[Info-vax] A DCL wish list of sorts...

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Fri Mar 22 15:11:53 EDT 2019


On 2019-03-22, pcanagnostopoulos at gmail.com <pcanagnostopoulos at gmail.com> wrote:
> On Friday, March 22, 2019 at 12:24:33 PM UTC-4, Stephen Hoffman wrote:
>> 
>> > Question: How does someone interject arbitrary instructions into the 
>> > DCL table? I don't think the CDU supports hex escapes in strings. 
>> > Perhaps that has been added.
>> 
>> This wasn't in DCL itself.  This was a corruption that allowed data to 
>> be written into a memory location that altered program execution flow 
>> within CDU, and which then allowed Simon to inject instructions into 
>> the processing.
>
> But the CDU didn't run with any elevated privilege. Oh, you mean he could
> inject instructions that ended up in the command table and then snuck past DCL.
> Marvelously obscure.
>

You may have been confused by Stephen's typo of CDU instead of DCL above.

CDU is the mechanism by which I was able to generate a faulty DCL command
table entry and DCL didn't perform enough checking which later allowed me
to clobber a return address. As Doug has already mentioned, CDU didn't
correctly validate the length of a prompt string.

The shellcode is not loaded into the DCL command table itself but into
CTL$A_COMMON. On VAX and Alpha, CTL$A_COMMON is both user writable and
executable. The overwritten return address points to within CTL$A_COMMON
so DCL transfers control to this code.

There is a general attack you can carry out if you can get code you
control running in supervisor mode, but that wasn't required because
I discovered something else instead I could use in this case.

[In the description below, shellcode refers to a binary instruction
stream. It does not refer to DCL commands.]

A top level description of the actual attack I used:

1) Generate a .CLD with a too-long prompt string and with the address
within CTL$A_COMMON inserted at the correct place in the prompt string.

2) Use CDU to compile the .CLD and place it in the in-memory DCL command
table.

3) Use a non-privileged program to insert your shellcode into CTL$A_COMMON.
The shellcode can either be created by MACRO32 (VAX) or MACRO64 (Alpha)
or simply hand assembled if you need to.

4) Run a privileged program whose privileges you want to hijack and then
press Ctrl-Y.

5) Control is returned to DCL and DCL disables the program's privileges,
but does not remove them.

6) Immediately run your malformed command without a parameter. When prompted
for your parameter, you can now cause your shellcode to run.

7) The first thing your shellcode needs to do is to re-enable the privileges
and then your shellcode can now do whatever it wants.

This variant works because DCL does not run down the privileged image
until _after_ you have been prompted for the parameter for your malformed
command.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world