Re: AS/400 Vulnerabilities
: Have you ever nmap-ed a network with AS/400s? If you have, you probably
: know that doing so will, in at least half the cases, either crash the
: box, hang up one or more services, or really confuse the IP stack to the
: point that the box almost screeches to a halt.
This is frequently observed by pen-testers for sure but just as frequently
anecdotal. I have personally run into it at least once, where a standard
nmap SYN scan crashed a few AS/400 boxes. Each time it ends there, the
client freaks and little to no more information can be obtained as it is
dropped from the scope. I'd be curious to see how many bug reports IBM has
received on the port scan DoS. Given the lack of information about what
versions or conditions are required for it to happen is why I said it is
mostly anecdotal.
: However, if you search for AS/400 vulnerabilities, you find only about a
: dozen, and most are years old. Nessus only checks for one.
Search your favorite VDB for "OS/400" and you will see more current
issues. Either way, given the distribution of the platform, there are
relatively few vulnerabilities publicly disclosed.
OSVDB Disc Date CVE Vuln
----- --------- --- ----
46082 2008-06-06 IBM OS/400 BrSmRcvAndCheck Boundary
Error Local Overflow
41518 2008-02-04 2008-0694 IBM OS/400 V5R3M0 / V5R4M0 HTTP Server
Expect HTTP Header XSS
37792 2007-06-28 2007-3537 IBM OS/400 on iSeries TCP SYN-FIN
Packet Handling Security Bypass
32812 2007-01-13 2007-0442 IBM OS/400 Unspecified Connection Reset
DoS
30743 2006-11-17 2006-6836 IBM OS/400 osp-cert ASN.1 Certificate
Version Handling Weakness
30744 2006-11-17 2006-6836 IBM OS/400 osp-cert ASN.1 X.509
Certificate Version Weakness
[..]
16606 2005-04-20 2005-1238 AS/400 FTP Server for iSeries Traversal
File Restriction Bypass
15300 2005-04-04 2005-1025 AS/400 iSeries FTP IFS Mode ADDLNK User
Account Disclosure
15079 2005-03-26 2005-0899 AS/400 LDAP User Account Name
Disclosure
15074 2005-03-23 2005-0868 AS/400 Multiple Emulator STRPCO /
STRPCCMD Command Execution
[..]
: This raises a couple of questions:
: 1) Is anyone really doing any vulnerability research in this area?
:
: 2) Are the boxes really just unstable to malformed network data, but
: not exploitable?
I would guess there is little research being done on them. The odds of a
box falling over due to a few malformed TCP packets, but being resistant
or not vulnerable to more complex attacks seems pretty far fetched. While
this vendor and technology is widely deployed, it isn't a sexy target for
research.
Brian
OSVDB.org