Seems as if the 400 still isn't out of the woods yet. Through the use of the DmpSysObj command, anyone with authority to this command can see any signed-on user's password. I just verified that it works. Bill
Unconfigured Ad Widget
Collapse
Announcement
Collapse
No announcement yet.
I can get your password
Collapse
X
-
I can get your password
David, To answer your questions: I am a Security Officer, we are at Lvl30, I have AllObj. To answer between the lines: If a user obtains the authority to run DmpSysObj and has read authority to the subsystem description, I believe this will still work. The person supplying this method did not give any caveats as to security level restrictions. Bill
Comment
-
I can get your password
Joe, I understand your apprehension, but I will let my reputation on these forums stand on it's own. I hope you will understand the sensitive nature of this subject and my unwillingness to post the complete method here. My purpose is not tease everyone with a "I know something you don't know", but to put everyone on notice that there are still some holes that need to be filled. I believe that there are a couple of other participants in these forums who also have access to the same source where I obtained this exposure. Hopefully, they will post a confirmation note that there is a problem as well. Bill
Comment
-
I can get your password
Bill, "I believe that there are a couple of other participants in these forums who also have access to the same source where I obtained this exposure. Hopefully, they will post a confirmation note that there is a problem as well." Yes, there is a "son of sniff" RPG program. This one is 34 lines, but is even more dastardly then the first one. This original program gave you the password to whoever happened to be the last one to signon in your subsytem. The new program (which works even with the PTFs for the original exposure applied) lets you name any specific device in your current subsystem. It will provide the password for that user, provided they are signed on. The RPG program only runs at level 30 or below, unless patched to system state (where it can run at level 50). The DMPSYSOBJ command Bill referred to is the equivalent of the RPG program, but will run even at level 50 since it is already system state. It actually takes more than one DMPSYSOBJ command to exploit this particular vulnerability. Bottom line: level 30 gives you a false sense of security. There are *lots* of holes which can be exploited. The above referenced RPG program is just another one of them, and armed with the source nearly anyone could exploit it. The DMPSYSOBJ command by default is not available to regular users, but is to those with a QSYSOPR or QPGMR class. IMHO, they should be excluded too. Doug PS - Last I checked there were only 218 subscribers to the source Bill was referring to (assuming he got it from the same source I did). And no public archives. PPS - The RPG version was posted on July 14. The MI version on the 18th, and the DMPSYSOBJ version today.
Comment
-
I can get your password
Susan, Ouch! Good questions. No, I haven't contacted them. The source(s) of my information have much larger and more respected names than I do, in fact I believe that IBMer's are participants in this information source as well. It took IBM a week last time, let's see what it takes this time. Bill
Comment
Comment