[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BAY2-DAV15C86D50157EC3D5132E8CB84F0@phx.gbl>
Date: Wed, 23 Mar 2005 17:00:26 +0200
From: "Shalom Carmel" <shalom@...era.com>
To: <bugtraq@...urityfocus.com>
Subject: Backdoors in AS/400 emulations allow the server to attack connected PC workstations
Backdoors in AS/400 emulations allow the server to attack connected PC
workstations
Summary:
Nowadays, when working with legacy AS/400 applications, most people use
Telnet based terminal emulation programs, for example IBM Client Access.
The issue found is using these emulations in an unplanned manner with
surprising results.
Overview:
All PC based terminal emulation support a couple of legacy commands
called STRPCO (Start PC Organizer) and STRPCCMD (Start PC command).
The STRPCO and STRPCCMD commands can be scripted inside AS/400 applications.
These commands accept as an input parameter a string, and attempt to execute
this string
as a command on the connected PC.
When the attempt succeeds, the command is executed under the identity of the
PC user.
As a result, a malicious AS/400 application can effectively execute an
arbitrary set of
commands on a connected PC.
This problem affects all AS/400 terminal emulations.
Moreover, the IBM supplied terminal emulation is often installed as part of
the Client Access AS/400 connectivity suite, which by default installs a
service that provides
an rexec daemon on the affected PC. This rexec daemon can be activated via
the previously
mentioned STRPCCMD in a promiscous mode that does not require
authentication,
rendering the PC completely open to remote command execution.
For full details and sample code please read the following PDF file
http://www.venera.com/downloads/Attack_5250_terminal_emulations_from_iSeries_server.pdf
Shalom Carmel
Powered by blists - more mailing lists