Another Story of IBM i (AS/400) Hacking – Silent Signal Techblog

Our next journey takes us into the infrastructure of a financial institution. One element of that infrastructure was an IBM i (AS/400) server, and the only piece of information we got to conduct the penetration test was its IP address. We had been collecting a list of common application and service users during previous pentests, so we could check their existence on this host using the 5250 and POP3 protocols. By the way, the server exposed 63 remote services – are all of them really necessary? Our first step may seem ridiculous, but it works most of the time in IBM i Land: "does the username equal the password?". We discovered one such account with Hydra, let's call it AKELA. The user's initial menu was *SIGNOFF, meaning that in theory the only action the user could perform after login was to sign off. Overriding the initial program or menu on the sign-on screen was not possible because of limitations we will discuss later.
The previous blog post described the ATTN key technique to get a command line, which worked in this case too: setting the initial menu to *SIGNOFF doesn't actually perform a logout, it just displays a screen with no functions to use, but the ATTN key still works as usual. A minor change had to be made to the previously described procedure: we had to choose menu option 2 ("Work with jobs"), as getting a command line with F9 was not allowed because of the restrictions on the user profile we will discuss shortly:
The next screen shows that the upcoming "Work with user jobs" display allows additional parameters to be supplied to the chosen option. For example, if we wanted to end a job immediately, we could type OPTION(*IMMED) as a parameter after typing 4 next to the target job. Conveniently, the same input field allows issuing arbitrary commands too. At this point we had command line access, but immediately realized that the user is "limited" and we couldn't run CL commands over 5250:
The above error is a typical symptom of the Limited capabilities (LMTCPB) setting being enabled in the current user profile. According to the documentation, a user with limited capabilities can only run commands whose Allow limited user (ALWLMTUSR) attribute is set to *YES. This configuration is common in IBM i environments: users who work with 5250 are set up with a single predefined application and can use only the menu-based functions of that application. This restriction is the reason the initial program or menu couldn't be overridden at sign-on, and F9 didn't provide a command line.
Setting the user profile "to limited" is the recommended way to keep users away from the command line, so this must be secure, right? WRONG. The limited capabilities setting is only enforced by some protocols, like 5250 and FTP:
This is when the high number of exposed ports came in handy. IBM i exposes the Remote Command host server on port 8475 to allow programmatic access (not requiring terminal emulation) to system commands from ordinary PCs over the network. We can use this protocol to run CL commands and overcome the limitations of 5250. A drawback of this protocol is that the API implementation only informs you of the success or failure of the command, but you can't access the command output. We wanted interactive command execution, and taking the VPN connection we used to access the system into consideration (no connect-back allowed by the firewall), we decided to use a bind shell. Every IBM i has Java installed, which we can use to create a simple app that attaches a shell to port 4444.
This shell provides access to the UNIX subsystem of IBM i called PASE. At this point we have at least two options to examine the security of the system in more detail: first, the "system" shell command can be used to run CL commands from PASE:

The second option, the SQL interface, allows accessing system configuration in bulk and with complex filtering, ideal for hunting for misconfigurations. The usual "db2" shell command can be used to execute arbitrary SQL statements. The database host server (port 8471), which could otherwise be used to run arbitrary SQL queries over the network, was protected by an exit program, which is why we used this route instead. The following SQL query could be used to enumerate the system users with the *ALLOBJ special authority:
We can also check whether we can *USE other profiles – the following screenshot summarizes the result:
If there's a match between the two SQL results, we win. In our case, the current AKELA user was able to switch to an *ALLOBJ profile that we will call ROB. At the customer's request, we had to demonstrate that we had unlimited access to the system without adding new users to it. We decided to change the Limited capabilities setting of our AKELA profile from *YES to *NO, take a screenshot for the report and switch it back. We used our IBM i pentest tool to perform the profile switch described in the previous blog post:
This worked as expected, we reached our goal:
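The two checks referred to above, written out against the Db2 for i catalog and combined into the single query that yields their overlap, as an added example that is not from the original post. It assumes the QSYS2.USER_INFO and QSYS2.OBJECT_PRIVILEGES catalog views with the column names used below (these vary slightly between releases and should be verified against the target), that the profile we hold is AKELA, and that the statements are pasted into the PASE "db2" shell one at a time.

```sql
-- Added example, not from the original post. Assumed: QSYS2.USER_INFO and
-- QSYS2.OBJECT_PRIVILEGES exist with these columns; AKELA is the profile we hold.

-- 1. Enabled profiles holding *ALLOBJ. SPECIAL_AUTHORITIES is a blank-padded
--    list of authorities, so it has to be matched with LIKE, not equality.
--    Disabled profiles are skipped: a swap to them fails anyway.
SELECT AUTHORIZATION_NAME, USER_CLASS_NAME, GROUP_PROFILE_NAME
  FROM QSYS2.USER_INFO
 WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
   AND STATUS = '*ENABLED';

-- 2. *USRPRF objects AKELA can *USE. Authority may be granted to AKELA
--    directly, to its group profile, or to *PUBLIC; the CTE collects all
--    three. *USE (that is, *OBJOPR + *READ + *EXECUTE) on the target profile
--    object is what a profile swap without a password requires. Supplemental
--    groups (SUPPLEMENTAL_GROUP_LIST) and authorization lists are not expanded
--    here; add them if the catalog shows any in use.
WITH me (NAME) AS (
  SELECT 'AKELA' FROM SYSIBM.SYSDUMMY1
  UNION ALL SELECT '*PUBLIC' FROM SYSIBM.SYSDUMMY1
  UNION ALL SELECT GROUP_PROFILE_NAME FROM QSYS2.USER_INFO
            WHERE AUTHORIZATION_NAME = 'AKELA' AND GROUP_PROFILE_NAME <> '*NONE'
)
SELECT p.OBJECT_NAME AS TARGET_PROFILE, p.AUTHORIZATION_NAME AS GRANTED_TO,
       p.OBJECT_AUTHORITY
  FROM QSYS2.OBJECT_PRIVILEGES p
  JOIN me ON me.NAME = p.AUTHORIZATION_NAME
 WHERE p.OBJECT_TYPE = '*USRPRF'
   AND (p.OBJECT_AUTHORITY IN ('*USE', '*CHANGE', '*ALL')
        OR (p.OBJECT_AUTHORITY = 'USER DEFINED'
            AND p.OBJECT_OPERATIONAL = 'YES'
            AND p.DATA_READ = 'YES' AND p.DATA_EXECUTE = 'YES'));

-- 3. The intersection of 1 and 2: *ALLOBJ profiles we are allowed to swap to.
--    Every row returned is a privilege escalation path from AKELA.
WITH me (NAME) AS (
  SELECT 'AKELA' FROM SYSIBM.SYSDUMMY1
  UNION ALL SELECT '*PUBLIC' FROM SYSIBM.SYSDUMMY1
  UNION ALL SELECT GROUP_PROFILE_NAME FROM QSYS2.USER_INFO
            WHERE AUTHORIZATION_NAME = 'AKELA' AND GROUP_PROFILE_NAME <> '*NONE'
)
SELECT u.AUTHORIZATION_NAME AS TARGET_PROFILE, p.AUTHORIZATION_NAME AS GRANTED_TO,
       p.OBJECT_AUTHORITY, u.SPECIAL_AUTHORITIES
  FROM QSYS2.USER_INFO u
  JOIN QSYS2.OBJECT_PRIVILEGES p
    ON p.OBJECT_TYPE = '*USRPRF' AND p.OBJECT_NAME = u.AUTHORIZATION_NAME
  JOIN me ON me.NAME = p.AUTHORIZATION_NAME
 WHERE u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
   AND u.STATUS = '*ENABLED'
   AND (p.OBJECT_AUTHORITY IN ('*USE', '*CHANGE', '*ALL')
        OR (p.OBJECT_AUTHORITY = 'USER DEFINED'
            AND p.OBJECT_OPERATIONAL = 'YES'
            AND p.DATA_READ = 'YES' AND p.DATA_EXECUTE = 'YES'))
 ORDER BY u.AUTHORIZATION_NAME;
```

Query 3 is the one to keep in a toolkit; queries 1 and 2 are shown separately because they are also useful on their own (the first lists the high-value targets, the second shows every profile the current user could impersonate, *ALLOBJ or not). The same "granted to *PUBLIC" rows are the usual root cause: a *USRPRF object created with *PUBLIC *USE, which is what a defender should search for and fix.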
Summary
The restrictions bypassed in this blog post are mostly part of "menu security". This concept is based on the old assumption that restrictions at the presentation layer (the menu-based UI displayed on a 5250 terminal) are sufficient for access control. This may have been true for some time, but as functionality grew and network services came into play, the significance of this control diminished. Of course, IBM recognized this too, but the relevant documentation is either vague or just casually mentions the known gaps in security controls that are commonly used as primary defenses.
We also saw another example of misconfigured user profiles that can be exploited for privilege escalation through profile swapping. It's worth noting that this system was operated by a different team than the one discussed in our previous post, demonstrating the prevalence of such configurations.
We must work hard to get these problems, carried over from legacy environments, out of the way, so we can see what IBM i really has to offer regarding security.
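An audit for the two gaps this summary describes (users whose only control is menu security, and host servers whose command paths are not covered by an exit program), as an added example that is not from the original post. It assumes the QSYS2.USER_INFO, QSYS2.NETSTAT_INFO and QSYS2.EXIT_PROGRAM_INFO catalog views with the column names used below, which should be verified against the target's release; the exit point names are the documented ones for the remote command, database and FTP servers, and the port list is the standard host server assignment.

```sql
-- Added example, not from the original post. Assumed catalog views/columns:
-- QSYS2.USER_INFO, QSYS2.NETSTAT_INFO, QSYS2.EXIT_PROGRAM_INFO.

-- 1. Users protected by menu security only: limited capabilities plus a fixed
--    initial menu or program. If any server below is reachable and unguarded,
--    each of these users has a command line after all.
SELECT AUTHORIZATION_NAME, LIMIT_CAPABILITIES,
       INITIAL_MENU_NAME, INITIAL_PROGRAM_NAME
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
   AND LIMIT_CAPABILITIES IN ('*YES', '*PARTIAL')
 ORDER BY AUTHORIZATION_NAME;

-- 2. Host servers actually listening: 8470-8476 plain and 9470-9476 TLS
--    (8475 is the remote command server, 8471 the database server), plus
--    telnet, FTP, DRDA and the port mapper.
SELECT LOCAL_PORT, LOCAL_PORT_NAME, LOCAL_ADDRESS
  FROM QSYS2.NETSTAT_INFO
 WHERE TCP_STATE = 'LISTEN'
   AND (LOCAL_PORT IN (21, 23, 446, 449, 992)
        OR LOCAL_PORT BETWEEN 8470 AND 8476
        OR LOCAL_PORT BETWEEN 9470 AND 9476)
 ORDER BY LOCAL_PORT;

-- 3. Exit points that can re-impose command restrictions on those servers
--    but have no exit program registered. An empty result means every listed
--    exit point has at least one program; each row is an unguarded path.
WITH wanted (EXIT_POINT_NAME, SERVER) AS (
  SELECT 'QIBM_QZRC_RMT',        'remote command / program call (8475)' FROM SYSIBM.SYSDUMMY1
  UNION ALL
  SELECT 'QIBM_QZDA_INIT',       'database server connect (8471)'       FROM SYSIBM.SYSDUMMY1
  UNION ALL
  SELECT 'QIBM_QZDA_SQL1',       'database server SQL requests (8471)'  FROM SYSIBM.SYSDUMMY1
  UNION ALL
  SELECT 'QIBM_QZDA_SQL2',       'database server SQL requests (8471)'  FROM SYSIBM.SYSDUMMY1
  UNION ALL
  SELECT 'QIBM_QTMF_SERVER_REQ', 'FTP server requests (21)'             FROM SYSIBM.SYSDUMMY1
)
SELECT w.EXIT_POINT_NAME, w.SERVER
  FROM wanted w
  LEFT JOIN QSYS2.EXIT_PROGRAM_INFO e
         ON e.EXIT_POINT_NAME = w.EXIT_POINT_NAME
 WHERE e.EXIT_PROGRAM IS NULL
 ORDER BY w.EXIT_POINT_NAME;
```

Query 3 only tells you that a program is registered, not what it does: an exit program that logs and allows, or that only checks the user's IP, leaves the path open, so the registered programs from the non-empty rows still need to be reviewed. The case in this post is exactly query 3 returning QIBM_QZRC_RMT while the QIBM_QZDA_* points were covered.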