[NEWS] Terminal 5250 Remote Command Execution

From: SecuriTeam (support_at_securiteam.com)
Date: 03/24/05

    To: list@securiteam.com
    Date: 24 Mar 2005 19:20:07 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Terminal 5250 Remote Command Execution
    ------------------------------------------------------------------------

    SUMMARY

    Nowadays, when working with legacy AS/400 applications, most people use
    Telnet-based terminal emulation programs, for example IBM Client Access. A
    vulnerability in the 5250 terminal support allows the AS/400 side of the
    session to cause the PC user to unwillingly execute arbitrary commands.

    DETAILS

    All PC-based terminal emulations support two legacy commands called
    STRPCO (Start PC Organizer) and STRPCCMD (Start PC Command).

    The STRPCO and STRPCCMD commands can be scripted inside AS/400
    applications.

    These commands accept a string as an input parameter, and attempt to
    execute this string as a command on the connected PC.

    When the attempt succeeds, the command is executed under the identity of
    the PC user.

    As a result, a malicious AS/400 application can effectively execute an
    arbitrary set of commands on a connected PC.

    This problem affects all AS/400 terminal emulations.
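    Because the advisory's point is that STRPCO and STRPCCMD can be scripted inside AS/400 applications, the practical defensive check is to audit the CL (Control Language) source of programs that terminal users run and flag every invocation of these two commands together with the PC command string they carry. The following scanner is an added example and is not code from the advisory or from Venera; it assumes the usual CL conventions (a trailing `+` continues a statement, `/* ... */` delimits comments, the PC command is passed in the `PCCMD(...)` keyword), and the CL source it scans is constructed for illustration.

```python
"""
Audit CL source for STRPCO / STRPCCMD invocations.

Added example, not part of the SecuriTeam advisory. Joins '+' continuation
lines, blanks out /* */ comments (keeping line numbers intact) and reports
each STRPCO / STRPCCMD statement with the PCCMD value it would push to the
connected PC. CL syntax handling is an assumption; the sample is constructed.
"""
import re
from dataclasses import dataclass

# Constructed CL source: one STRPCO, one STRPCCMD split over a continuation
# line, and a comment-only mention that must NOT be reported.
SAMPLE_CL = """\
             PGM
             DCL        VAR(&USER) TYPE(*CHAR) LEN(10)
/* STRPCCMD mentioned in a comment must be ignored */
             CHGVAR     VAR(&USER) VALUE('QUSER')
             STRPCO
             STRPCCMD   PCCMD('cmd /c dir') +
                        PAUSE(*NO)
             SNDPGMMSG  MSG('done')
             ENDPGM
"""

TARGETS = ("STRPCO", "STRPCCMD")


@dataclass
class Finding:
    line: int        # 1-based line of the statement's first physical line
    command: str     # STRPCO or STRPCCMD
    pc_command: str  # value of PCCMD(...) if present, else ""


def _strip_comments(text: str) -> str:
    # Replace each /* ... */ block with spaces, preserving newlines so that
    # reported line numbers still match the original source.
    return re.sub(r"/\*.*?\*/",
                  lambda m: re.sub(r"[^\n]", " ", m.group(0)),
                  text, flags=re.S)


def _statements(text: str):
    """Yield (first_line_no, joined_statement), merging '+' continuations."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip():
            continue
        if start is None:
            start = no
        if line.endswith("+"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(part.strip() for part in buf)
        buf, start = [], None
    if buf:  # unterminated continuation at end of file
        yield start, " ".join(part.strip() for part in buf)


def audit_cl(source: str) -> list[Finding]:
    """Return every STRPCO/STRPCCMD statement found in CL source."""
    findings = []
    for no, stmt in _statements(_strip_comments(source)):
        tokens = stmt.split()
        if not tokens:
            continue
        cmd = tokens[0].upper()
        # Allow an optional statement label: "LBL: STRPCCMD ..."
        if cmd.endswith(":") and len(tokens) > 1:
            cmd = tokens[1].upper()
        if cmd not in TARGETS:
            continue
        # CL doubles a single quote inside a quoted string ('' -> ').
        m = re.search(r"PCCMD\(\s*'((?:[^']|'')*)'\s*\)", stmt, flags=re.I)
        pc = m.group(1).replace("''", "'") if m else ""
        findings.append(Finding(no, cmd, pc))
    return findings


if __name__ == "__main__":
    for f in audit_cl(SAMPLE_CL):
        print(f"line {f.line}: {f.command} {f.pc_command!r}")
```

Run it over the exported source members of any library whose programs reach interactive 5250 users; each finding is a place where the server dictates what runs on the workstation, which is exactly the trust boundary the advisory describes. Statements built dynamically at runtime (for example a `PCCMD` value taken from a variable) will show up with an empty `pc_command` and deserve manual review.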

    Moreover, the IBM supplied terminal emulation is often installed as part
    of the Client Access AS/400 connectivity suite, which by default installs
    a service that provides an rexec daemon on the affected PC. This rexec
    daemon can be activated via the previously mentioned STRPCCMD in a
    promiscuous mode that does not require authentication, rendering the PC
    completely open to remote command execution.

    For full details and sample code please read the following PDF file:
    http://www.venera.com/downloads/Attack_5250_terminal_emulations_from_iSeries_server.pdf

    ADDITIONAL INFORMATION

    The information has been provided by Shalom Carmel (shalom@venera.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

