I can get your password

  • #16
    I can get your password

    Bill, I am not so worried about the CL command because none of our users have access to "Q" user profiles and the dmpsysobj command is locked down. Also, the *allobj users are system administrators who could easily write a password trapping program using a system value. What I AM worried about is the RPG version. Would a programmer not having any large amounts of authority to the system itself have enough power to bypass the dmpsysobj CL command by using another interface? Can someone without much authority get an RPG program to a "system state" very easily? If you can't go into much detail, I understand.... Thanks Scott


    • #17
      I can get your password

      Scott, "What I AM Worried about is the RPG version. Would a programmer not having any large amounts of authority to the system itself have enough power to bypass the dmpsysobj CL command by using another interface? Can someone without much authority get an RPG program to a "system state" very easily?" You cannot make a program system state without service authority. And if you patch a program to system state on one machine, then try and save/restore it (even to the same machine), it will revert to user state because of how OS/400 implements checksums on the objects. It *is* possible to circumvent that too, by patching the checksum as well, but the checksum algorithm is non-trivial and not widely known. There are probably fewer people who know how to do that than who know of other vulnerabilities. Another way to patch the program to system state is via DST, provided you have physical access to the machine during off hours and know the DST passwords. At level 30 or below, you don't need any special authorities to run the RPG program. It works at user state. All you need is the source and to know how to run the CRTBNDRPG command, then call the program. Regarding contacting IBM. There are some good IBM folks who subscribe to the same source of information, and they no doubt are very aware of the issue. I am fairly confident the information would have been passed on to the proper folks. It was last time. I have not yet seen a response from IBM. But although the RPG program showed up on the 14th, it was easy to miss what it really did unless you compiled the code and ran it. I suspect most subscribers, and perhaps IBM, were not really aware of it until at least the 18th or possibly today. Doug PS - People in the know have said it for years, but it bears repeating. Don't trust security level 30.


      • #18
        I can get your password

        Scott, There are others with much greater qualifications than myself who can answer your question better. It sounds like Doug can do a much better job than I. I'll give it a stab as best as I can. RPG programs now have the ability to call C functions that have the ability to access MI functions. MI could be considered the equivalent of Assembly language programming on the 400. It allows you access to all sorts of goodies and internal objects on the 400. The one hitch is that a programmer has to know where these internals are and how to access them and how to interpret their structures. Once a programmer understands the where's and the why's of system internals, he can gain access behind the curtain of the Wizard of Oz, so to speak. Bill


        • #19
          I can get your password

          Thank you Doug and Bill. You guys know too much. I am already at level 40. We have never considered taking the system to level 50 because of a supposed 20% performance hit. Knowing what you do (and others out there too) would you ever recommend level 50? Is anyone at level 50 besides the gov.?


          • #20
            I can get your password

            Bill, "RPG programs now have the ability to call C functions that have the ability to access MI functions" And in addition, RPG can invoke many MI functions directly using "MI builtins". This particular program used one MI builtin and two C library wrappers to MI functions. However, authoring these kinds of exploits takes much more than just knowledge of how the MI builtins or C library functions work. It takes a level of knowledge of system internals well beyond what most of us possess. I understand how these programs work. But that is a far cry from being the one to find the vulnerability and how to exploit it. The author is in a rather elite league of (non-IBM) programmers. Doug


            • #21
              I can get your password

              You are right Doug. I saw those programs go by and didn't know what they were really for. Darnit, I don't archive that source either. Bill


              • #22
                I can get your password

                Bill, Your ability to display others' passwords is only one of many security issues on your system. I would put it pretty far down the list. David Morris


                • #23
                  I can get your password

                  Scott, "You guys know too much." It's not what you know, it's who you know. "Knowing what you do (and others out there too) would you ever recommend level 50? Is anyone at level 50 besides the gov.?" I don't know how many installations run at level 50 outside the government. I suspect some banks do and likely others with a high liability or those who want to be able to claim in court they did everything they knew of to maximize security. Do I use it myself? No. But I don't have any clients in what I'd consider a highly sensitive position should security be breached. Only recently did a major client of mine decide to make passwords expire periodically. They just don't see it as that high of an exposure. (Payroll is out-sourced.) Doug


                  • #24
                    I can get your password

                    And this really brings home the fallacy of "Security through Obscurity". While I have an outrageously small knowledge of internals (believe me, you put me on too high a pedestal), I keep my ears and eyes open. Through this observation I now have some dangerous capabilities. But like Doug said, I couldn't have come up with any of this on my own. The scary part is that if I wanted to, I could make a posting to Alt.2600 and educate some characters of questionable character. Bill


                    • #25
                      I can get your password

                      Scott, "We have never considered taking the system to level 50 because of a supposed 20% performance hit." One of the people who I highly respect as very knowledgeable on AS/400 security just posted this observation on another forum: "If you think the performance impact at level 50 is bad, you should see the performance impact of a damaged or destroyed system at level 30 or 40!" Food for thought. Doug


                      • #26
                        I can get your password

                        Bill, "Darnit, I don't archive that source either." Well, I guess that means we're down to no more than 217 of us who have the original posting. Or whoever they shared it with. I've not been watching places like 2600. Doug


                        • #27
                          I can get your password

                          When Level 50 Security was announced (V3R0M5 in 1994?) it was touted as bearing a 5-15% performance penalty. More recently, IBM security and performance specialists have said that the impact is more like 2-3%. We run Level 50 all the time. If you're not banging the inside walls of your processor (95% and higher), you could probably run at 50 as well and never see the performance hit. jte MC Security Editor


                          • #28
                            I can get your password

                            As usual, David Morris nails the issue. This is a level 30 issue.... there are many other (and far less technical) issues that make Level 30 a leaking sieve when it comes to security. If you are still at level 30, you have larger fish to fry. If you are at level 40, and have your service tools (*SERVICE Special Authority and the DMPSYSOBJ command) locked up, there is much less to worry about. jte MC Security Editor


                            • #29
                              I can get your password

                              An excellent description Doug. I haven't talked to anyone at IBM, so this is just my own gut feel, but I would not be surprised if IBM chose not to fix this problem... or at least not the RPG problem. To the extent that this can be called a QSECURITY level 30 problem, IBM may well shrug their shoulders and advise everyone to move to Level 40 because there are numerous problems at 30 (And IMHO, they would be correct in taking this position). The DMPSYSOBJ command may be more troublesome. I would expect a reaction on that. jte MC Security Editor


                              • #30
                                I can get your password

                                Hi all, IMHO the postings regarding the password problem went too far. To make it short: I read the postings regarding dmpsysobj and used it to find passwords. That means that this is not so difficult to achieve, and my conclusion is that too many "clues" found their way to the postings, thus making some "regular" guys able to find the key. I of course was just an innocent curious guy, but this may not always be the case. BTW - How can I join the MI mailing list (NOT FOR THE HACKING, sometimes I use it for my needs) So, let's get more quiet, apply PTFs and upgrade our security over the non-secured 30 level. Regards
