bugtraq June 2008 archive
Main Archive Page > Month Archives  > bugtraq archives
bugtraq: Re: AS/400 Vulnerabilities

Re: AS/400 Vulnerabilities

From: security curmudgeon <jericho_at_nospam>
Date: Fri Jun 13 2008 - 22:52:27 GMT
To: Jon Kibler <Jon.Kibler@aset.com>

: Have you ever nmap-ed a network with AS/400s? If you have, you probably
: know that doing so will, in at least half the cases, either crash the
: box, hang up one or more services, or really confuse the IP stack to the
: point that the box almost screeches to a halt.

This is frequently observed by pen-testers for sure but just as frequently anecdotal. I have personally run into it at least once, where a standard nmap SYN scan crashed a few AS/400 boxes. Each time it ends there, the client freaks and little to no more information can be obtained as it is dropped from the scope. I'd be curious to see how many bug reports IBM has received on the port scan DoS. Given the lack of information about what versions or conditions are required for it to happen is why I said it is mostly anecdotal.

: However, if you search for AS/400 vulnerabilities, you find only about a
: dozen, and most are years old. Nessus only checks for one.

Search your favorite VDB for "OS/400" and you will see more current issues. Either way, given the distribution of the platform, there are relatively few vulnerabilities publicly disclosed. OSVDB Disc Date CVE Vuln ----- --------- --- ---- 46082 2008-06-06 IBM OS/400 BrSmRcvAndCheck Boundary Error Local Overflow 41518 2008-02-04 2008-0694 IBM OS/400 V5R3M0 / V5R4M0 HTTP Server Expect HTTP Header XSS 37792 2007-06-28 2007-3537 IBM OS/400 on iSeries TCP SYN-FIN Packet Handling Security Bypass 32812 2007-01-13 2007-0442 IBM OS/400 Unspecified Connection Reset DoS 30743 2006-11-17 2006-6836 IBM OS/400 osp-cert ASN.1 Certificate Version Handling Weakness 30744 2006-11-17 2006-6836 IBM OS/400 osp-cert ASN.1 X.509 Certificate Version Weakness [..] 16606 2005-04-20 2005-1238 AS/400 FTP Server for iSeries Traversal File Restriction Bypass 15300 2005-04-04 2005-1025 AS/400 iSeries FTP IFS Mode ADDLNK User Account Disclosure 15079 2005-03-26 2005-0899 AS/400 LDAP User Account Name Disclosure 15074 2005-03-23 2005-0868 AS/400 Multiple Emulator STRPCO / STRPCCMD Command Execution [..]

: This raises a couple of questions:
: 1) Is anyone really doing any vulnerability research in this area?
: 2) Are the boxes really just unstable to malformed network data, but
: not exploitable?

I would guess there is little research being done on them. The odds of a box falling over due to a few malformed TCP packets, but being resistant or not vulnerable to more complex attacks seems pretty far fetched. While this vendor and technology is widely deployed, it isn't a sexy target for research.