subject:"IKJEFTxx should fail if not JobStep Task"

Re: IKJEFTxx should fail if not JobStep Task

2017-11-02 Thread Mark Jacobs - Listserv

Yes I did. Gave them the same treatment as the French Soldier in Monty 
Python and the Holy Grail when he taunted King Arthur.


Mark Jacobs


Edward Gould 
October 30, 2017 at 2:26 PM
Semi on topic.
Have any of you seen the “video” that claims that they can bypass 
system integrity with one program?
I saw one such presentation and asked the golden question about update 
access to an APF library.

They never got around to answering my question.
BTW: IIRC it was some dog and pony show to sell you security. Its been 
a couple of months and I just don’t remember the name.


Ed


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN



Please be alert for any emails that may ask you for login information 
or directs you to login via a link. If you believe this message is a 
phish or aren't sure whether this message is trustworthy, please send 
the original message as an attachment to 'phish...@timeinc.com'.


Steve Smith 
October 30, 2017 at 10:15 AM
There is no need here to document the exact methods the OP used to
bypass restrictions and violate system integrity. It's not hard to
figure out if you have much experience.

Given access to an APF-authorized library, one can do whatever one
wants, regardless of the "rules".

sas

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN



Please be alert for any emails that may ask you for login information 
or directs you to login via a link. If you believe this message is a 
phish or aren't sure whether this message is trustworthy, please send 
the original message as an attachment to 'phish...@timeinc.com'.


Peter Hunkeler 
October 30, 2017 at 2:53 AM

The TSO TMP is designed to be attached only by EXEC PGM=IKJEFTxx, or by the 
TSO/E Session Manager (when Session Manager is the EXEC PGM= on the logon 
proc). Attaching the TMP by any other program is unsupported.



Attaching the TMP in an IMS dependent region or a CICS AOR will violate the 
System Integrity and thus the security of your system, since it will allow the 
unauthorized transaction programs in those regions to take over the system in 
anyway that they desire.



This raises the question then, why does IKJEFTxx *not* check this and fail if 
not run as job step task?



Because it requires APF to invoke the TMP. And if you allow your CICS or IMS to 
run APF, this is the least of your problems.





In the first paragraph, there is no talk about APF. When it comes to running 
things with APF when they should not, I fully agree.
I understand the comment to say that running PGM A via EXEC PGM=A, and then PGM 
A attaches or links to IKJEFTxx, this is not supported. If this means that 
things may not work as expected, there is no support. If this means that things 
may not work as expected *and* things may endanger system integrity, then I 
think it should not be possible to get into that situation (as unauthorized 
program).


But, even if the region controllers in IMS and CICS run authorized (I guess 
they do), they are designed to run application (transaction) programs with only 
problem state authority. Why would the TMP be attached in a different mode it 
run as transaction program?


--
Peter Hunkeler



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN



Please be alert for any emails that may ask you for login information or 
directs you to login via a link. If you believe this message is a phish or 
aren't sure whether this message is trustworthy, please send the original 
message as an attachment to 'phish...@timeinc.com'.

Binyamin Dissen 
October 29, 2017 at 3:07 PM
On Sun, 29 Oct 2017 16:00:20 +0100 Peter Hunkeler  wrote:

:>>The TSO TMP is designed to be attached only by EXEC PGM=IKJEFTxx, 
or by the TSO/E Session Manager (when Session Manager is the EXEC PGM= 
on the logon proc). Attaching the TMP by any other program is unsupported.


:>>Attaching the TMP in an IMS dependent region or a CICS AOR will 
violate the System Integrity and thus the security of your system, 
since it will allow the unauthorized transaction programs in those 
regions to take over the system in anyway that they desire.


:>This raises the question then, why does IKJEFTxx *not* check this 
and fail if not run as job step task?


Because it requires APF to invoke the TMP. And if you allow your CICS 
or IMS

to run APF, this is the least of your problems.

MVS provides the child hammer for non-APF and the real hammer for APF. You
want to use it on your toes

Re: IKJEFTxx should fail if not JobStep Task (was: Batch TSO command ... )

2017-10-30 Thread Paul Gilmartin

On Sun, 29 Oct 2017 21:07:33 +0200, Binyamin Dissen 
 wrote:

>On Sun, 29 Oct 2017 16:00:20 +0100 Peter Hunkeler  wrote:
>
>:>>The TSO TMP is designed to be attached only by EXEC PGM=IKJEFTxx, or by the 
>TSO/E Session Manager (when Session Manager is the EXEC PGM= on the logon 
>proc). Attaching the TMP by any other program is unsupported.
>
>:>>Attaching the TMP in an IMS dependent region or a CICS AOR will violate the 
>System Integrity and thus the security of your system, since it will allow the 
>unauthorized transaction programs in those regions to take over the system in 
>anyway that they desire.
>
>:>This raises the question then, why does IKJEFTxx *not* check this and fail 
>if not run as job step task?
>
>Because it requires APF to invoke the TMP. And if you allow your CICS or IMS
>to run APF, this is the least of your problems.
>
What's the precise definition of a "job step (jobstep? usage?) task?  I've 
regularly
used the Rexx ADDRESS TSO surrogate, available only under UNIX, not IRXJCL,
which fork()s a child address space in which the TMP runs to much avail.  I know
of no attendant integrity exposure.  Does this meet the definiton (stated 
where?)
of a job step task?  What about using BPX1EXM to start a TMP?  (I've not tried
that.)

(The Glossary of z/OS terms and abbreviations discusses "job step" only in 
connection
with batch JCL.  RCF?)

(OK.  The description of BPX1EXM says it "inserts a new step".  I suppose that 
makes the
program invoked a "job step task".  I don't see that the UNIX Rexx manual 
mentions a job
step.)

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IKJEFTxx should fail if not JobStep Task (was: Batch TSO command ... )

2017-10-30 Thread Edward Gould

> On Oct 30, 2017, at 9:15 AM, Steve Smith  wrote:
> 
> There is no need here to document the exact methods the OP used to
> bypass restrictions and violate system integrity.  It's not hard to
> figure out if you have much experience.
> 
> Given access to an APF-authorized library, one can do whatever one
> wants, regardless of the "rules".
> 
> sas
Semi on topic.
 Have any of you seen the “video” that claims that they can bypass system 
integrity with one program?
I saw one such presentation and asked the golden question about update access 
to an APF library.
They never got around to answering my question.
BTW: IIRC it was some dog and pony show to sell you security. Its been a couple 
of months and I just don’t remember the name.

Ed


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: AW: Re: IKJEFTxx should fail if not JobStep Task (was: Batch TSO command ... )

2017-10-30 Thread Jim Mulder

  Attaching the TMP from an unauthorized program will simply not work, 
with no 
system integrity exposure.  The TMP will fail when it tries to do 
something 
which requires authorization, and that would be the case if someone tried 
to attach the
TMP from an unauthorized CICS or IMS transaction program. 

Jim Mulder z/OS Diagnosis, Design, Development, Test  IBM Corp. 
Poughkeepsie NY

IBM Mainframe Discussion List  wrote on 
10/30/2017 02:53:00 AM:

> >>>The TSO TMP is designed to be attached only by EXEC PGM=IKJEFTxx,
> or by the TSO/E Session Manager (when Session Manager is the EXEC 
> PGM= on the logon proc). Attaching the TMP by any other program is 
> unsupported. 
> 
> >>>Attaching the TMP in an IMS dependent region or a CICS AOR will 
> violate the System Integrity and thus the security of your system, 
> since it will allow the unauthorized transaction programs in those 
> regions to take over the system in anyway that they desire. 
> 
> >>This raises the question then, why does IKJEFTxx *not* check this 
> and fail if not run as job step task? 
> 
> >Because it requires APF to invoke the TMP. And if you allow your 
> CICS or IMS to run APF, this is the least of your problems. 
> 
> In the first paragraph, there is no talk about APF. When it comes to
> running things with APF when they should not, I fully agree.
> I understand the comment to say that running PGM A via EXEC PGM=A, 
> and then PGM A attaches or links to IKJEFTxx, this is not supported.
> If this means that things may not work as expected, there is no 
> support. If this means that things may not work as expected *and* 
> things may endanger system integrity, then I think it should not be 
> possible to get into that situation (as unauthorized program).
> 
> 
> But, even if the region controllers in IMS and CICS run authorized 
> (I guess they do), they are designed to run application 
> (transaction) programs with only problem state authority. Why would 
> the TMP be attached in a different mode it run as transaction program?



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IKJEFTxx should fail if not JobStep Task (was: Batch TSO command ... )

2017-10-30 Thread Steve Smith

There is no need here to document the exact methods the OP used to
bypass restrictions and violate system integrity.  It's not hard to
figure out if you have much experience.

Given access to an APF-authorized library, one can do whatever one
wants, regardless of the "rules".

sas

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

AW: Re: IKJEFTxx should fail if not JobStep Task (was: Batch TSO command ... )

2017-10-29 Thread Peter Hunkeler

>>>The TSO TMP is designed to be attached only by EXEC PGM=IKJEFTxx, or by the 
>>>TSO/E Session Manager (when Session Manager is the EXEC PGM= on the logon 
>>>proc). Attaching the TMP by any other program is unsupported.

>>>Attaching the TMP in an IMS dependent region or a CICS AOR will violate the 
>>>System Integrity and thus the security of your system, since it will allow 
>>>the unauthorized transaction programs in those regions to take over the 
>>>system in anyway that they desire.

>>This raises the question then, why does IKJEFTxx *not* check this and fail if 
>>not run as job step task?

>Because it requires APF to invoke the TMP. And if you allow your CICS or IMS 
>to run APF, this is the least of your problems.




In the first paragraph, there is no talk about APF. When it comes to running 
things with APF when they should not, I fully agree.
I understand the comment to say that running PGM A via EXEC PGM=A, and then PGM 
A attaches or links to IKJEFTxx, this is not supported. If this means that 
things may not work as expected, there is no support. If this means that things 
may not work as expected *and* things may endanger system integrity, then I 
think it should not be possible to get into that situation (as unauthorized 
program).


But, even if the region controllers in IMS and CICS run authorized (I guess 
they do), they are designed to run application (transaction) programs with only 
problem state authority. Why would the TMP be attached in a different mode it 
run as transaction program?


--
Peter Hunkeler



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IKJEFTxx should fail if not JobStep Task (was: Batch TSO command ... )

2017-10-29 Thread Binyamin Dissen

On Sun, 29 Oct 2017 16:00:20 +0100 Peter Hunkeler  wrote:

:>>The TSO TMP is designed to be attached only by EXEC PGM=IKJEFTxx, or by the 
TSO/E Session Manager (when Session Manager is the EXEC PGM= on the logon 
proc). Attaching the TMP by any other program is unsupported.

:>>Attaching the TMP in an IMS dependent region or a CICS AOR will violate the 
System Integrity and thus the security of your system, since it will allow the 
unauthorized transaction programs in those regions to take over the system in 
anyway that they desire. 
 
:>This raises the question then, why does IKJEFTxx *not* check this and fail if 
not run as job step task? 

Because it requires APF to invoke the TMP. And if you allow your CICS or IMS
to run APF, this is the least of your problems.

MVS provides the child hammer for non-APF and the real hammer for APF. You
want to use it on your toes, go ahead.

--
Binyamin Dissen 
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel


Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

IKJEFTxx should fail if not JobStep Task (was: Batch TSO command ... )

2017-10-29 Thread Peter Hunkeler



>The TSO TMP is designed to be attached only by EXEC PGM=IKJEFTxx, or by the 
>TSO/E Session Manager (when Session Manager is the EXEC PGM= on the logon 
>proc). Attaching the TMP by any other program is unsupported.


>Attaching the TMP in an IMS dependent region or a CICS AOR will violate the 
>System Integrity and thus the security of your system, since it will allow the 
>unauthorized transaction programs in those regions to take over the system in 
>anyway that they desire.

This raises the question then, why does IKJEFTxx *not* check this and fail if 
not run as job step task?


--
Peter Hunkeler

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: IKJEFTxx should fail if not JobStep Task

Re: IKJEFTxx should fail if not JobStep Task (was: Batch TSO command ... )

Re: IKJEFTxx should fail if not JobStep Task (was: Batch TSO command ... )

Re: AW: Re: IKJEFTxx should fail if not JobStep Task (was: Batch TSO command ... )

Re: IKJEFTxx should fail if not JobStep Task (was: Batch TSO command ... )

AW: Re: IKJEFTxx should fail if not JobStep Task (was: Batch TSO command ... )

Re: IKJEFTxx should fail if not JobStep Task (was: Batch TSO command ... )

IKJEFTxx should fail if not JobStep Task (was: Batch TSO command ... )

8 matches

Site Navigation

Mail list logo

Footer information