Things that make you go hmmmm ... #3

work   war stories  

Having worked on main frames for a while I decided to move onto PCs. At that time we were just getting them instead of dumb terminals to talk to the main frame and things like Visual Basic were all the rage, but not yet accepted by business as a viable tool.

The government department was being sold off to private enterprise and I was moving out of the Adabase/Natural department and into another area which was not being sold off. I was angling for a redundancy even though it was not officially being offered. I knew they would have to offer it because my skills were not in an area they had a job going - it was just a matter of time and patience.

I had a week or so to kill before moving out of the mainframe area and being bored I decided to explore some parts of the system I'd not had a chance to look at yet.

The Adabas/Natural environment ran in a number of MVS CICS regions. As a developer you log into a region to do your work. Rather like logging in as a different user on a PC. As part of getting development access to the mainframe, security allocated a number of default CICS regions to each developer. One for developing, one for access the databases (thats another story) and a number of others. It was these others I was interested in exploring as I had not used them and wondered what they were for.

I logged into the first region on the list and looked around. Mainly at two things - what source code was there and what databases where accessible. So far, nothing useful, interesting or exciting. The next region on the list was pretty much the same. But the third was something else entirely.

To my complete surprise, when I listed the database tables available I got a complete list of all the security tables - With full read/write access!

I was stunned. Every developer on the system had access to this region. In other words - Complete access to the security system, and from there - complete access to the entire system!

To understand just how bad this was, this system dealt with large amounts of money. With this access I could take complete control. For example I could modify the production code to inject fake accounts, transfer money, hide the transactions from the monitoring systems and logs, and then remove the modifications as if nothing had every happened. I owned the system! What really worried me was that every developer had this same access. White collar crime city !

I had two choices at this stage. 1 - I could report this vulnerability to security. Or 2 - I could just ignore it and pretend I had not noticed.

OK, there is a 3, but I don't do that.

I decided on 1. But knowing some of the security people personally I also knew that they would not take me seriously because they generally were of the opinion that they were the only ones who knew anything about security. I was not of the same opinion of their abilities as proven by what I had found so easily.

So I did a quite update to my own security profile through the access hole I had discovered. I added a comment "Your system is broken!" and walked over to the security team who happened to be on the same floor in the building I was in.

I asked a person I knew to open my profile and browse the comments. Then told them how I updated them and left.

Needless to say the security hole had been quietly closed by the next day when I re-checked the CICS region.

I always wondered if I was the only person who found this hole. It seems unlikely to me that no other developer had ever found this massive mistake. But then again, it was government and generally speaking most of the developers there weren't that smart.


Comments powered by Disqus