Re: Summary of AS/400 Vulnerability Information
Hello,
I received several off-list requests for a summary of what I learned
about AS/400 vulnerabilities. Here is what I have learned. (A lot!) I
would like to thank everyone who replied off-list with additional
information.
1) A book on hacking AS/400s:
Hacking iSeries
by: Shalom Carmel
BookSurge Publishing, 2006
ISBN-13: 978-1419625015
http://www.amazon.com/Hacking-iSeries-Shalom-Carmel/dp/1419625012
2) A book on AS/400 security:
Experts' Guide to OS/400 & i5/OS Security
by: Carol Woodbury and Patrick Botz
29th Street Press, 2004
ISBN-10: 158304096X
http://www.amazon.com/Experts-Guide-OS-400-Security/dp/158304096X
3) An AS/400 web site (by Shalom Carmel):
http://www.hackingiseries.com/
4) Auditing framework:
http://www.security-database.com/toolswatch/AS-400-Auditing-Framework-Beta.html
5) Comments of note:
> ... some default services on AS/400 allow
> anonymous access including POP3, SMTP, LDAP, FTP, etc. But what
> fails audit almost every time are default passwords.
> ... security of these beasts had not been in the forefront for
> most companies. Some of them run their e-commerce solutions on AS/400
> facing the Internet.
6) When searching for AS/400 vulnerabilities, you need to search on a
bunch of 'not-necessarily-obvious' keywords, including:
AS/400
OS/400
iSeries
i5/OS
SQL/400
DB2/400
7) Known vulnerabilities:
CVE ID Disclosed Title
CVE-2000-1038 12/11/2000 The web administration interface for IBM AS/400
Firewall allows remote attackers to cause a denial of service via an
empty GET request.
CVE-2002-1731 12/31/2002 The System Request menu in IBM AS/400 allows
local users to list valid user accounts by viewing the object names that
are type USRPRF.
CVE-2005-0868 05/02/2005 AS/400 Telnet 5250 terminal emulation clients,
as implemented by (1) IBM client access, (2) Bosanova, (3) PowerTerm,
(4) Mochasoft, and possibly other emulations, allows malicious AS/400
servers to execute arbitrary commands via a STRPCO (Start PC Organizer)
command followed by STRPCCMD (Start PC command), as demonstrated by
creating a backdoor account using REXEC.
CVE-2005-0899 05/02/2005 AS/400 running OS400 5.2 installs and enables
LDAP by default, which allows remote authenticated users to obtain
OS/400 user profiles by performing a search.
CVE-2005-1025 05/02/2005 The FTP server in AS/400 4.3, when running in
IFS mode, allows remote attackers to obtain sensitive information via a
symlink attack using RCMD and the ADDLNK utility, as demonstrated using
the QSYS.LIB library.
CVE-2005-1133 05/02/2005 The POP3 server in IBM iSeries AS/400 returns
different error messages when the user exists or not, which allows
remote attackers to determine valid user IDs on the server.
CVE-2005-1182 05/02/2005 Unknown vulnerability in Incoming Remote
Command (iSeries Access for Windows Remote Command service) in IBM
OS/400 R510, R520, and R530 allows attackers to cause a denial of
service (IRC shutdown) via certain inputs.
CVE-2005-1238 05/02/2005 By design, the built-in FTP server for iSeries
AS/400 systems does not support a restricted document root, which allows
attackers to read or write arbitrary files, including sensitive QSYS
databases, via a full pathname in a GET or PUT request.
CVE-2005-1239 05/02/2005 Directory traversal vulnerability in the third
party tool from Raz-Lee, as used to secure the iSeries AS/400 FTP
server, allows remote attackers to access arbitrary files, including
those from qsys.lib, via ".." sequences in a GET request.
CVE-2005-1240 04/20/2005 Directory traversal vulnerability in the third
party tool from Castlehill, as used to secure the iSeries AS/400 FTP
server, allows remote attackers to access arbitrary files, including
those from qsys.lib, via ".." sequences in a GET request.
CVE-2005-1241 04/20/2005 Directory traversal vulnerability in the third
party tool from Powertech, as used to secure the iSeries AS/400 FTP
server, allows remote attackers to access arbitrary files, including
those from qsys.lib, via ".." sequences in a GET request.
CVE-2005-1242 05/02/2005 Directory traversal vulnerability in the third
party tool from Bsafe, as used to secure the iSeries AS/400 FTP server,
allows remote attackers to access arbitrary files, including those from
qsys.lib, via ".." sequences in a GET request.
CVE-2005-1243 05/02/2005 Directory traversal vulnerability in the third
party tool from SafeStone, as used to secure the iSeries AS/400 FTP
server, allows remote attackers to access arbitrary files, including
those from qsys.lib, via ".." sequences in a GET request.
CVE-2005-1244 04/20/2005 ** DISPUTED ** Directory traversal
vulnerability in the third party tool from NetIQ, as used to secure the
iSeries AS/400 FTP server, allows remote attackers to access arbitrary
files, including those from qsys.lib, via ".." sequences in a GET
request. NOTE: the vendor has disputed this issue, saying that "neither
NetIQ Security Manager nor our iSeries Security Solutions are vulnerable."
CVE-2006-6836 12/31/2006 Multiple unspecified vulnerabilities in
osp-cert in IBM OS/400 V5R3M0 have unspecified impact and attack
vectors, related to ASN.1 parsing.
CVE-2007-0442 01/23/2007 Unspecified vulnerability in IBM OS/400 R530
and R535 has unknown impact and remote attack vectors, related to an
"Integrity Problem" involving LIC-TCPIP and TCP reset. NOTE: it is
possible that this issue is related to CVE-2004-0230, but this is not
certain.
CVE-2007-3390 06/25/2007 Wireshark 0.99.5 and 0.10.x up to 0.10.14, when
running on certain systems, allows remote attackers to cause a denial of
service (crash) via crafted iSeries capture files that trigger a SIGTRAP.
CVE-2007-3537 07/03/2007 IBM OS/400 (aka i5/OS) V4R2M0 through V5R3M0 on
iSeries machines sends responses to TCP SYN-FIN packets, which allows
remote attackers to obtain system information and possibly bypass
firewall rules.
CVE-2007-6114 11/23/2007 Multiple buffer overflows in Wireshark
(formerly Ethereal) 0.99.0 through 0.99.6 allow remote attackers to
cause a denial of service (crash) and possibly execute arbitrary code
via (1) the SSL dissector or (2) the iSeries (OS/400) Communication
trace file parser.
CVE-2008-0694 02/11/2008 Cross-site scripting (XSS) vulnerability in the
HTTP Server in IBM OS/400 V5R3M0 and V5R4M0 allows remote attackers to
inject arbitrary web script or HTML via the Expect HTTP header.
OSVDB Disclosed Title
5835 2000-09-12 AS/400 Firewall Malformed GET Request DoS
9787 1999-05-04 IBM Lotus Domino for AS/400 SMTP Component Long String
Remote DoS
11018 1997-04-17 Microsoft SNA Server AS/400 Local APPC LU Shared Folder
Disclosure
15074 2005-03-23 AS/400 Multiple Emulator STRPCO / STRPCCMD Command
Execution
15079 2005-03-26 AS/400 LDAP User Account Name Disclosure
15300 2005-04-04 AS/400 iSeries FTP IFS Mode ADDLNK User Account
Disclosure
15510 2005-04-15 IBM OS/400 POP3 Server User Account/Profile Enumeration
15651 2005-04-15 IBM OS/400 Incoming Remote Command Remote DoS
15791 2005-04-20 NetIQ Security Manager Traversal File Restriction Bypass
15792 2005-04-20 Bsafe/Global Security for iSeries Traversal File
Restriction Bypass
15793 2005-04-20 Castlehill Computer Services SECURE/NET Traversal File
Restriction Bypass
15794 2005-04-20 SafeStone DetectIT Directory Traversal File Restriction
Bypass
15795 2005-04-20 PowerLock NetworkSecurity Traversal File Restriction
Bypass
15796 2005-04-20 RazLee Firewall+++ Traversal File Restriction Bypass
16606 2005-04-20 AS/400 FTP Server for iSeries Traversal File
Restriction Bypass
19247 2005-09-08 IBM OS/400 osp-cert X509 Basic Constraint Issue
19248 2005-09-08 IBM OS/400 osp-cert Certificate Store Returned
Application Identifier Issue
19249 2005-09-08 IBM OS/400 osp-cert Unspecified ASN.1 Parsing Issue
19250 2005-09-08 IBM OS/400 Malformed SNMP Message Remote DoS
27079 2002-02-10 AS/400 System Request Menu USRPRF Object Name User
Account Disclosure
30743 2006-11-17 IBM OS/400 osp-cert ASN.1 Certificate Version Handling
Weakness
30744 2006-11-17 IBM OS/400 osp-cert ASN.1 X.509 Certificate Version
Weakness
32812 2007-01-13 IBM OS/400 Unspecified Connection Reset DoS
37642 2007-07-05 Wireshark Crafted iSeries Capture File Handling Remote
DoS
37792 2007-06-28 IBM OS/400 on iSeries TCP SYN-FIN Packet Handling
Security Bypass
40468 2007-11-26 Wireshark iSeries (OS/400) Communication Trace File
Parser Unspecified Remote Overflow
41518 2008-02-04 IBM OS/400 V5R3M0 / V5R4M0 HTTP Server Expect HTTP
Header XSS
46082 2008-06-06 IBM OS/400 BrSmRcvAndCheck Boundary Error Local Overflow
I hope this summary is of use.
Now, if we can only get some of the vulnerability assessment vendors to
take an interest in supporting the AS/400...
Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253