So you are saying they can get to the PASE command line interface from
an application. We would not get a CFP message as we would in RPGLE and
have the application stop running. I think I am going to write my own
DNS server in RPGLE. Just think: use the native DB to store your DNS
entries. Sounds like a fun project to play with in my spare time.
(Like I have any.)
Director of Information Services

[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Patrick Botz
Sent: Tuesday, October 23, 2007 8:55 AM
To: Midrange Systems Technical Discussion
Subject: RE: DB2UDB hack

They would have the rights of whatever userID under which the PASE
application being attacked is running. If this profile had *ALLOBJ
security, they could do anything they wanted on the entire system, not
just in the PASE environment (PASE was designed to allow calls to native
i5/OS stuff). But even just using standard Unix file system commands
(e.g. ls, cat, cp, rm, etc...), they could manipulate most of the data

midrange-l-bounces@xxxxxxxxxxxx wrote on 10/22/2007 06:01:22 PM:

My question is this, if a successful PASE buffer overflow is
accomplished under i5/OS, what can the hacker hope to accomplish?
rights would they have to the rest of the system?