PoC: New

2022-07-23T21:34:38Z

New

New page

'''[https://en.wikipedia.org/wiki/Distributed_Data_Management_Architecture DDM]''' uses the '''QUSER''' profile by default, when another machine accesses files. This might pose a possible '''security issue''', because data can be read and written by an anonymous user.

On the AS/400 DDM can be used by creating a DDM file with the <code>CRTDDMF</code> command, and using the <code>RMTFILE</code> parameter fields to point to a valid file on the remote server.

The <code>RMTLOCNAME</code> parameter can either point to a SNA/APPN node, or to an IP host name.
* APPN/APPC is enabled by default on OS/400. As soon as an APPN adjacency has been configured between any two machines, DDM can be used. It's an APPC service which is started on demand by a requesting APPC client. Given the usually limited reach of SNA networks today, and the necessity of former APPN configuration steps, the chance of a really anonymous attacker abusing this capability is low.
* If you don't need DDM functionality over TCP/IP transport, simply <code>ENDTCPSVR SERVER(*DDM)</code>, and make sure you disable autostart (<code>CHGDDMTCPA AUTOSTART(*NO)</code>).
* If you need DDM functionality over TCP/IP transport, make sure you set <code>PWDRQD</code> at least to <code>*YES</code>, better to <code>*ENCRYPTED</code>.

== Weblinks ==
* [https://www.ibm.com/support/pages/changing-ddm-jobs-using-quser-user-profile Changing DDM Jobs from Using the QUSER User Profile], IBM
* [https://www.itjungle.com/2004/05/26/security-and-ddm-files/ Security and DDM Files], IT Jungle

[[Category: Software Configuration Guide]]
[[Category: System Administration]]
[[Category: Security]]

Security considerations with DDM - Revision history

PoC: New