
[NEWS] Terminal 5250 Remote Command Execution

Subject: [NEWS] Terminal 5250 Remote Command Execution
Date: 24 Mar 2005 19:20:07 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Terminal 5250 Remote Command Execution
------------------------------------------------------------------------


SUMMARY

Nowadays, when working with legacy AS/400 applications, most people use 
Telnet-based terminal emulation programs, for example IBM Client Access. A 
vulnerability in the 5250 terminal support allows an AS/400 application to 
cause the user to unwillingly execute arbitrary commands.

DETAILS

All PC-based terminal emulations support a couple of legacy commands called 
STRPCO (Start PC Organizer) and STRPCCMD (Start PC Command).

The STRPCO and STRPCCMD commands can be scripted inside AS/400 
applications.

These commands accept a string as an input parameter and attempt to 
execute this string as a command on the connected PC.

When the attempt succeeds, the command is executed under the identity of 
the PC user.

As a result, a malicious AS/400 application can effectively execute an 
arbitrary set of commands on a connected PC.

This problem affects all AS/400 terminal emulations.

Moreover, the IBM supplied terminal emulation is often installed as part 
of the Client Access AS/400 connectivity suite, which by default installs 
a service that provides an rexec daemon on the affected PC. This rexec 
daemon can be activated via the previously mentioned STRPCCMD in a 
promiscuous mode that does not require authentication, rendering the PC 
completely open to remote command execution.

For full details and sample code, please read the following PDF file:
http://www.venera.com/downloads/Attack_5250_terminal_emulations_from_iSeries_server.pdf


ADDITIONAL INFORMATION

The information has been provided by Shalom Carmel <shalom@venera.com>.
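
A defender's audit of CL source for the two commands described in DETAILS, as an added example that is not part of the advisory: it reports every STRPCO and STRPCCMD call and whether the PCCMD argument is a fixed literal or built at run time. The sample program, the function name `audit` and the labels "organizer", "literal" and "dynamic" are constructed for illustration; only the keyword form PCCMD(...) is parsed, and any other form is reported as dynamic for manual review.

```python
import re

# Constructed sample CL source (not from the advisory); a trailing '+' continues a line.
SAMPLE_CL = """\
PGM
  DCL VAR(&CMD) TYPE(*CHAR) LEN(123)
  STRPCO PCTA(*NO)
  STRPCCMD PCCMD('notepad.exe') PAUSE(*NO)
  STRPCCMD PCCMD(&CMD) +
           PAUSE(*NO)
  /* STRPCCMD PCCMD('commented out') */
ENDPGM
"""

COMMENT = re.compile(r"/\*.*?\*/", re.S)
CONT = re.compile(r"[+-][ \t]*\n\s*")  # CL continuation at end of line
CALL = re.compile(r"\b(STRPCO|STRPCCMD)\b((?:[^\n]*[+-][ \t]*\n)*[^\n]*)", re.I)
QUOTED = r"'(?:[^']|'')*'"
PCCMD = re.compile(r"PCCMD\(\s*(" + QUOTED + r"|[^)]*)\)", re.I)

def audit(source):
    """Return (line, command, kind, argument) for each PC-command call found."""
    # Blank out comments but keep newlines so reported line numbers stay correct.
    source = COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)
    findings = []
    for m in CALL.finditer(source):
        no = source.count("\n", 0, m.start()) + 1
        cmd = m.group(1).upper()
        rest = CONT.sub(" ", m.group(2)).strip()
        if cmd == "STRPCO":
            findings.append((no, cmd, "organizer", ""))
            continue
        arg = PCCMD.search(rest)
        value = arg.group(1).strip() if arg else rest
        # A single quoted literal is fixed in the source; anything else needs review.
        kind = "literal" if re.fullmatch(QUOTED, value) else "dynamic"
        findings.append((no, cmd, kind, value))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CL), sep="\n")
```
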


