On Sep 17, 2024, at 6:41 AM, Patrik Schindler <poc@xxxxxxxxxx> wrote:
Hello Rob,
On 16.09.2024 at 20:23, Rob Berendt <robertowenberendt@xxxxxxxxx> wrote:
> I read the overview and it seems to have a real problem with the concept of using a library list. Their fear is that someone could put a version of the program higher in a library list which, while it has the same name, does something completely different.
This is an almost 1:1 transfer of an attack vector on UNIX systems, where the current directory is automatically first to be searched for launchable objects (binaries, scripts with the x flag set).
Usually, the global /tmp directory, writable by anyone, has been abused for that purpose. Place a rogue "ls" there, wait until someone does a cd /tmp and ls. It's not applicable 1:1 to IBM i because there is no global QTEMP, but it's job specific.
> Their cure is to hardcode all program calls. So, instead of CALL MYPGM you use CALL MYLIB/MYPGM. This would play havoc with rolling out changes and test libraries.
Security often contradicts the necessities of daily work. Security research shows weak spots and the responsible sysadmin tries to implement a good middle ground between security and a pragmatic approach so people can actually do their jobs.
To showcase an extreme measure: If you want to be 100% secure, take all of the storage and servers, disconnect them from power and network and put them into a large safe. No work can be done, though.
> Well, if I can stick this in a library higher in the library list, what's to stop me from sticking it into the original library?
That the original library or the original object has authorization settings which prevent a simple replacement.
:wq! PoC
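
The UNIX search-path weakness described in the message above (current directory searched first, directories writable by anyone) can be checked for mechanically. The following is an added example, not part of the original message: a POSIX shell function that flags such entries in a PATH-style list. The name `audit_path` and the sample directories are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag entries in a PATH-style search
# list where someone else could plant a same-named program ahead of the
# real one. Prints "entry: reason" per finding; returns 1 if any were found.
audit_path() {
    list=$1
    findings=0
    # A leading, trailing or doubled ':' is an empty entry, which the shell
    # treats as the current directory.
    case ":$list:" in
        *::*) echo "(empty): searched as current directory"
              findings=$((findings + 1)) ;;
    esac
    # Split on ':' without globbing; only the function's own positional
    # parameters are replaced, the caller's are untouched.
    old_ifs=$IFS; set -f; IFS=:
    set -- $list
    IFS=$old_ifs; set +f
    for dir do
        [ -n "$dir" ] || continue
        case $dir in
            /*) ;;
            *)  echo "$dir: relative entry, resolved against current directory"
                findings=$((findings + 1))
                continue ;;
        esac
        # -prune keeps find from descending; -perm -0002 = writable by others.
        if [ -n "$(find -L "$dir" -prune -perm -0002 -print 2>/dev/null)" ]; then
            echo "$dir: world-writable directory"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: one locked-down directory, one open like /tmp.
demo=$(mktemp -d)
mkdir "$demo/safe" "$demo/open"
chmod 755 "$demo/safe"
chmod 1777 "$demo/open"
audit_path ".:$demo/safe:$demo/open" || echo "search list needs attention"
```

Calling `audit_path "$PATH"` applies the same checks to the live search path of the current shell.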
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].