Bugtraq: Backdoors in AS/400 emulations allow the server to attack connected PC workstations

["Shalom Carmel" <shalom () venera com>]

Backdoors in AS/400 emulations allow the server to attack connected PC
workstations



Summary:

Nowadays, when working with legacy AS/400 applications, most people use
Telnet based terminal emulation programs, for example IBM Client Access.

The issue found is using these emulations in an unplanned manner with
surprising results.


Overview:

All PC based terminal emulation support a couple of legacy commands
called STRPCO (Start PC Organizer) and STRPCCMD (Start PC command).

The STRPCO and STRPCCMD commands can be scripted inside AS/400 applications.

These commands accept as an input parameter a string, and attempt to execute
this string
as a command on the connected PC.

When the attempt succeeds, the command is executed under the identity of the
PC user.

As a result, a malicious AS/400 application can effectively execute an
arbitrary set of
commands on a connected PC.

This problem affects all AS/400 terminal emulations.

Moreover, the IBM supplied terminal emulation is often installed as part of
the Client Access AS/400 connectivity suite, which by default installs a
service that provides
an rexec daemon on the affected PC. This rexec daemon can be activated via
the previously
mentioned STRPCCMD in a promiscous mode that does not require
authentication,
rendering the PC completely open to remote command execution.


For full details and sample code please read the following PDF file

http://www.venera.com/downloads/Attack_5250_terminal_emulations_from_iSeries_server.pdf

Shalom Carmel