Whoa, blast from the past. Leave it to Linux users to want to maintain support for the VAX. I haven’t seen DECnet mentioned for forever and then it shows up in a remote exploit announcement of all places.

Despite the BUG_ON and comment suggesting these lengths have been validated, I don’t think this is actually the case – it looks like these fields are validated for outbound data, but I see no validation for inbound data (unless I’m mistaken, which is entirely possible). If this is the case, this can allow remote attackers to cause controllable heap corruption. I’d appreciate it if someone who knows this protocol better than I do took a look at this and implemented appropriate error handling if it needs it.

This just goes to show that today if you spend enough time randomly source auditing, fuzz testing, and reverse engineering it could turn into an exploit in the strangest of places…and if you root a system still connected to a VAX you are bound to find something interesting.

DEC VAX SOFTWARE MAINTENANCE [for the F-100 Engine on the F-15/F-16]
Solicitation Number: FA8126-11-Q-0171
Agency: Department of the Air Force
Office: Air Force Materiel Command
Location: Tinker OC-ALC – (Central Contracting)
[…]
Added: Apr 07, 2011 4:16 pm