ayoul3 / Privesc

Privilege escalation tools on Mainframe

"NO RACF PROFILE" but there is! #1

Closed lnlyssg closed 6 years ago

lnlyssg commented 7 years ago

Just tried this on my Hercules set-up and get lots of output saying there's no RACF profile e.g:

 SYS1.LINKLIB ,  NO RACF PROFILE
 SYS1.SVCLIB ,  NO RACF PROFILE

However there are RACF profiles in place for all the APF authed datasets. Having traced the Rexx I suspect the issue is on line 180

    180 *-*        DSN = arg(1)
        >L>          "1"
        >F>          "DSN"
    181 *-*        X = OUTTRAP('OUT.')
        >L>          "OUT."
        >F>          "OUT."
    182 *-*        ADDRESS TSO "LD DA('"DSN"') GEN"
        >L>          "LD DA('"
        >V>          "DSN"
        >O>          "LD DA('DSN"
        >L>          "') GEN"
        >O>          "LD DA('DSN') GEN"
        +++ RC(4) +++

Alas my Rexx skills are rather rusty so I'm not sure how to fix this otherwise I would offer a suggestion!

lnlyssg commented 7 years ago

After some tweaking changing line 180 to

DSN = DSN.NUMAPF

seems to do the trick

And while I'm at it, I'd suggest changing line 182 to:

ADDRESS TSO "LD DA('"DSN"') GEN"

That way if there isn't a specific profile it will list the relevant one that covers the dataset e.g.

NO RACF DESCRIPTION FOUND FOR SYS1.LINKLIB

vs

INFORMATION FOR DATASET SYS1.*.** (G)

 LEVEL  OWNER    UNIVERSAL ACCESS   WARNING   ERASE
 -----  -------- ----------------   -------   -----
  00    GROUP1          READ          NO      NO

 AUDITING
 --------
 FAILURES(READ)

 NOTIFY
 --------
 NO USER TO BE NOTIFIED

 YOUR ACCESS  CREATION GROUP  DATASET TYPE
 -----------  --------------  ------------
     READ        GROUP1         NON-VSAM

ayoul3 commented 7 years ago

Dude you rule !!
Thank you so much for taking the time to fix it directly. I accepted the pull request.

++

lnlyssg commented 7 years ago

Happy to help 👍 I had an idea about tweaking the Rexx so that it would only write out datasets where you have higher than READ access but need to remind myself how to use SELECT WHEN in Rexx first!

lnlyssg commented 7 years ago

I'm afraid arg(1) is still causing issues for me when using the LIST option, below is a result of setting trace i in the check_priv function. I have tested this on two different systems and get the same on both....

APF_DSN, ACCESS
    149 *-* NOT_AUTH="NOT AUTHORIZED"
        >L>   "NOT AUTHORIZED"
    150 *-* NO_PROFILE="NO RACF"
        >L>   "NO RACF"
    151 *-* DSN = arg(1)
        >L>   "1"
        >F>   "DSN"
    152 *-* X = OUTTRAP('OUT.')
        >L>   "OUT."
        >F>   "OUT."
    153 *-* ADDRESS TSO "LD DA('"DSN"') GEN"
        >L>   "LD DA('"
        >V>   "DSN"
        >O>   "LD DA('DSN"
        >L>   "') GEN"
        >O>   "LD DA('DSN') GEN"
        +++ RC(4) +++
    154 *-* Y = OUTTRAP('OFF')
        >L>   "OFF"
        >F>   "OFF"
    155 *-* IF OUT.0 == 1 & INDEX(OUT.1,NOT_AUTH)>0
        >V>   "1"
        >L>   "1"
        >O>   "1"
        >V>   "ICH35003I NO RACF DESCRIPTION FOUND FOR DSN
"
        >V>   "NOT AUTHORIZED"
        >F>   "0"
        >L>   "0"
        >O>   "0"
        >O>   "0"
    158 *-* IF OUT.0 == 1 & INDEX(OUT.1,NO_PROFILE)>0
        >V>   "1"
        >L>   "1"
        >O>   "1"
        >V>   "ICH35003I NO RACF DESCRIPTION FOUND FOR DSN
"
        >V>   "NO RACF"
        >F>   "11"
        >L>   "0"
        >O>   "1"
        >O>   "1"
        *-* THEN
        *-* DO
    159 *-* return "NO RACF PROFILE"
        >L>   "NO RACF PROFILE"
SYS1.LINKLIB , NO RACF PROFILE
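
An added example, not part of this thread or of the Privesc code: an offline Python check over captured LISTDSD output, for use when auditing how APF libraries are protected. It treats an ICH35003I message that names a different dataset than the one requested (as in the trace above, where it names DSN) as a broken query rather than a missing profile. The function names, status labels and sample lists are assumptions made for illustration.

```python
import re

# RACF access levels as shown under "YOUR ACCESS", weakest first.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
NO_DESC = re.compile(r"ICH35003I NO RACF DESCRIPTION FOUND FOR (\S+)")

def classify(requested, lines):
    """Classify trapped LISTDSD output for the dataset that was requested.

    Returns (status, detail) with status one of BAD_QUERY, NO_PROFILE,
    NOT_AUTHORIZED, ACCESS or UNPARSED (labels are hypothetical).
    """
    text = [line.rstrip() for line in lines if line.strip()]
    for line in text:
        m = NO_DESC.search(line)
        if m:
            # ICH35003I echoes the name RACF was really asked about. If it
            # differs from the requested dataset, the query was built wrongly.
            named = m.group(1)
            if named.upper() != requested.upper():
                return ("BAD_QUERY", named)
            return ("NO_PROFILE", named)
        if "NOT AUTHORIZED" in line:
            return ("NOT_AUTHORIZED", requested)
    for i, line in enumerate(text[:-2]):
        if line.lstrip().startswith("YOUR ACCESS"):
            # Header, dashed rule, then the row of values.
            level = text[i + 2].split()[0]
            if level in LEVELS:
                return ("ACCESS", level)
    return ("UNPARSED", "")

def above_read(level):
    """True when the level allows more than READ (UPDATE, CONTROL, ALTER)."""
    return LEVELS.index(level) > LEVELS.index("READ")

# Constructed inputs, copied from the output quoted in this thread.
BUG_CASE = ["ICH35003I NO RACF DESCRIPTION FOUND FOR DSN   "]
GENERIC_CASE = [
    "INFORMATION FOR DATASET SYS1.*.** (G)",
    " YOUR ACCESS  CREATION GROUP  DATASET TYPE",
    " -----------  --------------  ------------",
    "     READ        GROUP1         NON-VSAM",
]

if __name__ == "__main__":
    for case in (BUG_CASE, GENERIC_CASE):
        print(classify("SYS1.LINKLIB", case))
```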

lnlyssg commented 6 years ago

Closing as out of date :)