So you are saying they can get to the PASE command line interface from
an application.  We would not get a CPF message as we would in RPGLE and
have the application stop running.  I think I am going to write my own
DNS server in RPGLE.  Just think: use the native DB to store your DNS
entries.  Sounds like a fun project to play with in my spare time.
(Like I have any.)
Chris Bipes 
Director of Information Services 
CrossCheck, Inc.
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Patrick Botz
Sent: Tuesday, October 23, 2007 8:55 AM
To: Midrange Systems Technical Discussion
Subject: RE: DB2UDB hack
They would have the rights of whatever userID under which the PASE
application being attacked is running.  If this profile had *ALLOBJ
security, they could do anything they wanted on the entire system, not
just in the PASE environment (PASE was designed to allow calls to native
i5/OS stuff).  But even just using standard Unix file system commands
(e.g. ls, cat, cp, rm, etc...), they could manipulate most of the data
on the machine.
midrange-l-bounces@xxxxxxxxxxxx wrote on 10/22/2007 06:01:22 PM:
My question is this, if a successful PASE buffer overflow is
accomplished under i5/OS, what can the hacker hope to accomplish?
What rights would they have to the rest of the system?