[Info-vax] How dangerous is it to be able to get into DCL supervisor mode ?
Jan-Erik Soderholm
jan-erik.soderholm at telia.com
Tue Jul 4 12:31:54 EDT 2017
On 2017-07-04 at 18:18, John Reagan wrote:
> On Tuesday, July 4, 2017 at 10:38:33 AM UTC-4, David Froble wrote:
>> VAXman- wrote:
>>> In article <o>, David Froble <> writes:
>>>> Bill Gunshannon wrote:
>>>>> On 7/3/2017 6:45 PM, Simon Clubley wrote:
>>>>>> On 2017-07-03, Hans Vlems <> wrote:
>>>>>>> If I understand you well then after crashing DCL your
>>>>>>> process is left in Supervisor mode. Without a CLI how can
>>>>>>> you exploit that privileged position?
>>>>>> You don't have a process after DCL crashes. The idea is to try
>>>>>> and corrupt DCL just enough to be able to execute your
>>>>>> shellcode without corrupting it enough to actually crash and
>>>>>> terminate your process.
>>>>>>
>>>>>> If you manage to find a way to obtain this level of
>>>>>> control then that's the point at which a crash becomes an
>>>>>> exploit.
>>>>>>
>>>>>> However, at the moment, the process crashes with the following
>>>>>> final status (from the accounting log):
>>>>>>
>>>>>> Final status text: %SYSTEM-F-NOHANDLER, no condition handler
>>>>>> found
>>>>>>
>>>>> Just playing devil's advocate.....
>>>>>
>>>>> If you can determine the condition is there any way you could
>>>>> install a handler? That might lead to some interesting
>>>>> situations.
>>>>>
>>>>> bill
>>>>>
>>>> Ok, just speculating, the sequence might be CMKRNL then dropping
>>>> to supervisor mode. Now, when in kernel mode, you queue a
>>>> handler, then go to supervisor mode. That handler takes priority
>>>> over anything you can do from supervisor mode, and the first thing
>>>> it does is drop you to user mode. You're done at that time.
>>>
>>> Right but you've got to get there first! ;)
>>>
>>>
>>
>> Quite right!
>>
>> I'm assuming that the DCL utilities are installed as privileged.
>>
>> $ install list
>>
>> DISK$VMS072:<SYS0.SYSCOMMON.SYSEXE>.EXE
>>
>> LOGINOUT;1 Open Hdr Shar Prv
>>
>> As in this example. Therefore they can execute CMKRNL, CMEXEC and
>> such. And they can set up handlers while in elevated mode. So, they
>> are already there.
>>
>> I believe you got the sources, can you confirm what I'm suggesting?
>
> The "Prv" doesn't mean "can set any privilege bit". It just means it
> was installed with privs, but you can't see the exact privilege mask from
> that output display. For example, installing something with OPER priv
> does not give it the ability to CMKRNL or CMEXEC.
>
$ install list loginout /full