Re: AS/400 Vulnerabilities

: Have you ever nmap-ed a network with AS/400s? If you have, you probably 
: know that doing so will, in at least half the cases, either crash the 
: box, hang up one or more services, or really confuse the IP stack to the 
: point that the box almost screeches to a halt.

This is frequently observed by pen-testers for sure, but just as frequently
anecdotal. I have personally run into it at least once, where a standard
nmap SYN scan crashed a few AS/400 boxes. Each time it ends there: the
client freaks, and little to no more information can be obtained, as the
box is dropped from the scope. I'd be curious to see how many bug reports
IBM has received on the port scan DoS. The lack of information about what
versions or conditions are required for it to happen is why I said it is
mostly anecdotal.

: However, if you search for AS/400 vulnerabilities, you find only about a 
: dozen, and most are years old. Nessus only checks for one.

Search your favorite VDB for "OS/400" and you will see more current 
issues. Either way, given the distribution of the platform, there are 
relatively few vulnerabilities publicly disclosed.

OSVDB   Disc Date   CVE         Vuln
-----   ----------  ---------   ----
46082   2008-06-06              IBM OS/400 BrSmRcvAndCheck Boundary Error Local Overflow
41518   2008-02-04  2008-0694   IBM OS/400 V5R3M0 / V5R4M0 HTTP Server Expect HTTP Header XSS
37792   2007-06-28  2007-3537   IBM OS/400 on iSeries TCP SYN-FIN Packet Handling Security Bypass
32812   2007-01-13  2007-0442   IBM OS/400 Unspecified Connection Reset DoS
30743   2006-11-17  2006-6836   IBM OS/400 osp-cert ASN.1 Certificate Version Handling Weakness
30744   2006-11-17  2006-6836   IBM OS/400 osp-cert ASN.1 X.509 Certificate Version Weakness
[..]

16606   2005-04-20  2005-1238   AS/400 FTP Server for iSeries Traversal File Restriction Bypass
15300   2005-04-04  2005-1025   AS/400 iSeries FTP IFS Mode ADDLNK User Account Disclosure
15079   2005-03-26  2005-0899   AS/400 LDAP User Account Name Disclosure
15074   2005-03-23  2005-0868   AS/400 Multiple Emulator STRPCO / STRPCCMD Command Execution
[..]

: This raises a couple of questions:
:   1) Is anyone really doing any vulnerability research in this area?
: 
:   2) Are the boxes really just unstable to malformed network data, but
: not exploitable?

I would guess there is little research being done on them. The odds of a
box falling over due to a few malformed TCP packets, but being resistant
or not vulnerable to more complex attacks, seem pretty far-fetched. While
this vendor and technology are widely deployed, they aren't a sexy target
for research.

Brian
OSVDB.org