Adam Thornton wrote:
It was _2600_ Magazine in 1992 or so.
They had an actually sort-of-useful VM hack in there too (possibly a
different issue), about, if you were a class B user, being able to
lock a real page in memory and then edit it to escalate yourself to
class A (or any class, really).
The problem with that is, of course, that if you're class B, you pretty
much own the machine already anyway. A *much* more interesting hack
would have been class G to something useful, but no one I've talked to
can remember a VM exploit since at least the early 1980s that allowed
a Class G user to escape and compromise the hypervisor. If anyone
*does* know of a more recent privilege-escalation attack, I'd be
interested in hearing about it.
Adam
The last major hole I can recall was in the late 80s or early 90s IIRC,
where it was discovered that when sending an SMSG to an SVM (I think it
was RSCS) which included a CP command, the SVM would blindly execute
multiple CP commands if they were chained with CP Newline character. If
the SVM had any special privs ...well you get the idea. It was patched
very quickly.
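The SMSG problem described above is a classic command-injection shape: a service machine treats a message as one command, but the command processor it forwards to honours embedded line-end characters as command separators. The following is an added illustration, not code from either poster or from RSCS or CP; it assumes, for illustration only, that the separators are the EBCDIC NL byte (X'15') and the CP logical line-end character '#', and it uses constructed, benign sample messages. It shows the vulnerable splitting behaviour beside a hardened check that accepts exactly one allow-listed command and rejects anything carrying a separator or other control character.

```python
# Added illustration of the SMSG/SVM chaining issue from the thread.
# Not the original SVM or CP code; delimiters below are assumptions.

# Assumed separators: EBCDIC NL (X'15') and the CP logical line end '#'.
COMMAND_SEPARATORS = ("\x15", "#")


def split_chained_commands(message: str) -> list[str]:
    """The weak behaviour the thread describes: every separator is honoured,
    so one SMSG can carry several CP commands that all get executed."""
    parts = [message]
    for sep in COMMAND_SEPARATORS:
        parts = [piece for chunk in parts for piece in chunk.split(sep)]
    return [p.strip() for p in parts if p.strip()]


def validate_single_command(message: str, allowed_verbs: frozenset[str]) -> str:
    """Hardened handling: accept exactly one command whose verb is on an
    allow-list; raise ValueError for separators, control bytes, or
    unknown verbs. Returns the normalised command text."""
    for sep in COMMAND_SEPARATORS:
        if sep in message:
            raise ValueError("embedded command separator rejected")
    # Any other non-printable byte is also refused rather than forwarded.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in message):
        raise ValueError("control character rejected")
    cleaned = message.strip()
    verb, _, _ = cleaned.partition(" ")
    if not verb or verb.upper() not in allowed_verbs:
        raise ValueError(f"command verb not permitted: {verb!r}")
    return cleaned


def is_safe_command(message: str, allowed_verbs: frozenset[str]) -> bool:
    """Boolean wrapper around validate_single_command for callers that
    want a yes/no answer (and for the tests below)."""
    try:
        validate_single_command(message, allowed_verbs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample messages; both commands are harmless queries.
    chained = "QUERY TIME#QUERY NAMES"
    allowed = frozenset({"QUERY"})
    print("weak SVM would run:", split_chained_commands(chained))
    print("hardened SVM accepts chained message:", is_safe_command(chained, allowed))
    print("hardened SVM accepts single query:", is_safe_command("QUERY TIME", allowed))
```

The essential difference is that the hardened path never hands the raw message to the command processor: it refuses any byte that the processor might interpret as a boundary, and it constrains the verb to what the service machine actually needs, so the service machine's privilege class is not lent out to arbitrary commands.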