[Info-vax] How dangerous is it to be able to get into DCL supervisor mode ?
David Froble
davef at tsoft-inc.com
Tue Jul 4 10:38:29 EDT 2017
VAXman- @SendSpamHere.ORG wrote:
> In article <ojenjf$iad$1 at dont-email.me>, David Froble <davef at tsoft-inc.com> writes:
>> Bill Gunshannon wrote:
>>> On 7/3/2017 6:45 PM, Simon Clubley wrote:
>>>> On 2017-07-03, Hans Vlems <hvlems at freenet.de> wrote:
>>>>> If I understand you well then after crashing DCL your process is left in
>>>>> Supervisor mode. Without a CLI how can you exploit that privileged
>>>>> position?
>>>> You don't have a process after DCL crashes. The idea is to try and
>>>> corrupt DCL just enough to be able to execute your shellcode without
>>>> corrupting it enough to actually crash and terminate your process.
>>>>
>>>> If you manage to find a way to obtain this level of control then
>>>> that's the point at which a crash becomes an exploit.
>>>>
>>>> However, at the moment, the process crashes with the following final
>>>> status (from the accounting log):
>>>>
>>>> Final status text: %SYSTEM-F-NOHANDLER, no condition handler found
>>>>
>>> Just playing devil's advocate.....
>>>
>>> If you can determine the condition is there any way you could install
>>> a handler? That might lead to some interesting situations.
>>>
>>> bill
>>>
>> Ok, just speculating, the sequence might be CMKRNL then dropping to supervisor
>> mode. Now, when in kernel mode, you queue a handler, then go to supervisor
>> mode. That handler takes priority over anything you can do from supervisor
>> mode, and the first thing it does is drop you to user mode. You're done at that
>> time.
>
> Right but you've got to get there first! ;)
>
>
Quite right!
I'm assuming that the DCL utilities are installed as privileged.
$ install list
DISK$VMS072:<SYS0.SYSCOMMON.SYSEXE>.EXE
LOGINOUT;1 Open Hdr Shar Prv
As in this example. Therefore they can execute CMKRNL, CMEXEC and such. And
they can set up handlers while in elevated mode. So, they are already there.
I believe you got the sources, can you confirm what I'm suggesting?
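The post above rests on which images are installed with privileges, which is exactly what a defender wants to review on a regular basis. The following is an added example, not code from the thread or from any OpenVMS component: it parses INSTALL LIST style output (a directory line followed by one image per line with its attribute keywords, the shape shown in the post) and reports images carrying the Prv attribute that are not on a reviewed baseline. The listing and the baseline are constructed for the example; only the Prv keyword is interpreted, and the exact INSTALL LIST layout on a given system is assumed to match the sample.

```python
"""Audit an INSTALL LIST listing for images installed with privileges.

Added example, not taken from the mailing-list thread. The sample listing
below is constructed to match the shape shown in the post: a directory
line followed by one line per installed image carrying INSTALL attribute
keywords (Open, Hdr, Shar, Prv, ...). Only the 'Prv' attribute is
interpreted here.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample, not real output from any system.
SAMPLE_LISTING = """\
DISK$VMS072:<SYS0.SYSCOMMON.SYSEXE>.EXE
   LOGINOUT;1      Open Hdr Shar Prv
   SHOW;1          Open Hdr Shar
   SET;1           Open Hdr Shar Prv
   MYTOOL;3        Open Hdr Prv
DISK$VMS072:<SYS0.SYSCOMMON.SYSLIB>.EXE
   LIBRTL;1        Open Hdr Shar Lnkbl
"""

# Hypothetical baseline: image names a site has reviewed and expects to be
# installed with privileges. Anything privileged outside this set is flagged.
EXPECTED_PRIVILEGED = {"LOGINOUT", "SET"}


@dataclass
class InstalledImage:
    directory: str                  # directory header the image was listed under
    name: str                       # image file name without version, e.g. LOGINOUT
    version: str                    # file version, e.g. "1"
    attributes: frozenset[str] = field(default_factory=frozenset)

    @property
    def privileged(self) -> bool:
        # INSTALL marks images installed /PRIVILEGED with the Prv keyword.
        return "Prv" in self.attributes


def parse_install_list(text: str) -> list[InstalledImage]:
    """Parse INSTALL LIST output into InstalledImage records."""
    images: list[InstalledImage] = []
    directory = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Directory headers look like DEV:<DIR>.EXE or DEV:[DIR].EXE and
        # carry no whitespace-separated attribute keywords.
        if ":" in line and ("<" in line or "[" in line) and " " not in line:
            directory = line
            continue
        tokens = line.split()
        filename, attrs = tokens[0], tokens[1:]
        name, _, version = filename.partition(";")
        images.append(InstalledImage(directory, name, version, frozenset(attrs)))
    return images


def privileged_images(text: str) -> list[str]:
    """Names of all images in the listing that carry the Prv attribute."""
    return sorted(img.name for img in parse_install_list(text) if img.privileged)


def unexpected_privileged(text: str, baseline: set[str]) -> list[str]:
    """Privileged images that are absent from the reviewed baseline."""
    return sorted(set(privileged_images(text)) - baseline)


if __name__ == "__main__":
    for img in parse_install_list(SAMPLE_LISTING):
        flag = "PRV" if img.privileged else "   "
        print(f"{flag} {img.directory}{img.name};{img.version}")
    print("Unexpected privileged images:",
          unexpected_privileged(SAMPLE_LISTING, EXPECTED_PRIVILEGED))
```

On a live system the listing would be captured from INSTALL LIST (or INSTALL LIST/FULL, which additionally names the privileges granted) and fed to parse_install_list; keeping the baseline under change control turns the comparison into a simple drift check for newly installed privileged images.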