[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: AS/400 Vulnerabilities
: Have you ever nmap-ed a network with AS/400s? If you have, you probably
: know that doing so will, in at least half the cases, either crash the
: box, hang up one or more services, or really confuse the IP stack to the
: point that the box almost screeches to a halt.
This is frequently observed by pen-testers for sure but just as frequently
anecdotal. I have personally run into it at least once, where a standard
nmap SYN scan crashed a few AS/400 boxes. Each time it ends there, the
client freaks and little to no more information can be obtained as it is
dropped from the scope. I'd be curious to see how many bug reports IBM has
received on the port scan DoS. Given the lack of information about what
versions or conditions are required for it to happen is why I said it is
: However, if you search for AS/400 vulnerabilities, you find only about a
: dozen, and most are years old. Nessus only checks for one.
Search your favorite VDB for "OS/400" and you will see more current
issues. Either way, given the distribution of the platform, there are
relatively few vulnerabilities publicly disclosed.
OSVDB Disc Date CVE Vuln
----- --------- --- ----
46082 2008-06-06 IBM OS/400 BrSmRcvAndCheck Boundary Error Local Overflow
41518 2008-02-04 2008-0694 IBM OS/400 V5R3M0 / V5R4M0 HTTP Server Expect HTTP Header XSS
37792 2007-06-28 2007-3537 IBM OS/400 on iSeries TCP SYN-FIN Packet Handling Security Bypass
32812 2007-01-13 2007-0442 IBM OS/400 Unspecified Connection Reset DoS
30743 2006-11-17 2006-6836 IBM OS/400 osp-cert ASN.1 Certificate Version Handling Weakness
30744 2006-11-17 2006-6836 IBM OS/400 osp-cert ASN.1 X.509 Certificate Version Weakness
16606 2005-04-20 2005-1238 AS/400 FTP Server for iSeries Traversal File Restriction Bypass
15300 2005-04-04 2005-1025 AS/400 iSeries FTP IFS Mode ADDLNK User Account Disclosure
15079 2005-03-26 2005-0899 AS/400 LDAP User Account Name Disclosure
15074 2005-03-23 2005-0868 AS/400 Multiple Emulator STRPCO / STRPCCMD Command Execution
: This raises a couple of questions:
: 1) Is anyone really doing any vulnerability research in this area?
: 2) Are the boxes really just unstable to malformed network data, but
: not exploitable?
I would guess there is little research being done on them. The odds of a
box falling over due to a few malformed TCP packets, but being resistant
or not vulnerable to more complex attacks seems pretty far fetched. While
this vendor and technology is widely deployed, it isn't a sexy target for