Lex Luthor AND LOD/H Present:

    ADVANCED HACKING VAX'S VMS Part II

    This file explains in detail the more useful commands, the
notable differences between Version 4.0 and higher and the older
versions, and the new security features and add-on security
software available for VMS, along with ways around them.
                                   
  (C)    Written 01-JUN-85         
  By:  Legion of Doom/Hackers      

VAX/VMS BACKGROUND:
-------------------

   The VMS Operating System supports all VAX-11 series
computers.  The architectural limit is 8192 concurrent
processes; the real limit depends on the physical memory and
secondary storage available, and the practical limit for a large
scale system is in excess of 100 concurrent users.  The initial
license fee is $10,000, and when run on the VAX 8600 the fee is
$15,000.  There are an estimated 22,000 sites running VAX/VMS.


LOGGING IN:
-----------

   Username: LOD/H508
   Password:

   LOD/H Advanced Network Insecurity Research System

   VAX/VMS Version 4.2

   Last interactive login on Wednesday, 01-JUN-1985 10:20.11
   Last noninteractive login on Friday, 30-MAY-1985 15:38.27
   2 failures since last successful login
   You have 1 new mail message


   $

   All logins are performed by one of two methods, interactive
or noninteractive.  Interactive logins require the user to
answer the system's prompts for information.  Noninteractive
logins are performed entirely by the system without user
interaction.

   Types of logins are:

   1) Local:  This is executed by a user who is directly
      connected to the CPU.

   2) Dial-up:  Login using dial-up lines.

   3) Remote:  Remote logins are performed to a node over a
      network.

   4) Network:  Network logins are noninteractive as they are
      accomplished automatically when a user accesses files
      stored in a directory on another node or performs a
      network task on a remote node assuming they are both nodes
      on the same network.

   5) Batch:  A Batch login is another noninteractive automatic
      procedure performed when a batch process initiated by a
      user actually runs.

   6) Subprocess:  Subprocess logins are always noninteractive;
      they result from a user executing the process form of a
      command (such as SPAWN) or a system service.

   Other types are the Proxy login, a type of network login
permitting a user to access files across a network without
supplying a password for the remote account, and the Detached
process login, which the user can make either interactive or
noninteractive and which likewise results from a user executing
a process-creating command or a system service.


COMMON ACCOUNTS (PART II):
--------------------------

   Here are some more common accounts which may enable you to
gain access.  Note the difference between default and common
accounts: defaults are put in by the manufacturer, while common
accounts are ones that turn up on most computers or operating
systems of the same make because sites keep creating them.

   Username:    Password:
   ---------    ---------

   RJE          RJE
   HOST         HOST
   LINK         LINK
   INFO         INFO
   BACKUP       BACKUP
   NETWORK      NETWORK
   DECMAIL      DECMAIL
   HELPDESK     HELPDESK
   REPORT(S)    REPORT(S)

   As you have noticed, these rely on the user having chosen
their username as their password.  If none of these get you in,
you may want to try first names, social security numbers,
initials, etc.  Remember, all you have to do is get in; worry
about getting privileged later.

PASSWORD SECURITY:
------------------

   Passwords can be selected by the user or automatically
generated by the system.  User-selected passwords must meet a
minimum length, set per account in the UAF (/PWDMINIMUM), which
is meant to rule out short, easy-to-guess words.  Automatically
generated passwords offer the user a choice of random
pronounceable strings resembling English words.  Passwords have
a lifetime, set per account (/PWDLIFETIME) and commonly about
30 days, after which the user must change them, and they are
stored as one-way hashes rather than in the clear.


   A user password is required of the majority of users.  A
system password, set on a particular terminal line (a dial-up
port, say), is required before the user password when access to
that terminal is restricted.  For maximum security an account
may require two user passwords, a primary password
and successively a secondary password.  I have not encountered
this yet, but I thought I would just mention the capabilities of
the VMS security system.


INTERIOR BARRIERS:
------------------

   On some systems, after successfully logging on with the
username/password combination, the system may ask you for a
further dial-up, modem, remote, etc. password, it may dump you
into an application program, or it may give you a device not
found error.  In any case, this keeps you off the operating
system's command level.  What does this is the login command
procedure (the site-wide SYS$SYLOGIN or the account's own
LOGIN.COM), which runs after the password check and before you
get the '$' prompt.  A possible way around these barriers is to
hang up, call back, and hit control-C and/or control-Y
immediately after the initial logon sequence.  This interrupts
the command procedure before it can run the security program,
start the application program, or detect that there is no
device assigned to the user in question.  You may have to try
this a few times, since timing is crucial.  You will most likely
not be able to break out of the program itself once it is
running, because the procedure will have issued 'SET
NOCONTROL=Y', which inhibits the use of control-Y.  If the early
control-Y doesn't work either, then control-Y has been disabled
from the very start of your login, which is done by running
AUTHORIZE and setting the DISCTLY flag (and usually CAPTIVE as
well) on the account in the UAF.  But as usual, this is not
done, whether because the system manager is lazy, ignorant, or
needs the control character later in the logon session, and
thus you gain unauthorized access to the machine.


VERSION 4.2:
------------

   As you have seen, Version 4.2 was mentioned.  At the time of
this writing it is under testing, and not yet released, but DEC
kind of 'leaked' this information to LOD/H via their DECNET
(hehe).  Also, from the banner, you can deduce that 4.0 and
above keeps an extensive audit trail: the count of failures
since your last successful login shows that login failures are
recorded, and a security manager who reads the audit log will
see your guesses.  Thus, be careful when attacking VMS 4.0 and
up using trial and error techniques.


SECURITY FEATURES:
------------------

   Security for VMS is based on the reference monitor concept.
Under this concept the reference monitor is the central security
point for the following:

   1) Subjects:  users, processes, batch jobs.

   2) Objects:  files, programs, terminals, tapes, disks,
      mailboxes.

   3) Reference monitor database:  user authorization files,
      rights database, file protection, access control lists.

   4) Security audit.

   The reference monitor system mediates every attempt by a
subject to gain access to an object.

   The greatest advantage of VMS, from the hacker's point of
view, is its flexibility.  The system manager can choose to
implement or ignore a wide range of security features, and
fortunately for the hacker they all seem to ignore the important
ones.  It is possible to protect all, any or none of the files
created.  It is also possible to require general or restricted
passwords, or no passwords at all.  Access codes can be global
or limited.  The use log can be ignored, used only for record
keeping, or employed as a security control tool.  Finally, the
encryption system can be activated where needed, defaulting to
unencoded material for normal use.

   VAX/VMS has the following security features that are designed
to prevent unauthorized access or tampering:

   1) It provides a system of password controls and access
      levels that allow the security manager to open sections
      of the system only to those users with a particular
      requirement or legitimate interest.

   2) It keeps a careful log of all interactions so that
      questionable uses can be challenged and documented.

   3) It supports an encryption system that allows system
      management to create keys that are necessary for access
      to programs or databases.  The encryption system provides
      an additional level of security; however, the other
      security features are sufficient to deter most would-be
      intruders.  The encryption system supplied with the
      operating system package would probably not stop those few
      so motivated: its algorithm is not strong enough to be
      called unbreakable, although it would slow down or halt
      most potential abusers.

AUDIT TRAIL:
------------

   The security log feature, if monitored, and that's a big IF,
is a major disadvantage for the hacker.  Flag codes can alert an
operator to an ongoing hack; review can isolate users attempting
to exceed access restrictions.  The system can 'freeze' a
terminal if a breach is discovered, or if multiple wrong access
codes are attempted.  Of course, the log system functions
somewhat after the fact, and it is possible, though difficult,
to alter the security log.  A terminal can be designated as an
audit alarm console, and all auditable events are displayed on
that console as they happen.  Some events, such as certain login
failures and uses of privilege, are always auditable.  Other
events, such as successful or unsuccessful attempts to gain
access to sensitive files, can be selected by users or security
managers for auditing.  For example, the owner of a sensitive
file might create an ACL entry requesting that all accesses to
that file be audited; whether someone reviews that audit is
another story.


INTERNAL SECURITY:
------------------

   VAX/VMS determines access to objects by two protection
mechanisms used together: Access Control Lists (ACLs) and User
Identification Codes (UICs) with their protection codes, both
subject to the user's privileges.  Access Control Lists:  An
ACL uses identifiers to specify users.  There are three types:

   1) UIC identifiers depend on the user identification code
      that uniquely identifies each user on the system.

   2) General identifiers are defined by the security manager in
      the system rights database to identify groups of users on
      the system.

   3) System-defined identifiers describe certain types of users
      based on their use of the system.

   An ACL consists of one or more Access Control List Entries
(ACEs).  There are three types of these:

   1) Identifier ACE:  This controls the type of access allowed
      to a particular user or group of users.  Access types are:
      READ, WRITE, EXECUTE, DELETE, CONTROL, and NONE.

   2) Default protection ACE:  This defines the default
      protection for directory files only.

   3) Security alarm ACE:  Watch out for this one!  It provides
      an alarm message when an object is accessed.  This will
      alert managers to possible security threats (YOU!).
      Alarms may be generated when an unauthorized user performs
      the following access types:  READ, WRITE, EXECUTE, DELETE,
      or CONTROL.  Alarms may be issued for the SUCCESS or
      FAILURE of these attempts, or both.

   User Identification Codes:  As stated in part I, each user
has a UIC.  Each system object also has an associated UIC,
defined to be the UIC of its owner, and a protection code that
defines who is allowed what type of access.  Also mentioned in
part I were the four categories of users in the protection
code:  System, Owner, Group, and World.  For each category the
protection code grants or denies read, write, execute, or delete
access to the object, and the category you fall into depends on
how your UIC compares with the owner's (and on privileges such
as SYSPRV, which puts you in the System category).  When you log
in, the identifiers held for you in the rights database are
copied into a rights list that is part of your process.  The
rights list, together with your UIC, is the structure that VMS
uses to perform all protection checks.


GENERAL SYSTEM COMMANDS:
------------------------

   DEC-net was briefly mentioned in part I, but I have noticed
that this is more important than I had originally anticipated,
especially after I checked a system which had 100+ nodes on the
network, all of which I proceeded to break into.  Anyway, the
procedure is:

   $ SHOW NETWORK

   Node         Links   Cost  Hops  Line

   1   LEGION     0      61     6  DMC-5
   2   ARCHER     0      11     1  DMC-5
   3   DOCWHO     0      18     2  DMC-5
   4   BLOTTO     0      20     3  DMC-5
   5   PLOVER     0      15     3  DMC-5

   Total of 5 nodes.

   $ SET HOST ARCHER

   You will get one of two responses when connecting to a node
on a network:

   Username:
   ctrl-Y
   ctrl-Y

   Are you repeating ctrl-Y to abort the remote session on node
ARCHER? Y

   %REM-S-END, control returned to node ACIRS::

   or

   %REM-F-NETERR, DECnet channel error on remote terminal link
   %SYSTEM-F-UNREACHABLE, remote node is not currently reachable.

   In the first instance, I merely hit two control-Y's to abort
the login; the second meant that either the system is not
operating or that there is no node by that name.

DIRECTORIES:
------------

   Instead of using wildcards for getting a directory listing, try:

   $ dir <000000...>

   Directory SYS$SYSDEVICE:<000000>

   000000.DIR;1            AMMONS.DIR;1
   NEWS.DIR;1              RJE.DIR;1
   SECURITY.DIR;1          TEST.DIR;1

   Total of 6 files.

   Directory SYS$SYSDEVICE:<AMMONS>

   *INTERRUPT*

   $

   This is a more effective way of listing ALL the directories
on the system.  The first directory you see is the master file
directory <000000>, which lists most/every other top-level
directory on the system, though not their subdirectories.  The
difference between this and DIR <*.*> is that <000000...>
descends into every directory from the top, so it lists more
directories/files than <*.*> does.  Usually the directory name
is the same as the username, so even from a non-privileged
account you can obtain more usernames to try passwords on.  As
you noticed, *INTERRUPT* appeared and the dollar sign prompt
returned; this was because of hitting control-Y.  One neat thing
with 4.0 and above is that if you hit a control-C in the middle
of a long directory or file listing, it will simply say
*CANCEL*, pause for a second, and skip to the next directory.
It will not pause when going on to the next file, though.  As
you know, older versions simply give you the '$' prompt, so if
you wanted to look at something in the 15th directory, you would
have to wait for all the directories before it to list before
seeing the contents of the 15th.  Now, you can hit control-C to
*CANCEL* long directories and view the desired information
sooner, not later.
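   The following is an added example, not part of the original
LOD/H file, that does what the COMMON ACCOUNTS section and the
paragraph above describe by hand: it pulls candidate usernames
out of a captured DIR <000000...> listing (on the assumption,
stated above, that top-level directory names are usernames) and
builds the username-as-password trial list, capped per account
because 4.0 and up records every failure.  The listing, the
per_account_limit value and the owners dictionary are constructed
for the example; in practice owner names would come from a
readable SYSUAF.LIS Owner field, if you can find one.

```python
"""Turn a DIR <000000...> listing into candidate usernames and a bounded
guess plan.  Constructed example for this text, not LOD/H or DEC code."""
from __future__ import annotations
import re

# Constructed listing, modelled on the DIR <000000...> output shown above.
SAMPLE_LISTING = """\
Directory SYS$SYSDEVICE:<000000>

000000.DIR;1            AMMONS.DIR;1
NEWS.DIR;1              RJE.DIR;1
SECURITY.DIR;1          TEST.DIR;1
SYSEXE.DIR;1            HELPDESK.DIR;1

Total of 8 files.

Directory SYS$SYSDEVICE:<AMMONS>

INTRO.TXT;5             LOGIN.COM;3
"""

# Only .DIR files in the master file directory <000000> name accounts.
DIR_RE = re.compile(r"\b([A-Z0-9$_]+)\.DIR;\d+", re.IGNORECASE)
# System directories that are never login accounts (assumed list).
NOT_ACCOUNTS = {"000000", "SYS0", "SYSEXE", "SYSMGR", "SYSLIB", "SYSHLP",
                "SYSMSG", "SYSUPD", "SYSERR", "SYSTEST"}

def usernames_from_listing(listing: str) -> list[str]:
    """Extract candidate usernames from the <000000> part of a listing."""
    names: list[str] = []
    in_mfd = False
    for line in listing.splitlines():
        if line.startswith("Directory "):
            tail = line.rstrip()
            in_mfd = tail.endswith("<000000>") or tail.endswith("[000000]")
            continue
        if not in_mfd:
            continue
        for name in DIR_RE.findall(line):
            name = name.upper()
            if name not in NOT_ACCOUNTS and name not in names:
                names.append(name)
    return names

def password_candidates(username: str, owner_name: str = "") -> list[str]:
    """Candidates in the order the text suggests: the username itself, then
    the first name and the initials from the Owner field if one is known."""
    cands = [username.upper()]
    parts = owner_name.split()
    if parts:
        cands.append(parts[0].upper())                        # first name
        cands.append("".join(p[0] for p in parts).upper())    # initials
    out: list[str] = []
    for c in cands:            # VMS passwords are case-insensitive: de-dup
        if c and c not in out:
            out.append(c)
    return out

def plan_guesses(listing: str, owners: dict[str, str] | None = None,
                 per_account_limit: int = 2) -> list[tuple[str, str]]:
    """(username, password) pairs, at most per_account_limit per account, so
    no one account piles up the failures that the audit trail counts or that
    a three-strikes product such as ALSP locks on."""
    owners = owners or {}
    plan: list[tuple[str, str]] = []
    for user in usernames_from_listing(listing):
        cands = password_candidates(user, owners.get(user, ""))
        for pw in cands[:per_account_limit]:
            plan.append((user, pw))
    return plan

if __name__ == "__main__":
    for user, pw in plan_guesses(SAMPLE_LISTING, {"AMMONS": "John Q Ammons"}):
        print(f"{user:<10} {pw}")
```

   The cap is the point: with the failure count printed at every
login and the audit log behind it, two quiet guesses per account
across many accounts draw less attention than twenty against one.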


   To see more detailed information about the files in your
directory:

   $ DIR /FULL

   Directory SYS$SYSDEVICE:<AMMONS>

   INTRO.TXT;5                    FILEID: (929,23,0)
   Size:        2/3               Owner:<AMMONS>
   Created:  25-MAY-1985 12:38    Revised: 2-MAY-1985 12:38 (2)
   Expires:  <none specified>     Backup: <no backup done>
   File organization:   Sequential
   File attributes:     Allocation: 3, Extend: 0,
   Global buffer count: 0
                        Version limit: 3
   Record format:       Variable length, maximum 74 bytes
   Record attributes:   Carriage return carriage control
   File protection:     System:RWED, Owner:RWED, Group:, World:,
   Access Control List  None

   The important information is the file protection and whether
there is an ACL on the file.  In this example Group: and World:
are empty, so only the owner (AMMONS) and users in the system
category, or those holding a privilege such as BYPASS or
READALL, can read it; an ACL, if present, can widen or narrow
that.  The /FULL qualifier prints this information for each file
within the directory in turn.
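   To make the protection code and ACL rules from INTERNAL
SECURITY concrete against output like the DIR /FULL above, here
is an added worked model of the access check.  It is constructed
for this text, not DEC's code, and it simplifies: MAXSYSGROUP is
taken at its documented default (octal 10), UICs for AMMONS and
the other subjects are assumed since DIR /FULL prints the owner
symbolically, and a matching identifier ACE that withholds an
access type is modelled as leaving only the System and Owner
fields of the protection code able to grant it.

```python
"""Model of the VAX/VMS V4 object access check: UIC-based protection
(System/Owner/Group/World, each RWED) plus identifier ACEs, with the
privileges that override it.  Added, constructed example; not DEC code."""
from __future__ import annotations
from dataclasses import dataclass, field

MAXSYSGROUP = 0o10   # SYSGEN parameter (assumed default): groups <= this are "system"

def parse_uic(text: str) -> tuple[int, int]:
    """Parse a UIC as VMS prints it, '<001,004>' or '[1,4]'; numbers are octal."""
    group, member = text.strip().strip("<>[]").split(",")
    return int(group, 8), int(member, 8)

def parse_protection(text: str) -> dict[str, set[str]]:
    """Parse 'System:RWED, Owner:RWED, Group:, World:' as DIR /FULL prints it."""
    prot = {name: set() for name in ("SYSTEM", "OWNER", "GROUP", "WORLD")}
    for item in text.split(","):
        name, _, bits = item.strip().partition(":")
        if name:
            prot[name.strip().upper()] = set(bits.strip().upper())
    return prot

@dataclass
class Subject:
    uic: tuple[int, int]
    privs: set[str] = field(default_factory=set)        # e.g. {"SYSPRV"}
    identifiers: set[str] = field(default_factory=set)  # process rights list

@dataclass
class ProtectedObject:
    owner: tuple[int, int]
    protection: dict[str, set[str]]
    acl: list[tuple[str, set[str]]] = field(default_factory=list)  # identifier ACEs, in order

def uic_categories(subj: Subject, obj: ProtectedObject) -> set[str]:
    """Which protection-code fields apply to this subject for this object."""
    cats = {"WORLD"}
    if subj.uic[0] == obj.owner[0]:
        cats.add("GROUP")
    if subj.uic == obj.owner:
        cats.add("OWNER")
    if subj.uic[0] <= MAXSYSGROUP or "SYSPRV" in subj.privs:
        cats.add("SYSTEM")
    return cats

def check_access(subj: Subject, obj: ProtectedObject, access: str) -> bool:
    """True if subj may perform access ('R', 'W', 'E' or 'D') on obj."""
    access = access.upper()
    if "BYPASS" in subj.privs:                  # bypasses every check
        return True
    if access == "R" and "READALL" in subj.privs:
        return True
    cats = uic_categories(subj, obj)
    for ident, bits in obj.acl:                 # first matching ACE decides
        if ident in subj.identifiers:
            if access in bits:
                return True
            cats &= {"SYSTEM", "OWNER"}         # withheld: group/world cannot help
            break
    return any(access in obj.protection[c] for c in cats)

# INTRO.TXT from the DIR /FULL output above; owner UIC [200,1] is assumed.
INTRO_TXT = ProtectedObject(
    owner=parse_uic("[200,1]"),
    protection=parse_protection("System:RWED, Owner:RWED, Group:, World:"))

if __name__ == "__main__":
    for label, subj in [("AMMONS", Subject(parse_uic("[200,1]"))),
                        ("ACIRS508", Subject(parse_uic("[300,5]"))),
                        ("SYSTEM", Subject(parse_uic("<001,004>")))]:
        print(label, "".join(a for a in "RWED" if check_access(subj, INTRO_TXT, a)) or "-")
```

   The low-privilege account from the text ends up with nothing on
INTRO.TXT because both Group: and World: are empty; the same
account with READALL reads it, and with BYPASS does anything to
it, which is why those two privileges are the ones to look for
in a UAF listing.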

DEVICES:
--------

   On occasion, when you execute a directory search, you will
not find much.  This is because your default device is not the
one most of the other users' directories are on.  To change your
default device (and directory):

   $ SET DEFAULT DEVICENAME:

   Make sure you put the colon after the name; SET DEFAULT
DEVICENAME:<000000> puts you in that device's master directory,
ready for DIR <000000...>.  If you do not know what device to
switch to, type:

   $ SHOW DEVICES

   This gives you a list of the devices on the system, including
the mounted disks, which are the ones worth switching to.


FILE EXTENSIONS:
----------------

   The following file extensions should be used in conjunction
with wildcards or <000000...> for viewing all files with that
extension:

   .MEM    memo file:      These often contain inter-office memos.
                           TYPE this file.
   .JOU    journal file:   Created by the editor while a file is
   .JNL                    being edited, and left behind if the
                           session was interrupted.  May contain
                           interesting info.  Use TYPE.
   .TMP    temporary file: This is a temporary image of a file.
                           TYPE this file.
   .LIS    list file:      Listing file, use same procedure
                           as stated above.

   ie:

   $ TYPE <000000...>*.MEM;*


AUTHORIZE AND THE UAF:
----------------------

   In part I, it was mentioned that the file AUTHORIZE.EXE;1
could be found in the <SYSEXE> directory.  It almost always is,
but on occasion you will find it in the <SYS0.SYSEXE> or
<000000.SYSEXE> directories instead.  If you are non-privileged,
you may wish to see if you can access those directories and TYPE
out the file SYSUAF.LIS, which AUTHORIZE's LIST command writes
into whatever directory the manager ran it from, and which holds
the same information as its SHOW * /FULL command.  (SYSUAF.DAT
itself is normally not world-readable; a left-over SYSUAF.LIS is
the easier target.)  When executing that command or viewing that
file, the output should look like:

   Username:  SYSTEM         Owner:  SYSTEM MANAGER
   Account:   SYSTEM         UIC:    <001,004>
   CLI:       DCL            LGICMD:
   Default Device: SYS$ROOT:
   Default Directory: <SYSMGR>
   Login Flags:
   Primary days:   Mon Tue Wed Thu Fri
   Secondary days:                     Sat Sun
   No hourly restrictions

   PRIO:     4      BYTLM:   20480      BIOLM:          12
   PRCLM:   10      PBYTLM:      0      DIOLM:          12
   ASTLM:   20      WSDEFAULT: 150      FILLM:          20
   ENQLM:   20      WSQUOTA:   350      SHRFILLM:        0
   TQELM:   20      WSEXTENT: 1024      CPU:      no limit
   MAXJOBS:  0      MAXACCTJOBS: 0      PGFLQUOTA:  200000

   Privileges:

   CMKRNL CMEXEC SYSNAM GRPNAM ALLSPOOL DETACH DIAGNOSE LOG-IO
   GROUP ACNT PRMCEB PRMMBX PSWAPM ALTPRI SETPRV TMPMBX WORLD OPER
   EXQUOTA NETMBX VOLPRO PHY-IO BUGCHK PRMGBL SYSGBL MOUNT  PFNMAP
   SHMEM SYSPRV SYSCLK GROUP BYPASS

   UAF>

   The privileges listed at the end are in abbreviated form;
the important ones as far as security goes are:

   ACNT:     May suppress accounting message.
   OPER:     Operator privilege.
   GROUP:    May affect other processes in the same group.
   WORLD:    May affect other processes in the world.
   SHMEM:    May create/delete objects in shared memory.
   ALTPRI:   May set any priority level.
   BYPASS:   May bypass UIC checking.
   SETPRV:   May set any privilege bit.
   SYSLCK:   May lock system wide resources.
   SYSPRV:   May access objects via system protection.
   VOLPRO:   May override volume protection.
   READALL:  May read anything as the owner.
   SECURITY: May perform security functions.


   To see what privileges you have, type:

   $ SHOW PROCESS /PRIVILEGES


   01-JUN-1985  15:50:56.31    RTA1:User: ACIRS508

   Process privileges:

   LOG-IO   May do logical I/O.
   PHY-IO   May do physical I/O.
   TMPMBX   May create temporary mailbox.

   Process rights identifiers:
   INTERACTIVE
   REMOTE

   $

   The privileges listed here are the ones usually found on
low-access accounts.  If you have the SETPRV privilege, you can
give yourself all privileges (as stated in part I) by:

   $ SET PROCESS /PRIVS=ALL

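   Reading a SYSUAF.LIS by eye for the privileges that matter is
slow on a system with hundreds of accounts, so here is an added
example that parses the record format shown above and flags the
accounts holding an all-powerful privilege.  It is this editor's
code, not DEC's or LOD/H's: the listing is constructed from the
format above (with an extra HELPDESK record carrying SETPRV), and
the set of privileges treated as all-powerful is a choice, the
text's list plus CMKRNL and CMEXEC, which let a process run in
kernel or executive mode and so take anything it wants.

```python
"""Parse a SYSUAF.LIS / AUTHORIZE SHOW */FULL style listing and flag the
accounts whose privileges amount to owning the machine.  Added, constructed
example for this text; not DEC or LOD/H code."""
from __future__ import annotations
import re

# Any one of these is enough to reach every object or every other privilege.
ALL_POWERFUL = {"SETPRV", "BYPASS", "CMKRNL", "CMEXEC", "SYSPRV", "READALL", "SECURITY"}

# Constructed listing in the format shown above.
SAMPLE_SYSUAF = """\
Username:  SYSTEM         Owner:  SYSTEM MANAGER
Account:   SYSTEM         UIC:    <001,004>
CLI:       DCL            LGICMD:
Default Device: SYS$ROOT:
Default Directory: <SYSMGR>
Login Flags:

Privileges:

CMKRNL CMEXEC SYSNAM GRPNAM ALLSPOOL DETACH DIAGNOSE LOG-IO
GROUP ACNT PRMCEB PRMMBX PSWAPM ALTPRI SETPRV TMPMBX WORLD OPER
SYSPRV BYPASS

Username:  AMMONS         Owner:  J. Q. AMMONS
Account:   USERS          UIC:    <200,001>
CLI:       DCL            LGICMD: LOGIN
Login Flags:

Privileges:

TMPMBX NETMBX

Username:  HELPDESK       Owner:  HELP DESK
Account:   SUPPORT        UIC:    <300,005>
CLI:       DCL            LGICMD: HELPDESK
Login Flags: DISCTLY
Privileges:

TMPMBX NETMBX OPER SETPRV

UAF>
"""

USERNAME_RE = re.compile(r"^Username:\s+(\S+)\s+Owner:\s*(.*)$")
UIC_RE = re.compile(r"UIC:\s*([<\[][0-7]+,[0-7]+[>\]])")
PRIV_TOKEN_RE = re.compile(r"^[A-Z][A-Z0-9_-]*$")   # e.g. CMKRNL, LOG-IO

def parse_uaf(listing: str) -> dict[str, dict]:
    """Return {username: {'owner', 'uic', 'flags', 'privs'}} for each record."""
    records: dict[str, dict] = {}
    current = None
    in_privs = False
    for raw in listing.splitlines():
        line = raw.strip()
        m = USERNAME_RE.match(line)
        if m:                                   # a new record starts
            current = {"owner": m.group(2).strip(), "uic": None,
                       "flags": [], "privs": set()}
            records[m.group(1).upper()] = current
            in_privs = False
            continue
        if current is None:
            continue
        if line.startswith("Privileges:"):
            in_privs = True
            continue
        if in_privs:
            toks = line.split()
            if toks and all(PRIV_TOKEN_RE.match(t) for t in toks):
                current["privs"].update(toks)
            elif toks:                          # "UAF>" or other text ends the block
                in_privs = False
            continue
        m = UIC_RE.search(line)
        if m:
            current["uic"] = m.group(1)
        elif line.startswith("Login Flags:"):
            current["flags"] = line.split(":", 1)[1].split()
    return records

def dangerous_accounts(records: dict[str, dict]) -> dict[str, set[str]]:
    """Accounts holding any all-powerful privilege, with the ones responsible."""
    return {user: rec["privs"] & ALL_POWERFUL
            for user, rec in records.items() if rec["privs"] & ALL_POWERFUL}

if __name__ == "__main__":
    for user, privs in dangerous_accounts(parse_uaf(SAMPLE_SYSUAF)).items():
        print(f"{user:<12} {' '.join(sorted(privs))}")
```

   Run against a real SYSUAF.LIS this answers both sides' question:
the attacker learns which accounts are worth a password guess
(HELPDESK with SETPRV is as good as SYSTEM), and the manager
learns which accounts should never have had that privilege.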

SECURITY DEVICES AND SOFTWARE:
------------------------------

   There are a number of additional security products available
for VMS.  Some of which are:

   Name:  ALSP (Applications Level Security Package)
   Manufacturer:  Integrated Systems Inc.
   Location:  New Jersey.
   Phone:  (201) 884-0892.
   Cost:  $650.00
   Description:

   ALSP protects system and resource access by restricting users
commands of applications to authorized users.  On menu driven
applications, ALSP provides further security by checking menu
selections against those authorized for a user.  Security
violations cause LOGOUT and after three unsuccessful access
attempts at logon, the user must be reinstated by the system
manager.   ALSP also generates a message to the system operator
when unauthorized users try to access secured data.


   Name:  DIALBACK and AUDIT
   Manufacturer:  Clyde Digital Systems Inc.
   Location:  Provo, Utah
   Phone:  1-800-832-3238.
   Cost:  $980.00 and $2500.00 respectively.
   Description:

   DIALBACK protects the system by not allowing any dial-in
users to make direct contact.  It stops them before they can
even attempt to log onto the system and requires them to
identify themselves. If a user fails to enter a valid DIALBACK
ID, DIALBACK will disconnect the line.  As soon as DIALBACK
recognizes the ID code, it checks a list of authorized users and
their phone numbers, hangs up, and calls back the number listed.

   AUDIT is a sophisticated software security and documentation
tool. It allows you to create a complete audit trail of the
activities of any terminal on the system.


   Name:  Data Encryption System (DES) Version II and
          Menu/Authorization Processor System (M/APS) Version I.
   Manufacturer:  McHugh, Freeman & Associates, Inc.
   Location:  Elm Grove, Wisconsin
   Phone:  (414) 784 8250.
   Cost:  $1,250.00 and $995.00 respectively.
   Description:

   DES runs as a stand-alone program (ENCRPT) which allows
single or double encryption of system files.  DES encrypts
source, data and task image (binary relocatable) files.

   M/APS provides secured menu access to system applications for
authorized users with security displays, and audit trails of
movements through the M/APS.  Users once captured by the menu
cannot escape to the system monitor level.


CONCLUSION:
-----------

   If all or most security features of VMS were implemented, the
system would be one of the most secure around, even more secure
than IBM.  IBM operating systems such as VM/CMS, MVS/TSO, DOS,
CICS, etc. are insecure without the use of additional software
security packages such as ACF2, RACF, TOP SECRET, etc., which
cost from $20,000 to $30,000!  DEC didn't do a bad job, since
the cost of the operating system itself is half that of those
packages.  But where computers are concerned, it's the people
who are the main factor.  Until they realize that hackers can be
a real threat, they will continue to leave their systems open to
unauthorized access.

ACKNOWLEDGEMENTS:
-----------------

   The Blue Archer

