Subject: | |
From: | |
Reply To: | Johnson, Tracy |
Date: | Mon, 12 Mar 2001 17:03:48 -0500 |
Content-Type: | text/plain |
Parts/Attachments: |
|
|
HP seems to have learned a lot of things about MPE lately.
Do you think it will make a ripple in the CERT or CIAC
bulletins?
Tracy Johnson
MSI Schaevitz Sensors
-----Original Message-----
From: Gavin Scott [mailto:[log in to unmask]]
Sent: Monday, March 12, 2001 5:05 PM
To: [log in to unmask]
Subject: Re: Sec. Vulnerability in MPE/ix's AIF
Security Alert writes:
> A. Background
> Hewlett-Packard Company has learned of a procedure by which
> a user can get unauthorized access to user accounts and
> databases using architected interface facility (AIF -
> AIFCHANGELOGON) either directly or indirectly.
Curious. AIFCHANGELOGON is a privileged routine, so I'm fuzzy on why this
is a big deal. Assuming I can call AIFCHANGELOGON I can think of lots of
ways it could be used to override one or another common security mechanism,
but I would think that any privileged program that is using AIFCHANGELOGON
should be required to know what it's doing.
If someone writes a program that lets anyone AIFCHANGELOGON at will, then
they shouldn't be too surprised at the result.
I must assume that there was some particularly egregious and unintended
feature that was removed.
It will be interesting to see if the patch breaks anyone's code.
G.
|
|
|