HPE Community
Operating System - OpenVMS
1822525 Members
2613 Online
109642 Solutions
New Discussion юеВ

Re: OpenVMS / Buffer Overflow

 
SOLVED
Go to solution
Mahmoud_1
Frequent Advisor

тАО03-17-2006 06:16 PM

тАО03-17-2006 06:16 PM

OpenVMS / Buffer Overflow

Dear All,
One of my customers sent me this question:
In UNIX systems there are a known problem (Buffer Overflow) which is any one can access the system with username ROOT by typing extra letters or commands after root while issuing the username so he can login to the system without password (Buffer Overflow).
So he wants to know if this problem exist in OpenVMS (The secure operating system)
Its urgent for this customer.
Regards
0 Kudos
Reply
4 REPLIES 4
Jan van den Ende
Honored Contributor

тАО03-17-2006 07:25 PM

тАО03-17-2006 07:25 PM

Re: OpenVMS / Buffer Overflow

Mahmoud,

the short answer: NO that does not exist.

If you still do need a longer answer, which would include the technical explanation WHY that CANNOT exist in VMS, then please tell us tou want that as well.

hth.

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Reply
Mahmoud_1
Frequent Advisor

тАО03-17-2006 07:47 PM

тАО03-17-2006 07:47 PM

Re: OpenVMS / Buffer Overflow

Dear Sir.
Thanks for quick answer, and if possible let me know the long answer, Because my customer want details about this issue.
Best Regards
0 Kudos
Reply
Jan van den Ende
Honored Contributor

тАО03-17-2006 09:15 PM

тАО03-17-2006 09:15 PM

Solution

Re: OpenVMS / Buffer Overflow

Mahmoud,

since you specifically mention the comparison with Unix, I looked up a discussion about that.

You can find the whole discussion on

http://groups.google.com/group/comp.os.vms/browse_frm/thread/e966d70b45d82085/69223e108e9909ad?q=keith+cayemberg+%26+design&rnum=1#69223e108e9909ad

but I took out the relevant part and appended that.

You will note that this particular text is written by an _IBM_ engeneer, so it should be considered to carry some more weight than if it were by "just another VMS" proponent.

(Keith: I know you will not grudge me quoting you. Thanks anyway)

hth.

Proost.

Have one on me.

jpe

Proost.


Don't rust yours pelled jacker to fine doll missed aches.
Reply
Hein van den Heuvel
Honored Contributor

тАО03-18-2006 01:30 AM

тАО03-18-2006 01:30 AM

Re: OpenVMS / Buffer Overflow



>>> In UNIX systems there are a known problem (Buffer Overflow) which is any one can access the system with username ROOT by typing extra letters or commands after root while issuing the username so he can login to the system without password (Buffer Overflow).

I seriously question that statement.
It looks like someone heard some security things some where at some times and pasted them all together into an English sounding sentence, but it is total nonsense IMHO.

I urge you to validate the statement before going on a wild goose chase.

I do not believe for one moment that there is a sinlge, more or less up to date, Unix implementation where you can still become root by just typing a bad username.
- Sure this may have happened to _some_ Unix at _some_ point in the past ( more than 10 year back?)
- not all Unixes are created equal(ly bad).
- Sure, buffer overflow can and have happened in Unix implementations leading to security risks... But even more so on Windows and also on VMS but much less so (and then notably in the Unixy components like web and tcp tools :-)
- Those Overflow problems tend to be MUCH more contrived than just typing in a funky username.

I'm with Jan that such problems are much less likely to happen under VMS due to the codign pratices deployed by VMS engineering, and application engineers alike:
- string descriptors
- multiple security levels
- extensive runtime library packages
- object protection (acl)
- open-nes: no "security though obscurity"
- QIO/RMS IO buffers layers

Good luck!
Hein.
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.