[Info-vax] How dangerous is it to be able to get into DCL supervisor mode ?

Mon Jul 3 13:35:55 EDT 2017

On 2017-07-03, John Reagan <xyzzy1959 at gmail.com> wrote:
> On Monday, July 3, 2017 at 9:39:43 AM UTC-4, Simon Clubley wrote:
>> On 2017-07-03, Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP> wrote:
>> > This weekend, I found a way to crash DCL on VMS Alpha v8.4 which causes
>> > the process to terminate with a register dump. The PS register confirms
>> > the process was in supervisor mode when it failed.
>> >
>> > I don't know if the crash is controllable let alone if it's exploitable
>> > and it looks like it's going to be quite a bit of work to be able to
>> > get further clues.
>> >
>> >==> TO REPEAT: at the moment, this is nothing more than a way to be
>> > able to take down a specific version of DCL running on a specific
>> > architecture (Alpha).
>> >
>> 
>> Just to confirm for the people not familiar with the implications of
>> the above terminology. I am saying I have a way to crash a specific
>> version of DCL on Alpha. I do not currently have a way to get into
>> supervisor mode with my own code but additional research may possibly
>> reveal a way to control the crash in such a way that I might be able
>> to get my own shellcode running in supervisor mode.
>> 
>> That's what the additional work and the exploitable comment above is
>> referring to.
>> 
>
> There is no direct way from user-mode to supervisor-mode.

Unfortunately, that's not how these attacks work.

You already _are_ in supervisor mode by virtue of having run a DCL
command; there is no transition from user mode to supervisor mode
required.

The idea is to (1) initially find a DCL command which you can make
crash while it's running in supervisor mode and then (2) try and
control the crash in such a way that you can get it to do what you
want, including running your own shellcode while in supervisor mode.

If someone manages to pull off step (2) then they have a crash which
has now become an exploit running in supervisor mode.

Don't forget that VMS has some attacker friendly features such as an
address space which is shared by both a program and the CLI, data only
areas which are executable and some buffers/data structures at well
known locations. This means the buffer/data structures can be used to
store your shellcode so that you don't even need to mess around with
placing your shellcode onto the stack.

> Steve's
> comment is that once in K,E, or S modes, you have the ability to turn on
> any privilege you like which will stay enabled even after you return back
> to user mode.
>

If you can do _that_ in supervisor mode :-(, then I most certainly
am not releasing any more information until I've had a chance to
explore the crash further. Unfortunately, real life means it's
going to be a while before I can really look at it.

> Taking out the process with DCL bugs has happened from time to time.  You
> don't get to take out the whole system or access data/files that you don't
> have access to.  It pretty much is a "you can shoot yourself in the foot,
> but can't shoot anyone else's feet".
>

In light of the possible attack scenario I have just laid out above,
and in light of what you have said can be done in supervisor mode,
are you still sure about that ?

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world