  1. #1 Jon Kibler
     Subject: AS/400 Vulnerabilities

    Hi,

    Have you ever nmap-ed a network with AS/400s? If you have, you probably
    know that doing so will, in at least half the cases, either crash the
    box, hang up one or more services, or really confuse the IP stack to the
    point that the box almost screeches to a halt.

    Given that those boxes are so brittle to even simple network scans, it
    would seem that they would have to be full of exploitable
    vulnerabilities. If nothing else, a few custom packets should be able to
    DoS a box.

    However, if you search for AS/400 vulnerabilities, you find only about a
    dozen, and most are years old. Nessus only checks for one.

    Since these boxes are a common part of small to medium size business
    infrastructure (especially in manufacturing or organizations that have
    used computers for over 25 years), it looks like they would be ripe for
    exploitation.

    This raises a couple of questions:
    1) Is anyone really doing any vulnerability research in this area?

    2) Are the boxes really just unstable to malformed network data, but
    not exploitable?

    THANKS!
    Jon Kibler
    - --
    Jon R. Kibler
    Chief Technical Officer
    Advanced Systems Engineering Technology, Inc.
    Charleston, SC USA
    o: 843-849-8214
    c: 843-224-2494
    s: 843-564-4224

    My PGP Fingerprint is:
    BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

  2. #2 Michael Wojcik
     Subject: RE: AS/400 Vulnerabilities

    > From: Jon Kibler [mailto:Jon.Kibler@aset.com]
    > Sent: Thursday, 12 June, 2008 14:54
    > To: bugtraq@securityfocus.com
    >
    > 2) Are the boxes really just unstable to malformed network
    > data, but not exploitable?


    Exploiting data-handling vulnerabilities (as opposed to design
    vulnerabilities, like missing access checks) is difficult on the AS/400
    (aka iSeries, and various other names), because it's a capability
    architecture. Attacks like stack overflows don't apply to the '400 the
    way they do to more common virtual-address-space systems.

    Of course that doesn't mean that they're not exploitable, just that the
    exploits will take different forms. (In most cases - processes running
    in the PASE environment are an exception, though I couldn't say just what
    access you might get by breaking one.)

    I think it's an area that's definitely worth investigation, but few
    researchers (whatever their hat color) seem to have done much with
    capability architectures in general or the '400 in particular. And it
    doesn't look like many are motivated to acquire the necessary knowledge
    to do so.

    That is a bit of a shame, as capability architectures are interesting in
    themselves, and have interesting security implications, and the '400 has
    shown that they're commercially viable. Intel's early effort at a
    capability architecture (the 432) died because it couldn't compete on
    performance, but the long life of the '400 suggests that perhaps the
    time is right to try again.

    --
    Michael Wojcik
    Principal Software Systems Developer, Micro Focus


  3. #3 security curmudgeon
     Subject: Re: AS/400 Vulnerabilities

    : Have you ever nmap-ed a network with AS/400s? If you have, you probably
    : know that doing so will, in at least half the cases, either crash the
    : box, hang up one or more services, or really confuse the IP stack to the
    : point that the box almost screeches to a halt.

    This is frequently observed by pen-testers for sure, but just as frequently
    anecdotal. I have personally run into it at least once, where a standard
    nmap SYN scan crashed a few AS/400 boxes. Each time it ends there: the
    client freaks and little to no more information can be obtained, as it is
    dropped from the scope. I'd be curious to see how many bug reports IBM has
    received on the port scan DoS. The lack of information about what
    versions or conditions are required for it to happen is why I said it is
    mostly anecdotal.

    : However, if you search for AS/400 vulnerabilities, you find only about a
    : dozen, and most are years old. Nessus only checks for one.

    Search your favorite VDB for "OS/400" and you will see more current
    issues. Either way, given the distribution of the platform, there are
    relatively few vulnerabilities publicly disclosed.

    OSVDB  Disc Date   CVE        Vuln
    -----  ---------   ---        ----
    46082  2008-06-06  -          IBM OS/400 BrSmRcvAndCheck Boundary Error Local Overflow
    41518  2008-02-04  2008-0694  IBM OS/400 V5R3M0 / V5R4M0 HTTP Server Expect HTTP Header XSS
    37792  2007-06-28  2007-3537  IBM OS/400 on iSeries TCP SYN-FIN Packet Handling Security Bypass
    32812  2007-01-13  2007-0442  IBM OS/400 Unspecified Connection Reset DoS
    30743  2006-11-17  2006-6836  IBM OS/400 osp-cert ASN.1 Certificate Version Handling Weakness
    30744  2006-11-17  2006-6836  IBM OS/400 osp-cert ASN.1 X.509 Certificate Version Weakness
    [..]

    16606  2005-04-20  2005-1238  AS/400 FTP Server for iSeries Traversal File Restriction Bypass
    15300  2005-04-04  2005-1025  AS/400 iSeries FTP IFS Mode ADDLNK User Account Disclosure
    15079  2005-03-26  2005-0899  AS/400 LDAP User Account Name Disclosure
    15074  2005-03-23  2005-0868  AS/400 Multiple Emulator STRPCO / STRPCCMD Command Execution
    [..]

    : This raises a couple of questions:
    : 1) Is anyone really doing any vulnerability research in this area?
    :
    : 2) Are the boxes really just unstable to malformed network data, but
    : not exploitable?

    I would guess there is little research being done on them. The odds of a
    box falling over due to a few malformed TCP packets, but being resistant
    or not vulnerable to more complex attacks seems pretty far fetched. While
    this vendor and technology is widely deployed, it isn't a sexy target for
    research.

    Brian
    OSVDB.org


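The "Traversal File Restriction Bypass" entry for the iSeries FTP server in the table above, and the third-party FTP restriction products that carry the same title in the fuller lists later in the thread (whose CVE text cites ".." sequences in a GET request), belong to a class of bug that very often arises from testing the requested path as a raw string against the permitted root. What follows is an added example, not code from this thread, from IBM, or from any of those vendors: the raw prefix check beside a hardened check that resolves ".", ".." and the session working directory before comparing. The root "/home/ftp", the QSYS.LIB object names and the client requests are constructed samples; folding case in the comparison reflects my assumption that the namespace is case-insensitive, as the IFS root file system is.

```python
"""Added example (not from the thread, IBM, or any vendor): an FTP-style
document-root check done the vulnerable way (string prefix on the raw
request) and the hardened way (canonicalise, then compare). Every path
below is a constructed sample."""
import posixpath

ROOT = "/home/ftp"  # constructed: the directory the FTP user is confined to


def naive_allowed(root: str, requested: str, cwd: str = "/") -> bool:
    """Vulnerable: tests the raw string. '..' is never resolved, so
    '/home/ftp/../../QSYS.LIB/...' passes because it begins with the root,
    and a sibling such as '/home/ftp2' passes for the same reason."""
    path = requested if requested.startswith("/") else posixpath.join(cwd, requested)
    return path.startswith(root)


def canonical(path: str, cwd: str = "/") -> str:
    """Resolve '.', '..' and repeated separators. A relative name is joined
    to the session working directory first, as an FTP server would do."""
    if not path.startswith("/"):
        path = posixpath.join(cwd, path)
    return posixpath.normpath(path)


def hardened_allowed(root: str, requested: str, cwd: str = "/") -> bool:
    """Canonicalise both sides, then require the target to be the root
    itself or to sit strictly below it (root + '/'), so '/home/ftp2' does
    not match '/home/ftp'. Case is folded on the assumption (mine, not the
    page's) of a case-insensitive namespace like the IFS root file system."""
    root_c = canonical(root).casefold()
    target = canonical(requested, cwd).casefold()
    if target == root_c:
        return True
    return target.startswith(root_c.rstrip("/") + "/")


# Constructed client requests: (path as sent, session working directory)
SAMPLES = [
    ("/home/ftp/reports/q1.txt", "/"),
    ("/home/ftp/../../QSYS.LIB/SOMELIB.LIB/SOMEFILE.FILE", "/"),
    ("../../../QSYS.LIB/SOMELIB.LIB", "/home/ftp/reports"),
    ("/home/ftp/./../ftp2/secret", "/"),
    ("/home/ftp2/secret", "/"),
    ("/HOME/FTP/REPORTS", "/"),
]


def compare_checks(root: str = ROOT):
    """Return {request: (naive_result, hardened_result)} for every sample."""
    return {req: (naive_allowed(root, req, cwd), hardened_allowed(root, req, cwd))
            for req, cwd in SAMPLES}


if __name__ == "__main__":
    for req, (naive, hard) in compare_checks().items():
        print(f"{req:52} naive={naive!s:5} hardened={hard}")
```

Run it as a script to see the two checks side by side. Two details carry the weight: the hardened check compares against root plus a trailing separator, so a sibling directory cannot pass, and it canonicalises the root as well as the request, so a root configured with a trailing slash or a ".." of its own does not defeat the comparison.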
  4. #4 Marco Ivaldi
     Subject: Re: AS/400 Vulnerabilities

    Hello Bugtraq,

    On Fri, 13 Jun 2008, security curmudgeon wrote:

    > I would guess there is little research being done on them. The odds of a
    > box falling over due to a few malformed TCP packets, but being resistant
    > or not vulnerable to more complex attacks seems pretty far fetched.
    > While this vendor and technology is widely deployed, it isn't a sexy
    > target for research.


    Speaking of AS/400 security research, I'd like to point out the following
    resources:

    http://seclists.org/pen-test/2008/Feb/0083.html
    http://www.venera.com/downloads.htm
    http://www.venera.com/order.htm
    http://www.security-database.com/too...work-Beta.html

    Cheers,

    --
    Marco Ivaldi, OPST
    Red Team Coordinator Data Security Division
    @ Mediaservice.net Srl http://mediaservice.net/




  5. #5 Jon Kibler
     Subject: Re: Summary of AS/400 Vulnerability Information

    Hello,

    I received several off-list requests for a summary of what I learned
    about AS/400 vulnerabilities. Here is what I have learned. (A lot!) I
    would like to thank everyone who replied off-list with additional
    information.

    1) A book on hacking AS/400s:
    Hacking iSeries
    by: Shalom Carmel
    BookSurge Publishing, 2006
    ISBN-13: 978-1419625015
    http://www.amazon.com/Hacking-iSerie.../dp/1419625012

    2) A book on AS/400 security:
    Experts' Guide to OS/400 & i5/OS Security
    by: Carol Woodbury and Patrick Botz
    29th Street Press, 2004
    ISBN-10: 158304096X
    http://www.amazon.com/Experts-Guide-.../dp/158304096X

    3) An AS/400 web site (by Shalom Carmel):
    http://www.hackingiseries.com/

    4) Auditing framework:
    http://www.security-database.com/too...work-Beta.html

    5) Comments of note:

    > ... some default services on AS/400 allow
    > anonymous access including POP3, SMTP, LDAP, FTP, etc. But what
    > fails audit almost every time are default passwords.

    > ... security of these beasts had not been in the forefront for
    > most companies. Some of them run their e-commerce solutions on AS/400
    > facing the Internet

    6) When searching for AS/400 vulnerabilities, you need to search on a
    bunch of 'not-necessarily-obvious' keywords, including:
    AS/400
    OS/400
    iSeries
    i5/OS
    SQL/400
    DB2/400

    7) Known vulnerabilities:

    CVE ID (disclosure date): Title

    CVE-2000-1038 (2000-12-11): The web administration interface for IBM AS/400
    Firewall allows remote attackers to cause a denial of service via an
    empty GET request.

    CVE-2002-1731 (2002-12-31): The System Request menu in IBM AS/400 allows
    local users to list valid user accounts by viewing the object names that
    are type USRPRF.

    CVE-2005-0868 (2005-05-02): AS/400 Telnet 5250 terminal emulation clients,
    as implemented by (1) IBM client access, (2) Bosanova, (3) PowerTerm,
    (4) Mochasoft, and possibly other emulations, allows malicious AS/400
    servers to execute arbitrary commands via a STRPCO (Start PC Organizer)
    command followed by STRPCCMD (Start PC command), as demonstrated by
    creating a backdoor account using REXEC.

    CVE-2005-0899 (2005-05-02): AS/400 running OS400 5.2 installs and enables
    LDAP by default, which allows remote authenticated users to obtain
    OS/400 user profiles by performing a search.

    CVE-2005-1025 (2005-05-02): The FTP server in AS/400 4.3, when running in
    IFS mode, allows remote attackers to obtain sensitive information via a
    symlink attack using RCMD and the ADDLNK utility, as demonstrated using
    the QSYS.LIB library.

    CVE-2005-1133 (2005-05-02): The POP3 server in IBM iSeries AS/400 returns
    different error messages when the user exists or not, which allows
    remote attackers to determine valid user IDs on the server.

    CVE-2005-1182 (2005-05-02): Unknown vulnerability in Incoming Remote
    Command (iSeries Access for Windows Remote Command service) in IBM
    OS/400 R510, R520, and R530 allows attackers to cause a denial of
    service (IRC shutdown) via certain inputs.

    CVE-2005-1238 (2005-05-02): By design, the built-in FTP server for iSeries
    AS/400 systems does not support a restricted document root, which allows
    attackers to read or write arbitrary files, including sensitive QSYS
    databases, via a full pathname in a GET or PUT request.

    CVE-2005-1239 (2005-05-02): Directory traversal vulnerability in the third
    party tool from Raz-Lee, as used to secure the iSeries AS/400 FTP
    server, allows remote attackers to access arbitrary files, including
    those from qsys.lib, via ".." sequences in a GET request.

    CVE-2005-1240 (2005-04-20): Directory traversal vulnerability in the third
    party tool from Castlehill, as used to secure the iSeries AS/400 FTP
    server, allows remote attackers to access arbitrary files, including
    those from qsys.lib, via ".." sequences in a GET request.

    CVE-2005-1241 (2005-04-20): Directory traversal vulnerability in the third
    party tool from Powertech, as used to secure the iSeries AS/400 FTP
    server, allows remote attackers to access arbitrary files, including
    those from qsys.lib, via ".." sequences in a GET request.

    CVE-2005-1242 (2005-05-02): Directory traversal vulnerability in the third
    party tool from Bsafe, as used to secure the iSeries AS/400 FTP server,
    allows remote attackers to access arbitrary files, including those from
    qsys.lib, via ".." sequences in a GET request.

    CVE-2005-1243 (2005-05-02): Directory traversal vulnerability in the third
    party tool from SafeStone, as used to secure the iSeries AS/400 FTP
    server, allows remote attackers to access arbitrary files, including
    those from qsys.lib, via ".." sequences in a GET request.

    CVE-2005-1244 (2005-04-20): ** DISPUTED ** Directory traversal
    vulnerability in the third party tool from NetIQ, as used to secure the
    iSeries AS/400 FTP server, allows remote attackers to access arbitrary
    files, including those from qsys.lib, via ".." sequences in a GET
    request. NOTE: the vendor has disputed this issue, saying that "neither
    NetIQ Security Manager nor our iSeries Security Solutions are vulnerable."

    CVE-2006-6836 (2006-12-31): Multiple unspecified vulnerabilities in
    osp-cert in IBM OS/400 V5R3M0 have unspecified impact and attack
    vectors, related to ASN.1 parsing.

    CVE-2007-0442 (2007-01-23): Unspecified vulnerability in IBM OS/400 R530
    and R535 has unknown impact and remote attack vectors, related to an
    "Integrity Problem" involving LIC-TCPIP and TCP reset. NOTE: it is
    possible that this issue is related to CVE-2004-0230, but this is not
    certain.

    CVE-2007-3390 (2007-06-25): Wireshark 0.99.5 and 0.10.x up to 0.10.14, when
    running on certain systems, allows remote attackers to cause a denial of
    service (crash) via crafted iSeries capture files that trigger a SIGTRAP.

    CVE-2007-3537 (2007-07-03): IBM OS/400 (aka i5/OS) V4R2M0 through V5R3M0 on
    iSeries machines sends responses to TCP SYN-FIN packets, which allows
    remote attackers to obtain system information and possibly bypass
    firewall rules.

    CVE-2007-6114 (2007-11-23): Multiple buffer overflows in Wireshark
    (formerly Ethereal) 0.99.0 through 0.99.6 allow remote attackers to
    cause a denial of service (crash) and possibly execute arbitrary code
    via (1) the SSL dissector or (2) the iSeries (OS/400) Communication
    trace file parser.

    CVE-2008-0694 (2008-02-11): Cross-site scripting (XSS) vulnerability in the
    HTTP Server in IBM OS/400 V5R3M0 and V5R4M0 allows remote attackers to
    inject arbitrary web script or HTML via the Expect HTTP header.


    OSVDB  Disclosed   Title
    -----  ---------   -----
    5835   2000-09-12  AS/400 Firewall Malformed GET Request DoS
    9787   1999-05-04  IBM Lotus Domino for AS/400 SMTP Component Long String Remote DoS
    11018  1997-04-17  Microsoft SNA Server AS/400 Local APPC LU Shared Folder Disclosure
    15074  2005-03-23  AS/400 Multiple Emulator STRPCO / STRPCCMD Command Execution
    15079  2005-03-26  AS/400 LDAP User Account Name Disclosure
    15300  2005-04-04  AS/400 iSeries FTP IFS Mode ADDLNK User Account Disclosure
    15510  2005-04-15  IBM OS/400 POP3 Server User Account/Profile Enumeration
    15651  2005-04-15  IBM OS/400 Incoming Remote Command Remote DoS
    15791  2005-04-20  NetIQ Security Manager Traversal File Restriction Bypass
    15792  2005-04-20  Bsafe/Global Security for iSeries Traversal File Restriction Bypass
    15793  2005-04-20  Castlehill Computer Services SECURE/NET Traversal File Restriction Bypass
    15794  2005-04-20  SafeStone DetectIT Directory Traversal File Restriction Bypass
    15795  2005-04-20  PowerLock NetworkSecurity Traversal File Restriction Bypass
    15796  2005-04-20  RazLee Firewall+++ Traversal File Restriction Bypass
    16606  2005-04-20  AS/400 FTP Server for iSeries Traversal File Restriction Bypass
    19247  2005-09-08  IBM OS/400 osp-cert X509 Basic Constraint Issue
    19248  2005-09-08  IBM OS/400 osp-cert Certificate Store Returned Application Identifier Issue
    19249  2005-09-08  IBM OS/400 osp-cert Unspecified ASN.1 Parsing Issue
    19250  2005-09-08  IBM OS/400 Malformed SNMP Message Remote DoS
    27079  2002-02-10  AS/400 System Request Menu USRPRF Object Name User Account Disclosure
    30743  2006-11-17  IBM OS/400 osp-cert ASN.1 Certificate Version Handling Weakness
    30744  2006-11-17  IBM OS/400 osp-cert ASN.1 X.509 Certificate Version Weakness
    32812  2007-01-13  IBM OS/400 Unspecified Connection Reset DoS
    37642  2007-07-05  Wireshark Crafted iSeries Capture File Handling Remote DoS
    37792  2007-06-28  IBM OS/400 on iSeries TCP SYN-FIN Packet Handling Security Bypass
    40468  2007-11-26  Wireshark iSeries (OS/400) Communication Trace File Parser Unspecified Remote Overflow
    41518  2008-02-04  IBM OS/400 V5R3M0 / V5R4M0 HTTP Server Expect HTTP Header XSS
    46082  2008-06-06  IBM OS/400 BrSmRcvAndCheck Boundary Error Local Overflow


    I hope this summary is of use.

    Now, if we can only get some of the vulnerability assessment vendors to
    take an interest in supporting the AS/400...

    Jon Kibler



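The POP3 entry in the lists above (CVE-2005-1133, OSVDB 15510) is a user-enumeration oracle: the failure message tells the client whether the profile name exists. The following is an added example, not IBM's code and not anything posted in the thread, simulating the USER/PASS handling both ways and the attacker-side loop that turns the difference into a list of valid names. The account names, passwords and reply strings are constructed.

```python
"""Added example (not IBM's code, not from the thread): a simulated POP3
USER/PASS exchange, once with distinct failure messages (the oracle that
CVE-2005-1133 describes for OS/400's POP3 server) and once with a single
failure message, plus the attacker-side classifier. Account names,
passwords and reply strings are constructed."""
import hashlib
import hmac


def _digest(password: str) -> str:
    """Stand-in for the server's stored password verifier (constructed)."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed account store: profile name -> password digest
ACCOUNTS = {"ALICE": _digest("s3cret!"), "JOE": _digest("winter08")}
# Compared against for unknown names so they cost the same work as known ones
_DUMMY = _digest("not-a-real-password")


def pop3_login_vulnerable(user: str, password: str) -> str:
    """Leaks account existence: one message for an unknown profile name,
    a different one for a known name with the wrong password."""
    if user not in ACCOUNTS:
        return "-ERR no such user"
    if not hmac.compare_digest(ACCOUNTS[user], _digest(password)):
        return "-ERR invalid password"
    return "+OK logged in"


def pop3_login_hardened(user: str, password: str) -> str:
    """Same outcome either way: one failure string, and the digest compare
    always runs (against a dummy for unknown names) so response time does
    not become the new oracle. 'user in ACCOUNTS' is still required;
    without it, sending the dummy's password would log in as any name."""
    stored = ACCOUNTS.get(user, _DUMMY)
    ok = hmac.compare_digest(stored, _digest(password)) and user in ACCOUNTS
    return "+OK logged in" if ok else "-ERR authentication failed"


def enumerate_users(candidates, login):
    """Attacker side. Probe a name that cannot exist to learn the server's
    'unknown user' reply, then report every candidate whose reply differs."""
    baseline = login("\x00no-such-profile\x00", "wrong")
    return [name for name in candidates if login(name, "wrong") != baseline]


if __name__ == "__main__":
    wordlist = ["ALICE", "BOB", "JOE", "MALLORY"]  # constructed
    print("vulnerable server leaks:", enumerate_users(wordlist, pop3_login_vulnerable))
    print("hardened server leaks:  ", enumerate_users(wordlist, pop3_login_hardened))
```

Returning one string is not enough on its own: if the unknown-user path skips the password check, the response time becomes the oracle instead, which is why the hardened version always performs the comparison, against a dummy digest when the name is unknown.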
Webhostingtalk.nl
© Copyright 2001-2021 Webhostingtalk.nl.