Nefarious Masqueraders - AS/400 Trojan Horse programs
By Dan Riehl
Adapted from the book Power Tips for OS/400 Security
© 2003-2009 Dan Riehl, All rights reserved.
Ne-far-i-ous, adj. extremely wicked or villainous: a nefarious plot
Mas-quer-ade, v.i. to present oneself falsely
When I speak of a nefarious masquerader, I am referring to a program that is inserted into the OS/400 operating system at a strategic position, masquerading as a legitimate program, to perform wicked or evil work; in other words, a Trojan horse. As an example, suppose your system start-up program QSTRUP were modified to issue a command to power down the system. Yikes. This is only one possible example, but in this article we'll explore some of the more obvious and not-so-obvious ways of introducing nefarious programs into OS/400.
For openers, one possibility is that these evil programs execute powerful commands once they determine that the job is running under a powerful profile. For a simple example, a database trigger program can check which user initiated the database operation. If it is QSECOFR, the trigger program can execute any command on the system. As in:
/* &USER holds the profile running the database operation */
IF (&USER *EQ 'QSECOFR') DO
  CHGUSRPRF MYPROFILE SPCAUT(*ALLOBJ *SECADM *AUDIT)
ENDDO
Obviously, you need to be vigilant in protecting your system from these programs and monitor for the existence of them on a continuing basis.
The following are some of the places you will want to protect and watch. This is not a comprehensive list, but makes for a great start in protecting your system.
The system value QSTRUPPGM (System Start-Up Program)
This value controls the name of the program that starts your subsystems, communications, and printers. If a change is made to this system value, or the program that runs, you may not be able to start your system.
The CHGSYSVAL command is restricted, shipped with *PUBLIC AUT(*EXCLUDE), but any user with *ALLOBJ special authority, or the IBM profiles QPGMR, QSYSOPR or QSRV, can set this value.
Not only must you protect against someone changing the name of the program in the system value, but you must also protect the program itself from being changed. Restrict changes by securing the program with AUT(*USE).
The best way to track this is to Start Security Auditing and watch for changes to system values. You will also want to turn on Object Auditing for your Startup program.
The system value QPWDVLDPGM (Password Validation Program)
This system value can identify the name of a program that is called when someone issues the CHGPWD command or uses the change password API. The purpose of a password validation program is normally to enforce additional rules beyond those available in the other password formation system values. The IBM-shipped default for this system value is *NONE.
If a program name is specified in this system value, the program is passed, as parameters, the user ID and the old and new passwords in clear text. This can be used as a means of recording passwords. The system value may also specify *REGFAC, in which case the OS/400 registration facility is used to maintain the name of the program.
The best way to track this is to Start Security Auditing and watch for changes to system values. If a program is named, make sure you know exactly what it's doing, and set the authority to AUT(*USE).
The system value QATNPGM (Attention Key Handling Program)
The attention key program allows a user to press the Attention key to escape their current application and use an alternate application, then seamlessly return to their work at the point of exit. Attention programs are useful for IT staff, as they allow quick access to a command line without closing the current screen.
The shipped default is the program QEZMAIN, the Operational Assistant main menu, but the system value can be set to any program. The attention key program can also be set at the user profile level.
If an attention key handling program exists, including QEZMAIN, you must protect it from modification with AUT(*USE).
The best way to track changes is to Start Security Auditing, and watch for changes to system values, and changes to user profiles. You will also want to turn on Object Auditing for any existing attention key handling programs.
Other system values that specify a program name to monitor
You also need to monitor changes to these system values as well as their corresponding programs.
QPRBFTR Problem log filter
QRMTSIGN Remote sign-on control
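As an added example that is not part of the article, the CL program below retrieves each program-naming system value covered above, tells the system operator when one differs from a recorded baseline, and then turns on object auditing for the start-up program itself. The baseline literals and the object name QSYS/QSTRUP are constructed placeholders; record your own values after a trusted review.

```cl
/* Added example, not from the article. Compares the program-naming   */
/* system values against a recorded baseline and warns the operator.  */
/* Baseline literals are constructed; record your own after review.   */
/* CHGOBJAUD requires *AUDIT special authority.                       */
   PGM
   DCL        VAR(&STRUP)  TYPE(*CHAR) LEN(20)
   DCL        VAR(&PWDVLD) TYPE(*CHAR) LEN(20)
   DCL        VAR(&ATN)    TYPE(*CHAR) LEN(20)
   DCL        VAR(&PRBFTR) TYPE(*CHAR) LEN(20)
   DCL        VAR(&RMTSGN) TYPE(*CHAR) LEN(20)

   /* Program values come back as name (pos 1-10) + library (11-20); */
   /* CL pads the shorter operand with blanks before comparing.       */
   RTVSYSVAL  SYSVAL(QSTRUPPGM) RTNVAR(&STRUP)
   IF         COND(&STRUP *NE 'QSTRUP    QSYS') THEN(DO)
     SNDMSG   MSG('QSTRUPPGM is now' *BCAT &STRUP) TOUSR(*SYSOPR)
   ENDDO

   /* *NONE means no program sees the clear-text passwords           */
   RTVSYSVAL  SYSVAL(QPWDVLDPGM) RTNVAR(&PWDVLD)
   IF         COND(&PWDVLD *NE '*NONE') THEN(DO)
     SNDMSG   MSG('QPWDVLDPGM is now' *BCAT &PWDVLD) TOUSR(*SYSOPR)
   ENDDO

   /* *ASSIST is the shipped value; it selects the Operational        */
   /* Assistant program QEZMAIN                                        */
   RTVSYSVAL  SYSVAL(QATNPGM) RTNVAR(&ATN)
   IF         COND(&ATN *NE '*ASSIST') THEN(DO)
     SNDMSG   MSG('QATNPGM is now' *BCAT &ATN) TOUSR(*SYSOPR)
   ENDDO

   RTVSYSVAL  SYSVAL(QPRBFTR) RTNVAR(&PRBFTR)
   IF         COND(&PRBFTR *NE '*NONE') THEN(DO)
     SNDMSG   MSG('QPRBFTR is now' *BCAT &PRBFTR) TOUSR(*SYSOPR)
   ENDDO

   RTVSYSVAL  SYSVAL(QRMTSIGN) RTNVAR(&RMTSGN)
   IF         COND(&RMTSGN *NE '*FRCSIGNON') THEN(DO)
     SNDMSG   MSG('QRMTSIGN is now' *BCAT &RMTSGN) TOUSR(*SYSOPR)
   ENDDO

   /* Record every change to the start-up program object itself, so   */
   /* a ZC entry lands in QAUDJRN even when the system value is left  */
   /* untouched. Use the name your QSTRUPPGM actually points to.      */
   CHGOBJAUD  OBJ(QSYS/QSTRUP) OBJTYPE(*PGM) OBJAUD(*CHANGE)
   ENDPGM
```

Schedule it with the job scheduler so the comparison runs daily; the SNDMSG calls complement, rather than replace, the SV entries that Security Auditing writes to QAUDJRN.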
Database Trigger Programs
A database trigger program is a user-written program that is called when a database operation (read, update, add, delete) is performed against a file. Any user with *OBJALTER, *OBJMGT, *READ, *OBJOPR and *EXECUTE rights to a file can add a trigger program to the file. A trigger program can do anything the user running the database operation is authorized to do. If the program checks which user is running it and finds a powerful user, it can do great mischief.
The best way to track this is to use the command PRTTRGPGM (Print Trigger Programs). The command allows you to list all trigger programs in a library, or only the ones that have been added since you last ran the command. Secure trigger programs with AUT(*USE).
You may also want to turn on Security Auditing and specify an AUDLVL of *CREATE, to capture newly created programs. You will want to turn on Object Auditing (*CHANGE level) for any existing trigger programs.
Network Attributes Exit programs
The network attributes PCSACC and DDMACC control the handling of certain communication functions. A user-written program may be specified for these two network attributes. In order to change these entries, *ALLOBJ and *IOSYSCFG special authority is required. If a program is named, it must be secured with AUT(*USE) to protect it against modification.
The best way to track this is to Start Security Auditing, and watch for *SECURITY changes. You will also want to turn on Object Auditing for any existing exit programs.
Registered Exit Programs
The WRKREGINF (Work with Registration Information) command lists various categories of exit points for system functions. If an exit program is attached to an exit point, the program is called when the associated activity is requested. For example, password validation programs may be specified in the exit point named QIBM_QSY_VLD_PASSWRD, and when a request is made to change a password the program name is retrieved and the program executed.
In order to add an exit program to an exit point, *ALLOBJ special authority is required, but the exit program itself must be protected against modification with AUT(*USE).
The best way to track this is to Start Security Auditing, and watch for *SECURITY changes. You will also want to turn on Object Auditing (*CHANGE level) for any existing exit programs.
Changes to Commands
You need to watch for changes to IBM-supplied Control Language commands and your own custom commands. Commands provide multiple avenues for mischief. Each command can have several programs called as a result of the command being executed, or even simply prompted (using the F4 key). These programs include the command validity checking program, command processing program, prompt control program, prompt override program and prompt choice control program. If someone were to add a validity checking program to a command, for example, that program would run under the authority of the user running the command, and could do anything that user is authorized to do.
Another area of concern for creating and changing commands is the ability to add a product library into the job's library list and to change the job's current library. The product library and current library are placed ahead of the user portion of the job's library list, and therefore mischievous programs and other objects can masquerade as your real production applications.
You need to restrict access to the CRTCMD and CHGCMD commands with AUT(*EXCLUDE).
The best way to track this is to turn on Object Auditing (*USE level) for the CHGCMD and CRTCMD commands to record each time the commands are used.
The CHGMSGD (Change Message Description) command allows you to specify a default error handling program in the DFTPGM parameter of a message stored in a message file. The default program is called whenever that particular message is sent as an *ESCAPE or *NOTIFY message.
To track this, turn on object auditing (*CHANGE level) for message files, and make sure message files are secured with *PUBLIC AUT(*USE).
What to do now
We have dealt with many of the places where nefarious masqueraders can be inserted into your operating system, and how to thwart these attempts. In some cases you will only be able to detect and undo the effect of these attacks after the fact, by reviewing your security audit journal. Here are the first few steps you should consider.
1) Start Security Auditing with Object Auditing, and review the reports regularly.
2) Take the other recommended steps discussed in this article.
Since many of these attacks can be carried out only by a user with elevated security privileges, take these steps to help protect your system from powerful user profiles.
1) Do not allow *ALLOBJ special authority to get out of hand.
· Only a very trusted few should have access to a powerful user profile.
· Signing on as a powerful user should be a very rare occasion.
2) Run your system at QSECURITY level 40 or 50.
Many of you may astutely inquire, "What about the exposures within my own custom production applications? Aren't they susceptible to this same kind of threat?" Yes, certainly they are. To protect your own application objects, ensure that change control policies are not just a trivial matter of moving test objects to production, but that you have strict control and auditing of anything moved to the production environment. I recommend regular, or at the very least random, source code reviews. To help you, you can use the command CMPPFM (Compare Physical File Member), which can list the changed lines of source code before you move them to production.
Start Security Auditing
To start security auditing, you can use the command CHGSECAUD(Change Security Auditing). The command creates the QAUDJRN audit journal and its receiver (if they don’t already exist) and changes the system values to the values you specify. Here’s a sample CHGSECAUD command:
CHGSECAUD QAUDCTL(*AUDLVL *OBJAUD *NOQTEMP) +
          QAUDLVL(*AUTFAIL *SECURITY *SERVICE +
                  *DELETE *OBJMGT *PGMFAIL *CREATE)
As with most journals, you'll need to manage the journal receivers.
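As an added example that is not part of the article, this CL program extracts the system value change (SV), object change (ZC) and object create (CO) entries from the currently attached QAUDJRN receiver, reports each one to the system operator, and then attaches a new receiver so the old one can be saved and removed. The library AUDLIB and the file AUDCHG are constructed placeholders.

```cl
/* Added example, not from the article. Pulls the SV, ZC and CO audit  */
/* entries written since the last receiver change into an outfile,     */
/* reports them, then rotates the receiver. AUDLIB/AUDCHG are          */
/* constructed placeholders. Requires *AUDIT special authority.        */
   PGM
   DCLF       FILE(QSYS/QADSPJR5)   /* IBM model file for OUTFILFMT(*TYPE5) */
   DCL        VAR(&TEXT) TYPE(*CHAR) LEN(132)

   /* Only the entry types this article asks you to watch */
   DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURRENT) ENTTYP(SV ZC CO) +
                OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
                OUTFILE(AUDLIB/AUDCHG) ENTDTALEN(*CALC)

   /* ENTDTALEN(*CALC) lengthens JOESD, the last field, so the record  */
   /* level differs from the model file. Read the declared prefix only. */
   OVRDBF     FILE(QADSPJR5) TOFILE(AUDLIB/AUDCHG) LVLCHK(*NO)

 NEXT:
   RCVF
   MONMSG     MSGID(CPF0864) EXEC(GOTO CMDLBL(DONE))   /* end of file */
   /* Entry-specific data: pos 1 = action code, 2-11 = system value */
   /* name (SV) or object name (ZC/CO), 12-21 = library, 22-29 = type */
   CHGVAR     VAR(&TEXT) VALUE(&JOENTT *BCAT 'by' *BCAT &JOUSER +
                *BCAT 'job' *BCAT &JOJOB *BCAT %SST(&JOESD 1 29))
   SNDMSG     MSG(&TEXT) TOUSR(*SYSOPR)
   GOTO       CMDLBL(NEXT)

 DONE:
   DLTOVR     FILE(QADSPJR5)
   /* Attach a new receiver; the detached one can now be saved with  */
   /* SAVOBJ and deleted once it is safely off-line.                  */
   CHGJRN     JRN(QSYS/QAUDJRN) JRNRCV(*GEN)
   ENDPGM
```

Because the extract covers only the attached receiver, running this daily gives you one receiver per day and a matching review file.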