[Info-vax] How dangerous is it to be able to get into DCL supervisor mode ?
David Froble
davef at tsoft-inc.com
Tue Jul 4 15:14:50 EDT 2017
John Reagan wrote:
> On Tuesday, July 4, 2017 at 10:38:33 AM UTC-4, David Froble wrote:
>> VAXman- wrote:
>>> In article <o>, David Froble <> writes:
>>>> Bill Gunshannon wrote:
>>>>> On 7/3/2017 6:45 PM, Simon Clubley wrote:
>>>>>> On 2017-07-03, Hans Vlems <> wrote:
>>>>>>> If I understand you well then after crashing DCL your process is left in
>>>>>>> Supervisor mode. Without a CLI how can you exploit that privileged
>>>>>>> position?
>>>>>> You don't have a process after DCL crashes. The idea is to try and corrupt
>>>>>> DCL just enough to be able to execute your shellcode without corrupting
>>>>>> it enough to actually crash and terminate your process.
>>>>>>
>>>>>> If you manage to find a way to obtain this level of control then
>>>>>> that's the point at which a crash becomes an exploit.
>>>>>>
>>>>>> However, at the moment, the process crashes with the following final
>>>>>> status (from the accounting log):
>>>>>>
>>>>>> Final status text: %SYSTEM-F-NOHANDLER, no condition handler found
>>>>>>
>>>>> Just playing devil's advocate.....
>>>>>
>>>>> If you can determine the condition is there any way you could install
>>>>> a handler? That might lead to some interesting situations.
>>>>>
>>>>> bill
>>>>>
>>>> Ok, just speculating, the sequence might be CMKRNL then dropping to supervisor
>>>> mode. Now, when in kernel mode, you queue a handler, then go to supervisor
>>>> mode. That handler takes priority over anything you can do from supervisor
>>>> mode, and the first thing it does is drop you to user mode. You're done at that
>>>> time.
>>> Right but you've got to get there first! ;)
>>>
>>>
>> Quite right!
>>
>> I'm assuming that the DCL utilities are installed as privileged.
>>
>> $ install list
>>
>> DISK$VMS072:<SYS0.SYSCOMMON.SYSEXE>.EXE
>>
>> LOGINOUT;1 Open Hdr Shar Prv
>>
>> As in this example. Therefore they can execute CMKRNL, CMEXEC and such. And
>> they can set up handlers while in elevated mode. So, they are already there.
>>
>> I believe you got the sources, can you confirm what I'm suggesting?
>
> The "Prv" doesn't mean "can set any privilege bit". It just means it was installed with privs but you can't see the exact privilege mask from that output display. For example, installing something with OPER priv does not give it the ability to CMKRNL or CMEXEC.
We're dancing all around this. Might be nice for someone who actually knows to
explain a bit about how it works.