On Tue, 3 Nov 2009 17:36:05 -0500, Tony Harminc wrote:

>The argument would be that if such a program fails only because it
>copies <parmlength> bytes to a 100-byte buffer without checking that
>the length does not exceed 100, it does not compromise MVS System
>Integrity, since the Integrity statement talks about Installation
>Control, and clearly the installation has the ability to disallow the
>invocation of such programs via TSO/E CALL, TESTAUTH, authorized REXX,
>and so on.
>
>However this could be tested, I believe, by using the EXECMVS
>(BPX1EXM) service. This can pass a parm string of length up to 4096
>(yet another arbitrary number) to any program in linklist (or possibly
>a private STEPLIB), and will invoke AC(1) programs in an authorized
>state, with, as far as I know, no method of installation control other
>than denying UNIX access entirely. An attack based on this would take
>some effort, even assuming a buffer overflow and subsequent code
>execution can be accomplished, not least because the overlaying code
>would have to come from global storage. But PC malware authors have
>done the same under more difficult conditions.
>
>So if someone can find an AC(1) IBM module in linklist that does
>something Really Bad with a long parm string, this'd be the way.

BPX1EXM invokes its target program as a new jobstep with no DD statements in effect. So someone would need to find an AC(1) IBM module in linklist that does something Really Bad with a long parm string and no DD statements. Quite a challenge.
-- 
gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
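As an added illustration of the length check the thread describes as missing (example code written for this page, not from the thread, from IBM or from any real module): a bounded copy of a halfword-length-prefixed parm string into a fixed 100-byte buffer that refuses over-long input instead of overflowing. The parm layout (big-endian halfword length followed by the text), the buffer size and the helper names are this example's own assumptions.

```c
#include <stddef.h>
#include <string.h>
/* Assumed layout (this example's own model of an MVS parm string): a
 * big-endian halfword length followed by that many bytes of text. */
#define PARM_BUF_SIZE 100
/* Copy a length-prefixed parm into a fixed 100-byte buffer.
 * Returns the number of bytes copied, or -1 when the declared length
 * exceeds the buffer (the check the thread says is missing) or runs
 * past the storage that was actually passed in. */
static int copy_parm(const unsigned char *parm, size_t storage_len,
                     char buf[PARM_BUF_SIZE]) {
    if (parm == NULL || storage_len < 2)
        return -1;                    /* no halfword length present */
    unsigned len = ((unsigned)parm[0] << 8) | parm[1];
    if (len > PARM_BUF_SIZE)
        return -1;                    /* would overflow buf: reject, do not copy */
    if (len > storage_len - 2)
        return -1;                    /* declared length exceeds what exists */
    memcpy(buf, parm + 2, len);
    return (int)len;
}
/* Build a constructed parm of 'len' bytes of 'fill' at 'out'.
 * Returns total bytes written (len + 2), or 0 if 'out' is too small. */
static size_t make_parm(unsigned char *out, size_t out_size,
                        unsigned len, char fill) {
    if (len > 0xFFFF || out_size < (size_t)len + 2)
        return 0;
    out[0] = (unsigned char)(len >> 8);
    out[1] = (unsigned char)(len & 0xFF);
    memset(out + 2, fill, len);
    return (size_t)len + 2;
}
/* Exercise copy_parm with a parm of the given length (up to the 4096
 * that BPX1EXM can pass, per the thread). Returns copy_parm's result. */
static int try_len(unsigned len) {
    static unsigned char raw[4096 + 2];
    char buf[PARM_BUF_SIZE];
    size_t n = make_parm(raw, sizeof raw, len, 'A');
    return n ? copy_parm(raw, n, buf) : -1;
}
/* Storage shorter than the declared length must also be refused. */
static int try_truncated(void) {
    unsigned char raw[8];
    char buf[PARM_BUF_SIZE];
    make_parm(raw, sizeof raw, 6, 'B');      /* declares 6 bytes, 8 in total */
    return copy_parm(raw, 4, buf);           /* but only 4 bytes handed over */
}
```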