Message-ID: <BAY2-DAV15C86D50157EC3D5132E8CB84F0@phx.gbl>
Date: Wed, 23 Mar 2005 17:00:26 +0200
From: "Shalom Carmel" <shalom@...era.com>
To: <bugtraq@...urityfocus.com>
Subject: Backdoors in AS/400 emulations allow the server to attack connected PC workstations


Backdoors in AS/400 emulations allow the server to attack connected PC
workstations



Summary:

Nowadays, when working with legacy AS/400 applications, most people use
Telnet-based terminal emulation programs, for example IBM Client Access.

The issue described here is that these emulations can be used in an
unplanned manner, with surprising results.


Overview:

All PC-based terminal emulations support a couple of legacy commands
called STRPCO (Start PC Organizer) and STRPCCMD (Start PC command).

The STRPCO and STRPCCMD commands can be scripted inside AS/400 applications.

These commands accept a string as an input parameter, and attempt to
execute this string as a command on the connected PC.

When the attempt succeeds, the command is executed under the identity of the
PC user.

As a result, a malicious AS/400 application can effectively execute an
arbitrary set of commands on a connected PC.

This problem affects all AS/400 terminal emulations.

Moreover, the IBM-supplied terminal emulation is often installed as part of
the Client Access AS/400 connectivity suite, which by default installs a
service that provides an rexec daemon on the affected PC. This rexec daemon
can be activated via the previously mentioned STRPCCMD in a promiscuous mode
that does not require authentication, rendering the PC completely open to
remote command execution.


For full details and sample code, please read the following PDF file:

http://www.venera.com/downloads/Attack_5250_terminal_emulations_from_iSeries_server.pdf

Shalom Carmel
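
One way to audit for the behaviour described in the Overview, as an added example that is not part of the original post: a Python scan of CL source for STRPCO and STRPCCMD invocations, so that programs able to run commands on connected PCs can be reviewed. The sample CL source and the `logical_lines` and `audit` helper names are constructed for illustration.

```python
import re

# Constructed CL source (not from the advisory). A trailing '+' continues a command.
SAMPLE_CL = """\
PGM
  /* STRPCCMD mentioned only in a comment */
  STRPCO PCTA(*NO)
  STRPCCMD PCCMD('notepad.exe') +
           PAUSE(*NO)
  SNDPGMMSG MSG('done')
  strpccmd pccmd(&CMD)
ENDPGM
"""

# Optional label and library qualifier, then one of the two commands the advisory names.
PC_EXEC = re.compile(r"^(?:\w+:\s*)?(?:\w+/)?(STRPCCMD|STRPCO)\b(.*)$", re.I)
# First quoted literal or CL variable after the command name (keyword or positional).
ARG = re.compile(r"('(?:[^']|'')*'|&\w+)")

def logical_lines(src):
    """Yield (first_line_no, command) with comments removed and continuations joined."""
    # Blank out /* ... */ comments but keep their newlines so line numbers stay correct.
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), src, flags=re.S)
    buf, start, drop_blanks = "", 0, True
    for no, raw in enumerate(src.splitlines(), 1):
        line = (raw.lstrip() if drop_blanks else raw).rstrip()
        start = start or no
        if line.endswith(("+", "-")):  # '+' drops the next line's leading blanks, '-' keeps them
            buf, drop_blanks = buf + line[:-1], line.endswith("+")
            continue
        if (buf + line).strip():
            yield start, (buf + line).strip()
        buf, start, drop_blanks = "", 0, True

def audit(src):
    """Return one finding per command that can start a program on the client PC."""
    findings = []
    for no, cmd in logical_lines(src):
        m = PC_EXEC.match(cmd)
        if not m:
            continue
        arg = ARG.search(m.group(2))
        value = arg.group(1) if arg else None
        # A CL variable (&NAME) means the PC command is only known at run time.
        findings.append({"line": no, "command": m.group(1).upper(),
                         "pccmd": value, "dynamic": bool(value and value.startswith("&"))})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CL):
        print(finding)
```

Findings marked `dynamic` deserve the closest review, because the string passed to the PC is built at run time rather than fixed in the source.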


