bugtraq June 2008 archive

Re: Summary of AS/400 Vulnerability Information

From: Jon Kibler <Jon.Kibler_at_nospam>
Date: Mon Jun 23 2008 - 17:01:16 GMT
To: bugtraq@securityfocus.com


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I received several off-list requests for a summary of what I learned about AS/400 vulnerabilities. Here is what I have learned. (A lot!) I would like to thank everyone who replied off-list with additional information.

  1. A book on hacking AS/400s:
     Hacking iSeries
     by: Shalom Carmel
     BookSurge Publishing, 2006
     ISBN-13: 978-1419625015
     http://www.amazon.com/Hacking-iSeries-Shalom-Carmel/dp/1419625012
  2. A book on AS/400 security:
     Experts' Guide to OS/400 & i5/OS Security
     by: Carol Woodbury and Patrick Botz
     29th Street Press, 2004
     ISBN-10: 158304096X
     http://www.amazon.com/Experts-Guide-OS-400-Security/dp/158304096X
  3. An AS/400 web site (by Shalom Carmel): http://www.hackingiseries.com/
  4. Auditing framework: http://www.security-database.com/toolswatch/AS-400-Auditing-Framework-Beta.html
  5. Comments of note:

> ... some default services on AS/400 allow
> anonymous access including POP3, SMTP, LDAP, FTP, etc. But what
> fails audit almost every time are default passwords.

> ... security of these beasts had not been in forefront for
> most companies. Some of them run their e-commerce solutions on AS/400
> facing the Internet

  6. When searching for AS/400 vulnerabilities, you need to search on a bunch of 'not-necessarily-obvious' keywords, including: AS/400, OS/400, iSeries, i5/OS, SQL/400, DB2/400

  7. Known vulnerabilities:

CVE ID         Disclosed   Title

CVE-2000-1038  12/11/2000
    The web administration interface for IBM AS/400 Firewall allows remote attackers to cause a denial of service via an empty GET request.

CVE-2002-1731  12/31/2002
    The System Request menu in IBM AS/400 allows local users to list valid user accounts by viewing the object names that are type USRPRF.

CVE-2005-0868  05/02/2005
    AS/400 Telnet 5250 terminal emulation clients, as implemented by (1) IBM client access, (2) Bosanova, (3) PowerTerm, (4) Mochasoft, and possibly other emulations, allows malicious AS/400 servers to execute arbitrary commands via a STRPCO (Start PC Organizer) command followed by STRPCCMD (Start PC command), as demonstrated by creating a backdoor account using REXEC.

CVE-2005-0899  05/02/2005
    AS/400 running OS400 5.2 installs and enables LDAP by default, which allows remote authenticated users to obtain OS/400 user profiles by performing a search.

CVE-2005-1025  05/02/2005
    The FTP server in AS/400 4.3, when running in IFS mode, allows remote attackers to obtain sensitive information via a symlink attack using RCMD and the ADDLNK utility, as demonstrated using the QSYS.LIB library.

CVE-2005-1133  05/02/2005
    The POP3 server in IBM iSeries AS/400 returns different error messages when the user exists or not, which allows remote attackers to determine valid user IDs on the server.

CVE-2005-1182  05/02/2005
    Unknown vulnerability in Incoming Remote Command (iSeries Access for Windows Remote Command service) in IBM OS/400 R510, R520, and R530 allows attackers to cause a denial of service (IRC shutdown) via certain inputs.

CVE-2005-1238  05/02/2005
    By design, the built-in FTP server for iSeries AS/400 systems does not support a restricted document root, which allows attackers to read or write arbitrary files, including sensitive QSYS databases, via a full pathname in a GET or PUT request.

CVE-2005-1239  05/02/2005
    Directory traversal vulnerability in the third party tool from Raz-Lee, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request.

CVE-2005-1240  04/20/2005
    Directory traversal vulnerability in the third party tool from Castlehill, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request.

CVE-2005-1241  04/20/2005
    Directory traversal vulnerability in the third party tool from Powertech, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request.

CVE-2005-1242  05/02/2005
    Directory traversal vulnerability in the third party tool from Bsafe, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request.

CVE-2005-1243  05/02/2005
    Directory traversal vulnerability in the third party tool from SafeStone, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request.

CVE-2005-1244  04/20/2005
    ** DISPUTED ** Directory traversal vulnerability in the third party tool from NetIQ, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request. NOTE: the vendor has disputed this issue, saying that "neither NetIQ Security Manager nor our iSeries Security Solutions are vulnerable."

CVE-2006-6836  12/31/2006
    Multiple unspecified vulnerabilities in osp-cert in IBM OS/400 V5R3M0 have unspecified impact and attack vectors, related to ASN.1 parsing.

CVE-2007-0442  01/23/2007
    Unspecified vulnerability in IBM OS/400 R530 and R535 has unknown impact and remote attack vectors, related to an "Integrity Problem" involving LIC-TCPIP and TCP reset. NOTE: it is possible that this issue is related to CVE-2004-0230, but this is not certain.

CVE-2007-3390  06/25/2007
    Wireshark 0.99.5 and 0.10.x up to 0.10.14, when running on certain systems, allows remote attackers to cause a denial of service (crash) via crafted iSeries capture files that trigger a SIGTRAP.

CVE-2007-3537  07/03/2007
    IBM OS/400 (aka i5/OS) V4R2M0 through V5R3M0 on iSeries machines sends responses to TCP SYN-FIN packets, which allows remote attackers to obtain system information and possibly bypass firewall rules.

CVE-2007-6114  11/23/2007
    Multiple buffer overflows in Wireshark (formerly Ethereal) 0.99.0 through 0.99.6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) the SSL dissector or (2) the iSeries (OS/400) Communication trace file parser.

CVE-2008-0694  02/11/2008
    Cross-site scripting (XSS) vulnerability in the HTTP Server in IBM OS/400 V5R3M0 and V5R4M0 allows remote attackers to inject arbitrary web script or HTML via the Expect HTTP header.

OSVDB  Disclosed   Title

5835   2000-09-12  AS/400 Firewall Malformed GET Request DoS
9787   1999-05-04  IBM Lotus Domino for AS/400 SMTP Component Long String Remote DoS
11018  1997-04-17  Microsoft SNA Server AS/400 Local APPC LU Shared Folder Disclosure
15074  2005-03-23  AS/400 Multiple Emulator STRPCO / STRPCCMD Command Execution
15079  2005-03-26  AS/400 LDAP User Account Name Disclosure
15300  2005-04-04  AS/400 iSeries FTP IFS Mode ADDLNK User Account Disclosure
15510  2005-04-15  IBM OS/400 POP3 Server User Account/Profile Enumeration
15651  2005-04-15  IBM OS/400 Incoming Remote Command Remote DoS
15791  2005-04-20  NetIQ Security Manager Traversal File Restriction Bypass
15792  2005-04-20  Bsafe/Global Security for iSeries Traversal File Restriction Bypass
15793  2005-04-20  Castlehill Computer Services SECURE/NET Traversal File Restriction Bypass
15794  2005-04-20  SafeStone DetectIT Directory Traversal File Restriction Bypass
15795  2005-04-20  PowerLock NetworkSecurity Traversal File Restriction Bypass
15796  2005-04-20  RazLee Firewall+++ Traversal File Restriction Bypass
16606  2005-04-20  AS/400 FTP Server for iSeries Traversal File Restriction Bypass
19247  2005-09-08  IBM OS/400 osp-cert X509 Basic Constraint Issue
19248  2005-09-08  IBM OS/400 osp-cert Certificate Store Returned Application Identifier Issue
19249  2005-09-08  IBM OS/400 osp-cert Unspecified ASN.1 Parsing Issue
19250  2005-09-08  IBM OS/400 Malformed SNMP Message Remote DoS
27079  2002-02-10  AS/400 System Request Menu USRPRF Object Name User Account Disclosure
30743  2006-11-17  IBM OS/400 osp-cert ASN.1 Certificate Version Handling Weakness
30744  2006-11-17  IBM OS/400 osp-cert ASN.1 X.509 Certificate Version Weakness
32812  2007-01-13  IBM OS/400 Unspecified Connection Reset DoS
37642  2007-07-05  Wireshark Crafted iSeries Capture File Handling Remote DoS
37792  2007-06-28  IBM OS/400 on iSeries TCP SYN-FIN Packet Handling Security Bypass
40468  2007-11-26  Wireshark iSeries (OS/400) Communication Trace File Parser Unspecified Remote Overflow
41518  2008-02-04  IBM OS/400 V5R3M0 / V5R4M0 HTTP Server Expect HTTP Header XSS
46082  2008-06-06  IBM OS/400 BrSmRcvAndCheck Boundary Error Local Overflow

I hope this summary is of use.

Now, if we can only get some of the vulnerability assessment vendors to take an interest in supporting the AS/400...

Jon Kibler
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkhf1twACgkQUVxQRc85QlMGPgCfaB7GAL0NxM+VYGrw8yIeQoQa +/YAnjyzTOOez8UP0Noz5Z//52OTaeyN
=Mf6U
-----END PGP SIGNATURE-----


