[Security400] In other news...

["Hall, Philip" <phall@xxxxxxxx>]

Spotted this floating around on a security list;
(If you ignore the fact that you can only really infect yourself, by choosing 
to run the example CLP programs, then it's a nice piece of FUD...)

--phil



Backdoors in AS/400 emulations allow the server to attack connected PC 
workstations



Summary:

Nowadays, when working with legacy AS/400 applications, most people use Telnet 
based terminal emulation programs, for example IBM Client Access.

The issue found is using these emulations in an unplanned manner with 
surprising results.


Overview:

All PC based terminal emulation support a couple of legacy commands called 
STRPCO (Start PC Organizer) and STRPCCMD (Start PC command).

The STRPCO and STRPCCMD commands can be scripted inside AS/400 applications.

These commands accept as an input parameter a string, and attempt to execute 
this string as a command on the connected PC.

When the attempt succeeds, the command is executed under the identity of the PC 
user.

As a result, a malicious AS/400 application can effectively execute an 
arbitrary set of commands on a connected PC.

This problem affects all AS/400 terminal emulations.

Moreover, the IBM supplied terminal emulation is often installed as part of the 
Client Access AS/400 connectivity suite, which by default installs a service 
that provides an rexec daemon on the affected PC. This rexec daemon can be 
activated via the previously mentioned STRPCCMD in a promiscous mode that does 
not require authentication, rendering the PC completely open to remote command 
execution.


For full details and sample code please read the following PDF file

http://www.venera.com/downloads/Attack_5250_terminal_emulations_from_iSeries_server.pdf

Shalom Carmel