Re: IBM i for Wintel Hackers - Silent Signal TROOPERS24 Presentation

Hello Rob,

Am 16.09.2024 um 20:23 schrieb Rob Berendt <robertowenberendt@xxxxxxxxx>:

I read the overview and it seems to have a real problem with the concept of using a library list. Their fear is that someone could put a version of the program higher in a library list which, while it has the same name, does something completely different.

This is an almost 1:1 transfer of an attack vector on UNIX systems, where the current directory is automatically first to be searched for launchable objects (binaries, scripts with the x flag set).

Usually, the global /tmp directory, writable by anyone, has been abused for that purpose. Place a rogue "ls" there, wait until someone does a cd /tmp and ls. It's not applicable 1:1 to IBM i because there is no global QTEMP, but it's job specific.

Their cure is to hardcode all program calls. So, instead of CALL MYPGM you use CALL MYLIB/MYPGM. This would play havoc with rolling out changes and test libraries.

Security often contradicts the necessities of daily work. Security research shows weak spots and the responsible sysadmin tries to implement a good middle ground between security and pragmatic approach so people can actually do their jobs.

To show case an extreme measure: If you want to be 100% secure, take all of the storage and servers, disconnect them from power and network and put them into a large safe. No work can be done, though.

Well, if I can stick this in a library higher in the library list, what's to stop me from sticking it into the original library?

That the original library or the original object has authorization settings which prevent a simple replacement.

:wq! PoC