RT @mikeee_walker: The #IBMChampion program is a fantastic program for those who go that extra mile and advocate and share the love for IBM…

IBMChampion Retweets (@IBMCRTWT) retweeted:

The #IBMChampion program is a fantastic program for those who go that extra mile and advocate and share the love for IBM products. Interested in joining? twitter.com/IBMChampions/s…

– Mike Walker (@mikeee_walker)14:04 – Sep 28, 2022Quoted Tweet:

#IBMChampion nominations are open – is there someone who always answers your questions in the #IBMCommunity? Maybe someone whose sessions you always attend at #SHARE or #IDUG or #GSE? Nominate them by 11 November. ibm.co/3fsJ99x pic.twitter.com/YMvm3OeMp9

– IBM Champions (@IBMChampions)06:44 – Sep 28, 2022

Another Tale of IBM i (AS/400) Hacking – Silent Signal Techblog

Our next journey takes us into the infrastructure of a bank. One element of the infrastructure was an IBM i (AS/400) server, and the only piece of information we got to conduct the penetration test was its IP address. We had been collecting a list of common application and service users during previous pentests, so we could check their existence on this host using 5250 and POP3 protocols. By the way, the server exposed 63 remote services – are all of them really necessary? Our first step may seem ridiculous, but it works most of the time in IBM i Land: “does the username equal the password?”. We had discovered one account with Hydra, let’s call it AKELA. The user’s initial menu was *SIGNOFF, meaning that in theory, the only action the user could perform after login was to log out. Setting initial program or menu on the signon screen was not possible because of limitations we will discuss later.

The previous blog post described the ATTN key technique to get command line, which worked in this case too, because setting the initial menu to *SIGNOFF doesn’t really perform a logout, just displays a screen with no functionality to use, but ATTN still works as usual. A minor change had to be made to the previously described procedure: we had to select the menu number 2 (“Work with jobs”) as getting a command line with F9 was not allowed, because of the restrictions on the user profile we will discuss shortly:

Menu displayed on ATTN

The next screen shows that the upcoming “Work with user jobs” display allows providing additional parameters to selected options. For example, if we wanted to end a job immediately, we could type OPTION(*IMMED) as a parameter after typing 4 next to the target job. Conveniently, the same input allows issuing arbitrary commands too. At this point we had command line access, but immediately realized the user is “limited” and we could not run CL commands with 5250:

Restricted command execution

The above error is a typical symptom of the Limited capabilities (LMTCPB) setting being enabled in the current user profile. According to the documentation, with Limited capabilities, only programs with the parameter “Allow Limited User” set to *YES can be executed. This configuration is common in IBM i environments: users who work with 5250 are set up with a single predefined application and can use only the menu-based functions of this application. This restriction is the reason initial program or menu couldn’t be specified, and F9 did not provide a command line.

Setting the user profile “to limited” is the recommended way to restrict users from using the command line, so this must be secure, right? WRONG. The limited user profile setting only applies to some protocols, like 5250 and FTP:

Limited users can’t execute commands over FTP

This is when the high number of exposed ports came handy. IBM i exposes the Remote Command API over port 8475 to allow programmatic access (not requiring terminal emulation) to system commands from regular PCs over the network. We can use this protocol to run CL commands to overcome the limitations of the 5250. A drawback of this protocol is that the API implementation only informs you of the success/fail result, but you can’t access the command output. We wanted interactive command execution, and taking the VPN connection we used to access the system into account (no connect back allowed by the firewall), we decided to use a bind shell. Every IBM i has Java installed that we can use to create a simple app to attach a shell to port 4444.

Bind shell on PASE

This shell provides access to the UNIX subsystem of IBM i called PASE. At this point we have at least two options to inspect the security of the system in more detail: first, the “system” shell command can be used to run CL commands from PASE:

CL command execution from PASE

The second option, the SQL interface allows accessing system configuration in bulk, and with complex filtering, ideal for hunting for misconfigurations. The usual “db2” shell command can be used to execute arbitrary SQL queries. The database service (port 8471) that can be used to run arbitrary SQL queries was protected by an exit program, therefore we used this technique. The following SQL query could be used to enumerate the system users with *ALLOBJ special authorities:

Accessing the IBM i database from PASE and listing privileged user profiles

We can also check, whether we can *USE other profiles – the following screenshot summarizes the result:

Accessing the IBM i database from PASE and listing user profiles that can be impersonated

If there is a match between the two SQL results we win. In our case, the current AKELA user was able to switch to an *ALLOBJ profile that we shall call ROB. Due to the customer request, we had to demonstrate that we had unlimited access to the system, without adding new users to the system. We decided to modify the Limited capabilities profile setting of our AKELA profile from *YES to *NO, took a screenshot for the report and switched back. We used our IBM i pentest tool to perform the profile switching described in the previous blog post:

Executing privileged commands

This worked as expected, we reached our goal:

Modified user profile as evidence of high privileges

Summary

The restrictions bypassed in this blog post are mostly part of “menu security”. This concept is based on the old assumption that restrictions on the presentation layer (the menu-based UI displayed on a 5250 terminal) is sufficient for access control. This may have been true for some time, but as functionality grew, and network services came into play, the significance of this control diminished. Of course, IBM recognized this too, but the relevant documentation is either vague, or just casually mentions the known gaps of security controls that are commonly used as primary defenses.

We also saw another example of misconfigured user profiles that can be exploited for privilege escalation through profile swapping. It’s worth noting that this system was operated by a different team than the one discussed in our previous post, demonstrating the prevalence of such configurations.

We must work hard to get these problems that are carried over from legacy environments out of the way, so we can see what IBM i really has to offer when it comes to security.

Pen Tester Silent Signal Targets IBM i

If you’re in the market for penetration testing services, you might be interested in hearing about a relatively new player in the market named Silent Signal. The Budapest, Hungary-based outfit has been offering IBM i penetration testing for the past year, and it’s already found security vulnerabilities in its clients’ systems.

Silent Signal has been providing penetration testing, IT security assessments, and training since it was founded by a trio of security experts in 2009. With around a dozen security certifications to their credits, the security experts are well versed in the standard methods companies use to block hackers and

The post Pen Tester Silent Signal Targets IBM i appeared first on IT Jungle.

Verified by MonsterInsights