[Info-vax] A DCL wish list of sorts...
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Fri Mar 22 15:36:27 EDT 2019
On 2019-03-22, dgordonatvsi at gmail.com <dgordonatvsi at gmail.com> wrote:
> On Friday, March 22, 2019 at 12:42:54 PM UTC-4, pcanagno... at gmail.com wrote:
>
>> But the CDU didn't run with any elevated privilege.
>>
>> ~~ Paul
>
> In fact it does. It needs CMEXEC to load the table into P1. I made changes around that as well (to only enable it when needed) but that wasn't the issue.
>
> Simon published his exploit here in comp.os.vms if you want to look back for it. Or he'd probably be happy to send you his write-up.
I published the first part only (which gets you into supervisor mode)
and I didn't realise how easy it was to do the second part when I
published that first part. :-)
To Paul: This discovery came in two parts. Part 1 was being able to
get DCL to run a non-privileged user's shellcode and part 2 was being
able to use that to compromise the system.
There had been hints for some time that if you could get code you
control running in supervisor mode then you could compromise the
system. Unfortunately, the people who knew how to exploit supervisor
mode in that way were not talking. :-)
When I released the first part, I didn't know how to do the second
part, but I hoped someone might fill in the missing piece. Unfortunately,
no-one did, so I ended up doing the research to find it myself.
After doing some research (and a lot of thinking :-)), I made the
crucial discovery (that DCL has access to the privileges of the
programs it runs) which allowed me to create shellcode to compromise
the system.
After some discussion in comp.os.vms, I agreed to hold off discussing
the second part of this discovery for an additional 3 months or so to
give people additional time to patch their systems.
I will also mention again (as I did back then) that VMS people would be
unlikely to get the amount of additional time from a third-party researcher
that I gave everyone, especially given that the CDU/DCL patches had been
out for a couple of months or so when I announced I had discovered what
part 2 was and also given the marketing language on the VSI website.
Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world