[NEWS] Terminal 5250 Remote Command Execution
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org Date: 24 Mar 2005 19:20:07 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Terminal 5250 Remote Command Execution
Nowadays, when working with legacy AS/400 applications, most people use
Telnet based terminal emulation programs, for example IBM Client Access. A
vulnerability in the terminal 5250 support allows using it to cause the
user to unwillingly execute arbitrary commands.
All PC based terminal emulation support a couple of legacy commands called
STRPCO (Start PC Organizer) and STRPCCMD (Start PC command).
The STRPCO and STRPCCMD commands can be scripted inside AS/400
These commands accept as an input parameter a string, and attempt to
execute this string
as a command on the connected PC.
When the attempt succeeds, the command is executed under the identity of
the PC user.
As a result, a malicious AS/400 application can effectively execute an
arbitrary set of commands on a connected PC.
This problem affects all AS/400 terminal emulations.
Moreover, the IBM supplied terminal emulation is often installed as part
of the Client Access AS/400 connectivity suite, which by default installs
a service that provides an rexec daemon on the affected PC. This rexec
daemon can be activated via the previously mentioned STRPCCMD in a
promiscuous mode that does not require authentication, rendering the PC
completely open to remote command execution.
For full details and sample code please read the following PDF file
The information has been provided by <mailto:email@example.com> Shalom
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: firstname.lastname@example.org
In order to subscribe to the mailing list, simply forward this email to: email@example.com
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.