HP3000-L Archives

December 2006, Week 1

HP3000-L@RAVEN.UTC.EDU

Date: Mon, 4 Dec 2006 18:39:44 -0500
On 12/1/06, Steve Cooper <[log in to unmask]> wrote:
> Tracy asks:
> > What if the Naval War College website had used an HP3000 ...
>
> Then, we would have had several virii for the HP 3000 we would be
> discussing today.  (Sometimes obscurity is a good thing.)
>
> Steve
>
> * To join/leave the list, search archives, change list settings, *
> * etc., please visit http://raven.utc.edu/archives/hp3000-l.html *

There was a time long, long ago, when SL.PUB.SYS contained a function
named ALT'CAP.  It was a very small, obscure, and undocumented
function.  But, if you happened to notice it using a script to scan
the SEGMENTER listing of SL.PUB.SYS, looking for routines/functions
that had PM and were UC, you might wonder, "Hmm, that looks
interesting."  Then, if you had my decompiler and knowledge of the
HP3000 machine instruction set, you would quickly know that it was a
function that swapped a 16-bit word with the executing program's
capability bits that called it.  From there, you could update your
session's user capabilities to gain PM at the MPE prompt.  If you are
still following me, you now know that you now have the "keys" to *any*
HP3000 system that you could get to an MPE prompt on with a PC, or a
bit longer on a dumb terminal connected to an HP3000 with an
accessible SPL compiler.  I figured this out after approximately a
year of HP3000 experience.

Now, I could go exploring in PM DEBUG.  Fun at first, but a bit time
consuming.  So, I scripted WRQ to copy an ALT'CAP wrapper program that
I wrote to a temporary file; execute the program; then run PM Debug to
turn on all my capabilities and operator commands (even the undefined
ones) in my JIT; change my JMAT entry to any user&account name
combination (valid or not) and change my session number to any number
that would fit, whether unique or already existing.  Better yet,
change some status bits in my JMAT entry and completely disappear!
And, just for fun, change my JMAT user&account name to simply "GOD",
and send some TELL messages!!  Heady fun for a young HP3000 hacker!
Add to this the ability to steal the console without a trace (no
console switch message) by directly going to the system table octal
location 1074 (IIRC) and putting in my terminal's LDEV.  Add that to
the PM DEBUG script, additional code that stealthily lowers the session
max to zero; strips all operator command access, and any PM, SM, or OP
capabilities from all other job/sessions in the JMAT; and you have a
mighty strong temptation for a young and obscure hacker to play HP3000
god.  I did correct my name and address in Interex's subscription
database one time, and lingered a bit longingly over my subscription
expiration field, but resisted temptation to do any harm.  I
eventually revealed the exploit to HP's system internals expert Tony
Engberg (sp?) in Mountain View, and he immediately contacted the
HP3000 Labs.  Still, I saw the ALT'CAP function in the next version of
MPE, and all HP3000s that I came in contact with over the next few
years had it.

I resisted the temptation to cause any harm, but were there any
obscure "black hats" out there that stole or compromised information
on HP3000s?  How do you know that there are not currently any back
doors to PM?  What safeguards do you have in place to ensure that you
do not have unauthorized modifications to code or data going on?  When
using PM and going through the system tables, there are no log records
of system or database modifications.  Think about that when designing
or reviewing your security practices.

For all the trouble and costs that "script kiddies" have caused, they
probably have saved very substantial losses due to corporate and
governmental espionage by spies that are going to try their best to
have their activities go unnoticed.  Think of all of the security
awareness that has been generated, and holes that have been plugged
that a professional spy could have used to get access to corporate or
governmental secrets, because no one was paying attention, due to the
opaqueness, complexity, and obscurity of computer operating systems.

If you hook any computer directly or indirectly up to the Internet (or
any other public connection), make sure that you have done a good job
at risk assessment.  You wouldn't rely on the standard lock on your
front door to protect an extremely valuable asset inside your house,
yet many people do that with a simple firewall and anti-virus program.
The Internet is a 10 lane freeway to your front door; very valuable
for the exchange of data and information, but also having nearly
invisible spies and impostors looking for an easy way to access the
assets you hold dear in your "house".  Make sure you have protection
equal to your risks.

"Security through Obscurity" -- Microsoft's traditional security plan,
and music to a hacker's ears!

-- Pete

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
