


The thing to remember is that the command run by STRPCCMD runs under the same 
user profile as the user currently signed on to the PC.

So anything sent by STRPCCMD can't do any more damage than the user could be 
doing a "Start"-->"Run".  If the user should be able to start a REXEC client, 
then they shouldn't be allowed to start a REXEC client using any means.

Now I suppose, one could theorize that a "bad" iSeries user could put STRPCCMD 
in a CL or other HLL program such that the command is inadvertently used by a 
PC user with Admin Privileges to his/her PC or the entire Network.

Let's disregard the fact that it is well known that you shouldn't be using a PC 
Admin profile for regular work and that having a 5250 session to the iSeries 
would probably be considered regular work.

So our theoretical "bad" iSeries person would have to be someone with enough 
iSeries authority to 
1) Create programs
2) Put them someplace where another user could/would call them.

Given those requirements, I'd say the "bad" iSeries person's ability to run 
commands on your PC is the least of your worries.

The only place this might be a viable exploit is in larger shops that have a 
distinct separation between iSeries Admins and PC/Network Admins.  As an 
iSeries Admin I could set something up so that when the PC Admin signed onto 
the iSeries STRPCCMD would be used to give myself Admin privileges to the 
network.

Of course, with such a distinct separation between PC/iSeries why would the PC 
guy be signing onto the iSeries?  Particularly while signed onto his PC 
with his admin profile?


Charles Wilt
iSeries Systems Administrator / Developer
Mitsubishi Electric Automotive America
ph: 513-573-4343
fax: 513-398-1121
 

> -----Original Message-----
> From: midrange-l-bounces@xxxxxxxxxxxx
> [mailto:midrange-l-bounces@xxxxxxxxxxxx]On Behalf Of Steve Richter
> Sent: Monday, April 25, 2005 2:05 PM
> To: Midrange Systems Technical Discussion
> Subject: Re: Re: Recent bugtraq postings
> 
> 
> On 4/25/05, Patrick Botz <pcbotz@xxxxxxxxx> wrote:
> > These are my opinions only. They do not necessarily reflect the opinions of
> > my employer...
> > 
> > Just a couple examples of inaccuracies
> > 
> > 
> >    2. Claim: OS400 has a security exposure because a bad person could
> >   use commands on OS400 to do bad things on Windows.
> >   Implication: OS400 causes the exposure.
> >   Clarification: The fact that you can use information from a connection
> >   established by windows to perform windows commands unrelated to the
> >   connection is not an exposure of another system that "COULD" take advantage
> >   of it. It is a windows exposure. It's something that needs to be managed or
> >   fixed in Windows.
> 
> What is unclear to me is if client access, an IBM software product, is
> set by default to allow STRPCCMD to start a service like REXEC on a
> PC.  If so, then that is a case of IBM software contributing to the
> security exposure of a network.  Is that correct?
> 
> Would still like to know if a PC user account, compared to super user
> and administrator, can do any harm on a PC.
> 
> -Steve
> 


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
