Bugtraq mailing list archives
Re: Summary of AS/400 Vulnerability Information
From: Jon Kibler <Jon.Kibler () aset com>
Date: Mon, 23 Jun 2008 13:01:16 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I received several off-list requests for a summary of what I learned about AS/400 vulnerabilities. Here is what I have learned. (A lot!) I would like to thank everyone who replied off-list with additional information.

1) A book on hacking AS/400s:
   Hacking iSeries
   by: Shalom Carmel
   BookSurge Publishing, 2006
   ISBN-13: 978-1419625015
   http://www.amazon.com/Hacking-iSeries-Shalom-Carmel/dp/1419625012

2) A book on AS/400 security:
   Experts' Guide to OS/400 & i5/OS Security
   by: Carol Woodbury and Patrick Botz
   29th Street Press, 2004
   ISBN-10: 158304096X
   http://www.amazon.com/Experts-Guide-OS-400-Security/dp/158304096X

3) An AS/400 web site (by Shalom Carmel):
   http://www.hackingiseries.com/

4) Auditing framework:
   http://www.security-database.com/toolswatch/AS-400-Auditing-Framework-Beta.html

5) Comments of note:
   ... some default services on AS/400 allow anonymous access including POP3, SMTP, LDAP, FTP, etc. But what fails audit almost every time are default passwords.
... security of these beasts had not been in forefront for most companies. Some of them run their e-commerce solutions on AS/400 facing the Internet
6) When searching for AS/400 vulnerabilities, you need to search on a bunch of 'not-necessarily-obvious' keywords, including:
   AS/400
   OS/400
   iSeries
   i5/OS
   SQL/400
   DB2/400

7) Known vulnerabilities:

   CVE ID          Disclosed    Title
   CVE-2000-1038   12/11/2000   The web administration interface for IBM AS/400 Firewall allows remote attackers to cause a denial of service via an empty GET request.
   CVE-2002-1731   12/31/2002   The System Request menu in IBM AS/400 allows local users to list valid user accounts by viewing the object names that are type USRPRF.
   CVE-2005-0868   05/02/2005   AS/400 Telnet 5250 terminal emulation clients, as implemented by (1) IBM client access, (2) Bosanova, (3) PowerTerm, (4) Mochasoft, and possibly other emulations, allows malicious AS/400 servers to execute arbitrary commands via a STRPCO (Start PC Organizer) command followed by STRPCCMD (Start PC command), as demonstrated by creating a backdoor account using REXEC.
   CVE-2005-0899   05/02/2005   AS/400 running OS400 5.2 installs and enables LDAP by default, which allows remote authenticated users to obtain OS/400 user profiles by performing a search.
   CVE-2005-1025   05/02/2005   The FTP server in AS/400 4.3, when running in IFS mode, allows remote attackers to obtain sensitive information via a symlink attack using RCMD and the ADDLNK utility, as demonstrated using the QSYS.LIB library.
   CVE-2005-1133   05/02/2005   The POP3 server in IBM iSeries AS/400 returns different error messages when the user exists or not, which allows remote attackers to determine valid user IDs on the server.
   CVE-2005-1182   05/02/2005   Unknown vulnerability in Incoming Remote Command (iSeries Access for Windows Remote Command service) in IBM OS/400 R510, R520, and R530 allows attackers to cause a denial of service (IRC shutdown) via certain inputs.
   CVE-2005-1238   05/02/2005   By design, the built-in FTP server for iSeries AS/400 systems does not support a restricted document root, which allows attackers to read or write arbitrary files, including sensitive QSYS databases, via a full pathname in a GET or PUT request.
   CVE-2005-1239   05/02/2005   Directory traversal vulnerability in the third party tool from Raz-Lee, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request.
   CVE-2005-1240   04/20/2005   Directory traversal vulnerability in the third party tool from Castlehill, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request.
   CVE-2005-1241   04/20/2005   Directory traversal vulnerability in the third party tool from Powertech, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request.
   CVE-2005-1242   05/02/2005   Directory traversal vulnerability in the third party tool from Bsafe, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request.
   CVE-2005-1243   05/02/2005   Directory traversal vulnerability in the third party tool from SafeStone, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request.
   CVE-2005-1244   04/20/2005   ** DISPUTED ** Directory traversal vulnerability in the third party tool from NetIQ, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request. NOTE: the vendor has disputed this issue, saying that "neither NetIQ Security Manager nor our iSeries Security Solutions are vulnerable."
   CVE-2006-6836   12/31/2006   Multiple unspecified vulnerabilities in osp-cert in IBM OS/400 V5R3M0 have unspecified impact and attack vectors, related to ASN.1 parsing.
   CVE-2007-0442   01/23/2007   Unspecified vulnerability in IBM OS/400 R530 and R535 has unknown impact and remote attack vectors, related to an "Integrity Problem" involving LIC-TCPIP and TCP reset. NOTE: it is possible that this issue is related to CVE-2004-0230, but this is not certain.
   CVE-2007-3390   06/25/2007   Wireshark 0.99.5 and 0.10.x up to 0.10.14, when running on certain systems, allows remote attackers to cause a denial of service (crash) via crafted iSeries capture files that trigger a SIGTRAP.
   CVE-2007-3537   07/03/2007   IBM OS/400 (aka i5/OS) V4R2M0 through V5R3M0 on iSeries machines sends responses to TCP SYN-FIN packets, which allows remote attackers to obtain system information and possibly bypass firewall rules.
   CVE-2007-6114   11/23/2007   Multiple buffer overflows in Wireshark (formerly Ethereal) 0.99.0 through 0.99.6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) the SSL dissector or (2) the iSeries (OS/400) Communication trace file parser.
   CVE-2008-0694   02/11/2008   Cross-site scripting (XSS) vulnerability in the HTTP Server in IBM OS/400 V5R3M0 and V5R4M0 allows remote attackers to inject arbitrary web script or HTML via the Expect HTTP header.

   OSVDB   Disclosed    Title
   5835    2000-09-12   AS/400 Firewall Malformed GET Request DoS
   9787    1999-05-04   IBM Lotus Domino for AS/400 SMTP Component Long String Remote DoS
   11018   1997-04-17   Microsoft SNA Server AS/400 Local APPC LU Shared Folder Disclosure
   15074   2005-03-23   AS/400 Multiple Emulator STRPCO / STRPCCMD Command Execution
   15079   2005-03-26   AS/400 LDAP User Account Name Disclosure
   15300   2005-04-04   AS/400 iSeries FTP IFS Mode ADDLNK User Account Disclosure
   15510   2005-04-15   IBM OS/400 POP3 Server User Account/Profile Enumeration
   15651   2005-04-15   IBM OS/400 Incoming Remote Command Remote DoS
   15791   2005-04-20   NetIQ Security Manager Traversal File Restriction Bypass
   15792   2005-04-20   Bsafe/Global Security for iSeries Traversal File Restriction Bypass
   15793   2005-04-20   Castlehill Computer Services SECURE/NET Traversal File Restriction Bypass
   15794   2005-04-20   SafeStone DetectIT Directory Traversal File Restriction Bypass
   15795   2005-04-20   PowerLock NetworkSecurity Traversal File Restriction Bypass
   15796   2005-04-20   RazLee Firewall+++ Traversal File Restriction Bypass
   16606   2005-04-20   AS/400 FTP Server for iSeries Traversal File Restriction Bypass
   19247   2005-09-08   IBM OS/400 osp-cert X509 Basic Constraint Issue
   19248   2005-09-08   IBM OS/400 osp-cert Certificate Store Returned Application Identifier Issue
   19249   2005-09-08   IBM OS/400 osp-cert Unspecified ASN.1 Parsing Issue
   19250   2005-09-08   IBM OS/400 Malformed SNMP Message Remote DoS
   27079   2002-02-10   AS/400 System Request Menu USRPRF Object Name User Account Disclosure
   30743   2006-11-17   IBM OS/400 osp-cert ASN.1 Certificate Version Handling Weakness
   30744   2006-11-17   IBM OS/400 osp-cert ASN.1 X.509 Certificate Version Weakness
   32812   2007-01-13   IBM OS/400 Unspecified Connection Reset DoS
   37642   2007-07-05   Wireshark Crafted iSeries Capture File Handling Remote DoS
   37792   2007-06-28   IBM OS/400 on iSeries TCP SYN-FIN Packet Handling Security Bypass
   40468   2007-11-26   Wireshark iSeries (OS/400) Communication Trace File Parser Unspecified Remote Overflow
   41518   2008-02-04   IBM OS/400 V5R3M0 / V5R4M0 HTTP Server Expect HTTP Header XSS
   46082   2008-06-06   IBM OS/400 BrSmRcvAndCheck Boundary Error Local Overflow

I hope this summary is of use. Now, if we can only get some of the vulnerability assessment vendors to take an interest in supporting the AS/400...

Jon Kibler

- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636  A392 515C 5045 CF39 4253

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkhf1twACgkQUVxQRc85QlMGPgCfaB7GAL0NxM+VYGrw8yIeQoQa
+/YAnjyzTOOez8UP0Noz5Z//52OTaeyN
=Mf6U
-----END PGP SIGNATURE-----
Current thread:
- AS/400 Vulnerabilities Jon Kibler (Jun 13)
- RE: AS/400 Vulnerabilities Michael Wojcik (Jun 13)
- Re: AS/400 Vulnerabilities security curmudgeon (Jun 14)
- Re: AS/400 Vulnerabilities Marco Ivaldi (Jun 16)
- Re: Summary of AS/400 Vulnerability Information Jon Kibler (Jun 23)