Whether you consider PASE part of i5/OS or not, the fact that it is on the
system and there are OS programs running in it, and because arbitrary
commands executed in PASE can manipulate native i5/OS objects, means that
a buffer overflow attack against PASE can theoretically put the native
i5/OS stuff at risk.
Now, this doesn't mean the sky is falling. It doesn't mean that because
it is possible, that there are holes. It just means that you can run
programs in PASE that are susceptible to buffer overflow attacks. It means
that you have to understand which pieces of i5/OS run in PASE. The most
obvious piece -- and the one that has had buffer overflow patches for
previous versions -- is the DNS server. i5/OS uses the AIX DNS server, if
that is ever patched for security reasons, most likely you will see an
i5/OS PTF (which in all likelyhood will just replace the same AIX binary
shipped with i5/OS).
IBM STG Lab Services Security Practice
work: 507 253 0917 mobile: 507 250 5644
midrange-l-bounces@xxxxxxxxxxxx wrote on 10/22/2007 06:25:25 PM:
From: Patrick Botz
This is mostly true, but not universally true. Anything that runs in
PASE environment under i5/OS is susceptible to a buffer overflow
just like a standard LUW. So you can't just assume that no matter
is, it won't affect i5/OS.
I guess it depends on your definition of i5/OS. Me, I don't consider
to be i5/OS. But that's just me.