[Info-vax] How dangerous is it to be able to get into DCL supervisor mode ?

David Froble davef at tsoft-inc.com
Wed Jul 5 12:22:11 EDT 2017


Simon Clubley wrote:
> On 2017-07-05, David Froble <davef at tsoft-inc.com> wrote:
>> No, the subject of this thread is just what happens when DCL running in supervisor 
>> mode aborts on an error, and the process returns to user mode.  At least I 
>> thought that was the subject.  Sometimes I get confused.
>>
> 
> No, when DCL crashes badly enough to take out the process, then the
> process crashes while in supervisor mode. That was confirmed by the
> PS register in the register dump.
> 
>> I believe that Simon started out questioning whether he could retain supervisor 
>> mode.  Then the guessing started, I guess.
> 
> Correct. You generally need to be able to cause a crash in the
> first place to be able to use this kind of approach. The question
> then becomes if the environment can be changed in a way which allows
> you to be able to control the crash in such a way as to allow your
> shellcode to run by the failing image (in this case DCL itself).

Ok, short story.  Back in the early 1980s I thought I needed to include some 
exception handlers, in case of an exception happening.  Thought I needed to do 
some clean-up.  Then I found out VMS did all that for me, and that's the last 
looking at handlers that I did.

My memory (remember, we're talking over 30 years) is that if the conditions for 
an exception handler were met, whatever they are, then the exception handler(s) 
will be invoked.

From what I remember, the exception handlers can be set up in various processor 
modes, and a lesser mode has no control of a handler running in a higher mode. 
For example, if there is an exception handler set up in Kernel mode, unless 
you're in Kernel mode, you can't touch it, stop it, and such.

So maybe I'm the culprit, but speculation began about exception handlers for a 
crash in Supervisor mode.  No real information.  Perhaps someone at VSI, if they 
had the time and desire, could clear this up.  I cannot.

> Only a subset of crashes can be controlled in this way and I do not
> know yet if this crash is one of them.
> 
> If you can control it, the idea is to get DCL to jump to your shellcode
> which you have previously loaded into memory before causing the crash.
> There is no switching of modes involved at this point; this is a simple
> jump to your shellcode by DCL while it is in supervisor mode.

Key provision is "if you can control it".

> VMS makes things easier here than some other operating systems because
> you have a shared address space and data only structures which can
> become executable if jumped to. This means you can load your shellcode
> at a known location before causing your crash instead of having to faff
> around with getting your shellcode onto the stack (for example).

Your "shellcode" doesn't matter, if you're no longer running in elevated mode.

> If you get this far, then at this point all you have is shellcode running
> in supervisor mode and if you believe what DEC had been saying all the
> years it was around then there's little you could do because supervisor
> mode was supposed to be this limited environment.
> 
> However, Stephen has been dropping hints that once you get into
> supervisor mode, there's a way to escalate things further, but
> I thought, if this was the case, then it was some super weird obscure
> thing which required deep internals knowledge.
> 
> I was absolutely stunned by the suggestion by John however that you
> can set privilege bits while in supervisor mode because if that's true
> then it's an utterly insane thing to allow in an access mode which
> the _CLI_ runs in. :-( :-(
> 
> If you want to know how insane, try to imagine what the reaction
> would be if bash was installed as suid root on Linux because this
> is the same.
> 
> As such I am now being very careful about what I say until we know
> for sure one way or another.
> 
> Simon.
> 

There were lots of VERY good software engineers at DEC.  If I had to bet, I'd 
bet they would have had this issue very well covered.  Then again, maybe a horse 
could learn to sing ....
