[Info-vax] How dangerous is it to be able to get into DCL supervisor mode ?
VAXman- at SendSpamHere.ORG
Mon Jul 3 17:22:28 EDT 2017
In article <oje7gq$riu$1 at dont-email.me>, Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP> writes:
>On 2017-07-03, VAXman- @SendSpamHere.ORG <VAXman- at SendSpamHere.ORG> wrote:
>> In article <ojdv9r$t4l$1 at dont-email.me>, Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP> writes:
>>>On 2017-07-03, John Reagan <xyzzy1959 at gmail.com> wrote:
>>>> Steve's
>>>> comment is that once in K,E, or S modes, you have the ability to turn on
>>>> any privilege you like which will stay enabled even after you return back
>>>> to user mode.
>>>>
>>>
>>>If you can do _that_ in supervisor mode :-(, then I most certainly
>>>am not releasing any more information until I've had a chance to
>>>explore the crash further. Unfortunately, real life means it's
>>>going to be a while before I can really look at it.
>>
>> I've done an awful lot in supervisor mode. Let me know if/when you think
>> you've found something.
>>
>>>> Taking out the process with DCL bugs has happened from time to time. You
>>>> don't get to take out the whole system or access data/files that you don't
>>>> have access to. It pretty much is a "you can shoot yourself in the foot,
>>>> but can't shoot anyone else's feet".
>>>>
>>>
>>>In light of the possible attack scenario I have just laid out above,
>>>and in light of what you have said can be done in supervisor mode,
>>>are you still sure about that ?
>>
>> Let me know when you've figured out how to go from supervisor mode to kernel
>> too.
>>
>
>That's interesting, Brian, thanks.
>
>You seem to be implying the situation with supervisor mode is closer
>to what I've always believed until recently in that supervisor mode
>is heavily restricted as far as the privileged modes go and that
>even if you could get into it, there wasn't much damage you could do on
>a system-wide basis.
>
>However Stephen has suggested more than once recently that if you
>can get into supervisor mode, then there's a way to escalate your
>access rights even further.
>
>John above has just said pretty much the same thing as Stephen.
>
>As I've mentioned previously, I have never had access to the VMS
>source code so I don't know the VMS internals as well as you and
>some other people around here do.
>
>As such, I would like to ask those of you here who do have that
>level of knowledge, what is the actual situation here ?
>
>Once you manage to get into supervisor mode (regardless of how you
>do it), are you constrained from doing any system wide damage
>or can you elevate your privileges as John states above or
>get into executive/kernel mode as Stephen has stated previously ?
When in exec mode, one can invoke $CMKRNL and execute code in kernel
mode without possessing the privies needed for $CMKRNL because there
is a check for the previous mode being exec. There's nothing similar
for $CMEXEC from supervisor mode. It sure would have removed a few
hurdles for me when writing my DCL Debugger had that been the case.
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG
I speak to machines with the voice of humanity.