Some properties that differentiate IBM i from your average server platform:
– It is an object-oriented operating system, where object types determine what operations can be performed on a piece of data
– Thanks to complete ISA abstraction, programs can be executed unmodified even when the hardware architecture changes
– A database engine is integrated into the operating system, so you can have an SQL view of practically any component of the system
– The compiler is tightly coupled with the OS, which, besides hardware independence, also supports implementing memory safety checks at compile time even for languages like C

Recognizing that these systems are here to stay, and that information critical to understanding their security architecture is scarce and sometimes inaccurate, we decided to create our own IBM i lab, which allowed us to familiarize ourselves with these systems, create new methodologies and tools to assess their security, and even identify previously unknown vulnerabilities in them. This blog post is the first step in publishing our findings to the security community: a walkthrough of the result of a penetration test of an IBM i system.

For the penetration test the Client provided network access to the machine on the internal network and one low-level user account with special authority *NONE and the limit capabilities value set to *PARTIAL. The presented techniques stem from misconfigurations common on this platform – this post only covers one privilege escalation path, but the comprehensive configuration audit of the same system uncovered several local and even remote vulnerabilities.

Native programs of IBM i are commonly accessed remotely over a telnet-like protocol called TN5250. However, instead of providing raw shell access, TN5250 usually displays menu-based user interfaces (the “green screen”). While the default menu allows access to the Command Language (CL) prompt (the “shell”), this can be replaced by configuring custom initial programs for users that provide only limited features, such as executing predefined database queries. The user we were given had an initial program configured after logging in over TLS-wrapped TN5250, so direct CL command execution was not possible.

The first task was trying to break out of the initial program limitation. After enumerating all the application menus, it became apparent that there was no way to run CL commands from them. Fortunately, 5250 terminals, and thus the TN5250 protocol, support an extended keyboard layout, which allows special menus to be triggered by sending special key events even when they are not reachable from the user interface of the initial program:

Object Authority of the target high-privileged profile

On IBM i all objects – including User Profiles – have an associated list of access control entries. In the above example, the *USE authority (permission) is granted to the *PUBLIC subject – this special entry serves as a fallback when the accessing user doesn’t match any other access control entry. The *USE authority allows impersonation of the User Profile, in this case for all authenticated users of the system. This means that, because of weak object authority configuration, we can impersonate this user and run CL commands with *ALLOBJ authority.

The current system security level is 40. In this case we can do at least two things:

Submit a new Job – The SBMJOB command allows specifying the User Profile under which a new Job (a command scheduled for execution) should run. This will succeed if the submitting user has *USE authority over the specified User Profile, just as in our case.
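To check a system for the weak object authority described in this post (a User Profile with *ALLOBJ that *PUBLIC may use, and therefore adopt through SBMJOB USER()), here is an added audit query that is not part of the original post. It uses the SQL view of the system that IBM i provides and assumes the Db2 for i services QSYS2.SYSTEM_VALUE_INFO, QSYS2.OBJECT_PRIVILEGES and QSYS2.USER_INFO (IBM i 7.3 and later), and that the account used can run SQL through some interface (ACS Run SQL Scripts, STRSQL or ODBC); whether that interface is reachable is a separate check.

```sql
-- Added audit query (not from the original post). Assumes the Db2 for i
-- services QSYS2.SYSTEM_VALUE_INFO, QSYS2.OBJECT_PRIVILEGES and QSYS2.USER_INFO
-- (IBM i 7.3 and later).

-- 1. Record the system security level the impersonation reasoning relies on
--    (the post's target system reported 40).
SELECT SYSTEM_VALUE_NAME, CURRENT_NUMERIC_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME = 'QSECURITY';

-- 2. List every User Profile object in QSYS whose *PUBLIC entry is anything other
--    than *EXCLUDE. *USE (or a user-defined mix containing *OBJOPR and *EXECUTE)
--    is enough for SBMJOB USER(<profile>) to succeed for any authenticated user.
--    Join the profile's own attributes so profiles carrying *ALLOBJ sort first.
SELECT p.OBJECT_NAME          AS exposed_profile,
       p.OBJECT_AUTHORITY     AS public_authority,
       u.SPECIAL_AUTHORITIES,          -- blank-separated list, e.g. '*ALLOBJ *SECADM'
       u.STATUS,                       -- *ENABLED profiles are directly usable
       u.LIMIT_CAPABILITIES,
       u.INITIAL_PROGRAM_NAME
  FROM QSYS2.OBJECT_PRIVILEGES p
  JOIN QSYS2.USER_INFO u
    ON u.AUTHORIZATION_NAME = p.OBJECT_NAME
 WHERE p.OBJECT_SCHEMA      = 'QSYS'
   AND p.OBJECT_TYPE        = '*USRPRF'
   AND p.AUTHORIZATION_NAME = '*PUBLIC'
   AND p.OBJECT_AUTHORITY  <> '*EXCLUDE'
 ORDER BY CASE WHEN u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%' THEN 0 ELSE 1 END,
          p.OBJECT_NAME;
```

Any row returned by the second query is a profile that every user on the system can submit jobs as; a row with *ALLOBJ in SPECIAL_AUTHORITIES is the exact situation exploited above. The query deliberately filters on *PUBLIC only; a private *USE grant to your own account or to one of its group profiles, or an authorization list attached to the profile, opens the same path, so widen the AUTHORIZATION_NAME filter when auditing a specific account. The corrective setting is the one IBM ships for profiles by default, *PUBLIC *EXCLUDE, applied with GRTOBJAUT OBJ(QSYS/profile) OBJTYPE(*USRPRF) USER(*PUBLIC) AUT(*EXCLUDE).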