[Info-vax] A DCL wish list of sorts...

pcanagnostopoulos at gmail.com
Fri Mar 22 16:54:59 EDT 2019


On Friday, March 22, 2019 at 3:11:55 PM UTC-4, Simon Clubley wrote:
> CDU is the mechanism by which I was able to generate a faulty DCL command
> table entry and DCL didn't perform enough checking which later allowed me
> to clobber a return address. As Doug has already mentioned, CDU didn't
> correctly validate the length of a prompt string.
> 
> The shellcode is not loaded into the DCL command table itself but into
> CTL$A_COMMON. On VAX and Alpha, CTL$A_COMMON is both user writable and
> executable. The overwritten return address points to within CTL$A_COMMON
> so DCL transfers control to this code.
> 
> There is a general attack you can carry out if you can get code you
> control running in supervisor mode, but that wasn't required because
> I discovered something else instead I could use in this case.
> 
> [In the description below, shellcode refers to a binary instruction
> stream. It does not refer to DCL commands.]
> 
> A top level description of the actual attack I used:
> 
> 1) Generate a .CLD with a too long prompt string and with the address
> within CTL$A_COMMON inserted at the correct place in the prompt string.
> 
> 2) Use CDU to compile the .CLD and place it in the in-memory DCL command
> table.
> 
> 3) Use a non-privileged program to insert your shellcode into CTL$A_COMMON.
> The shellcode can either be created by MACRO32 (VAX) or MACRO64 (Alpha)
> or simply hand assembled if you need to.
> 
> 4) Run a privileged program whose privileges you want to hijack and then
> press Ctrl-Y.
> 
> 5) Control is returned to DCL and DCL disables the program's privileges,
> but does not remove them.
> 
> 6) Immediately run your malformed command without a parameter. When prompted
> for your parameter, you can now cause your shellcode to run.
> 
> 7) The first thing your shellcode needs to do is to re-enable the privileges
> and then your shellcode can now do whatever it wants.
> 
> This variant works because DCL does not run down the privileged image
> until _after_ you have been prompted for the parameter for your malformed
> command.

This is just way too much fun.

~~ Paul
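The root cause Simon describes is that CDU accepted a PROMPT string longer than DCL could safely hold. One defensive measure is to lint .CLD sources for oversized PROMPT values before they ever reach CDU. The following is an added example written for this thread, not code from Simon, Paul or the OpenVMS maintainers; it assumes the usual `PARAMETER Pn, PROMPT="..."` syntax with `!` line comments, and the cap `MAX_PROMPT_LEN` is a placeholder since the post does not state the real limit.

```python
import re
from typing import List, Tuple

# Assumed cap for a PROMPT string. The post does not give the real DCL/CDU
# limit, so this placeholder should be set to the documented value.
MAX_PROMPT_LEN = 32

# Matches PROMPT="..." (CLD keywords are case-insensitive).
_PROMPT_RE = re.compile(r'PROMPT\s*=\s*"([^"]*)"', re.IGNORECASE)


def strip_cld_comments(text: str) -> str:
    """Drop '!' comments from CLD source while leaving quoted strings intact.

    Line structure is preserved so reported line numbers stay accurate.
    """
    out = []
    for line in text.splitlines():
        in_quote = False
        kept = []
        for ch in line:
            if ch == '"':
                in_quote = not in_quote
            elif ch == "!" and not in_quote:
                break
            kept.append(ch)
        out.append("".join(kept))
    return "\n".join(out)


def find_prompts(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, prompt_text) for every PROMPT="..." in the source."""
    results = []
    for lineno, line in enumerate(strip_cld_comments(text).splitlines(), start=1):
        for m in _PROMPT_RE.finditer(line):
            results.append((lineno, m.group(1)))
    return results


def oversized_prompts(text: str, limit: int = MAX_PROMPT_LEN) -> List[Tuple[int, int, str]]:
    """Return (line_number, length, prompt_text) for prompts longer than limit."""
    return [(n, len(p), p) for n, p in find_prompts(text) if len(p) > limit]


# Constructed sample CLD source: one ordinary verb and one whose prompt is too long.
SAMPLE_CLD = '''\
! Constructed example, not a real command table
DEFINE VERB SHOWIT
    IMAGE "SYS$DISK:[]SHOWIT"
    PARAMETER P1, PROMPT="File", VALUE(REQUIRED)   ! within the cap
DEFINE VERB BADVERB
    IMAGE "SYS$DISK:[]BADVERB"
    PARAMETER P1, PROMPT="''' + "A" * 64 + '''", VALUE(REQUIRED)
'''

if __name__ == "__main__":
    for lineno, length, prompt in oversized_prompts(SAMPLE_CLD):
        print(f"line {lineno}: PROMPT length {length} exceeds {MAX_PROMPT_LEN}")
```

Run it over a .CLD before `SET COMMAND` and reject the file if anything is reported; the comment stripping matters because a `!` comment that happens to contain `PROMPT=` should not trigger a false positive.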


