Bugtraq mailing list archives

Re: Summary of AS/400 Vulnerability Information


From: Jon Kibler <Jon.Kibler () aset com>
Date: Mon, 23 Jun 2008 13:01:16 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I received several off-list requests for a summary of what I learned
about AS/400 vulnerabilities. Here is what I have learned. (A lot!) I
would like to thank everyone who replied off-list with additional
information.

1) A book on hacking AS/400s:
        Hacking iSeries
        by: Shalom Carmel
        BookSurge Publishing, 2006
        ISBN-13: 978-1419625015
        http://www.amazon.com/Hacking-iSeries-Shalom-Carmel/dp/1419625012

2) A book on AS/400 security:
        Experts' Guide to OS/400 & i5/OS Security
        by: Carol Woodbury and Patrick Botz
        29th Street Press, 2004
        ISBN-10: 158304096X
        http://www.amazon.com/Experts-Guide-OS-400-Security/dp/158304096X

3) An AS/400 web site (by Shalom Carmel):
        http://www.hackingiseries.com/

4) Auditing framework:
        http://www.security-database.com/toolswatch/AS-400-Auditing-Framework-Beta.html

5) Comments of note:

... some default services on AS/400 allow
anonymous access including POP3, SMTP, LDAP, FTP, etc.  But what
fails audit almost every time are default passwords.

... security of these beasts had not been in the forefront for
most companies.  Some of them run their e-commerce solutions on AS/400
facing the Internet.

6) When searching for AS/400 vulnerabilities, you need to search on a
bunch of 'not-necessarily-obvious' keywords, including:
        AS/400
        OS/400
        iSeries
        i5/OS
        SQL/400
        DB2/400

7) Known vulnerabilities:

CVE ID          Disclosed       Title
CVE-2000-1038   12/11/2000
        The web administration interface for IBM AS/400 Firewall allows
        remote attackers to cause a denial of service via an empty GET
        request.
CVE-2002-1731   12/31/2002
        The System Request menu in IBM AS/400 allows local users to list
        valid user accounts by viewing the object names that are type
        USRPRF.
CVE-2005-0868   05/02/2005
        AS/400 Telnet 5250 terminal emulation clients, as implemented by
        (1) IBM client access, (2) Bosanova, (3) PowerTerm, (4) Mochasoft,
        and possibly other emulations, allows malicious AS/400 servers to
        execute arbitrary commands via a STRPCO (Start PC Organizer)
        command followed by STRPCCMD (Start PC command), as demonstrated
        by creating a backdoor account using REXEC.
CVE-2005-0899   05/02/2005
        AS/400 running OS400 5.2 installs and enables LDAP by default,
        which allows remote authenticated users to obtain OS/400 user
        profiles by performing a search.
CVE-2005-1025   05/02/2005
        The FTP server in AS/400 4.3, when running in IFS mode, allows
        remote attackers to obtain sensitive information via a symlink
        attack using RCMD and the ADDLNK utility, as demonstrated using
        the QSYS.LIB library.
CVE-2005-1133   05/02/2005
        The POP3 server in IBM iSeries AS/400 returns different error
        messages when the user exists or not, which allows remote
        attackers to determine valid user IDs on the server.
CVE-2005-1182   05/02/2005
        Unknown vulnerability in Incoming Remote Command (iSeries Access
        for Windows Remote Command service) in IBM OS/400 R510, R520, and
        R530 allows attackers to cause a denial of service (IRC shutdown)
        via certain inputs.
CVE-2005-1238   05/02/2005
        By design, the built-in FTP server for iSeries AS/400 systems does
        not support a restricted document root, which allows attackers to
        read or write arbitrary files, including sensitive QSYS databases,
        via a full pathname in a GET or PUT request.
CVE-2005-1239   05/02/2005
        Directory traversal vulnerability in the third party tool from
        Raz-Lee, as used to secure the iSeries AS/400 FTP server, allows
        remote attackers to access arbitrary files, including those from
        qsys.lib, via ".." sequences in a GET request.
CVE-2005-1240   04/20/2005
        Directory traversal vulnerability in the third party tool from
        Castlehill, as used to secure the iSeries AS/400 FTP server,
        allows remote attackers to access arbitrary files, including
        those from qsys.lib, via ".." sequences in a GET request.
CVE-2005-1241   04/20/2005
        Directory traversal vulnerability in the third party tool from
        Powertech, as used to secure the iSeries AS/400 FTP server, allows
        remote attackers to access arbitrary files, including those from
        qsys.lib, via ".." sequences in a GET request.
CVE-2005-1242   05/02/2005
        Directory traversal vulnerability in the third party tool from
        Bsafe, as used to secure the iSeries AS/400 FTP server, allows
        remote attackers to access arbitrary files, including those from
        qsys.lib, via ".." sequences in a GET request.
CVE-2005-1243   05/02/2005
        Directory traversal vulnerability in the third party tool from
        SafeStone, as used to secure the iSeries AS/400 FTP server, allows
        remote attackers to access arbitrary files, including those from
        qsys.lib, via ".." sequences in a GET request.
CVE-2005-1244   04/20/2005
        ** DISPUTED ** Directory traversal vulnerability in the third
        party tool from NetIQ, as used to secure the iSeries AS/400 FTP
        server, allows remote attackers to access arbitrary files,
        including those from qsys.lib, via ".." sequences in a GET
        request. NOTE: the vendor has disputed this issue, saying that
        "neither NetIQ Security Manager nor our iSeries Security
        Solutions are vulnerable."
CVE-2006-6836   12/31/2006
        Multiple unspecified vulnerabilities in osp-cert in IBM OS/400
        V5R3M0 have unspecified impact and attack vectors, related to
        ASN.1 parsing.
CVE-2007-0442   01/23/2007
        Unspecified vulnerability in IBM OS/400 R530 and R535 has unknown
        impact and remote attack vectors, related to an "Integrity
        Problem" involving LIC-TCPIP and TCP reset. NOTE: it is possible
        that this issue is related to CVE-2004-0230, but this is not
        certain.
CVE-2007-3390   06/25/2007
        Wireshark 0.99.5 and 0.10.x up to 0.10.14, when running on
        certain systems, allows remote attackers to cause a denial of
        service (crash) via crafted iSeries capture files that trigger a
        SIGTRAP.
CVE-2007-3537   07/03/2007
        IBM OS/400 (aka i5/OS) V4R2M0 through V5R3M0 on iSeries machines
        sends responses to TCP SYN-FIN packets, which allows remote
        attackers to obtain system information and possibly bypass
        firewall rules.
CVE-2007-6114   11/23/2007
        Multiple buffer overflows in Wireshark (formerly Ethereal) 0.99.0
        through 0.99.6 allow remote attackers to cause a denial of service
        (crash) and possibly execute arbitrary code via (1) the SSL
        dissector or (2) the iSeries (OS/400) Communication trace file
        parser.
CVE-2008-0694   02/11/2008
        Cross-site scripting (XSS) vulnerability in the HTTP Server in IBM
        OS/400 V5R3M0 and V5R4M0 allows remote attackers to inject
        arbitrary web script or HTML via the Expect HTTP header.


OSVDB   Disclosed       Title
5835    2000-09-12      AS/400 Firewall Malformed GET Request DoS
9787    1999-05-04      IBM Lotus Domino for AS/400 SMTP Component Long String Remote DoS
11018   1997-04-17      Microsoft SNA Server AS/400 Local APPC LU Shared Folder Disclosure
15074   2005-03-23      AS/400 Multiple Emulator STRPCO / STRPCCMD Command Execution
15079   2005-03-26      AS/400 LDAP User Account Name Disclosure
15300   2005-04-04      AS/400 iSeries FTP IFS Mode ADDLNK User Account Disclosure
15510   2005-04-15      IBM OS/400 POP3 Server User Account/Profile Enumeration
15651   2005-04-15      IBM OS/400 Incoming Remote Command Remote DoS
15791   2005-04-20      NetIQ Security Manager Traversal File Restriction Bypass
15792   2005-04-20      Bsafe/Global Security for iSeries Traversal File Restriction Bypass
15793   2005-04-20      Castlehill Computer Services SECURE/NET Traversal File Restriction Bypass
15794   2005-04-20      SafeStone DetectIT Directory Traversal File Restriction Bypass
15795   2005-04-20      PowerLock NetworkSecurity Traversal File Restriction Bypass
15796   2005-04-20      RazLee Firewall+++ Traversal File Restriction Bypass
16606   2005-04-20      AS/400 FTP Server for iSeries Traversal File Restriction Bypass
19247   2005-09-08      IBM OS/400 osp-cert X509 Basic Constraint Issue
19248   2005-09-08      IBM OS/400 osp-cert Certificate Store Returned Application Identifier Issue
19249   2005-09-08      IBM OS/400 osp-cert Unspecified ASN.1 Parsing Issue
19250   2005-09-08      IBM OS/400 Malformed SNMP Message Remote DoS
27079   2002-02-10      AS/400 System Request Menu USRPRF Object Name User Account Disclosure
30743   2006-11-17      IBM OS/400 osp-cert ASN.1 Certificate Version Handling Weakness
30744   2006-11-17      IBM OS/400 osp-cert ASN.1 X.509 Certificate Version Weakness
32812   2007-01-13      IBM OS/400 Unspecified Connection Reset DoS
37642   2007-07-05      Wireshark Crafted iSeries Capture File Handling Remote DoS
37792   2007-06-28      IBM OS/400 on iSeries TCP SYN-FIN Packet Handling Security Bypass
40468   2007-11-26      Wireshark iSeries (OS/400) Communication Trace File Parser Unspecified Remote Overflow
41518   2008-02-04      IBM OS/400 V5R3M0 / V5R4M0 HTTP Server Expect HTTP Header XSS
46082   2008-06-06      IBM OS/400 BrSmRcvAndCheck Boundary Error Local Overflow


I hope this summary is of use.

Now, if we can only get some of the vulnerability assessment vendors to
take an interest in supporting the AS/400...

Jon Kibler
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkhf1twACgkQUVxQRc85QlMGPgCfaB7GAL0NxM+VYGrw8yIeQoQa
+/YAnjyzTOOez8UP0Noz5Z//52OTaeyN
=Mf6U
-----END PGP SIGNATURE-----
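Editor's added example (not code from Jon Kibler's post, nor from IBM or any of the vendors named in it): the recurring item in the CVE list above is an FTP front end meant to confine clients to a document root that could be stepped out of with ".." sequences or a full pathname (CVE-2005-1238 through CVE-2005-1244), landing in QSYS.LIB. The defender-side check below shows the property such a restriction has to have: percent-decode, join to the root, collapse "." and ".." with a real path normalizer, and only then compare against the root, rather than scanning for the literal string "..". It also runs that check over a few constructed log lines to flag requests that escaped. Everything specific here is an assumption: the log line format "<client> <verb> <path>", the restricted root /home/ftp, the sample lines, and the case-insensitive comparison (the IFS is treated as case-insensitive here).

```python
"""Path-confinement check for a restricted FTP root on IBM i (OS/400).

Added example for this archive page; not from the original post or any
vendor product.  The log format, the root /home/ftp and the sample lines
below are all constructed for illustration.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed (hypothetical) log format: "<client> <verb> <path>"
LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<verb>GET|PUT|RETR|STOR)\s+(?P<path>\S+)$")

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 GET docs/report.txt
10.0.0.5 GET docs/../../../QSYS.LIB/QSYS.FILE
10.0.0.9 PUT /QSYS.LIB/QUSRSYS.LIB/UPLOAD.FILE
10.0.0.9 GET %2e%2e/%2e%2e/home/other/private.txt
10.0.0.7 GET photos/2008/team.jpg
"""


def resolve(root: str, requested: str) -> str:
    """Resolve a client-supplied path against the restricted root.

    Percent-decoding comes first so "%2e%2e" is seen as "..".  A relative
    path is joined to the root; an absolute one (the full-pathname case of
    CVE-2005-1238) is kept as given.  normpath then collapses "." and ".."
    segments, which is the step a string match on ".." cannot replace.
    """
    requested = unquote(requested)
    if not requested.startswith("/"):
        requested = posixpath.join(root, requested)
    return posixpath.normpath(requested)


def escapes_root(root: str, requested: str) -> bool:
    """True when the resolved path is neither the root nor beneath it.

    Comparison is case-insensitive (assumption: IFS names are treated as
    case-insensitive).
    """
    root = posixpath.normpath(root).lower()
    resolved = resolve(root, requested).lower()
    prefix = root if root.endswith("/") else root + "/"
    return not (resolved == root or resolved.startswith(prefix))


def touches_qsys(resolved: str) -> bool:
    """True when the resolved path enters the QSYS.LIB file system."""
    return "/qsys.lib" in resolved.lower()


def scan(lines, root="/home/ftp"):
    """Return (client, verb, resolved_path, reasons) for each request that
    escapes the root or reaches QSYS.LIB; lines not matching the assumed
    format are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        resolved = resolve(root, m["path"])
        reasons = []
        if escapes_root(root, m["path"]):
            reasons.append("escapes-root")
        if touches_qsys(resolved):
            reasons.append("qsys.lib")
        if reasons:
            findings.append((m["client"], m["verb"], resolved, reasons))
    return findings


if __name__ == "__main__":
    for client, verb, path, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"{client} {verb} {path} -> {', '.join(reasons)}")
```

Run as a script it reports the three constructed requests that leave /home/ftp (two of them into QSYS.LIB) and stays silent on the two that resolve inside it. The point of the design is the ordering in resolve(): decode, join, normalize, and only then compare, so that "docs/../../../QSYS.LIB/..." and "/QSYS.LIB/..." are judged by where they actually end up rather than by what they contain.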

