
Re: Summary of AS/400 Vulnerability Information
Hello,

I received several off-list requests for a summary of what I learned
about AS/400 vulnerabilities. Here is what I have learned. (A lot!) I
would like to thank everyone who replied off-list with additional
information.

1) A book on hacking AS/400s:
        Hacking iSeries
        by: Shalom Carmel
        BookSurge Publishing, 2006
        ISBN-13: 978-1419625015
        http://www.amazon.com/Hacking-iSeries-Shalom-Carmel/dp/1419625012

2) A book on AS/400 security:
        Experts' Guide to OS/400 & i5/OS Security
        by: Carol Woodbury and Patrick Botz
        29th Street Press, 2004
        ISBN-10: 158304096X
        http://www.amazon.com/Experts-Guide-OS-400-Security/dp/158304096X

3) An AS/400 web site (by Shalom Carmel):
        http://www.hackingiseries.com/

4) Auditing framework:
        http://www.security-database.com/toolswatch/AS-400-Auditing-Framework-Beta.html

5) Comments of note:

> ... some default services on AS/400 allow
> anonymous access including POP3, SMTP, LDAP, FTP, etc.  But what
> fails audit almost every time are default passwords.

> ... security of these beasts had not been in forefront for
> most companies.  Some of them run their e-commerce solutions on AS/400
> facing the Internet
6) When searching for AS/400 vulnerabilities, you need to search on a
bunch of 'not-necessarily-obvious' keywords, including:
        AS/400
        OS/400
        iSeries
        i5/OS
        SQL/400
        DB2/400

7) Known vulnerabilities:

CVE ID          Disclosed       Title
CVE-2000-1038   12/11/2000      The web administration interface for IBM AS/400
Firewall allows remote attackers to cause a denial of service via an
empty GET request.
CVE-2002-1731   12/31/2002      The System Request menu in IBM AS/400 allows
local users to list valid user accounts by viewing the object names that
are type USRPRF.
CVE-2005-0868   05/02/2005      AS/400 Telnet 5250 terminal emulation clients,
as implemented by (1) IBM client access, (2) Bosanova, (3) PowerTerm,
(4) Mochasoft, and possibly other emulations, allows malicious AS/400
servers to execute arbitrary commands via a STRPCO (Start PC Organizer)
command followed by STRPCCMD (Start PC command), as demonstrated by
creating a backdoor account using REXEC.
CVE-2005-0899   05/02/2005      AS/400 running OS400 5.2 installs and enables
LDAP by default, which allows remote authenticated users to obtain
OS/400 user profiles by performing a search.
CVE-2005-1025   05/02/2005      The FTP server in AS/400 4.3, when running in
IFS mode, allows remote attackers to obtain sensitive information via a
symlink attack using RCMD and the ADDLNK utility, as demonstrated using
the QSYS.LIB library.
CVE-2005-1133   05/02/2005      The POP3 server in IBM iSeries AS/400 returns
different error messages when the user exists or not, which allows
remote attackers to determine valid user IDs on the server.
CVE-2005-1182   05/02/2005      Unknown vulnerability in Incoming Remote
Command (iSeries Access for Windows Remote Command service) in IBM
OS/400 R510, R520, and R530 allows attackers to cause a denial of
service (IRC shutdown) via certain inputs.
CVE-2005-1238   05/02/2005      By design, the built-in FTP server for iSeries
AS/400 systems does not support a restricted document root, which allows
attackers to read or write arbitrary files, including sensitive QSYS
databases, via a full pathname in a GET or PUT request.
CVE-2005-1239   05/02/2005      Directory traversal vulnerability in the third
party tool from Raz-Lee, as used to secure the iSeries AS/400 FTP
server, allows remote attackers to access arbitrary files, including
those from qsys.lib, via ".." sequences in a GET request.
CVE-2005-1240   04/20/2005      Directory traversal vulnerability in the third
party tool from Castlehill, as used to secure the iSeries AS/400 FTP
server, allows remote attackers to access arbitrary files, including
those from qsys.lib, via ".." sequences in a GET request.
CVE-2005-1241   04/20/2005      Directory traversal vulnerability in the third
party tool from Powertech, as used to secure the iSeries AS/400 FTP
server, allows remote attackers to access arbitrary files, including
those from qsys.lib, via ".." sequences in a GET request.
CVE-2005-1242   05/02/2005      Directory traversal vulnerability in the third
party tool from Bsafe, as used to secure the iSeries AS/400 FTP server,
allows remote attackers to access arbitrary files, including those from
qsys.lib, via ".." sequences in a GET request.
CVE-2005-1243   05/02/2005      Directory traversal vulnerability in the third
party tool from SafeStone, as used to secure the iSeries AS/400 FTP
server, allows remote attackers to access arbitrary files, including
those from qsys.lib, via ".." sequences in a GET request.
CVE-2005-1244   04/20/2005      ** DISPUTED ** Directory traversal
vulnerability in the third party tool from NetIQ, as used to secure the
iSeries AS/400 FTP server, allows remote attackers to access arbitrary
files, including those from qsys.lib, via ".." sequences in a GET
request. NOTE: the vendor has disputed this issue, saying that "neither
NetIQ Security Manager nor our iSeries Security Solutions are vulnerable."
CVE-2006-6836   12/31/2006      Multiple unspecified vulnerabilities in
osp-cert in IBM OS/400 V5R3M0 have unspecified impact and attack
vectors, related to ASN.1 parsing.
CVE-2007-0442   01/23/2007      Unspecified vulnerability in IBM OS/400 R530
and R535 has unknown impact and remote attack vectors, related to an
"Integrity Problem" involving LIC-TCPIP and TCP reset. NOTE: it is
possible that this issue is related to CVE-2004-0230, but this is not
certain.
CVE-2007-3390   06/25/2007      Wireshark 0.99.5 and 0.10.x up to 0.10.14, when
running on certain systems, allows remote attackers to cause a denial of
service (crash) via crafted iSeries capture files that trigger a SIGTRAP.
CVE-2007-3537   07/03/2007      IBM OS/400 (aka i5/OS) V4R2M0 through V5R3M0 on
iSeries machines sends responses to TCP SYN-FIN packets, which allows
remote attackers to obtain system information and possibly bypass
firewall rules.
CVE-2007-6114   11/23/2007      Multiple buffer overflows in Wireshark
(formerly Ethereal) 0.99.0 through 0.99.6 allow remote attackers to
cause a denial of service (crash) and possibly execute arbitrary code
via (1) the SSL dissector or (2) the iSeries (OS/400) Communication
trace file parser.
CVE-2008-0694   02/11/2008      Cross-site scripting (XSS) vulnerability in the
HTTP Server in IBM OS/400 V5R3M0 and V5R4M0 allows remote attackers to
inject arbitrary web script or HTML via the Expect HTTP header.


OSVDB   Disclosed       Title
5835    2000-09-12      AS/400 Firewall Malformed GET Request DoS
9787    1999-05-04      IBM Lotus Domino for AS/400 SMTP Component Long String
Remote DoS
11018   1997-04-17      Microsoft SNA Server AS/400 Local APPC LU Shared Folder
Disclosure
15074   2005-03-23      AS/400 Multiple Emulator STRPCO / STRPCCMD Command
Execution
15079   2005-03-26      AS/400 LDAP User Account Name Disclosure
15300   2005-04-04      AS/400 iSeries FTP IFS Mode ADDLNK User Account 
Disclosure
15510   2005-04-15      IBM OS/400 POP3 Server User Account/Profile Enumeration
15651   2005-04-15      IBM OS/400 Incoming Remote Command Remote DoS
15791   2005-04-20      NetIQ Security Manager Traversal File Restriction Bypass
15792   2005-04-20      Bsafe/Global Security for iSeries Traversal File
Restriction Bypass
15793   2005-04-20      Castlehill Computer Services SECURE/NET Traversal File
Restriction Bypass
15794   2005-04-20      SafeStone DetectIT Directory Traversal File Restriction
Bypass
15795   2005-04-20      PowerLock NetworkSecurity Traversal File Restriction 
Bypass
15796   2005-04-20      RazLee Firewall+++ Traversal File Restriction Bypass
16606   2005-04-20      AS/400 FTP Server for iSeries Traversal File
Restriction Bypass
19247   2005-09-08      IBM OS/400 osp-cert X509 Basic Constraint Issue
19248   2005-09-08      IBM OS/400 osp-cert Certificate Store Returned
Application Identifier Issue
19249   2005-09-08      IBM OS/400 osp-cert Unspecified ASN.1 Parsing Issue
19250   2005-09-08      IBM OS/400 Malformed SNMP Message Remote DoS
27079   2002-02-10      AS/400 System Request Menu USRPRF Object Name User
Account Disclosure
30743   2006-11-17      IBM OS/400 osp-cert ASN.1 Certificate Version Handling
Weakness
30744   2006-11-17      IBM OS/400 osp-cert ASN.1 X.509 Certificate Version
Weakness
32812   2007-01-13      IBM OS/400 Unspecified Connection Reset DoS
37642   2007-07-05      Wireshark Crafted iSeries Capture File Handling Remote 
DoS
37792   2007-06-28      IBM OS/400 on iSeries TCP SYN-FIN Packet Handling
Security Bypass
40468   2007-11-26      Wireshark iSeries (OS/400) Communication Trace File
Parser Unspecified Remote Overflow
41518   2008-02-04      IBM OS/400 V5R3M0 / V5R4M0 HTTP Server Expect HTTP
Header XSS
46082   2008-06-06      IBM OS/400 BrSmRcvAndCheck Boundary Error Local Overflow


I hope this summary is of use.

Now, if we can only get some of the vulnerability assessment vendors to
take an interest in supporting the AS/400...

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
