AFAIK, UID(0) (via CNMEUNIX) has nothing to do with reading (downloading) the unprotected RACF Database. There is another factor ... the uneducated/inexperienced administrators did not protect a multi-session product (IIRC, it was TPX). As well, the hackers found a bug in NVAS ... changing a non-display field on the screen allowed them to bypass certain controls.

On 2022-01-30 18:18, Tom Brennan wrote:
Thanks, so the ASM program from the blog was never used, but the main problems were:

1) Some way to get UID=0 access (I think Soldier of Fortran mentioned this years ago, which I hope has been fixed).
2) RACF DB that was not read protected (not the brightest)

On 1/30/2022 12:09 PM, Itschak Mugzach wrote:
Hi Tom,

Once they got root, they were able to unload racf DB that was not well
protected and run an (open source) password cracker. They had time to get
many user passwords. No user SVC was involved, not needed. I don't know
where David collects his information, but the breach is well documented in
many reports.

Best,
Itschak


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN