Bugtraq mailing list archives
Apparent lack of security on IBM Host on Demand
From: "Jeremy 'Circ' Charles" <circb () WWOC ORG>
Date: Fri, 23 Feb 2001 17:45:13 -0600
A major healthcare organization asked my employer's tech support staff to start using an IBM Host on Demand server to access their hospital's critical systems to provide support. While using Ethereal to watch one of our tech support people use this service, I made a few disturbing observations:

1) Everything happens in the clear, starting with standard HTTP to authenticate to the web server and download the Java applet that acts as the terminal emulator front-end for the user. The user's conversation with the target server of interest also happens in the clear, including the user's login name and password.

2) Outside of using HTTP to serve up the Java client, the Host on Demand server seems to just act as a port forwarder. You wind up with the Java terminal emulator establishing a TCP connection to an obscure port on the HoD server, which then simply forwards the connection to the target machine.

3) After the authorized HoD user establishes the TCP connection to the HoD server, the HoD server continues to listen for additional connections on that same obscure port. It dutifully forwards those additional connections to the target server.

4) The HoD server doesn't seem to care where the TCP connections come from. Assuming the HoD server is at 12.34.56.78 and the obscure port is 1234, I tried the following from a completely unrelated client machine elsewhere on the Internet:

   telnet 12.34.56.78 1234

Not only did I connect, but I also immediately got the target machine's banner and login prompt.

I'm not sure whether to call this a set of bugs or a serious design flaw. I don't see anything in the Bugtraq archives with the string "host on demand." Has anyone else had experience with this product who can shed light on whether this is just really poor configuration or a real brain-dead product when it comes to security?

Jeremy Charles
circb () wwoc org
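The "telnet 12.34.56.78 1234" check from point 4, written as a repeatable probe. This is an added example, not code from the original post or from IBM's product: it connects to the forwarded port with no credentials, declines every telnet option the far end proposes so a plain banner comes back, and reports whether a login prompt was reached without any authentication to the forwarder. The host and port are placeholders; the local "fake target" is a constructed stand-in so the probe can be run offline.

```python
"""Probe a forwarded terminal port the way an unrelated Internet client would."""
import socket
import sys
import threading

# Telnet command bytes (RFC 854)
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

# Strings that, arriving unauthenticated, show the forwarder handed us the target
LOGIN_MARKERS = (b"login:", b"username:", b"userid", b"password:", b"sign on", b"signon")


def strip_telnet_negotiation(data: bytes) -> tuple:
    """Split raw telnet bytes into (visible_text, reply).

    reply refuses every option the server proposes (WILL -> DONT, DO -> WONT)
    so the server falls back to plain text. A sequence cut at a chunk boundary
    is dropped, which is acceptable for a banner grab.
    """
    text, reply = bytearray(), bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break
        cmd = data[i + 1]
        if cmd == IAC:                          # escaped literal 0xFF
            text.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):     # three-byte option negotiation
            if i + 2 >= n:
                break
            opt = data[i + 2]
            if cmd == WILL:
                reply += bytes([IAC, DONT, opt])
            elif cmd == DO:
                reply += bytes([IAC, WONT, opt])
            i += 3
        elif cmd == SB:                         # subnegotiation: skip to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:                                   # other two-byte command (NOP, GA, ...)
            i += 2
    return bytes(text), bytes(reply)


def has_login_prompt(text: bytes) -> bool:
    low = text.lower()
    return any(marker in low for marker in LOGIN_MARKERS)


def probe_forwarded_port(host: str, port: int, timeout: float = 3.0) -> dict:
    """Connect with no credentials, read the greeting, and classify it."""
    collected = bytearray()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return {"connected": False, "banner": "", "login_prompt": False}
    with sock:
        sock.settimeout(timeout)
        for _ in range(8):                      # a handful of reads covers any banner
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            visible, reply = strip_telnet_negotiation(chunk)
            collected += visible
            if reply:
                sock.sendall(reply)
            if has_login_prompt(bytes(collected)):
                break
    return {"connected": True,
            "banner": bytes(collected).decode("latin-1", "replace"),
            "login_prompt": has_login_prompt(bytes(collected))}


def start_fake_target(greeting: bytes = None) -> int:
    """Constructed stand-in for the forwarded host (not a real HoD or mainframe):
    accepts one connection, negotiates, sends a banner and a login prompt."""
    if greeting is None:
        greeting = (bytes([IAC, DO, 24]) + bytes([IAC, WILL, 1])   # TERMINAL-TYPE, ECHO
                    + b"\r\nHOSPITAL SYSTEM - AUTHORIZED USE ONLY\r\n\r\nlogin: ")
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
            try:
                conn.recv(1024)                 # swallow the client's option refusals
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    if len(sys.argv) == 3:                      # python probe.py <hod-server> <obscure-port>
        target = (sys.argv[1], int(sys.argv[2]))
    else:                                       # no arguments: run against the fake target
        target = ("127.0.0.1", start_fake_target())
    result = probe_forwarded_port(*target)
    print("EXPOSED: unauthenticated login prompt" if result["login_prompt"] else "no prompt seen")
    print(result["banner"])
```

Run it from a host that is not the authorized client, ideally from outside the organization's network, since the point being tested is whether the forwarder accepts connections regardless of source. A result of "login_prompt": True means the HoD listener relayed an unauthenticated stranger straight to the target host; running the probe a second time while an authorized session is open checks point 3 (the listener stays open after the first connection).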
Current thread:
- Apparent lack of security on IBM Host on Demand Jeremy 'Circ' Charles (Feb 26)
- Re: Apparent lack of security on IBM Host on Demand Andrew Spyker (Feb 27)