Simon Clubley
2017-07-03 13:23:43 UTC
This weekend, I found a way to crash DCL on VMS Alpha v8.4 which causes
the process to terminate with a register dump. The PS register confirms
the process was in supervisor mode when it failed.
I don't know if the crash is controllable let alone if it's exploitable
and it looks like it's going to be quite a bit of work to be able to
get further clues.
==> TO REPEAT: at the moment, this is nothing more than a way to be
able to take down a specific version of DCL running on a specific
architecture (Alpha).
NOTE: we simply would not be having this discussion if the image in
question had kernel or executive mode access as I would be following
standard procedures while exploring it. However, DEC have always made
a point of saying that if DCL was compromised then it didn't really
matter anyway because it was only supervisor mode access.
OTOH, Stephen has commented a couple of times that there's a way to
get further access if you are in supervisor mode. As I don't know
the VMS source code internals (I've never seen it) I don't know
what the conditions on Stephen's statement might be.
So, how dangerous is it to be able to get into supervisor mode?
I don't really want to spend a lot of time exploring only to find
out that even if I did manage to control the crash, it didn't matter
anyway because there was nothing you could do while you had supervisor
mode access.
Also note that since I am not in a position to judge how dangerous
it would be to release details on exactly how I did this, I will not
be releasing any details on how I did this for now just in case it
turns out to be something more dangerous than I realised.
Even if I did feel it was ok to disclose it, I'd also want to play
with it a bit more before reporting it anyway in order to see if
I could simplify the triggering mechanism.
If this were a normal kernel mode crash then the process would be
simple: report it via a secure mechanism and then release details
after the patch was released.
Unfortunately, with the supervisor mode access available on VMS
I am not really in a position to judge whether being able to get
into DCL supervisor mode is harmless and doesn't even warrant an
urgent patch or whether this could be something dangerous if it
did turn out to be exploitable.
Simon.
--
Simon Clubley, ***@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world