Bugtraq mailing list archives

Apparent lack of security on IBM Host on Demand


From: "Jeremy 'Circ' Charles" <circb () WWOC ORG>
Date: Fri, 23 Feb 2001 17:45:13 -0600

A major healthcare organization asked my employer's tech support staff to
start using an IBM Host on Demand server to access their hospital's
critical systems to provide support.  While using Ethereal to watch one of
our tech support people use this service, I made a few disturbing
observations:

1)  Everything happens in the clear, starting with standard HTTP to
authenticate to the web server and download the java applet that acts as
the terminal emulator front-end for the user.  The user's conversation
with the target server of interest also happens in the clear, including
the user's login name and password.

2)  Outside of using HTTP to serve up the java client, the Host on Demand
server seems to just act as a port forwarder.  You wind up with the java
terminal emulator establishing a TCP connection to an obscure port on the
HoD server, which then simply forwards the connection to the target
machine.

3)  After the authorized HoD user establishes the TCP connection to the
HoD server, the HoD server continues to listen for additional connections
on that same obscure port.  It dutifully forwards those additional
connections to the target server.

4)  The HoD server doesn't seem to care where the TCP connections come
from.  Assuming the HoD server is at 12.34.56.78 and the obscure port is
1234, I tried the following from a completely unrelated client machine
elsewhere on the Internet:  "telnet 12.34.56.78 1234"  Not only did I
connect, but I also immediately got the target machine's banner and login
prompt.

I'm not sure whether to call this a set of bugs or a serious design flaw.
I don't see anything in the Bugtraq archives with the string "host on
demand."  Has anyone else had experience with this product who can shed
light on whether this is just really poor configuration or a real
brain-dead product when it comes to security?


Jeremy Charles
circb () wwoc org
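An added example, not part of the original post and not IBM's code: one defensive check for observations 3 and 4 above is to correlate TCP connections to the forwarding port with a preceding HTTP login from the same source address and flag everything else. The log format, the port number 1234 and the 30-minute login window are assumptions.

```python
from datetime import datetime, timedelta

HOD_FORWARD_PORT = 1234              # the post's "obscure port" (placeholder value)
AUTH_WINDOW = timedelta(minutes=30)  # assumed lifetime of an HTTP login on the HoD server

# Constructed sample log (not from the original post). Assumed line format:
# <ISO timestamp> <source IP> <event: http_auth|tcp_connect> <destination port>
SAMPLE_LOG = """\
2001-02-23T17:00 10.1.1.5 http_auth 80
2001-02-23T17:01 10.1.1.5 tcp_connect 1234
2001-02-23T17:05 198.51.100.9 tcp_connect 1234
2001-02-23T17:10 10.1.1.7 http_auth 80
2001-02-23T18:00 10.1.1.7 tcp_connect 1234
"""


def parse_log(text):
    """Parse lines of the assumed format into (timestamp, src, kind, dport) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, kind, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, kind, int(dport)))
    return events


def unauthorized_forward_connections(events, port=HOD_FORWARD_PORT, window=AUTH_WINDOW):
    """Return (timestamp, src) for each connection to `port` whose source did not
    authenticate over HTTP within `window` beforehand. Because the forwarder keeps
    listening and accepts any source, these are the connections worth investigating."""
    last_auth = {}   # src -> time of most recent HTTP login
    flagged = []
    for ts, src, kind, dport in sorted(events, key=lambda e: e[0]):
        if kind == "http_auth":
            last_auth[src] = ts
        elif kind == "tcp_connect" and dport == port:
            seen = last_auth.get(src)
            if seen is None or ts - seen > window:
                flagged.append((ts, src))
    return flagged


if __name__ == "__main__":
    for ts, src in unauthorized_forward_connections(parse_log(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M} connection to port {HOD_FORWARD_PORT} from {src} without a matching HTTP login")
```

On the sample log this flags 198.51.100.9 (never logged in) and 10.1.1.7 (login more than 30 minutes old), while 10.1.1.5 passes.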
