

I have a strong interest in computer security. I have studied in particular the security of the WASD web server for OpenVMS, and found multiple vulnerabilities, including a possible remote SYSTEM (root) compromise. Details are in the security advisory published on the Bugtraq mailing list. The vulnerabilities have been assigned Bugtraq id 5811 and SecurityTracker ID 1005301.

John the Ripper is an excellent password cracker. I have written a patch for John the Ripper 1.6.32 to allow cracking OpenVMS (VAX and Alpha) passwords. This tool is designed for system administrators to detect users who select weak, easily guessable passwords.

The asm version cracks about 200,000 passwords per second on a 1 GHz x86 system. Password cracking is much easier on OpenVMS than on other systems since passwords are not case-sensitive and are limited to alphanumeric characters, '$' and '_' only. For this reason, HP suggests using better external authentication schemes instead of the native OpenVMS scheme. OpenVMS 7.3-2 will use case-sensitive passwords according to the roadmap.

Here is some documentation on this VMS patch. You can check the PGP signature of the patch using my public key. VMS executables are available. You may also enjoy the thread that my announcement generated on comp.os.vms, and in particular my reply. In a subsequent thread Carl Karcher writes: "John the Ripper is definitely an eye opening tool and lets you know what you're up against. It's certainly going to make me rethink our password length policy."
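To put numbers on the "password length policy" question, here is an added worked example (not part of the original page or of the John the Ripper patch). It computes the size of the native OpenVMS password space for a given length, the worst-case time to exhaust it at the 200,000 guesses per second quoted above, and the minimum length needed to push an exhaustive search past a chosen time budget. The only assumptions are the alphabet (26 letters, 10 digits, '$' and '_', case folded) and the guess rate taken from this page; a 95-symbol printable-ASCII alphabet is included only for comparison with case-sensitive systems.

```python
import string

# Native OpenVMS password alphabet: letters are case-folded, so 26 + 10 + 2 = 38 symbols.
VMS_CHARS = string.ascii_uppercase + string.digits + "$_"
VMS_ALPHABET = len(VMS_CHARS)            # 38
PRINTABLE_ASCII_ALPHABET = 95            # space .. '~', case-sensitive (comparison only)
VMS_CRACK_RATE = 200_000                 # guesses/s: asm patch on a 1 GHz x86, as quoted on this page


def normalize(password: str) -> str:
    """Fold case the way OpenVMS does before hashing; raise on characters the
    native scheme does not accept, so policy checks see the same space the cracker sees."""
    folded = password.upper()
    bad = set(folded) - set(VMS_CHARS)
    if bad:
        raise ValueError(f"characters not allowed in a native OpenVMS password: {sorted(bad)}")
    return folded


def keyspace(length: int, alphabet: int = VMS_ALPHABET) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet ** length


def worst_case_seconds(length: int, rate: int = VMS_CRACK_RATE,
                       alphabet: int = VMS_ALPHABET) -> float:
    """Time to try every password of `length` symbols at `rate` guesses per second."""
    return keyspace(length, alphabet) / rate


def min_length_for(target_seconds: float, rate: int = VMS_CRACK_RATE,
                   alphabet: int = VMS_ALPHABET) -> int:
    """Smallest length whose full keyspace takes at least `target_seconds` to exhaust."""
    length = 1
    while worst_case_seconds(length, rate, alphabet) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    year = 365 * 86400
    for n in range(6, 13):
        vms = worst_case_seconds(n)
        ascii_ = worst_case_seconds(n, alphabet=PRINTABLE_ASCII_ALPHABET)
        print(f"len {n:2d}: OpenVMS {vms / 86400:12.1f} days   95-char set {ascii_ / 86400:16.1f} days")
    print("minimum length for >1 year exhaustive search on OpenVMS:", min_length_for(year))
    # "Secret_1" and "SECRET_1" are the same password to OpenVMS:
    print(normalize("Secret_1") == normalize("SECRET_1"))
```

Note that the exhaustive-search figure is an upper bound; a dictionary or rule-based run in John the Ripper finds the weak passwords the page talks about in a tiny fraction of that time, which is why the tool is useful to administrators even against long passwords.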

While looking at OpenVMS, I have independently rediscovered a weakness, found later to be already documented in Phrack. Even if the access rights of the file rightslist.dat do not allow reading, it is possible to get the list of all users with a simple program (source, Alpha exe). I found a simpler way using a standard OpenVMS tool:

  $ define sysuaf myuaf.dat                 ! point SYSUAF at a file you own, so AUTHORIZE does not need the real one
  $ mcr authorize show /identifier/full *   ! list every identifier in the rights database

Answer yes when asked if you want to create a new sysuaf.dat. The "define" line is not necessary on the VAX, where the logical name sysuaf is not defined by default. I have contacted HP and they do not consider this a security issue. I agree that user names can often be obtained by other means. Yet it is a bit inconsistent to remove read access to rightslist.dat but allow access anyway through the $IDTOASC system service. The solution recommended by HP is to manually set the NAME_HIDDEN attribute on all identifiers.

Note also that the OpenVMS Guide to System Security recommends in section 7.3.4: "Do not leave listings of user names where they can be read or stolen because they can be used as a basis for system attack. (If you do need listing files, use ACLs to limit access only to selected individuals.)" The ACLs don't prevent usage of the $IDTOASC system service. Nevertheless, the OpenVMS Guide to System Security is still excellent reading in general and its recommendations are too often ignored.

On my home computer, I use the netfilter/iptables firewall, the logwatch log analysis system, and the snort intrusion detection system. The security events are stored in a MySQL database by snort and logsnorter, and checked with the ACID analysis tool. The integrity of the system is checked with tripwire and chkrootkit.

My compression code is used in many security programs, in particular ssh, pgp and gpg. My public PGP/GPG key is here.
Fingerprint: E3EC F4DF 7EDB E724 A3EC FBC2 D9A2 7D25 0196 71A7
