
Stuff
OS/400 Edition
Volume 2, Number 21 -- October 23, 2003

OS/400 Alert: OS/400 Passwords Can Be Seen


by Shannon O'Donnell

[The code for this article is available for download.]

This week I'll explain how easy it is to view and steal encrypted OS/400 passwords, and how you can prevent such activities. Although the technique has been available for several years, it's likely that most people just never considered this vulnerability to OS/400 security. I'll also tell you about a vulnerability in Internet Explorer that lets Web sites install and run programs on your PC, a virus that can steal your credit card information, and my favorite PTFs of the week.

Compromising OS/400 Passwords

We all know the iSeries is the world's most secure computer, receiving the government's highest security rating of C2. And one of the reasons OS/400 is so secure is its one-way password encryption. We feel good about this and thumb our noses at our Windows, Linux, and Unix brethren and say, "Nyah, nyah, nyah!" But before you get to feeling too cocky there, you need to be aware that, under the right conditions, and using a very simple RPG program, all of your OS/400 user profile/passwords can be seen and stored for future, nefarious use.

Way back in OS/400 V3R1, IBM gave us a whole bunch of new APIs and exit point programs. Among them was an exit point program for the Change Password (CHGPWD) command. The exit point program is referred to as the validate password exit program, and it is called every time the CHGPWD command is executed or the QSYCHGPW (change password) API is called. The idea behind the validate password exit program is a good one: you can use it to enhance your own OS/400 security protocols by applying your own password protection rules. If you had an internal policy that a password could not be, for instance, the color yellow, then you could monitor for such a request, so that when someone attempted to use the CHGPWD command and the new password "yellow," your own program would deny this change. In this manner, you could ensure that your corporate-level security policy was enforced for OS/400 user passwords.

But while you can enforce password rules, you can also steal and store passwords.

Users who have authority to change exit points in the OS/400 registry, using the Work with Registration Information (WRKREGINF) command, and who also have *SECOFR and *ALLOBJ authority in their user profile, can add their own custom program to the exit point. This program (which may look very much like the one in the download file) could then accept the old and new password information and do two things. First, it could validate the new password against whatever internal security policy you defined for your organization. Second, it could cache, or store, the password information in a database, along with the user profile it belongs to, where it could later be used to gain access to your AS/400 or iSeries.

The security information is passed, via the exit point program, to your own custom program in a data structure, which, in the example code, is named ExitInfo. Within this data structure are the user profile of the user requesting a password change and the old and new passwords. Your custom program can evaluate this information to decide whether you want to allow the new password. If you don't want the user to be able to use the new password, set the Return Indicator variable to a value other than 0.

Note that the exit point program is called only after the OS/400 password rules, defined in System Values, have been evaluated. If the password-change request passes those rules, your custom program is called. Also be aware that, for your custom program to be called, it must first exist in either the system auxiliary storage pool or one of the basic user auxiliary storage pools before you add it to the exit point with the WRKREGINF command. Also, the user profile adding the exit program must have *ALLOBJ and *SECADM authority to add this program. And, finally, you must set the system security value QPWDVLDPGM to *REGFAC for the exit point to know to call your custom program.

What can you do to protect your system against an inside attack like this? For one, you can ensure that only trusted employees, with an actual and ongoing need, have *SECADM and *ALLOBJ authority in their user profiles. Most programmers and users simply do not need this much authority for their daily jobs. Second, you can turn on system auditing to allow the system to journal changes to the system. And you can institute a policy of regularly reviewing the OS/400 registry, by using the WRKREGINF command, to ensure that any exit program attached to system exit points is supposed to be there. This is truly one of those times when an ounce of prevention is worth a pound of cure.
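The two review points above (who holds both *ALLOBJ and *SECADM, and what is attached to the validate-password exit point) can be turned into a repeatable check. The script below is an added example, not the article's download code: it assumes the exit point name QIBM_QSY_VLD_PASSWRD, writes the QPWDVLDPGM value as '*NONE', '*REGFAC' or 'LIBRARY/PROGRAM', and works on constructed rows standing in for WRKREGINF and DSPUSRPRF output.

```python
from dataclasses import dataclass

EXIT_POINT = "QIBM_QSY_VLD_PASSWRD"  # assumed exit point name called for CHGPWD and the QSYCHGPW API
ADMIN_AUTHS = {"*ALLOBJ", "*SECADM"}  # what it takes to attach a program to the exit point

@dataclass(frozen=True)
class ExitProgram:
    """One row as WRKREGINF lists it: exit point, sequence number, LIBRARY/PROGRAM."""
    exit_point: str
    number: int
    library: str
    program: str

    def qualified(self) -> str:
        return f"{self.library}/{self.program}"

def audit_password_exit(qpwdvldpgm, registered, approved):
    """Findings for the validate-password exit; an empty list means nothing unexpected.

    qpwdvldpgm: the QPWDVLDPGM system value as '*NONE', '*REGFAC' or 'LIBRARY/PROGRAM'
                (the last form is this script's own convention for a named program).
    registered: ExitProgram rows copied from WRKREGINF (any exit point; others are ignored).
    approved:   set of 'LIBRARY/PROGRAM' names the security policy sanctions.
    """
    findings = []
    if qpwdvldpgm in ("*REGFAC", "*NONE"):
        # With *NONE nothing runs today, but every registered program goes live the
        # moment someone flips the system value to *REGFAC, so report those too.
        state = "active" if qpwdvldpgm == "*REGFAC" else "dormant"
        for ep in registered:
            if ep.exit_point == EXIT_POINT and ep.qualified() not in approved:
                findings.append(f"{state} unapproved exit program {ep.qualified()} (#{ep.number})")
    elif qpwdvldpgm not in approved:
        findings.append(f"QPWDVLDPGM names unapproved program {qpwdvldpgm}")
    return findings

def audit_special_authorities(profiles, approved_admins):
    """Profiles holding both *ALLOBJ and *SECADM that are not on the approved admin list."""
    return sorted(p for p, auths in profiles.items()
                  if ADMIN_AUTHS <= set(auths) and p not in approved_admins)

# Constructed sample data standing in for WRKREGINF and DSPUSRPRF output.
SAMPLE_REGISTERED = [ExitProgram(EXIT_POINT, 1, "SECLIB", "PWDRULES"),   # sanctioned policy program
                     ExitProgram(EXIT_POINT, 2, "DEVLIB", "PWDCACHE"),   # extra program nobody approved
                     ExitProgram("QIBM_QCA_CHG_COMMAND", 1, "MYLIB", "CMDCHG")]  # other exit point
SAMPLE_APPROVED = {"SECLIB/PWDRULES"}
SAMPLE_PROFILES = {"QSECOFR": ["*ALLOBJ", "*SECADM", "*AUDIT"], "PGMR1": ["*ALLOBJ", "*SECADM"],
                   "CLERK2": ["*JOBCTL"]}
```

Run the two functions over the real WRKREGINF and DSPUSRPRF listings on a schedule and treat any non-empty result as a change to investigate.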

This Week's Nasty Windows Worries

W32.Cesca is a virus that copies itself onto floppy disks, then copies itself to your hard drive from the floppy, using a set of random file names it carries.

PWSteal.Firum should be of concern to anyone doing electronic commerce on a Web site or to anyone paying by credit card on someone else's Web site. PWSteal.Firum is a virus that attempts to steal credit card information--specifically Mastercard, Visa, American Express, and Eurocard--as it is entered into Web forms.

W32.HLLW.Gaboot.AZ is a virus that attempts to spread through network shares and allows access to an infected computer through unmonitored Internet Relay Chat services on your PC.

W32.Remable.Worm is a worm that attempts to spread itself through your network, and may have backdoor capabilities.

W32.Tofazzol is another virus spread via floppy disks, staying in memory once it's activated, then attempting to delete all the JPG, WAV, MP3, BMP, and MPG files on your hard drive.

IE 6.0 Vulnerability

Microsoft has released a new patch for users of Internet Explorer 6.0. This new patch is for a vulnerability in Internet Explorer 5.0, 5.5, and 6.0 that can allow unauthorized programs to run on your PC. Specifically, IE does not correctly determine the type of an object returned from a pop-up window served by a Web server. A savvy attacker can exploit this vulnerability to run arbitrary programs on your PC, causing all kinds of havoc. What's more, unless those programs caused damage, you might not even know they were running. And to further compound the problem, all you have to do is visit such a Web site, nothing more. The malicious program can be installed simply by displaying the pop-up window. Complete details on this vulnerability and the patch can be found on Microsoft's Web site (MS03-040: October 2003 cumulative patch for Internet Explorer).

PTFs and Fixes for OS/400 and Related Programs

The latest cumulative package for OS/400 V5R2 customers is the one IBM issued on September 9. The latest HIPER package was released October 14. The Database Group PTF has not been updated since mid-August, so if you've applied one in the last few weeks, you're probably okay for the foreseeable future. For complete details on this week's recommended fixes, go to IBM's technical support site.

This Week's PTF Highlights

MF31201 (V5R2)--If you have an AS/400 or iSeries running logical partitions, and you are doing dynamic memory allocation, you may occasionally experience a system hang. When this happens, your only recourse is to IPL. PTF MF31201 addresses this problem by locking in the dynamic size adjustment at its smallest size to prevent user and software tool confusion that could cause the system to hang.

SF99169 (V5R2)--Are you programming Java applications for your AS/400 or iSeries? If so, you'll be interested in PTF SF99169, which is the group PTF for Java. This group PTF contains updates (MF30832) to Java Development Kit Version 1.3.1. Also included in this group PTF is PTF SI09883, which addresses problems with certain parameters on the command "java" for java applications running in the PASE environment.

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.