[Info-vax] How dangerous is it to be able to get into DCL supervisor mode ?

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Wed Jul 5 20:07:23 EDT 2017


On 2017-07-03 14:23:52 +0000, John Reagan said:

> 
> There is no direct way from user-mode to supervisor-mode.  You have to 
> change to kernel or exec mode and then "downgrade" to supervisor.  
> Kernel and exec mode access is controlled by the CMKRNL and CMEXEC 
> privileges and you get into them from the SYS$CMKRNL and SYS$CMEXEC 
> services.  Steve's comment is that once in K, E, or S modes, you have 
> the ability to turn on any privilege you like which will stay enabled 
> even after you return back to user mode.
> 
> Taking out the process with DCL bugs has happened from time to time.  
> You don't get to take out the whole system or access data/files that 
> you don't have access to.  It pretty much is a "you can shoot yourself 
> in the foot, but can't shoot anyone else's feet".

What Simon is referencing may be that path into supervisor mode.    An 
access violation points to a condition in the code that was not 
expected by the developer.   An access violation can sometimes be 
exploited to provide additional access, such as reading or writing to 
otherwise protected memory.   That might expose sensitive data, or it 
might allow the attacker to modify the data or even the code of the 
process.   Attacks on various platforms increasingly involve chaining 
several vulnerabilities together too, which is why there've been 
mentions of ASLR/NX, sandboxes/jails, static and dynamic code coverage 
tools, looking at the programming languages involved, etc.



-- 
Pure Personal Opinion | HoffmanLabs LLC 
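The paragraph above describes the mechanism in the abstract: an access violation is the visible symptom of a missing check, and the same missing check, hit with a different value, can reach memory the program was not meant to write. The following C program is an added illustration (not code from the post, from DCL, or from VMS) of that relationship, using a constructed struct layout in which a four-entry table sits directly before a permission flag. The unchecked writer takes an index from untrusted input without comparing it to the table length; the checked writer rejects out-of-range indexes before touching memory. The names `record_t`, `set_entry_unchecked` and `set_entry_checked` are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout (not VMS's): a small fixed-size table followed by a
 * flag that a later operation consults. Putting both in one struct makes
 * the adjacency deterministic, so the example behaves the same everywhere. */
#define TABLE_LEN 4

typedef struct {
    int32_t table[TABLE_LEN];
    int32_t permitted;   /* 0 = deny, nonzero = allow */
} record_t;

/* The bug: idx comes from untrusted input and is never compared with
 * TABLE_LEN. The write goes through a byte pointer inside the struct, so an
 * index equal to TABLE_LEN lands exactly on 'permitted'. A wildly wrong
 * index would instead reach unmapped memory and raise an access violation,
 * which is why an ACCVIO is the signal that a check like this is missing. */
static void set_entry_unchecked(record_t *r, size_t idx, int32_t value)
{
    unsigned char *slot = (unsigned char *)r + idx * sizeof(int32_t);
    memcpy(slot, &value, sizeof value);
}

/* The fix: refuse anything outside the table before any memory is written. */
static bool set_entry_checked(record_t *r, size_t idx, int32_t value)
{
    if (idx >= TABLE_LEN)
        return false;            /* caller reports an error; nothing written */
    r->table[idx] = value;
    return true;
}

/* Returns the flag after an out-of-range write through the unchecked path:
 * it starts at 0 and comes back 1, i.e. the caller now appears permitted. */
int unchecked_write_flips_flag(void)
{
    record_t r;
    memset(&r, 0, sizeof r);
    set_entry_unchecked(&r, TABLE_LEN, 1);   /* one past the end of table[] */
    return r.permitted;
}

/* Returns 1 when the checked path refuses the same write and the flag is
 * still 0 afterwards. */
int checked_write_is_rejected(void)
{
    record_t r;
    memset(&r, 0, sizeof r);
    bool ok = set_entry_checked(&r, TABLE_LEN, 1);
    return (!ok && r.permitted == 0) ? 1 : 0;
}

/* Returns the value stored by a legitimate in-range write, or -1 on error. */
int checked_write_in_range(void)
{
    record_t r;
    memset(&r, 0, sizeof r);
    if (!set_entry_checked(&r, 2, 7))
        return -1;
    return r.table[2];
}

int main(void)
{
    printf("unchecked: permitted=%d\n", unchecked_write_flips_flag());
    printf("checked:   rejected=%d\n", checked_write_is_rejected());
    printf("checked:   table[2]=%d\n", checked_write_in_range());
    return 0;
}
```

The point for a reviewer is the distance between the two outcomes: the same missing bounds check produces a crash for most bad indexes and a silent state change for one specific index, so a reproducible ACCVIO in a privileged or mode-switching image deserves the same attention as a demonstrated privilege change.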
