SecureMyi.com Security and Systems Management Newsletter for the IBM i             October 22, 2014 - Vol 4, Issue 18
Feature Article

I Can Be You!   Exploiting Unsecured User Profiles

By Dan Riehl - SecureMyi.com

As an IBM i security consultant, I have the opportunity to help companies uncover flaws in their security implementation and determine the best way to fix the problems found. One of the major security risks that I find to be quite common in both large and small companies is unsecured user profile (*USRPRF) objects. The point of this article is to explain this risk, and HOW TO FIX the problem!

Let's say for a minute that I'm an inquisitive programmer or contractor at your shop. I want to look at things, or do things, that IBM i security prohibits me from doing, like reading the production payroll file or, worse yet, modifying some records in it. Since my own user profile is not even allowed to read the file, I need a way to get an elevated level of authority before the system will let me at it. One particularly easy way to do this on most IBM i installations is to steal the authorities of a user profile more powerful than mine, perhaps even QSECOFR. Elevating my own authorities through what I call the "Profile Hijack" can be painfully easy at system security level (QSECURITY) 30 and below, and even at security levels 40 and 50 it is doable on almost every system I have seen. Once I have hijacked a more powerful profile, I can run commands as that profile, and probably use it to elevate my own user profile's authority until I can get at ANY file on the system.

So, How do I Become YOU?   Hijacking a User Profile?

One of the reports I run during an IBM i vulnerability assessment is the "Public Authorities Report" for user profile objects. It lists every user profile whose *PUBLIC authority is anything other than the default, AUT(*EXCLUDE). The command that produces the report is Print Public Authority:

PRTPUBAUT OBJTYPE(*USRPRF)

The sample output of this command is shown below in Figure 1. In a moment I'll explain to you the significance of profiles listed in this report.

Another related report that I run is the "Private Authorities Report" for user profile objects. This report, shown in Figure 2 below, lists any individual or group profile that holds an explicit private authority to another user profile. The command that produces it is Print Private Authority:

PRTPVTAUT OBJTYPE(*USRPRF)

Deciphering the output

Before diving into the reports, we need to understand what constitutes a clear vulnerability for the User Profile "Hijack". Let me provide an explanation of the problem.

If I have even *USE rights, or better (e.g. *CHANGE or *ALL), to someone else's user profile, I can "hijack" that profile and run commands under it. It can be as simple as running the SBMJOB command with the name of the hijacked user profile in the USER parameter, as in:

SBMJOB CMD(CPYF FROMFILE(PAYROLL) TOFILE(*PRINT))   USER(PAYUSER)

(Here PAYUSER is a user profile that has at least read rights, AUT(*USE), to the PAYROLL file, and I hold at least *USE authority to the PAYUSER user profile object itself.)

This SBMJOB command submits a batch job that runs under the PAYUSER user profile and prints the records of the payroll file: records that my own authority does not let me read, but that PAYUSER can.
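Turning that rule into a check: the script below is an added example, not code from the article or its author. It takes authority entries for *USRPRF objects, flags every user, group or *PUBLIC entry that amounts to *USE or better (the threshold for SBMJOB USER()), and emits the GRTOBJAUT/RVKOBJAUT commands that close each hole. The rows are constructed for the example and only loosely modelled on what DSPOBJAUT OBJTYPE(*USRPRF) OUTPUT(*OUTFILE) produces; the field names and sample profiles (PAYUSER, JOE, PGMRGRP, APPOWNER, MARY) are assumptions, not the QAOBJAUT record layout or anyone's real system.

```python
# Added example (not from the SecureMyi article or its author): evaluate
# authority entries on *USRPRF objects and emit the CL that closes each hole.
#
# The rows below are CONSTRUCTED for this example. They are modelled on the
# one-row-per-user entries you get from DSPOBJAUT OBJ(QSYS/name)
# OBJTYPE(*USRPRF) OUTPUT(*OUTFILE), but the field names and the sample
# data are this example's own assumptions, not the QAOBJAUT record layout.
from dataclasses import dataclass

# SBMJOB USER(profile) requires *USE to the *USRPRF object; *CHANGE and *ALL
# include *USE, so any of these three lets another user hijack the profile.
HIJACKABLE_LEVELS = {"*USE", "*CHANGE", "*ALL"}


@dataclass(frozen=True)
class AuthEntry:
    profile: str          # the *USRPRF object being examined
    owner: str            # owner of that profile object
    user: str             # *PUBLIC, a user profile, or a group profile
    authority: str        # *EXCLUDE, *USE, *CHANGE, *ALL or "USER DEF"
    objopr: bool = False  # object/data authorities that matter for "USER DEF"
    read: bool = False
    execute: bool = False


def grants_use(entry):
    """True if the entry gives at least *USE, the threshold for SBMJOB USER()."""
    if entry.authority in HIJACKABLE_LEVELS:
        return True
    # A user-defined authority is at least *USE when it carries the three
    # authorities *USE is made of: *OBJOPR, *READ and *EXECUTE.
    return (entry.authority == "USER DEF"
            and entry.objopr and entry.read and entry.execute)


def find_hijackable(entries):
    """Map each exposed profile to the sorted list of users who can hijack it.

    The owner row is skipped: an owner always has full rights, so ownership
    of a profile is reviewed as its own question (CHGOBJOWN), not as a grant.
    Users holding *ALLOBJ special authority are not visible here either; they
    can use every profile regardless of object authority.
    """
    findings = {}
    for e in entries:
        if e.user == e.owner:
            continue
        if grants_use(e):
            findings.setdefault(e.profile, []).append(e.user)
    return {profile: sorted(users) for profile, users in findings.items()}


def remediation_cl(findings):
    """CL to restore *PUBLIC *EXCLUDE and revoke every private authority found."""
    cmds = []
    for profile, users in sorted(findings.items()):
        for user in users:
            if user == "*PUBLIC":
                cmds.append(f"GRTOBJAUT OBJ(QSYS/{profile}) OBJTYPE(*USRPRF) "
                            f"USER(*PUBLIC) AUT(*EXCLUDE)")
            else:
                cmds.append(f"RVKOBJAUT OBJ(QSYS/{profile}) OBJTYPE(*USRPRF) "
                            f"USER({user}) AUT(*ALL)")
    return cmds


# Constructed sample: PAYUSER is exposed three ways, APPOWNER and OPERATOR are not.
SAMPLE_ENTRIES = [
    AuthEntry("PAYUSER", "QSECOFR", "QSECOFR", "*ALL"),           # owner row
    AuthEntry("PAYUSER", "QSECOFR", "*PUBLIC", "*USE"),           # public *USE
    AuthEntry("PAYUSER", "QSECOFR", "JOE", "*CHANGE"),            # private grant
    AuthEntry("PAYUSER", "QSECOFR", "PGMRGRP", "USER DEF",        # group profile whose
              objopr=True, read=True, execute=True),              # user-defined auth = *USE
    AuthEntry("APPOWNER", "QSECOFR", "*PUBLIC", "*EXCLUDE"),
    AuthEntry("APPOWNER", "QSECOFR", "MARY", "USER DEF", objopr=True),  # *OBJOPR alone is not *USE
    AuthEntry("OPERATOR", "QSECOFR", "*PUBLIC", "*EXCLUDE"),
]

if __name__ == "__main__":
    exposed = find_hijackable(SAMPLE_ENTRIES)
    for profile, users in exposed.items():
        print(f"{profile}: hijackable by {', '.join(users)}")
    print("\n".join(remediation_cl(exposed)))
```

Before running the generated RVKOBJAUT commands, check whether an application actually depends on the grant (some vendor packages grant *USE to their owning profile on purpose, and a group profile entry affects every member of the group); the goal is *PUBLIC *EXCLUDE on every profile and no private authority that a job-submitting user can reach.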

Read More . .

In This Issue


Featured Article - I Can Be You!

Featured Video - Hijack a User Profile

Security Shorts - Use Remote Command

Industry News and Calendar

Security Resources

Our Newsletter Sponsors


Platinum Sponsor

    The 400 School, Inc


Gold Sponsor

    PowerTech

    Skyview Partners, Inc

Silver Sponsor

    Cilasoft Security Solutions


Featured YouTube Educational Video

IBM i Security - Are your User Profiles Vulnerable to Profile Hijacking?

Featured Video - Hijack a User Profile

Security News and Events


Security Related News for IBM i

Bytware Announces StandGuard Anti-Virus version 7.2
Bytware, a division of HelpSystems, announces a new version of its StandGuard Anti-Virus software for IBM i, AIX, and Linux. This update incorporates the McAfee 5700 scan engine, which improves performance and threat detection.

(Editor's Note: When you expose IFS (Integrated File System) directories as network shares, it is very important to watch and scan those directories for viruses and other malware, just as you do your Windows-based shares.)

Read the Bytware Press Release


Live Security Related Webcasts and Training for IBM i

October Events

Part-Time Privileges: Accountability for Powerful Users
Live Webcast - Presented by Powertech
Wednesday, Oct 22 1:00pm CT
More Information and Register to Attend

COMMON 2014 Fall Conference & Expo
Oct 27 - 29
Hyatt Regency Indianapolis - Indianapolis, Indiana
More Information and Register to Attend

Coffee with Carol: Configuring iAccess Servers to use SSL
with Carol Woodbury

Live Webcast - Presented by Skyview Partners
Wednesday, Oct 29 10:00am CDT
More Information and Register to Attend

November Events

Live Hands-On - Security Audit and Vulnerability Assessment Workshop for IBM i, iSeries, AS/400 with Dan Riehl

Training Workshop - Nov 11-14 - Presented by The 400 School, Inc.
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - IBM i, iSeries System Administration and Control Workshop with Dan Riehl

Training Workshop - Nov 17-21 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Security Shorts

Using RMTCMD.exe to Run Multiple CL Commands

By Dan Riehl - SecureMyi.com

I have written often about using the IBM i Access command RMTCMD.exe to send commands from your Windows or Linux system to IBM i. But did you know that you can also send multiple commands with one execution of RMTCMD.exe?

The syntax used to send multiple commands is:

rmtcmd /I rmtcmds.txt

(Where rmtcmds.txt is the name of a text file containing the list of commands to be executed.)

Here is an example. Using Notepad, enter the Control Language commands that are to be executed, one per line, and save them to a text file. Here's a set you can try:

CRTLIB LIB(MYTESTLIB) TYPE(*TEST) TEXT('My Test Library')
CRTPF FILE(MYTESTLIB/MYTESTFILE) RCDLEN(500) TEXT('My Test file')
GRTOBJAUT OBJ(MYTESTLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*EXCLUDE)
SBMJOB CMD(CALL PGM(MYTESTPGM)) JOB(MYTEST)

Run the rmtcmd.exe specifying the name of the file which contains the commands.

C:\>rmtcmd /I rmtcmds.txt

Here is the result. (Note: depending on your IBM i Access settings, you may be prompted to sign on.)

IBM i Access for Windows
Version 7 Release 1 Level 0
Submit Remote Command
(C) Copyright IBM Corporation and Others 1984, 2010. All rights reserved.
U.S. Government Users Restricted Rights - Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.
Licensed Materials - Property of IBM

The remote system name is MYSYSTEM.
CRTLIB LIB(MYTESTLIB) TYPE(*TEST) TEXT('My Test Library')
CPC2102 - Library MYTESTLIB created.
CRTPF FILE(MYTESTLIB/MYTESTFILE) RCDLEN(500) TEXT('My Test file')
CPC7301 - File MYTESTFILE created in library MYTESTLIB.
CPC7305 - Member MYTESTFILE added to file MYTESTFILE in MYTESTLIB.
GRTOBJAUT OBJ(MYTESTLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*EXCLUDE)
CPI2201 - Authority given to user *PUBLIC for object MYTESTLIB in QSYS object type *LIB.
CPC2201 - Object authority granted.
SBMJOB CMD(CALL PGM(MYTESTPGM)) JOB(MYTEST)
CPC1221 - Job 115263/MYUSER/MYTEST submitted to job queue QBATCH in library QGPL.
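Because rmtcmd echoes each command and then the messages it produced, the output above can be checked by a script instead of by eye. The following is an added example, not code from the article or from IBM: it builds the command file for "rmtcmd /I", can run it, and reports which commands failed. It assumes (this is not stated in the article) that rmtcmd.exe writes the echoed commands and messages to standard output in the layout shown above, and it uses the heuristic that a message ID beginning with CPF or CPD is an escape or diagnostic message (failure) while CPC and CPI IDs are completion and informational messages. The transcript inside the script is constructed; the CPF2111 line stands in for a CRTLIB repeated on a system where the library already exists.

```python
# Added example (not from the SecureMyi article or from IBM): build the
# command file for "rmtcmd /I", run it, and report which CL commands failed.
#
# Assumptions of this example, not facts from the article: that rmtcmd.exe
# writes the echoed commands and their messages to standard output in the
# layout the article shows, and that a message whose ID starts with CPF or
# CPD is a failure (escape/diagnostic) while CPC/CPI IDs are completion or
# informational messages. SAMPLE_OUTPUT below is CONSTRUCTED.
import re
import subprocess

# IBM i message IDs are three letters plus four alphanumerics, e.g. CPC2102.
MSG_LINE = re.compile(r"^([A-Z]{3}[0-9A-Z]{4}) - (.*)$")
FAILURE_PREFIXES = ("CPF", "CPD")


def command_file_text(commands):
    """One CL command per line, which is the form rmtcmd /I expects."""
    return "\n".join(cmd.strip() for cmd in commands if cmd.strip()) + "\n"


def parse_rmtcmd_output(text):
    """Pair each echoed command with the message IDs that followed it.

    Returns a list of dicts: {"command": str, "messages": [ids], "ok": bool}.
    """
    results = []
    current = None
    past_banner = False
    for raw in text.splitlines():
        line = raw.strip()
        if not past_banner:
            # Everything up to and including "The remote system name is ..."
            # is the product banner; the echoed commands start after it.
            past_banner = line.startswith("The remote system name is")
            continue
        if not line:
            continue
        m = MSG_LINE.match(line)
        if m and current is not None:
            msg_id = m.group(1)
            current["messages"].append(msg_id)
            if msg_id.startswith(FAILURE_PREFIXES):
                current["ok"] = False
        else:
            current = {"command": line, "messages": [], "ok": True}
            results.append(current)
    return results


def failed_commands(results):
    """The echoed text of every command that produced a failure message."""
    return [r["command"] for r in results if not r["ok"]]


def run_command_file(path, rmtcmd="rmtcmd"):
    """Run rmtcmd /I <path> (it may prompt for sign-on) and parse its output."""
    proc = subprocess.run([rmtcmd, "/I", path], capture_output=True, text=True)
    return parse_rmtcmd_output(proc.stdout)


# Constructed transcript in the article's layout, with the CRTLIB repeated on a
# system where MYTESTLIB already exists so that exactly one command fails.
SAMPLE_OUTPUT = """\
IBM i Access for Windows
Version 7 Release 1 Level 0
Submit Remote Command
The remote system name is MYSYSTEM.
CRTLIB LIB(MYTESTLIB) TYPE(*TEST) TEXT('My Test Library')
CPF2111 - Library MYTESTLIB already exists.
CRTPF FILE(MYTESTLIB/MYTESTFILE) RCDLEN(500) TEXT('My Test file')
CPC7301 - File MYTESTFILE created in library MYTESTLIB.
CPC7305 - Member MYTESTFILE added to file MYTESTFILE in MYTESTLIB.
GRTOBJAUT OBJ(MYTESTLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*EXCLUDE)
CPI2201 - Authority given to user *PUBLIC for object MYTESTLIB in QSYS object type *LIB.
CPC2201 - Object authority granted.
"""

if __name__ == "__main__":
    with open("rmtcmds.txt", "w") as f:
        f.write(command_file_text([
            "CRTLIB LIB(MYTESTLIB) TYPE(*TEST) TEXT('My Test Library')",
            "CRTPF FILE(MYTESTLIB/MYTESTFILE) RCDLEN(500) TEXT('My Test file')",
            "GRTOBJAUT OBJ(MYTESTLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*EXCLUDE)",
        ]))
    # Offline check against the constructed transcript. On a Windows PC with
    # IBM i Access installed, use run_command_file("rmtcmds.txt") instead.
    for cmd in failed_commands(parse_rmtcmd_output(SAMPLE_OUTPUT)):
        print("FAILED:", cmd)
```

Treat the CPF/CPD test as a first filter only: some CPF messages are informational and some failures surface as other prefixes (SQL, RNX, MCH), so anything unexpected should be looked at in the job log on the IBM i side.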

RMTCMD.exe Security Implications

While RMTCMD.exe is very useful, it also brings with it a serious security issue that you need to be aware of.

Limited capability users (LMTCPB(*YES)) can run CL commands using RMTCMD.exe. RMTCMD.exe does not honor the LMTCPB attribute of the user profile.

For more information on this topic, see the article The Reality of User Limited Capabilities LMTCPB(*YES) in the April 9, 2014 issue of the SecureMyi Security Newsletter.


Send your IBM i Security and Systems Management News and Events!
Send your Questions, Comments, Tips and Stories

Copyright 2014 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017