Re: AS/400 Vulnerabilities

To: Jon Kibler <Jon.Kibler@xxxxxxxx>
Subject: Re: AS/400 Vulnerabilities
From: security curmudgeon <jericho@xxxxxxxxxxxxx>
Date: Fri, 13 Jun 2008 22:52:27 +0000 (UTC)
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <485170B2.7030008@xxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <485170B2.7030008@xxxxxxxx>


: Have you ever nmap-ed a network with AS/400s? If you have, you probably 
: know that doing so will, in at least half the cases, either crash the 
: box, hang up one or more services, or really confuse the IP stack to the 
: point that the box almost screeches to a halt.

This is frequently observed by pen-testers for sure but just as frequently 
anecdotal. I have personally run into it at least once, where a standard 
nmap SYN scan crashed a few AS/400 boxes. Each time it ends there, the 
client freaks and little to no more information can be obtained as it is 
dropped from the scope. I'd be curious to see how many bug reports IBM has 
received on the port scan DoS. Given the lack of information about what 
versions or conditions are required for it to happen is why I said it is 
mostly anecdotal.

: However, if you search for AS/400 vulnerabilities, you find only about a 
: dozen, and most are years old. Nessus only checks for one.

Search your favorite VDB for "OS/400" and you will see more current 
issues. Either way, given the distribution of the platform, there are 
relatively few vulnerabilities publicly disclosed.

OSVDB   Disc Date       CVE             Vuln
-----   ---------       ---             ----
46082   2008-06-06                      IBM OS/400 BrSmRcvAndCheck Boundary 
Error Local Overflow 
41518   2008-02-04      2008-0694       IBM OS/400 V5R3M0 / V5R4M0 HTTP Server 
Expect HTTP Header XSS 
37792   2007-06-28      2007-3537       IBM OS/400 on iSeries TCP SYN-FIN 
Packet Handling Security Bypass 
32812   2007-01-13      2007-0442       IBM OS/400 Unspecified Connection Reset 
DoS 
30743   2006-11-17      2006-6836       IBM OS/400 osp-cert ASN.1 Certificate 
Version Handling Weakness 
30744   2006-11-17      2006-6836       IBM OS/400 osp-cert ASN.1 X.509 
Certificate Version Weakness
[..]

16606   2005-04-20      2005-1238       AS/400 FTP Server for iSeries Traversal 
File Restriction Bypass 
15300   2005-04-04      2005-1025       AS/400 iSeries FTP IFS Mode ADDLNK User 
Account Disclosure 
15079   2005-03-26      2005-0899       AS/400 LDAP User Account Name 
Disclosure 
15074   2005-03-23      2005-0868       AS/400 Multiple Emulator STRPCO / 
STRPCCMD Command Execution
[..]

: This raises a couple of questions:
:   1) Is anyone really doing any vulnerability research in this area?
: 
:   2) Are the boxes really just unstable to malformed network data, but
: not exploitable?

I would guess there is little research being done on them. The odds of a 
box falling over due to a few malformed TCP packets, but being resistant 
or not vulnerable to more complex attacks seems pretty far fetched. While 
this vendor and technology is widely deployed, it isn't a sexy target for 
research.

Brian
OSVDB.org

Follow-Ups:
- Re: AS/400 Vulnerabilities
  - From: Marco Ivaldi

References:
- AS/400 Vulnerabilities
  - From: Jon Kibler

Prev by Date: [ MDVSA-2008:113 ] - Updated kernel packages fix security issue
Next by Date: Collection of Vulnerabilities in Fully Patched Vim 7.1
Previous by thread: RE: AS/400 Vulnerabilities
Next by thread: Re: AS/400 Vulnerabilities
Index(es):
- Date
- Thread