
Re: Summary of AS/400 Vulnerability Information




Hello,

I received several off-list requests for a summary of what I learned
about AS/400 vulnerabilities. Here is what I have learned. (A lot!) I
would like to thank everyone who replied off-list with additional
information.

1) A book on hacking AS/400s:
	Hacking iSeries
	by: Shalom Carmel
	BookSurge Publishing, 2006
	ISBN-13: 978-1419625015
	http://www.amazon.com/Hacking-iSeries-Shalom-Carmel/dp/1419625012

2) A book on AS/400 security:
	Experts' Guide to OS/400 & i5/OS Security
	by: Carol Woodbury and Patrick Botz
	29th Street Press, 2004
	ISBN-10: 158304096X
	http://www.amazon.com/Experts-Guide-OS-400-Security/dp/158304096X

3) An AS/400 web site (by Shalom Carmel):
	http://www.hackingiseries.com/

4) Auditing framework:
	http://www.security-database.com/toolswatch/AS-400-Auditing-Framework-Beta.html

5) Comments of note:

> ... some default services on AS/400 allow
> anonymous access including POP3, SMTP, LDAP, FTP, etc.  But what
> fails audit almost every time are default passwords.

> ... security of these beasts had not been in forefront for
> most companies.  Some of them run their e-commerce solutions on AS/400
> facing the Internet




6) When searching for AS/400 vulnerabilities, you need to search on a
bunch of 'not-necessarily-obvious' keywords, including:
	AS/400
	OS/400
	iSeries
	i5/OS
	SQL/400
	DB2/400

7) Known vulnerabilities:

CVE ID		Disclosed	Title

CVE-2000-1038	12/11/2000	The web administration interface for IBM AS/400
	Firewall allows remote attackers to cause a denial of service via an
	empty GET request.

CVE-2002-1731	12/31/2002	The System Request menu in IBM AS/400 allows
	local users to list valid user accounts by viewing the object names that
	are type USRPRF.

CVE-2005-0868	05/02/2005	AS/400 Telnet 5250 terminal emulation clients,
	as implemented by (1) IBM client access, (2) Bosanova, (3) PowerTerm,
	(4) Mochasoft, and possibly other emulations, allows malicious AS/400
	servers to execute arbitrary commands via a STRPCO (Start PC Organizer)
	command followed by STRPCCMD (Start PC command), as demonstrated by
	creating a backdoor account using REXEC.

CVE-2005-0899	05/02/2005	AS/400 running OS400 5.2 installs and enables
	LDAP by default, which allows remote authenticated users to obtain
	OS/400 user profiles by performing a search.

CVE-2005-1025	05/02/2005	The FTP server in AS/400 4.3, when running in
	IFS mode, allows remote attackers to obtain sensitive information via a
	symlink attack using RCMD and the ADDLNK utility, as demonstrated using
	the QSYS.LIB library.

CVE-2005-1133	05/02/2005	The POP3 server in IBM iSeries AS/400 returns
	different error messages when the user exists or not, which allows
	remote attackers to determine valid user IDs on the server.

CVE-2005-1182	05/02/2005	Unknown vulnerability in Incoming Remote
	Command (iSeries Access for Windows Remote Command service) in IBM
	OS/400 R510, R520, and R530 allows attackers to cause a denial of
	service (IRC shutdown) via certain inputs.

CVE-2005-1238	05/02/2005	By design, the built-in FTP server for iSeries
	AS/400 systems does not support a restricted document root, which allows
	attackers to read or write arbitrary files, including sensitive QSYS
	databases, via a full pathname in a GET or PUT request.

CVE-2005-1239	05/02/2005	Directory traversal vulnerability in the third
	party tool from Raz-Lee, as used to secure the iSeries AS/400 FTP
	server, allows remote attackers to access arbitrary files, including
	those from qsys.lib, via ".." sequences in a GET request.

CVE-2005-1240	04/20/2005	Directory traversal vulnerability in the third
	party tool from Castlehill, as used to secure the iSeries AS/400 FTP
	server, allows remote attackers to access arbitrary files, including
	those from qsys.lib, via ".." sequences in a GET request.

CVE-2005-1241	04/20/2005	Directory traversal vulnerability in the third
	party tool from Powertech, as used to secure the iSeries AS/400 FTP
	server, allows remote attackers to access arbitrary files, including
	those from qsys.lib, via ".." sequences in a GET request.

CVE-2005-1242	05/02/2005	Directory traversal vulnerability in the third
	party tool from Bsafe, as used to secure the iSeries AS/400 FTP server,
	allows remote attackers to access arbitrary files, including those from
	qsys.lib, via ".." sequences in a GET request.

CVE-2005-1243	05/02/2005	Directory traversal vulnerability in the third
	party tool from SafeStone, as used to secure the iSeries AS/400 FTP
	server, allows remote attackers to access arbitrary files, including
	those from qsys.lib, via ".." sequences in a GET request.

CVE-2005-1244	04/20/2005	** DISPUTED ** Directory traversal
	vulnerability in the third party tool from NetIQ, as used to secure the
	iSeries AS/400 FTP server, allows remote attackers to access arbitrary
	files, including those from qsys.lib, via ".." sequences in a GET
	request. NOTE: the vendor has disputed this issue, saying that "neither
	NetIQ Security Manager nor our iSeries Security Solutions are vulnerable."

CVE-2006-6836	12/31/2006	Multiple unspecified vulnerabilities in
	osp-cert in IBM OS/400 V5R3M0 have unspecified impact and attack
	vectors, related to ASN.1 parsing.

CVE-2007-0442	01/23/2007	Unspecified vulnerability in IBM OS/400 R530
	and R535 has unknown impact and remote attack vectors, related to an
	"Integrity Problem" involving LIC-TCPIP and TCP reset. NOTE: it is
	possible that this issue is related to CVE-2004-0230, but this is not
	certain.

CVE-2007-3390	06/25/2007	Wireshark 0.99.5 and 0.10.x up to 0.10.14, when
	running on certain systems, allows remote attackers to cause a denial of
	service (crash) via crafted iSeries capture files that trigger a SIGTRAP.

CVE-2007-3537	07/03/2007	IBM OS/400 (aka i5/OS) V4R2M0 through V5R3M0 on
	iSeries machines sends responses to TCP SYN-FIN packets, which allows
	remote attackers to obtain system information and possibly bypass
	firewall rules.

CVE-2007-6114	11/23/2007	Multiple buffer overflows in Wireshark
	(formerly Ethereal) 0.99.0 through 0.99.6 allow remote attackers to
	cause a denial of service (crash) and possibly execute arbitrary code
	via (1) the SSL dissector or (2) the iSeries (OS/400) Communication
	trace file parser.

CVE-2008-0694	02/11/2008	Cross-site scripting (XSS) vulnerability in the
	HTTP Server in IBM OS/400 V5R3M0 and V5R4M0 allows remote attackers to
	inject arbitrary web script or HTML via the Expect HTTP header.


OSVDB	Disclosed	Title
5835	2000-09-12	AS/400 Firewall Malformed GET Request DoS
9787	1999-05-04	IBM Lotus Domino for AS/400 SMTP Component Long String Remote DoS
11018	1997-04-17	Microsoft SNA Server AS/400 Local APPC LU Shared Folder Disclosure
15074	2005-03-23	AS/400 Multiple Emulator STRPCO / STRPCCMD Command Execution
15079	2005-03-26	AS/400 LDAP User Account Name Disclosure
15300	2005-04-04	AS/400 iSeries FTP IFS Mode ADDLNK User Account Disclosure
15510	2005-04-15	IBM OS/400 POP3 Server User Account/Profile Enumeration
15651	2005-04-15	IBM OS/400 Incoming Remote Command Remote DoS
15791	2005-04-20	NetIQ Security Manager Traversal File Restriction Bypass
15792	2005-04-20	Bsafe/Global Security for iSeries Traversal File Restriction Bypass
15793	2005-04-20	Castlehill Computer Services SECURE/NET Traversal File Restriction Bypass
15794	2005-04-20	SafeStone DetectIT Directory Traversal File Restriction Bypass
15795	2005-04-20	PowerLock NetworkSecurity Traversal File Restriction Bypass
15796	2005-04-20	RazLee Firewall+++ Traversal File Restriction Bypass
16606	2005-04-20	AS/400 FTP Server for iSeries Traversal File Restriction Bypass
19247	2005-09-08	IBM OS/400 osp-cert X509 Basic Constraint Issue
19248	2005-09-08	IBM OS/400 osp-cert Certificate Store Returned Application Identifier Issue
19249	2005-09-08	IBM OS/400 osp-cert Unspecified ASN.1 Parsing Issue
19250	2005-09-08	IBM OS/400 Malformed SNMP Message Remote DoS
27079	2002-02-10	AS/400 System Request Menu USRPRF Object Name User Account Disclosure
30743	2006-11-17	IBM OS/400 osp-cert ASN.1 Certificate Version Handling Weakness
30744	2006-11-17	IBM OS/400 osp-cert ASN.1 X.509 Certificate Version Weakness
32812	2007-01-13	IBM OS/400 Unspecified Connection Reset DoS
37642	2007-07-05	Wireshark Crafted iSeries Capture File Handling Remote DoS
37792	2007-06-28	IBM OS/400 on iSeries TCP SYN-FIN Packet Handling Security Bypass
40468	2007-11-26	Wireshark iSeries (OS/400) Communication Trace File Parser Unspecified Remote Overflow
41518	2008-02-04	IBM OS/400 V5R3M0 / V5R4M0 HTTP Server Expect HTTP Header XSS
46082	2008-06-06	IBM OS/400 BrSmRcvAndCheck Boundary Error Local Overflow


I hope this summary is of use.

Now, if we can only get some of the vulnerability assessment vendors to
take an interest in supporting the AS/400...

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

