[NEWS] Terminal 5250 Remote Command Execution

From: SecuriTeam (support_at_securiteam.com)
Date: 03/24/05

    To: list@securiteam.com
    Date: 24 Mar 2005 19:20:07 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Terminal 5250 Remote Command Execution


    Nowadays, when working with legacy AS/400 applications, most people use
    Telnet-based terminal emulation programs, for example IBM Client Access. A
    vulnerability in the terminal 5250 support allows it to be used to make the
    user unwillingly execute arbitrary commands.


    All PC-based terminal emulations support a couple of legacy commands called
    STRPCO (Start PC Organizer) and STRPCCMD (Start PC command).

    The STRPCO and STRPCCMD commands can be scripted inside AS/400

    These commands accept a string as an input parameter and attempt to
    execute this string as a command on the connected PC.

    When the attempt succeeds, the command is executed under the identity of
    the PC user.

    As a result, a malicious AS/400 application can effectively execute an
    arbitrary set of commands on a connected PC.

    This problem affects all AS/400 terminal emulations.

    Moreover, the IBM supplied terminal emulation is often installed as part
    of the Client Access AS/400 connectivity suite, which by default installs
    a service that provides an rexec daemon on the affected PC. This rexec
    daemon can be activated via the previously mentioned STRPCCMD in a
    promiscuous mode that does not require authentication, rendering the PC
    completely open to remote command execution.

    For full details and sample code, please read the following PDF file:
    http://www.venera.com/downloads/Attack_5250_terminal_emulations_from_iSeries_server.pdf


    The information has been provided by Shalom <mailto:shalom@venera.com>.
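
An added audit example (not part of the advisory or the referenced PDF): a Python script that scans exported CL source for STRPCO and STRPCCMD calls and reports whether the PC command string is a fixed literal or a variable built at run time. The sample source, the function names, and the handling of only the PCCMD parameter and `+` line continuation are assumptions of this example.

```python
import re

COMMENT = re.compile(r"/\*.*?\*/", re.S)
CALL = re.compile(r"\b(STRPCCMD|STRPCO)\b(.*)", re.I | re.S)
# First quoted literal or &variable, in keyword form PCCMD(...) or positional.
ARG = re.compile(r"(?:PCCMD\s*\(\s*)?('(?:[^']|'')*'|&\w+)", re.I)

# Constructed sample CL source for the example, not taken from the advisory.
SAMPLE_CL = """PGM PARM(&INPUT)
  DCL VAR(&CMD) TYPE(*CHAR) LEN(100)
  /* STRPCCMD inside a comment is ignored */
  STRPCO PCTA(*NO)
  STRPCCMD PCCMD('notepad.exe +
             report.txt') PAUSE(*NO)
  CHGVAR VAR(&CMD) VALUE(&INPUT)
  strpccmd pccmd(&CMD) pause(*no)
ENDPGM
"""

def logical_statements(source):
    """Yield (first_line_no, text): comments dropped, '+' continuations joined."""
    # Replace comments with their newlines so reported line numbers stay correct.
    source = COMMENT.sub(lambda m: "\n" * m.group().count("\n"), source)
    start, buf = None, ""
    for no, line in enumerate(source.splitlines(), 1):
        text = line.rstrip()
        if start is None:
            start = no
        else:
            text = text.lstrip()  # leading blanks of a continued record are ignored
        if text.endswith("+"):
            buf += text[:-1]      # keep blanks before '+', drop the '+' itself
            continue
        yield start, buf + text
        start, buf = None, ""
    if start is not None:
        yield start, buf          # source ended in the middle of a continuation

def audit(source):
    """Return (line, command, kind, value) for every STRPCO/STRPCCMD call."""
    findings = []
    for no, stmt in logical_statements(source):
        call = CALL.search(stmt)
        if not call:
            continue
        name, rest = call.group(1).upper(), call.group(2)
        arg = ARG.search(rest) if name == "STRPCCMD" else None
        if arg is None:
            findings.append((no, name, "no-arg", ""))
        elif arg.group(1).startswith("&"):
            findings.append((no, name, "variable", arg.group(1).upper()))
        else:
            findings.append((no, name, "literal", arg.group(1)[1:-1].replace("''", "'")))
    return findings
```

A "variable" finding means the PC command is assembled at run time, so the CL program's inputs have to be traced before the call can be judged safe.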


