[Info-vax] Assembly languages
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Tue Apr 12 08:28:33 EDT 2022
On 2022-04-11, VAXman- @SendSpamHere.ORG <VAXman- at SendSpamHere.ORG> wrote:
> In article <t31ose$pr0$1 at dont-email.me>, Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP> writes:
>>
>>Ok, Brian, you win. I'll be pedantic if you wish. :-)
>>
>>Once you have code you control running in one of the hardware inner modes,
>>you can get to the others without any additional privileges required on
>>the part of the account doing it.
>
> NOT TRUE. Stop confusing $CMKRNL from EXEC mode with all others. You can
> NOT get to EXEC from SUPERVISOR mode. Granted, you found an exploit with an
> installed image but that was corrected. There's no $CMEXEC jump from
> SUPERVISOR mode without privileges vis-a-vis $CMKRNL from EXEC mode.
>
You are contradicting yourself with the above statements, Brian.
First you say it's not possible, then you say it's possible if the
supervisor mode code has access to the privileges of the current image.

As you have been told multiple times, Brian, the only fix was to fix
the buffer overflow that allowed me to get code running within the
context of DCL itself. There was nothing fixed to reduce what you can
do once you are in supervisor mode.

If someone finds another way back into supervisor mode, then supervisor
mode is still as dangerous as it always was.

For anyone else wondering why supervisor mode is so dangerous, it's
because code running in supervisor mode has access to the privileges
of the current image.

You are really only limited by your knowledge and imagination with what
you can do with that. There are two ways I know of to make use of that:

1) The CTRL-Y attack which was part of my exploit.

2) You can activate a privileged image from supervisor mode and then
use its privileges. You don't have to take my word for this one as
the image activation sequence is very well documented in the Alpha I&DS
manual.

If you read the image activation checklist in the Alpha I&DS, you will see
that the image activator enables the image's privileges in the current
process and _then_ returns control back to DCL with those elevated
privileges in place.

So yes, if you have code that you control running in supervisor mode,
then you can still use it to get into executive or kernel mode.
Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.