Getting on with DDM

Using a Distributed Data Management (DDM) file allows you to access another networked iSeries - without even signing on!

Moreover, the attendant Submit Remote Command (SBMRMTCMD) enables you to execute CL commands on the remote iSeries.

IBOD


DDM:

IBOD can get onto your AS/400 without even signing on. This is accomplished by using Distributed Data Management (DDM).

You create a DDM file using the CRTDDMF command, specifying the APPN name of the remote AS/400 and the name of the file. The named file need not exist at the time the DDM file is created.

Along with remote file access using DDM, you can execute commands on the remote host by using the Submit Remote Command (SBMRMTCMD) command.

IBM got wise to this one, so you can't actually execute a PWRDWNSYS *IMMED anymore. The example is here for effect only.

Where the real exposure is, though, is when vendors use Display Station Passthrough (DSP) to provide fixes and enhancements to your application. The vendor needs a valid user profile and password to use DSP, but if they have an open line to your AS/400 then so too do you to theirs! Moreover, by using DDM, you do not need a password to get onto their machine.

Consider this. If IBOD can get onto one vendor's machine, it is possible, if their security is lax, for him to harvest user profiles and passwords on that remote host. Moreover, if that remote host uses FTP script files to connect to other hosts, these user profiles and passwords can be harvested also. Now IBOD can invade the other clients of this vendor, and it is very likely that some of these clients use another vendor's software. So the process continues.

To stop any DDM access, change the DDMACC network attribute to *REJECT, viz:- CHGNETA DDMACC(*REJECT)

If that solution is too restrictive then an exit point program should be used.
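A sketch of such an exit program, added here as an example (it is not Sentinex or IBM code). It rejects every SBMRMTCMD request and allows file access only from one named partner system. SECLIB, DDMEXIT and VENDORSYS are constructed placeholder names, and the parameter offsets assume IBM's documented DDMACC user exit layout, which should be checked against the documentation for your release.

```cl
/* DDMEXIT - added example of a DDMACC exit program.                  */
/* Register with: CHGNETA DDMACC(SECLIB/DDMEXIT)                      */
/* SECLIB, DDMEXIT and VENDORSYS are constructed placeholder names.   */
/* Assumed request layout (IBM DDM user exit interface):              */
/*   1-10 user profile, 11-20 application, 21-30 requested function,  */
/*   31-40 object, 41-50 library, 76-85 source remote location name.  */
PGM        PARM(&RTNCODE &REQ)
  DCL      VAR(&RTNCODE) TYPE(*CHAR) LEN(1)   /* '1'=accept '0'=reject */
  DCL      VAR(&REQ)     TYPE(*CHAR) LEN(95)
  DCL      VAR(&USER)    TYPE(*CHAR) LEN(10)
  DCL      VAR(&FUNC)    TYPE(*CHAR) LEN(10)
  DCL      VAR(&OBJ)     TYPE(*CHAR) LEN(10)
  DCL      VAR(&LIB)     TYPE(*CHAR) LEN(10)
  DCL      VAR(&SRCLOC)  TYPE(*CHAR) LEN(10)

  /* Any unexpected error falls through to a reject (fail closed).    */
  MONMSG   MSGID(CPF0000) EXEC(GOTO CMDLBL(FAILED))

  CHGVAR   VAR(&RTNCODE) VALUE('0')
  CHGVAR   VAR(&USER)    VALUE(%SST(&REQ 1 10))
  CHGVAR   VAR(&FUNC)    VALUE(%SST(&REQ 21 10))
  CHGVAR   VAR(&OBJ)     VALUE(%SST(&REQ 31 10))
  CHGVAR   VAR(&LIB)     VALUE(%SST(&REQ 41 10))
  CHGVAR   VAR(&SRCLOC)  VALUE(%SST(&REQ 76 10))

  /* COMMAND is the function code for SBMRMTCMD: never allow it.      */
  IF       COND(&FUNC *EQ 'COMMAND') THEN(GOTO CMDLBL(REJECT))

  /* Only the known partner location may use DDM file functions.      */
  IF       COND(&SRCLOC *NE 'VENDORSYS') THEN(GOTO CMDLBL(REJECT))

  CHGVAR   VAR(&RTNCODE) VALUE('1')
  RETURN

REJECT:
  /* Leave a trace for the operator so rejected attempts are visible. */
  SNDMSG   MSG('DDM request rejected: user' *BCAT &USER *BCAT +
               'function' *BCAT &FUNC *BCAT 'object' *BCAT &LIB +
               *TCAT '/' *CAT &OBJ *BCAT 'from' *BCAT &SRCLOC) +
           TOMSGQ(*SYSOPR)
  MONMSG   MSGID(CPF0000)   /* logging failure must not allow access  */
  RETURN

FAILED:
  CHGVAR   VAR(&RTNCODE) VALUE('0')
ENDPGM
```

The exit program decides whether a request is accepted at all; object authority on the target files still applies to whatever it lets through.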





Sentinex Inc.
379 Hamilton Drive
Stewartsville, NJ, 08886

Telephone: (800) 822 1004
Outside USA: (908) 213 8650
FAX: (908) 213 8652
e-Mail: info@sentinex.com
Member of PartnerWorld for Developers
IBM is a registered trademark of IBM Corporation.