Security and Systems Management Newsletter for the IBM i             October 22, 2014 - Vol 4, Issue 18
Security Training from

Security software from Powertech

Skyview Partners

Training from The 400 School

Feature Article

I Can Be You!   Exploiting Unsecured User Profiles

By Dan Riehl -

As an IBM i security consultant, I have the opportunity to help companies uncover flaws in their security implementation and determine the best way to fix the problems found. One of the major security risks that I find to be quite common in both large and small companies is unsecured user profile(*USRPRF) objects. The point of this article is to explain this risk, and HOW TO FIX the problem!

Let's say for a minute that I'm an inquisitive programmer or contractor at your place. I want to look at things, or do things that I'm prohibited from doing by IBM i security, like looking at the production payroll file, or worse yet, modifying some records in the file. Since my user profile is prohibited from even looking at the file, I need to find a way to get an elevated level of authority before the system will allow me to access the file. One particularly easy way to do this, in most IBM i installations is to steal the authorities of some user profile more powerful than mine, maybe QSECOFR. Being able to elevate my own authorities through what I call the "Profile Hijack" can be painfully easy at system security level 30 and below. Even at security level 40 and 50, it's do-able on almost every system I have seen. Once I have hijacked a more powerful profile, I can use that profile, and probably elevate my own User Profile authority to get the access I need to ANY File on the system.

So, How do I Become YOU?   Hijacking a User Profile?

One of the reports I run during an IBM i vulnerability assessment is the "Public authorities report" for User Profile objects. This report will tell me if any user profiles have authority that is not set to the default of *PUBLIC AUT(*EXCLUDE). The command to run this report is (Print Public Authority):


The sample output of this command is shown below in Figure 1. In a moment I'll explain to you the significance of profiles listed in this report.

Another related report that I run is the "Private Authorities Report" for User Profile objects. This report as shown in Figure 2 below will tell me if any individual or group profiles have explicit authority to other user profiles. The command that produces this report is (Print Private Authority):


Deciphering the output

Before diving into the reports, we need to understand what constitutes a clear vulnerability for the User Profile "Hijack". Let me provide an explanation of the problem.

If I have even *USE rights, or better(e.g. *CHANGE, *ALL) to someone else's user profile, I can "Hijack" their profile; using their profile to run commands. This can be as simple as running a SBMJOB command specifying the name of the "Hijacked" user profile in the USER parameter, as in:


(Where PAYUSER is a user profile that has read rights (i.e. AUT(*USE)) or better to the PAYROLL file, and to which I have, at least *USE authority to the PAYUSER User Profile.)

This SBMJOB command will submit a batch job to run under the PAYUSER user profile, and will print out the records in the Payroll file, that I, by my own authority, do not have access to, but to which the PAYUSER User Profile does have access.

Read More . .

In This Issue

Featured Article - I Can Be You!

Featured Video - Hijack a User Profile

Security Shorts - Use Remote Command

Industry News and Calendar

Security Resources

Quick Links

Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Our Newsletter Sponsors

Platinum Sponsor

    The 400 School, Inc

Gold Sponsor


    Skyview Partners, Inc

Silver Sponsor

    Cilasoft Security Solutions

IBM i Security Resources

IBM i Security Videos - SecureMyi

SecureMyi Newsletter Archives

Search Security for IBM i

IBM i Security Ref - 6.1

IBM i Security Ref - 7.1


QAUDJRN Entry Layouts

RedBook - Security Guide IBM i

Open Security Foundation - DataLoss DB

National Vulnerability Database - NIST

PCI Data Security Standard


HIPAA Resources

HITECH Enforcement

CISSP - Certification

Follow SecureMyi on Twitter
Follow SecureMyi on LinkedIn=
Follow SecureMyi on YouTube

Software from Cilasoft

Security software from Powertech

Featured YouTube Educational Video

IBM i Security

Are your User Profiles Vulnerable to Profile Hijacking?

Featured Video - HiJack User Profile
Security news and Events

Security Related News for IBM i

Bytware Announces StandGuard Anti-Virus version 7.2
Bytware, a division of HelpSystems, announces its new version of its StandGuard Anti-Virus software for IBM i, AIX, and Linux. This latest update incorporates the McAfee 5700 scan engine, which enhances performance and threat detection.

(Editor's Note: When using your IFS(Integrated File System) directories as Network Shares, it's very important to watch and scan these disk spaces for Viruses and other Malware, just as you do on your Windows-Based Shares.)

Read the Bytware Press Release

Live Security Related Webcasts and Training for IBM i

October Events

Part-Time Privileges: Accountability for Powerful Users
Live Webcast - Presented by Powertech
Wednesday, Oct 22 1:00pm CT
More Information and Register to Attend

COMMON 2014 Fall Conference & Expo
Oct 27 - 29
Hyatt Regency Indianapolis - Indianapolis, Indiana
More Information and Register to Attend

Coffee with Carol: Configuring iAccess Servers to use SSL
with Carol Woodbury

Live Webcast - Presented by Skyview Partners
Wednesday, Oct 29 10:00am CDT
More Information and Register to Attend

November Events

Live Hands-On - Security Audit and Vulnerability Assessment Workshop
      for IBM i, iSeries AS/400 with Dan Riehl

Training Workshop - Nov 11-14 - Presented by The 400 School, Inc.
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - IBM i, iSeries System Administration and Control Workshop
with Dan Riehl

Training Workshop - Nov 17-21 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Skyview Partners

Security Training from The 400 School
Training from The 400 School

Security Shorts

Using RMTCMD.exe to Run Multiple CL Commands

By Dan Riehl -

I have written often about using the IBM i Access command RMTCMD.exe to send commands from your Windows or Linux system to IBM i. But did you know you could also send multiple commands with one execution of the RMTCMD.exe?

The Syntax used to send multiple commands is:

rmtcmd /I rmtcmds.txt

(Where rmtcmds.txt is the name of a text file containing the list of commands to be executed.)

Here is an example.

Using Notepad, enter the Control Language commands that are to be executed, and save to a text file. Here's an example you can try.


Run the rmtcmd.exe specifying the name of the file which contains the commands.

C:\>rmtcmd /I rmtcmds.txt

Here is the result. (Note: You may be prompted to Logon, depending on your IBM i Access settings.)

IBM i Access for Windows
Version 7 Release 1 Level 0
Submit Remote Command
(C) Copyright IBM Corporation and Others 1984, 2010. All rights reserved.
U.S. Government Users Restricted Rights - Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.
Licensed Materials - Property of IBM

The remote system name is MYSYSTEM.
CPC2102 - Library MYTESTLIB created.
CPC7301 - File MYTESTFILE created in library MYTESTLIB.
CPC7305 - Member MYTESTFILE added to file MYTESTFILE in MYTESTLIB.
CPI2201 - Authority given to user *PUBLIC for object MYTESTLIB in QSYS object type *LIB.
CPC2201 - Object authority granted.
CPC1221 - Job 115263/MYUSER/MYTEST submitted to job queue QBATCH in library QGPL.

RMTCMD.exe Security Implications

While the RMTCMD.exe is great in functionality, it also brings with its functionality, a serious security issue that you will want to be aware of.

Limited Capabiliy Users (LMTCPB(*YES)) can run CL Commands using RMTCMD.exe. The RMTCMD.exe does not honor the LMTCPB attribute of a User Profile.

For more information on this topic, see the article The Reality of User Limited Capabilities LMTCPB(*YES) in the April 9, 2014 issue of the SecureMyi Security Newsletter.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

IT Security and Compliance Group

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Software Selection & Configuration
Security and Systems Programming

LIVE Training from The 400 School, Inc

Customized IBM i (iSeries, AS/400) Training -
    Presented Live at your offices

LIVE Online Hands-On Workshops

ILE RPG IV Programming
ILE COBOL Programming
Interactive Programming Workshops
System Operations Workshops
System Administration and Control
Security and Auditing Workshops
Control Language Programming
IBM i Concepts and Facilities
Query Workshop

Training from The 400 School
Security Training from The 400 School

Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2014 -, all rights reserved | St Louis MO 63017