does $QIO think it is doing?

PLV$M_WAIT_CALLERS_MODE  If only we had *REAL* engineering involvement in COV
someone could discuss this flag :-(

Regards Richard Maher.

------------------------------

Date: Sat, 24 Jun 2006 23:13:13 -0700
From: "John Gemignani, Jr." <john@nfw-invalid.cibtrikker.com>
Subject: Re: TELNET PERFORMANCE OVER WAN
Message-ID: <JLydnaLiAqjntAPZnZ2dnUVZ_rqdnZ2d@dls.net>

<hoffman@xdelta.zko.dec.nospam> wrote in message
news:l5Cmg.2182$TL6.1981@news.cpqcorp.net...
> In article <06062214022850@dscis6-0.dalsemi.com>, brandon@dalsemi.com
> (BRANDON, JOHN M) writes:
> |> I would like some feedback on how to check for and tune performance
> issues with
> |> TELNET over the WAN.
> |>
> |> servers:
> |> VMS 7.2 TCP V5.0
>
>  There's a nasty telnet bug or two in TCP/IP Services V5.0.
>  The one I've seen involves a loop that sucks down cycles.
>  Can you move to something slightly newer, or at least ECO
>  the release?  V5.0A with ECOs would be good, or later...
>
>
>

The nasty TELNET bug in V5.0 was a problem with terminal type negotiation.
If the client presented a type that the server didn't recognize, it didn't
return the correct (bad) status, and the client would start the negotiation
all over again. This caused an awful loop.

For your problem, I think it was related to data overrun where either the
flow control didn't get turned back on or characters amid escape sequences
were lost.

To solve both of these, be sure that you are up-to-date with your patches
(for your version, V5.0 is OLD).

John
(Who hasn't worked on or used VMS for over a year and who can't keep from
dropping into c.o.v from time to time, sigh)

------------------------------

Date: Sun, 25 Jun 2006 16:56:24 +0800
From: "Richard Maher" <maher_rj@hotspamnotmail.com>
Subject: UWSS Critique #1 What's wrong with sys$create_user_profile and sys$check_access
Message-ID: <e7lj04$6d7$1@news-02.connect.com.au>

Hello,

(I've been meaning to get around to doing these reports properly in an
attempt to try to resurrect a VMS development base culture in COV, but the
winter here is like the summer in the UK (Bottle of sav. blanc watching the
sunset on the beach as the dolphins chase fish in front of you, after a
heated game of beach cricket with the kids) so there's nottalotta time for
this crap. Anyway, I'll at least try to report the bare facts for the
benefit of all the other developers out there who are being treated like
shit by HP Cling-ons.)

The Crime: Neither SYS$CREATE_USER_PROFILE nor SYS$CHECK_ACCESS probes
caller-access to the "context" parameter before passing it on to subsequent
routines and ultimately SYS$GETUAI (for writing/corrupting).

The Consequences: At best potential corruption, at worst the
deterministic/predictable manipulation of Exec-Mode Protected memory.

The Details: These routines assume that $getuai (as the ultimate consumer)
will do all the probing and validation of the "context" parameter that is
necessary. While this is true, a problem arises in that $c_u_p is in the
same shareable image (secureshrp) as $getuai and the change mode vector
seems to be bypassed, resulting in $getuai being activated as a caller's-mode
routine.
This should be no big deal as we're already in EXEC but in reality
would piss $create_user_profile and $check_access off 'cos (most of) the
parameters that they pass to $getuai are in UREW memory, therefore a
"previous-mode" probe for write access to their static memory or Exec-Mode
stack would fail :-( The strategy employed appears to be a call to $cmexec
which changes the previous mode again to EXEC and bypasses any dodgy
ACCVIOs. The problem is *no one* has yet probed the "context" parameter for
caller's-mode write. So now User-Mode code can happily pass an Exec-Mode
address to sys$create_user_profile and have it written with the IFI and ISI
returned. (Ugly! Nasty! Not-Nice!)

The Fix: Simply probe the context parameter for Caller's-Mode write access
before relying on it!

The Moral of the Story: UWSSs can NEVER trust what the unprivileged and
unprotected code is sending them. Take nothing for granted! Verify
*everything*! School-boy errors like these can be very costly in terms of
system security.

Regards Richard Maher

PS. This is not an exhaustive critique of all that can be wrong with these
routines; just what jumped out at me after 5 mins investigation.

Next installment: SYS$GETUAI itself! (Followed shortly afterwards by
COSI_AUTHENTICATE in RDB$COSIP)

------------------------------

End of INFO-VAX 2006.351
************************
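Appended below as an added example, not part of the digest and not code from any poster or from OpenVMS: a portable C model of the two hazards raised in Richard Maher's "Stacks, Static, Item Lists, Modes and Initialization" and "UWSS Critique #1" posts. The simulated address space (one user-writable region, one exec-mode region that doubles as UREW working storage), the status values SS_NORMAL/SS_ACCVIO/SS_NOSYSPRV, the sample UAF record and the routine names getuai_model, create_user_profile_vuln and create_user_profile_fixed are all assumptions made for this example; nothing here calls the real $GETUAI, $CREATE_USER_PROFILE or $CMEXEC. It shows (1) why an outer service that enters its inner routine with the previous mode forced to EXEC and never probes the caller's "context" pointer lets user mode write an exec-mode address, and what the fix (probe against the caller's mode first) looks like, and (2) why working storage in user-readable memory must be scrubbed on every exit path, the SS_NOSYSPRV failure path included.

```c
/* Added example (not from the digest): portable model of two UWSS hazards.
   Address-space layout, status values and routine names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum mode { MODE_KERNEL = 0, MODE_EXEC = 1, MODE_SUPER = 2, MODE_USER = 3 };

/* Hypothetical status values for this model only (not the VMS SS$_ codes). */
enum { SS_NORMAL = 1, SS_ACCVIO = 2, SS_NOSYSPRV = 3 };

struct context { uint32_t ifi; uint32_t isi; };

/* Simulated address space: a user-writable region and an exec-mode region.
   The exec region doubles as the service's UREW working storage. */
#define REGION_BYTES 256
static union {
    uint8_t bytes[REGION_BYTES];
    struct context ctx[REGION_BYTES / sizeof(struct context)];
} user_mem, exec_mem;

/* Can code whose previous mode is `mode` write `len` bytes at `p`? */
static bool probe_write(enum mode mode, const void *p, size_t len) {
    uintptr_t a = (uintptr_t)p, end = a + len;
    uintptr_t ub = (uintptr_t)user_mem.bytes, ue = ub + REGION_BYTES;
    uintptr_t eb = (uintptr_t)exec_mem.bytes, ee = eb + REGION_BYTES;
    if (end < a) return false;                          /* wrapped range */
    if (a >= ub && end <= ue) return true;              /* user memory: all modes */
    if (a >= eb && end <= ee) return mode <= MODE_EXEC; /* exec memory: inner modes */
    return false;                                       /* not mapped */
}

/* Volatile store loop so the compiler cannot drop the wipe as a dead store. */
static void scrub(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Constructed sample UAF record; not real data. */
static const char sample_uaf[] = "SYSTEM:pwhash=0123456789abcdef:uic=[1,4]";

/* Stand-in for the inner lookup ($GETUAI-like).  It copies the UAF record
   into UREW working storage, probes `ctx` against `prev_mode`, and returns
   results through `ctx` only if the caller is privileged. */
static int getuai_model(enum mode prev_mode, bool caller_has_sysprv,
                        struct context *ctx, bool scrub_on_exit) {
    char *rec = (char *)exec_mem.bytes;   /* readable by user mode (UREW) */
    int status;
    memcpy(rec, sample_uaf, sizeof sample_uaf);
    if (!probe_write(prev_mode, ctx, sizeof *ctx)) { status = SS_ACCVIO; goto done; }
    if (!caller_has_sysprv)                         { status = SS_NOSYSPRV; goto done; }
    ctx->ifi = 0x1234;   /* constructed values */
    ctx->isi = 0x5678;
    status = SS_NORMAL;
done:
    if (scrub_on_exit) scrub(rec, sizeof sample_uaf);   /* every exit path */
    return status;
}

/* Flawed outer service: never looks at the caller's mode, and enters the
   inner routine with previous mode forced to EXEC, so the inner probe passes
   for an exec-mode address handed in from user mode. */
static int create_user_profile_vuln(enum mode caller_mode, struct context *ctx) {
    (void)caller_mode;
    return getuai_model(MODE_EXEC, true, ctx, false);
}

/* Hardened outer service: probe `ctx` against the caller's own mode first,
   and have the inner routine scrub its working storage on every exit. */
static int create_user_profile_fixed(enum mode caller_mode, struct context *ctx) {
    if (!probe_write(caller_mode, ctx, sizeof *ctx)) return SS_ACCVIO;
    return getuai_model(MODE_EXEC, true, ctx, true);
}

/* True if a user-mode caller got exec-mode memory overwritten via `svc`. */
static bool user_can_overwrite_exec(int (*svc)(enum mode, struct context *)) {
    struct context *target = &exec_mem.ctx[16];   /* an exec-mode address */
    memset(exec_mem.bytes, 0, REGION_BYTES);
    int status = svc(MODE_USER, target);
    return status == SS_NORMAL && target->ifi == 0x1234 && target->isi == 0x5678;
}

/* True if the UAF record is still readable from UREW working storage after
   an unprivileged lookup was refused with SS_NOSYSPRV. */
static bool record_left_behind(bool scrub_on_exit) {
    memset(exec_mem.bytes, 0, REGION_BYTES);
    int status = getuai_model(MODE_USER, false, &user_mem.ctx[0], scrub_on_exit);
    return status == SS_NOSYSPRV &&
           memcmp(exec_mem.bytes, sample_uaf, sizeof sample_uaf) == 0;
}

int main(void) {
    printf("vuln service lets user mode write exec memory:  %s\n",
           user_can_overwrite_exec(create_user_profile_vuln) ? "yes" : "no");
    printf("fixed service lets user mode write exec memory: %s\n",
           user_can_overwrite_exec(create_user_profile_fixed) ? "yes" : "no");
    printf("UAF record readable after refused lookup, no scrub:   %s\n",
           record_left_behind(false) ? "yes" : "no");
    printf("UAF record readable after refused lookup, with scrub: %s\n",
           record_left_behind(true) ? "yes" : "no");
    return 0;
}
```

The two checks are deliberately separate: the probe is done by the outer service against the mode of the code that actually called it, because by the time the inner routine runs the previous mode has been changed and its own probe answers the wrong question; and the scrub sits on the single exit path of the inner routine, so a refused lookup leaves no more behind than a successful one.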
lq3d?_FO鳝)nzvu};QG
˞'Udٰ|`~!{+MyphA[ٰ֯ÇmRտtbEp"9|,liOG#i:gWGA7>%ܬ<6 ˴FS1.[8Я˗SFHnmeGR\̴1_6
z6mS>ZvyS귻<Mx%_U$}ŇHI>}#x|:JKR'cF?2'y<7#7qRy XMƌHt>;!HTIK	;_"z}oJ䏾U8J'Ia17j&qCqo٘.0?O@y7ֿ=l?+";qCw:s+-U8={Wkܵۮq&|_rlg~t#ghۿUɩ9h~N>â/d5\}x#}adQ<ǆccg%9G{vGk_7z
gfA:`)v9 q\GȪĈtS6T٘MFHSW*1aC8C_?&氡:BhJ	R\|}S8dЇ_n/,M"n>RNά^䬶TT9kpP,m4Hx/KVYP(gf6opVQhd(TRW&k뷼q?(Rc8?{M.>
LִcԨYk<04/|f|g.:6~_dIi79}[sg.B9d71epVcʱTBB
rN;osBsq9}"䬵_\OPW>ˋ'K%GS|gOI>c[&g)y`3mů3ubqd|2NȁCk޸:>n	8QĳOC/48QlPq"ᚙM||q|sȏzO
\'
kz^|vv|i.u,y^>MY8fq;eCilĂϹbROs|2]Y\6|
-!>Sŧg2Sr3/"Unqԑ2ħ)͉v[Lz$/>?-r-2₍VunOXw[𙙼<|f&M|'!o1چOfپw"Fdτѐ
4.
LΒ[\&}19><*#fQ'jT?TQGr#M9^
8ςǔ;YQ`mx[I!mqCw+u.^eWdIΊ߀_8qN.U(~MN&
!7fh-wsHɉߣ_Ov1.ff$g<r;jjYF}8]1|ԼVʷ0F*ʤw5A"(	*noWFH-n\x?ݞFR2^cIm9]^E}3d5!!)ħ%ƀ.Lfo/
y 8wT׎N7yՉqīC̊>;^3q^i;vJ>C׃j@q7xE	1Eo2ZZ(Ǭx̓t}jFm\)6}>CRFtj+r"ςרWfCTԌk\Kʯf
M~
}W/Pislnܟ|A:}xv>|@<I&F|v_^ʯ7x]('xmȃ1W]_e5UM6}\&|`K.xUeqNE&^c!ꯢ
9WO*kߘ[BS$榯rOBŎWՎd\FOt
^H]
'{s<0j@~qߢs6,^a=W%h6>٘Y#C&igt,&Kr9:"s[s6K+ȇu