[Info-vax] How dangerous is it to be able to get into DCL supervisor mode ?
johnwallace4 at yahoo.co.uk
Mon Jul 3 17:48:32 EDT 2017
On Monday, 3 July 2017 14:27:34 UTC+1, Simon Clubley wrote:
> This weekend, I found a way to crash DCL on VMS Alpha v8.4 which causes
> the process to terminate with a register dump. The PS register confirms
> the process was in supervisor mode when it failed.
>
> I don't know if the crash is controllable let alone if it's exploitable
> and it looks like it's going to be quite a bit of work to be able to
> get further clues.
>
> ==> TO REPEAT: at the moment, this is nothing more than a way to be
> able to take down a specific version of DCL running on a specific
> architecture (Alpha).
>
> NOTE: we simply would not be having this discussion if the image in
> question had kernel or executive mode access as I would be following
> standard procedures while exploring it. However, DEC have always made
> a point of saying that if DCL was compromised then it didn't really
> matter anyway because it was only supervisor mode access.
>
> OTOH, Stephen has commented a couple of times that there's a way to
> get further access if you are in supervisor mode. As I don't know
> the VMS source code internals (I've never seen it) I don't know
> what the conditions on Stephen's statement might be.
>
> So, how dangerous is it to be able to get into supervisor mode ?
> I don't really want to spend a lot of time exploring only to find
> out that even if I did manage to control the crash, it didn't matter
> anyway because there was nothing you could do while you had supervisor
> mode access.
>
> Also note that since I am not in a position to judge how dangerous
> it would be to release details on exactly how I did this, I will not
> be releasing any details on how I did this for now just in case it
> turns out to be something more dangerous than I realised.
>
> Even if I did feel it was ok to disclose it, I'd also want to play
> with it a bit more before reporting it anyway in order to see if
> I could simplify the triggering mechanism.
>
> If this were a normal kernel mode crash then the process would be
> simple: report it via a secure mechanism and then release details
> after the patch was released.
>
> Unfortunately, with the supervisor mode access available on VMS
> I am not really in a position to judge whether being able to get
> into DCL supervisor mode is harmless and doesn't even warrant an
> urgent patch or whether this could be something dangerous if it
> did turn out to be exploitable.
>
> Simon.
>
> --
> Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
> Microsoft: Bringing you 1980s technology to a 21st century world
To avoid unnecessary duplication of effort, can you summarise
what resources are readily available (and comprehensible :))
to you at the moment?
E.g. VMS Internals and Data Structures as relates to memory
management and to DCL - any version? relevant Alpha version?
(the Alpha versions don't seem to be readily available for free;
I thought I'd seen VAX versions, i.e. antiques, somewhere).
Probably a bit OTT for this though.