Joe,

Whether you consider PASE part of i5/OS or not, the fact that it is on the
system and there are OS programs running in it, and because arbitrary
commands executed in PASE can manipulate native i5/OS objects, means that
a buffer overflow attack against PASE can theoretically put the native
i5/OS stuff at risk.

Now, this doesn't mean the sky is falling. It doesn't mean that because
it is possible, that there are holes. It just means that you can run
programs in PASE that are susceptible to buffer overflow attacks. It means
that you have to understand which pieces of i5/OS run in PASE. The most
obvious piece -- and the one that has had buffer overflow patches for
previous versions -- is the DNS server. i5/OS uses the AIX DNS server, if
that is ever patched for security reasons, most likely you will see an
i5/OS PTF (which in all likelyhood will just replace the same AIX binary
shipped with i5/OS).

Thanks.

Patrick Botz
IBM STG Lab Services Security Practice
botz@xxxxxxxxxx
work: 507 253 0917 mobile: 507 250 5644
http://www.ibm.com/systems/services/labservices

midrange-l-bounces@xxxxxxxxxxxx wrote on 10/22/2007 06:25:25 PM:

From: Patrick Botz

This is mostly true, but not universally true. Anything that runs in
the
PASE environment under i5/OS is susceptible to a buffer overflow
attack
just like a standard LUW. So you can't just assume that no matter
what it
is, it won't affect i5/OS.

I guess it depends on your definition of i5/OS. Me, I don't consider
PASE
to be i5/OS. But that's just me.

Joe


This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].