Nefarious Masqueraders - AS/400 Trojan Horse programs
By Dan Riehl
Adapted from the book Power Tips for OS/400 Security
© 2003-2009 Dan Riehl, All rights reserved.
Ne-far-i-ous, adj. extremely wicked or villainous: a nefarious plot
Mas-quer-ade, v.i. to present oneself falsely
When I speak of a nefarious masquerader I am referring to a program that is inserted into the OS/400 operating system at a strategic position, masquerading as a legitimate program, to perform wicked or evil work: in other words, a Trojan horse. As an example, suppose your system start-up program QSTRUP were modified to run a PWRDWNSYS command and power the system down every time it is IPLed. Yikes. This is only one possible example, but in this article we'll explore some of the more obvious, and not so obvious, ways of introducing nefarious programs into OS/400.
For openers, one possibility is that these evil programs may be used to execute powerful commands when it is determined that the job is running under a powerful profile. For a simple example, a database trigger program can check who the current user of the job is. If it is QSECOFR, the trigger program can execute any command on the system. As in this CL sketch:
             PGM        PARM(&TRGBUF &TRGBUFLEN)
             DCL        VAR(&TRGBUF)    TYPE(*CHAR) LEN(2000) /* trigger buffer, not used here */
             DCL        VAR(&TRGBUFLEN) TYPE(*CHAR) LEN(4)    /* buffer length, not used here  */
             DCL        VAR(&USER)      TYPE(*CHAR) LEN(10)
             /* Current (effective) user profile of the job that touched the file */
             RTVJOBA    CURUSER(&USER)
             IF         COND(&USER *EQ 'QSECOFR') THEN(DO)
               /* Silently give the attacker's own profile full power */
               CHGUSRPRF  USRPRF(MYPROFILE) SPCAUT(*ALLOBJ *SECADM *AUDIT)
             ENDDO
             ENDPGM
Because the trigger fires inside the database request, the grant happens silently the first time a job running as QSECOFR updates the file: the security officer never typed CHGUSRPRF, and nothing on the screen looks any different.
Obviously, you need to be vigilant in protecting your system from these programs and monitor for their existence on a continuing basis. The following are some of the places you will want to protect and watch. This is not a comprehensive list, but it makes for a great start in protecting your system.
The system value QSTRUPPGM (System Start-Up Program)
This value names the program that is run automatically when the controlling subsystem starts at IPL; the shipped program, QSTRUP in library QSYS, starts your other subsystems, communications, and printers. It runs unattended, before anyone signs on, so if this system value or the program it names is changed, you may not be able to start your system, or the system may start with something extra running that nobody asked for.
The CHGSYSVAL command is restricted: it is shipped with *PUBLIC authority *EXCLUDE, but any user with *ALLOBJ special authority, or the IBM-supplied profiles QPGMR, QSYSOPR or QSRV, can set this value.
Not only must you protect against someone changing the name of the program in the system value, you must also protect against the program itself being changed. Restrict changes to the start-up program by securing it with a *PUBLIC authority of *USE (AUT(*USE) when it is created, or GRTOBJAUT afterwards), so that only its owner and users with *ALLOBJ authority can replace or recompile it, and secure its source file the same way, since anyone who can edit the source and recompile can change the program.
The best way to track this is to start security auditing and watch for changes to system values, which appear as SV entries in the QAUDJRN audit journal. You will also want to turn on object auditing for your start-up program, so that any replacement of it is journaled as well.
The system value QPWDVLDPGM (Password Validation Program)
This system value can name a program that is called when someone issues the CHGPWD command or uses the Change Password (QSYCHGPW) API. It is not called when a security officer sets a password with CRTUSRPRF or CHGUSRPRF. The purpose of a password validation program is normally to enforce additional rules over those available in the other password formation system values (QPWDMINLEN, QPWDRQDDIF and the rest). The IBM-shipped default for this system value is *NONE.
If a program name is specified in this system value, the program is passed, as parameters, the user ID and the old and new passwords in clear text, and it returns a return code that tells the system whether to accept the new password. Nothing stops such a program from also writing what it was passed to a file, which makes this the ideal spot for recording every password on the system as it is changed. The system value may also specify *REGFAC, in which case the OS/400 registration facility (exit point QIBM_QSY_VLD_PASSWRD, see Registered Exit Programs below) is used to maintain the name of the program; at password levels (QPWDLVL) 2 and 3 only *NONE and *REGFAC are permitted.
The best way to track this is to start security auditing and watch for changes to system values. If a program is named, make sure you know exactly what it is doing, read its source rather than trusting its name, and secure it with *PUBLIC authority *USE.
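To make the exposure concrete, here is what a legitimate password approval program looks like. This is an added example, not code from the article or from IBM; it assumes the four-parameter interface documented for QPWDVLDPGM (new password, old password, return code, user profile name, all character parameters), which you should confirm against the Security Reference for your release and password level before compiling. The point for this article is the first two parameters: whatever program sits behind this system value sees both passwords in clear text, so a program swapped in under the same name can record them just as easily as it can validate them.

```cl
/* PWDAPPR: sample password approval program for QPWDVLDPGM.          */
/* Added example, not from the article. Assumes the documented        */
/* parameter list: new password, old password, return code, user      */
/* profile name. The passwords arrive in clear text: never write them */
/* to a file, a message queue, a spooled file or a log.               */
             PGM        PARM(&NEWPWD &OLDPWD &RTNCDE &USER)
             DCL        VAR(&NEWPWD) TYPE(*CHAR) LEN(10)
             DCL        VAR(&OLDPWD) TYPE(*CHAR) LEN(10)
             DCL        VAR(&RTNCDE) TYPE(*CHAR) LEN(1)
             DCL        VAR(&USER)   TYPE(*CHAR) LEN(10)

             /* Fail closed: reject unless every rule below passes.   */
             /* '0' = accept the new password; anything else = reject */
             CHGVAR     VAR(&RTNCDE) VALUE('1')

             /* Rule 1: the new password must differ from the old one */
             IF         COND(&NEWPWD *EQ &OLDPWD) THEN(RETURN)

             /* Rule 2: the new password may not be the user name     */
             IF         COND(&NEWPWD *EQ &USER) THEN(RETURN)

             /* Rule 3: the new password may not begin with the first */
             /* three characters of the user name                     */
             IF         COND(%SST(&NEWPWD 1 3) *EQ %SST(&USER 1 3)) +
                          THEN(RETURN)

             /* All rules passed: approve                             */
             CHGVAR     VAR(&RTNCDE) VALUE('0')
             ENDPGM

/* Deploy (SECLIB is a placeholder for a library the public cannot    */
/* write to). The system value is a 20-character field: program name  */
/* in positions 1-10, library in 11-20, hence the padding blanks.     */
/*   CRTCLPGM PGM(SECLIB/PWDAPPR) SRCFILE(SECLIB/QCLSRC) AUT(*USE)    */
/*   CHGSYSVAL SYSVAL(QPWDVLDPGM) VALUE('PWDAPPR   SECLIB')           */
```

The program defaults the return code to reject and only sets '0' after every rule passes, so a coding slip cannot quietly approve everything. Once it is installed, the same DSPOBJAUT check you apply to the start-up program applies here: if anyone but the owner can replace SECLIB/PWDAPPR, the rules are worthless.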
The system value QATNPGM (Attention Key Handling Program)
The attention-key program allows a user to press the Attention key to leave their current application, use an alternate application, and then seamlessly return to their work at the point of exit. Attention programs are useful for IT staff because they give quick access to a command line without closing out of the current screen.
The shipped default is *ASSIST, which runs QEZMAIN, the Operational Assistant main menu, but the system value can be set to any program. The attention-key program can also be set at the user profile level, with the ATNPGM parameter of CRTUSRPRF and CHGUSRPRF, which overrides the system value for that user. Whichever program is named runs under the authority of the interactive user who pressed the key, so a replacement planted here runs with the authority of every operator and security officer who uses it.
If an attention-key handling program exists, including QEZMAIN, you must protect it from modification with *PUBLIC authority *USE.
The best way to track changes is to start security auditing and watch for changes to system values (SV entries) and changes to user profiles (CP entries). You will also want to turn on object auditing for any existing attention-key handling programs.
Other system values that specify a program name
You also need to monitor changes to these system values, as well as to the programs they name:
QPRBFTR (Problem log filter program)
QRMTSIGN (Remote sign-on control, which may be set to *FRCSIGNON, *SAMEPRF, *VERIFY, *REJECT or the name of a program that decides whether each remote sign-on is allowed)
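The system values above (QSTRUPPGM, QPWDVLDPGM, QATNPGM, QPRBFTR and QRMTSIGN) all share the same shape, a 20-character field holding either a program and library or a special value, so one program can baseline all of them. The following CL program is an added example, not from the article: it retrieves each value, compares it with a site baseline, and reports any drift to QSYSOPR and as a failed job. The baseline values are the IBM shipped defaults and are placeholders; set them to what your system is supposed to have before you rely on it.

```cl
/* CHKSECSV: compare the program-name system values against a site    */
/* baseline and report drift. Added example, not from the article.    */
/* Baseline values below are the IBM shipped defaults (placeholders): */
/* set them to what your system should have, then run this after      */
/* every IPL or from the job scheduler (ADDJOBSCDE).                  */
             PGM

             /* Each value is a 20-character field: program name in   */
             /* positions 1-10 and library in 11-20, or a special     */
             /* value such as *NONE. RTVSYSVAL returns it blank-padded */
             DCL        VAR(&STRUP)   TYPE(*CHAR) LEN(20)
             DCL        VAR(&PWDVLD)  TYPE(*CHAR) LEN(20)
             DCL        VAR(&ATN)     TYPE(*CHAR) LEN(20)
             DCL        VAR(&PRBFTR)  TYPE(*CHAR) LEN(20)
             DCL        VAR(&RMTSGN)  TYPE(*CHAR) LEN(20)
             DCL        VAR(&DRIFT)   TYPE(*LGL)  VALUE('0')

             /* Baseline (placeholders). Note the padding in the      */
             /* first one: 'QSTRUP' + 4 blanks + 'QSYS'.              */
             DCL        VAR(&BSTRUP)  TYPE(*CHAR) LEN(20) +
                          VALUE('QSTRUP    QSYS')
             DCL        VAR(&BPWDVLD) TYPE(*CHAR) LEN(20) VALUE('*NONE')
             DCL        VAR(&BATN)    TYPE(*CHAR) LEN(20) VALUE('*ASSIST')
             DCL        VAR(&BPRBFTR) TYPE(*CHAR) LEN(20) VALUE('*NONE')
             DCL        VAR(&BRMTSGN) TYPE(*CHAR) LEN(20) +
                          VALUE('*FRCSIGNON')

             RTVSYSVAL  SYSVAL(QSTRUPPGM)  RTNVAR(&STRUP)
             RTVSYSVAL  SYSVAL(QPWDVLDPGM) RTNVAR(&PWDVLD)
             RTVSYSVAL  SYSVAL(QATNPGM)    RTNVAR(&ATN)
             RTVSYSVAL  SYSVAL(QPRBFTR)    RTNVAR(&PRBFTR)
             RTVSYSVAL  SYSVAL(QRMTSIGN)   RTNVAR(&RMTSGN)

             /* One block per value: flag the drift and say what the  */
             /* value is now, so the operator sees the new program.   */
             IF         COND(&STRUP *NE &BSTRUP) THEN(DO)
               CHGVAR     VAR(&DRIFT) VALUE('1')
               SNDPGMMSG  MSG('QSTRUPPGM is now' *BCAT &STRUP) +
                            TOMSGQ(QSYSOPR)
             ENDDO
             IF         COND(&PWDVLD *NE &BPWDVLD) THEN(DO)
               CHGVAR     VAR(&DRIFT) VALUE('1')
               SNDPGMMSG  MSG('QPWDVLDPGM is now' *BCAT &PWDVLD) +
                            TOMSGQ(QSYSOPR)
             ENDDO
             IF         COND(&ATN *NE &BATN) THEN(DO)
               CHGVAR     VAR(&DRIFT) VALUE('1')
               SNDPGMMSG  MSG('QATNPGM is now' *BCAT &ATN) +
                            TOMSGQ(QSYSOPR)
             ENDDO
             IF         COND(&PRBFTR *NE &BPRBFTR) THEN(DO)
               CHGVAR     VAR(&DRIFT) VALUE('1')
               SNDPGMMSG  MSG('QPRBFTR is now' *BCAT &PRBFTR) +
                            TOMSGQ(QSYSOPR)
             ENDDO
             IF         COND(&RMTSGN *NE &BRMTSGN) THEN(DO)
               CHGVAR     VAR(&DRIFT) VALUE('1')
               SNDPGMMSG  MSG('QRMTSIGN is now' *BCAT &RMTSGN) +
                            TOMSGQ(QSYSOPR)
             ENDDO

             /* End abnormally when anything differs, so a scheduled  */
             /* run shows up as a failed job rather than a quiet      */
             /* normal completion.                                    */
             IF         COND(&DRIFT) THEN(DO)
               SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                            MSGDTA('System values differ from baseline') +
                            MSGTYPE(*ESCAPE)
             ENDDO
             ENDPGM
```

This catches a changed system value, but not a changed program behind an unchanged value; that is what object auditing on the named programs is for, and the two belong together. Secure this checker the same way as everything else it watches: compiled with AUT(*USE) into a library the public cannot write to, or an intruder simply edits the baseline.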
Database Trigger Programs
A database trigger program is a user-written program that is called automatically when a database operation (insert, update, delete, or read) is performed against a physical file. A user with *OBJALTER or *OBJMGT authority to the file, together with *OBJOPR and *READ authority to it and *EXECUTE authority to its library, can attach a trigger program to the file with ADDPFTRG. The trigger runs inside the job that performed the database operation, so it can do anything the user running that job is authorized to do. If the program checks who that user is and finds a powerful one, it can do great mischief, as in the example at the start of this article.
The best way to track this is to use the PRTTRGPGM (Print Trigger Programs) command. It lists all trigger programs in a library, or, with CHGRPTONLY(*YES), only the ones that have been added since you last ran it; DSPFD TYPE(*TRG) shows the triggers attached to a single file. Secure trigger programs with *PUBLIC authority *USE.
You may also want to turn on security auditing with an AUDLVL of *CREATE, to capture newly created programs, and turn on object auditing (*CHANGE level) for any existing trigger programs.
Network Attribute Exit Programs
The network attributes PCSACC (PC Support, now Client Access, requests) and DDMACC (DDM and DRDA requests) control the handling of certain communications functions. Each may name a user-written exit program, set with CHGNETA, that is called to approve or reject each request of that kind. To change these attributes, *ALLOBJ and *IOSYSCFG special authority are required. If a program is named, it must be secured with *PUBLIC authority *USE so that it is protected against modification.
The best way to track this is to start security auditing and watch for *SECURITY changes; a network attribute change appears as an NA entry in QAUDJRN. You will also want to turn on object auditing for any existing exit programs.
Registered Exit Programs
The WRKREGINF (Work with Registration Information) command lists the exit points the system provides for its functions, grouped by category. If an exit program is attached to an exit point, the program is called when the associated activity is requested. For example, a password validation program may be registered at the exit point QIBM_QSY_VLD_PASSWRD; when a request is made to change a password, the program name is retrieved from the registration facility and the program is called. The same mechanism covers FTP, ODBC, remote command, file serving and many other network functions, so an exit program registered there sees, and can act on, every request of that kind.
In order to add an exit program to an exit point (ADDEXITPGM), *ALLOBJ special authority is required, but the exit program itself must still be protected against modification with *PUBLIC authority *USE; otherwise a legitimately registered program can be replaced underneath an unchanged registration.
The best way to track this is to start security auditing and watch for *SECURITY changes. You will also want to turn on object auditing (*CHANGE level) for any existing exit programs.
Changes to Commands
You need to watch for changes to IBM-supplied Control Language commands and to your own custom commands. Commands provide multiple avenues for mischief. Each command can have several programs called as a result of the command being executed, or even simply prompted (with the F4 key): the validity checking program, the command processing program, the prompt control program, the prompt override program and the prompt choice program. If someone were to add a validity checking program to a command, for example, that program would run under the authority of the user running the command, and could do anything that user is authorized to do. DSPCMD shows which programs a command currently names.
Another area of concern in creating and changing commands is the ability to add a product library to the job's library list and to change the job's current library (the PRDLIB and CURLIB parameters of CRTCMD and CHGCMD). The product library and current library are placed ahead of the user portion of the job's library list while the command runs, so mischievous programs and other objects placed there can masquerade as your real production applications.
You need to restrict access to the CRTCMD and CHGCMD commands with *PUBLIC authority *EXCLUDE.
The best way to track this is to turn on object auditing (*USE level) for the CHGCMD and CRTCMD commands, to record each time the commands are used.
Message Descriptions
The CHGMSGD (Change Message Description) command, like ADDMSGD when the message is first created, allows you to name a default program in the DFTPGM parameter of a message description stored in a message file. The default program is called whenever that message is sent as an *ESCAPE or *NOTIFY message to a program that does not monitor for it, and it runs in the job that received the message, with that job's authority. A program planted here is triggered by an error condition rather than by anyone's explicit action, which makes it easy to overlook.
To track this, turn on object auditing (*CHANGE level) for message files, and make sure message files are secured with *PUBLIC authority *USE.
What to do now
We have dealt with many of the places where nefarious masqueraders can be inserted into your operating system, and how to thwart these attempts. In some cases you will only be able to decipher and undo the effect of an attack after the fact, by reviewing your security audit journal, which is why the journal has to be there before you need it. Here are the first few steps you should consider.
1) Start security auditing with object auditing, and review the reports regularly.
2) Take the other recommended steps discussed in this article.
Since many of these attacks can be exploited only by a user with elevated security privileges, take these steps to help you protect your system from powerful user profiles.
1) Do not allow *ALLOBJ special authority to get out of hand.
·  Only a very trusted few should have access to a powerful user profile.
·  Signing on as a powerful user should be a very rare occasion.
2) Run your system at QSECURITY level 40 or 50, which enforces operating system integrity and closes the unsupported-interface routes that level 30 leaves open.
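The "other recommended steps" above, as the commands you would actually type. This is an added example, not from the article; STRUPLIB/QSTRUP (your copy of the start-up program), APPLIB/ORDTRG (a trigger program), APPLIB/APPMSGF (an application message file) and STRUPLIB/QCLSRC (the source file) are placeholder names. Run them from a profile holding *ALLOBJ and *AUDIT special authority (CHGOBJAUD requires *AUDIT), after starting auditing as shown in the sidebar, since object auditing only takes effect when QAUDCTL includes *OBJAUD.

```cl
/* Hardening steps from this article as commands. Added example, not  */
/* from the article. Library and object names are placeholders.       */

/* 1. Programs named by system values, network attributes and exit    */
/*    points: *PUBLIC *USE so that nobody but the owner or an *ALLOBJ */
/*    user can replace them, plus object auditing so that a           */
/*    replacement is journaled. Do the source the same way, or the    */
/*    program is simply rebuilt from edited source.                   */
GRTOBJAUT  OBJ(STRUPLIB/QSTRUP) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*USE)
CHGOBJAUD  OBJ(STRUPLIB/QSTRUP) OBJTYPE(*PGM) OBJAUD(*CHANGE)
GRTOBJAUT  OBJ(STRUPLIB/QCLSRC) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*USE)
CHGOBJAUD  OBJ(STRUPLIB/QCLSRC) OBJTYPE(*FILE) OBJAUD(*CHANGE)

/* 2. Trigger programs and message files: same treatment.             */
GRTOBJAUT  OBJ(APPLIB/ORDTRG)  OBJTYPE(*PGM)  USER(*PUBLIC) AUT(*USE)
CHGOBJAUD  OBJ(APPLIB/ORDTRG)  OBJTYPE(*PGM)  OBJAUD(*CHANGE)
GRTOBJAUT  OBJ(APPLIB/APPMSGF) OBJTYPE(*MSGF) USER(*PUBLIC) AUT(*USE)
CHGOBJAUD  OBJ(APPLIB/APPMSGF) OBJTYPE(*MSGF) OBJAUD(*CHANGE)

/* 3. Command definition: exclude the public and audit every use.     */
GRTOBJAUT  OBJ(QSYS/CRTCMD) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT  OBJ(QSYS/CHGCMD) OBJTYPE(*CMD) USER(*PUBLIC) AUT(*EXCLUDE)
CHGOBJAUD  OBJ(QSYS/CRTCMD) OBJTYPE(*CMD) OBJAUD(*USE)
CHGOBJAUD  OBJ(QSYS/CHGCMD) OBJTYPE(*CMD) OBJAUD(*USE)

/* 4. Verify. GRTOBJAUT sets the *PUBLIC entry only: private          */
/*    authorities and any authorization list are still in force, and  */
/*    DSPOBJAUT is where you see them.                                */
DSPOBJAUT  OBJ(STRUPLIB/QSTRUP) OBJTYPE(*PGM)
DSPOBJAUT  OBJ(QSYS/CHGCMD)     OBJTYPE(*CMD)

/* 5. Review on a schedule: the trigger inventory (all, then only     */
/*    those added since the last run), who holds special authority,   */
/*    and the audit entries for system value (SV), network attribute  */
/*    (NA) and user profile (CP) changes.                             */
PRTTRGPGM  LIB(APPLIB) CHGRPTONLY(*NO)
PRTTRGPGM  LIB(APPLIB) CHGRPTONLY(*YES)
PRTUSRPRF  TYPE(*AUTINFO)
DSPJRN     JRN(QSYS/QAUDJRN) ENTTYP(SV NA CP) OUTPUT(*PRINT)
```

The order matters less than completeness: every program named in the sections above gets step 1, and anything left out is the place a masquerader will be put.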
Many of you may astutely inquire, "What about the exposures within my own custom production applications? Aren't they susceptible to this same kind of threat?" Yes, certainly they are. To protect your own application objects, ensure that change control is not just a trivial matter of moving test objects to production, but that you have strict control and auditing of anything moved to the production environment. I recommend regular, or at the least random, source code reviews. To help you, the CMPPFM (Compare Physical File Member) command can list the changed lines of source code before they are moved to production, so you review the differences rather than the whole member.
=====================================================================
Sidebar
Start Security Auditing
Dan Riehl
To start security auditing, use the CHGSECAUD (Change Security Auditing) command. The command creates the QAUDJRN audit journal and its receiver (if they don't already exist) and changes the QAUDCTL and QAUDLVL system values to the values you specify. Here's a sample CHGSECAUD command:
CHGSECAUD  QAUDCTL(*AUDLVL *OBJAUD *NOQTEMP) +
           QAUDLVL(*AUTFAIL *SECURITY *SERVICE +
                   *DELETE *OBJMGT *PGMFAIL *CREATE) +
           JRNRCV(audlib/AUDRCV0001)
*OBJAUD in QAUDCTL is what makes the per-object auditing set with CHGOBJAUD take effect; *SECURITY in QAUDLVL records the system value, network attribute, user profile and exit point changes discussed in the article, and *CREATE records new objects. As with most journals, you'll need to manage the journal receivers: swap them with CHGJRN JRN(QSYS/QAUDJRN) JRNRCV(*GEN), save the detached receivers, and only then delete them. To review the entries, use DSPJRN JRN(QSYS/QAUDJRN), with ENTTYP to select only the entry types of interest.