Cryptolocker (was RE: Is tape dead?)

Chuck Guzis cclist at sydex.com
Wed Sep 16 14:19:36 CDT 2015


On 09/16/2015 11:29 AM, Paul Koning wrote:

> I never had any incentive to look for holes in CDC operating systems,
> but I still remember a simple hole I found in OS/360, about a month
> after I first wrote a program for that OS.  It allowed anyone to run
> supervisor mode code with a couple dozen lines of assembler source
> code. I found it on OS/PCP 19.6, but I noticed in graduate school
> that it still worked on the university's 370 running OS/MVS 21.7.
>
> (The magic?  Use the OS service to give a symbolic name to a location
> in your code, with a well chosen name, then give that name as the
> name of the "start I/O appendage" in an EXCP style I/O request.)

I recall going through a dump of a 360/40 running DOS and digging out 
the names of the various transient phases.  Lots of interesting stuff 
there--and DOS did nothing to verify that a phase could be invoked only 
internally.

At CDC a couple of us were dealing with a SCOPE 3.1.6 or 3.2 version (I 
don't recall which) and decided to see what would happen if one combined 
the RPV PP call (job reprieve) with the RSJ (reschedule job) call. 
What happened was what you'd expect to happen--said job would keep 
spawning copies of itself--and like the sorcerer's apprentice, spawned 
another new copy when the operator tried to kill the job.  The simple 
way to kill the thing was to deadstart--there may have been others, but 
the input queue filled up pretty quickly.

We tried this out on dedicated block time and were delighted with its 
operation.  Some idiot in CPD tried it on COMSOURCE time and was told in 
no uncertain words that severe disciplinary action would be taken should 
he try that one again.

SCOPE 3.4 introduced the "Read List String" CIO call, which was intended 
for use by the loader.  The idea being that you presented 1SP with a 
list of disk addresses to read into a single buffer to build the 
executable.  Someone, noticing that this was a linked list, decided to 
see what would happen if the list looped back on itself.  Of course, the 
obvious *did* happen with 1SP so distracted that no other disk request 
would be honored, including PP overlays.

That reminded me of the S/360 trick of using chained CCWs to ring the 
bell on the 1052 endlessly.

Fun times.

--Chuck
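The "Read List String" story above is a classic case of a privileged service trusting a caller-supplied chain: a looped list of disk addresses keeps the PP busy forever and starves every other disk request. The defensive fix is to validate the chain before servicing any of it. The following is an added example, not code from the post or from any CDC or IBM system; the entry layout (a disk address plus a next-index, with a sentinel terminator) is a hypothetical model, and the same check applies to any chained request list, including the chained-CCW case mentioned at the end.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one read-list entry: a disk address and the index
 * of the next entry in the same table.  NEXT_END terminates the chain.
 * This is a hypothetical layout, not the real SCOPE data structure. */
#define NEXT_END  (-1)
#define MAX_CHAIN 64          /* hard upper bound on entries per request */

typedef struct {
    uint32_t disk_addr;
    int      next;            /* index into the same table, or NEXT_END */
} ReadEntry;

/* Walk the chain from head before servicing it.  Returns the entry count
 * on success, -1 for a link outside the table, -2 for a cycle, -3 if the
 * chain exceeds MAX_CHAIN.  Uses Floyd's tortoise-and-hare so no extra
 * memory is needed; the length cap is a second, independent guard. */
int validate_chain(const ReadEntry *tbl, int n, int head)
{
    int slow = head, fast = head, count = 0;
    while (fast != NEXT_END) {
        if (fast < 0 || fast >= n) return -1;
        if (++count > MAX_CHAIN) return -3;
        fast = tbl[fast].next;            /* hare: first step */
        if (fast == NEXT_END) break;
        if (fast < 0 || fast >= n) return -1;
        if (++count > MAX_CHAIN) return -3;
        fast = tbl[fast].next;            /* hare: second step */
        slow = tbl[slow].next;            /* tortoise: one step */
        if (fast != NEXT_END && fast == slow) return -2;   /* loop found */
    }
    return count;
}

/* Constructed sample requests. */
const ReadEntry good_chain[]   = { {100, 1}, {200, 2}, {300, NEXT_END} };
const ReadEntry looped_chain[] = { {100, 1}, {200, 2}, {300, 1} };  /* 2 -> 1 */
const ReadEntry self_loop[]    = { {100, 0} };                       /* 0 -> 0 */
const ReadEntry bad_link[]     = { {100, 7} };                       /* out of range */

int main(void)
{
    printf("good   : %d\n", validate_chain(good_chain,   3, 0));  /* 3  */
    printf("looped : %d\n", validate_chain(looped_chain, 3, 0));  /* -2 */
    printf("self   : %d\n", validate_chain(self_loop,    1, 0));  /* -2 */
    printf("badlink: %d\n", validate_chain(bad_link,     1, 0));  /* -1 */
    return 0;
}
```

A request whose chain fails validation is rejected up front, so a malformed or malicious list never reaches the disk driver and cannot monopolize it.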