[Info-vax] How dangerous is it to be able to get into DCL supervisor mode ?
VAXman- at SendSpamHere.ORG
Tue Jul 4 11:00:29 EDT 2017
In article <ojg922$vm8$1 at dont-email.me>, David Froble <davef at tsoft-inc.com> writes:
>VAXman- @SendSpamHere.ORG wrote:
>> In article <ojenjf$iad$1 at dont-email.me>, David Froble <davef at tsoft-inc.com> writes:
>>> Bill Gunshannon wrote:
>>>> On 7/3/2017 6:45 PM, Simon Clubley wrote:
>>>>> On 2017-07-03, Hans Vlems <hvlems at freenet.de> wrote:
>>>>>> If I understand you well then after crashing DCL your process is left in
>>>>>> Supervisor mode. Without a CLI how can you exploit that privileged
>>>>>> position?
>>>>> You don't have a process after DCL crashes. The idea is to try and
>>>>> corrupt DCL just enough to be able to execute your shellcode without
>>>>> corrupting it enough to actually crash and terminate your process.
>>>>>
>>>>> If you manage to find a way to obtain this level of control then
>>>>> that's the point at which a crash becomes an exploit.
>>>>>
>>>>> However, at the moment, the process crashes with the following final
>>>>> status (from the accounting log):
>>>>>
>>>>> Final status text: %SYSTEM-F-NOHANDLER, no condition handler found
>>>>>
>>>> Just playing devil's advocate.....
>>>>
>>>> If you can determine the condition is there any way you could install
>>>> a handler? That might lead to some interesting situations.
>>>>
>>>> bill
>>>>
>>> Ok, just speculating, the sequence might be CMKRNL then dropping to supervisor
>>> mode. Now, when in kernel mode, you queue a handler, then go to supervisor
>>> mode. That handler takes priority over anything you can do from supervisor
>>> mode, and the first thing it does is drop you to user mode. You're done at that
>>> time.
>>
>> Right but you've got to get there first! ;)
>>
>>
>
>Quite right!
>
>I'm assuming that the DCL utilities are installed as privileged.
>
>$ install list
>
>DISK$VMS072:<SYS0.SYSCOMMON.SYSEXE>.EXE
>
> LOGINOUT;1 Open Hdr Shar Prv
>
>As in this example. Therefore they can execute CMKRNL, CMEXEC and such. And
>they can set up handlers while in elevated mode. So, they are already there.
>
>I believe you got the sources, can you confirm what I'm suggesting?
LOGINOUT.EXE must be because it is what creates the process and maps DCL!
Interactive, batch, or network process, it doesn't matter. If DCL is to be
a part of its life, LOGINOUT.EXE is what adds DCL fulfillment to its life.
DCL, BTW, is NOT installed with privies!
DCL;1 Open Hdr Shared Lnkbl
It is mapped ($IMGACT) by LOGINOUT. When all process activation has been
completed, LOGINOUT REIs to supervisor mode, transferring control to DCL's
entry address. One can only REI to the same or an outer access mode.
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG
I speak to machines with the voice of humanity.