[Info-vax] How dangerous is it to be able to get into DCL supervisor mode ?
Bill Gunshannon
bill.gunshannon at gmail.com
Mon Jul 3 22:07:56 EDT 2017
On 7/3/2017 8:34 PM, David Froble wrote:
> Bill Gunshannon wrote:
>> On 7/3/2017 6:45 PM, Simon Clubley wrote:
>>> On 2017-07-03, Hans Vlems <hvlems at freenet.de> wrote:
>>>> If I understand you well then after crashing DCL your process is
>>>> left in Supervisor mode. Without a CLI how can you exploit that
>>>> privileged position?
>>>
>>> You don't have a process after DCL crashes. The idea is to try and
>>> corrupt DCL just enough to be able to execute your shellcode without
>>> corrupting it enough to actually crash and terminate your process.
>>>
>>> If you find manage to find a way to obtain this level of control then
>>> that's the point at which a crash becomes an exploit.
>>>
>>> However, at the moment, the process crashes with the following final
>>> status (from the accounting log):
>>>
>>> Final status text: %SYSTEM-F-NOHANDLER, no condition handler found
>>>
>> Just playing devil's advocate.....
>>
>> If you can determine the condition is there any way you could install
>> a handler? That might lead to some interesting situations.
>>
>> bill
>>
>
> Ok, just speculating, the sequence might be CMKRNL then dropping to
> supervisor mode. Now, when in kernel mode, you queue a handler, then go
> to supervisor mode. That handler takes priority over anything you can
> do from supervisor mode, and the first thing it does is drop you to user
> mode. You're done at that time.
>
> It's been quite a while since I was into such things, and I haven't
> researched it. Just depending on (increasingly poor) memory.
>
> I'm willing to bet that something similar has been in VMS all along.
I realize you're saying that's what handlers do, but, in this case there
apparently is no handler. Could someone write a nasty handler and get
it installed? I don't know VMS handlers at all so I have no idea how
one gets put in place. Now, if it were Unix... :-)
bill