[NEWS] Terminal 5250 Remote Command Execution
From: SecuriTeam (support_at_securiteam.com)
Date: 03/24/05
To: list@securiteam.com
Date: 24 Mar 2005 19:20:07 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Terminal 5250 Remote Command Execution
------------------------------------------------------------------------
SUMMARY
Most people who work with legacy AS/400 applications today use
Telnet-based terminal emulation programs, for example IBM Client Access. A
vulnerability in the 5250 terminal support allows it to be used to make
the user unwillingly execute arbitrary commands.
DETAILS
All PC-based terminal emulators support a pair of legacy commands called
STRPCO (Start PC Organizer) and STRPCCMD (Start PC Command).
The STRPCO and STRPCCMD commands can be scripted inside AS/400
applications.
These commands accept a string as an input parameter and attempt to
execute this string as a command on the connected PC.
When the attempt succeeds, the command is executed under the identity of
the PC user.
As a result, a malicious AS/400 application can effectively execute an
arbitrary set of commands on a connected PC.
This problem affects all AS/400 terminal emulations.
Moreover, the IBM supplied terminal emulation is often installed as part
of the Client Access AS/400 connectivity suite, which by default installs
a service that provides an rexec daemon on the affected PC. This rexec
daemon can be activated via the previously mentioned STRPCCMD in a
promiscuous mode that does not require authentication, rendering the PC
completely open to remote command execution.
For full details and sample code please read the following PDF file:
http://www.venera.com/downloads/Attack_5250_terminal_emulations_from_iSeries_server.pdf
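An audit sketch for the point above, added here and not part of the original advisory or its PDF: because STRPCCMD takes its command string from the AS/400 application, a reviewer can list every STRPCO/STRPCCMD call in CL source and separate fixed literals from values decided at run time. The sample CL member and the function names are constructed for illustration; PCCMD and PAUSE are the STRPCCMD keywords assumed in the sample.

```python
import re

# Constructed CL source for illustration; not taken from the advisory or its PDF.
SAMPLE_CL = """\
PGM
  DCL VAR(&CMD) TYPE(*CHAR) LEN(123)
  /* start the PC organizer session */
  STRPCO
  STRPCCMD PCCMD('notepad.exe report.txt') +
           PAUSE(*NO)
  CHGVAR VAR(&CMD) VALUE(&USERINPUT)
  STRPCCMD PCCMD(&CMD) PAUSE(*YES)
ENDPGM
"""
CMD_RE = re.compile(r"\b(STRPCO|STRPCCMD)\b", re.IGNORECASE)
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
LITERAL = r"'(?:[^']|'')*'"  # quoted CL string; '' is an embedded quote
ARG_RE = re.compile(r"PCCMD\s*\(\s*(" + LITERAL + r"|[^)]*?)\s*\)", re.IGNORECASE)

def logical_statements(source):
    """Yield (first_line_no, text), joining '+'/'-' continuation lines."""
    # Blank out comments but keep their newlines so line numbers stay correct.
    text = COMMENT_RE.sub(lambda m: "\n" * m.group().count("\n"), source)
    buf, start = "", None
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        start = no if start is None else start
        if line.endswith(("+", "-")):
            buf += line[:-1].rstrip() + " "
            continue
        if (buf + line).strip():
            yield start, (buf + line).strip()
        buf, start = "", None

def audit(source):
    """Return (line, command, argument, kind) for each PC-command call found."""
    findings = []
    for line_no, stmt in logical_statements(source):
        m = CMD_RE.search(stmt)
        if not m:
            continue
        cmd = m.group(1).upper()
        arg_m = ARG_RE.search(stmt) if cmd == "STRPCCMD" else None
        arg = arg_m.group(1) if arg_m else None
        if cmd == "STRPCO":
            kind = "session-start"
        elif arg and re.fullmatch(LITERAL, arg):
            kind = "literal"
        else:  # variable, expression or unparsed form: needs manual review
            kind = "dynamic"
        findings.append((line_no, cmd, arg, kind))
    return findings
```

The scan matches on the command name anywhere in a statement, so a mention inside a message string is also reported; for an audit, over-reporting is the safer direction.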
ADDITIONAL INFORMATION
The information has been provided by Shalom Carmel
<mailto:shalom@venera.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.