
An MI program can create a system pointer, and the CALLX instruction will
call the program that the system pointer points to.

Theoretically, an MI program can root around in the automatic, static and
heap storage space of a job, looking for system pointers, then materialize
the pointer to determine the program that the system pointer points to.
Once you find the pointer you are looking for, your MI code replaces that
pointer with one that points to another program.

Let's say you have such an MI program but you can't restore it on the system.
A CL or RPG program can, on the fly, build an array containing the MI
statements of an MI program.  Then, if you are authorized, your CL program
can call the QPRCRTPG API.  That API will compile the MI source code in the
array and create a program.

What if you want code that runs every time an RPG program writes to a
database file or reads from a display device?  The SEPT ( system entry point
table ) of a job contains resolved pointers to system programs.  Not sure if
a job can write to the SEPT, but if it can, an MI program could hook an
entry in the SEPT - say one of the data management programs that handles
database file I/O in an RPG400 program.  Once hooked, every subsequent call
in the job to that SEPT entry would actually call your MI program.  Your MI
program would run, do whatever special processing you want it to do, then in
turn call the actual system program with the parms unchanged.  An example of
this might be to intercept writes to a display device and redirect the I/O
to a web browser.

All theory of course. The SEPT hook is something I always wanted to try but
did not have the nerve for.  What is the worst that could happen?  A system
crash??

-Steve

-----Original Message-----
From: mi400-bounces@xxxxxxxxxxxx [mailto:mi400-bounces@xxxxxxxxxxxx]On
Behalf Of Walden H. Leverich
Sent: Tuesday, July 19, 2005 4:09 PM
To: mi400-l@xxxxxxxxxxxx
Subject: [MI400] Buffer overflow and code execution on iSeries


On the Midrange-L list someone made the following comment about BIND and
buffer overrun.

>remote execution via buffer overflow doesn't seem likely or possible on an
>iSeries box.

Now, that got me thinking, and maybe I just need to go read Leif's book
again, but...

Program A has its storage space, and let's say there's a field called
'FLD1' in that space, now, as we all know, when I call program B and pass it
FLD1 as a parm, only the address goes over, so if FLD1 is 30 bytes in
program A, but it's 60 bytes in program B I can overwrite whatever is in
memory after FLD1 in program A. Now, that _might_ be FLD2, right?

What if FLD2 is the pointer to program C. Could program B change the value
in FLD2 such that on the next attempted call to program C I actually called
something else? Is this where I'd get caught by the tagged-pointer
validation? But couldn't I load the appropriate values into the memory to
make a valid pointer, I know you can create one per-Leif's book.

So, as I'm thinking about it, code execution via buffer overrun is unlikely,
nay, VERY unlikely, on iSeries, but it _is_ possible. Right?

-Walden

------------
Walden H Leverich III
Tech Software
(516) 627-3800 x11
WaldenL@xxxxxxxxxxxxxxx
http://www.TechSoftInc.com

Quidquid latine dictum sit, altum videtur.
(Whatever is said in Latin seems profound.)


_______________________________________________
This is the MI Programming on the AS400 / iSeries (MI400) mailing list
To post a message email: MI400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/mi400
or email: MI400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/mi400.
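The parameter-length mismatch Walden describes (FLD1 is 30 bytes in program A but program B treats it as 60, so B's write spills into whatever follows FLD1, here a pointer FLD2), modelled as an added example that is not part of the original thread. The model reflects the tagged-pointer design the thread refers to: every 16-byte pointer granule carries an out-of-band tag bit, an ordinary data store into that granule clears the tag, and a CALLX through an untagged granule fails validation. The flat 64-byte storage area, the per-granule tag array, the offsets of FLD1 and FLD2, and the one-byte program ids are assumptions of the model, not anything from the page or from IBM's implementation.

```c
#include <stdio.h>
#include <string.h>

/* Model of program A's automatic storage: a flat byte array plus one tag bit
 * per 16-byte granule. The tag array stands in for the hardware tag bits the
 * machine keeps out of band (this is a constructed model, not real MI). */
#define STORAGE_BYTES 64
#define GRANULE 16
#define NGRANULES (STORAGE_BYTES / GRANULE)

typedef struct {
    unsigned char bytes[STORAGE_BYTES];
    int tag[NGRANULES];   /* 1 = granule holds a valid (tagged) pointer */
} storage_t;

/* Assumed layout: FLD1 is 30 bytes at offset 0; FLD2, a 16-byte pointer,
 * sits in the next pointer-aligned granule at offset 32. */
#define FLD1_OFF 0
#define FLD1_LEN 30
#define FLD2_OFF 32

/* Ordinary data store: every granule it touches loses its tag. */
static void store_bytes(storage_t *s, size_t off, const unsigned char *src, size_t n) {
    for (size_t i = 0; i < n && off + i < STORAGE_BYTES; i++) {
        s->bytes[off + i] = src[i];
        s->tag[(off + i) / GRANULE] = 0;
    }
}

/* Pointer store: the only operation that sets a tag. The pointer image is
 * opaque here; the target program's id is kept in the first byte. */
static void store_pointer(storage_t *s, size_t off, unsigned char target) {
    memset(&s->bytes[off], 0, GRANULE);
    s->bytes[off] = target;
    s->tag[off / GRANULE] = 1;
}

/* CALLX through a granule: the target id if the tag is intact, -1 if the
 * pointer fails validation. */
static int callx(const storage_t *s, size_t off) {
    if (!s->tag[off / GRANULE]) return -1;
    return s->bytes[off];
}

/* Program B as described in the post: it believes the parameter is 60 bytes
 * and fills all of them, overrunning FLD1 in A's storage. */
static void program_b_unchecked(storage_t *a, size_t parm_off) {
    unsigned char fill[60];
    memset(fill, 'X', sizeof fill);
    store_bytes(a, parm_off, fill, sizeof fill);
}

/* Hardened program B: the caller passes the parameter's real length and B
 * never writes past it. */
static void program_b_checked(storage_t *a, size_t parm_off, size_t parm_len) {
    unsigned char fill[60];
    memset(fill, 'X', sizeof fill);
    store_bytes(a, parm_off, fill, parm_len < sizeof fill ? parm_len : sizeof fill);
}

/* Sets FLD2 to point at "program C", lets B run, then reports what a CALLX
 * through FLD2 yields: 'C' (67) if the pointer survived, -1 if the overrun
 * destroyed its tag. */
int scenario(int checked) {
    storage_t a;
    memset(&a, 0, sizeof a);
    store_pointer(&a, FLD2_OFF, 'C');
    if (checked)
        program_b_checked(&a, FLD1_OFF, FLD1_LEN);
    else
        program_b_unchecked(&a, FLD1_OFF);
    return callx(&a, FLD2_OFF);
}

int main(void) {
    printf("unchecked B: CALLX via FLD2 -> %d\n", scenario(0));
    printf("checked B:   CALLX via FLD2 -> %d\n", scenario(1));
    return 0;
}
```

The unchecked call shows the two halves of Walden's question at once: B can indeed clobber FLD2, but because the clobbering store is a data store, the granule's tag is cleared and the next CALLX is rejected rather than redirected. The checked variant shows the mitigation that matters on the caller/callee boundary: pass the parameter's actual length and make the callee honour it, so the write never reaches the neighbouring pointer.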
