The AS/400 is considered one of the most secure platforms; however, many shops fail to consider the risk from users accessing the platform through desktop applications rather than green-screen applications. Here we will demonstrate how simply AS/400 security can be compromised using standard desktop tools, by presenting a few scenarios.
To begin with, a hacker wishes to gain access to the system of a fictitious company called ABC in order to read and change sensitive data.
The scenario for Company ABC
Company ABC runs a green-screen-based enterprise resource planning (ERP) system on the AS/400, with iSeries Access PC5250 as the emulation client. The company has established the following policy for ERP security:
- The ERP users are all members of the group ERP. The group ERP has *ALL authority to all files in the application.
- Users not in group ERP have read-only access to the tables.
- All users of the ERP are required to change their password periodically, and the password policy prevents default or trivial passwords.
- All users of the ERP system are configured without command-line access (the LMTCPB parameter in the user profile is set to *YES).
- Auditing in the system is active. All authority failures are logged to the QAUDJRN. Access to highly sensitive files is also audited.
- Inactive users are disabled after 90 days of inactivity.
- Only the required TCP/IP servers are active: Telnet, sign-on, FTP and database are open for application reasons.
For automatic login to the sign-on server, the company uses the user profile QUSER with password QUSER. QUSER is defined with LMTCPB set to *YES and no initial program or menu.
The hacker's mission
Perform the following while leaving as little trace as possible:
- Log in to ABC's system.
- Retrieve customer list with credit card information.
- Damage financial data.
The hacker will use the QUSER user profile. QUSER's default password is QUSER, and although QUSER is not allowed to use the green screen, it can be used for other access methods to the system.
The hacker will use the well-known iSeries Access, which is installed in ABC's offices to provide 5250 emulation.
Phase 1: Find the name of the production library
The hacker's first task is to find the exact location of sensitive data in the system. The most convenient way is to look at what other people are doing, so the hacker will log in to iSeries Navigator (part of iSeries Access, which is installed to provide 5250 emulation).
In Navigator, the hacker chooses the option to display active jobs and looks at the open files of the interactive jobs (Open Files).
Conclusion: Navigator is not restricted for users with limited capabilities. In our scenario, let's assume we found that company ABC's main ERP library is called SAMPLE.
Phase 2: Get list of sensitive tables
The hacker is now looking for tables related to credit cards, and the easiest way is to query the database metadata:
The hacker gets a result. The suspected file is in the library they are interested in, so the next step is to get the card numbers.
This step proved that database metadata can be queried without a menu or command line.
Phase 3: The hacker gets the list of credit card numbers
From Navigator we can generate the list of credit cards.
Since QUSER is not part of the ERP group, it cannot alter data, but it can read data, and the list of credit cards is exposed.
The audit journal will tell the system administrator that someone looked into the credit card file, but this someone is QUSER, a generic user.
Phase 4: Find users that can be used to damage data
QUSER is not allowed to update data in library SAMPLE, so the hacker needs access with a different user. The easiest approach is to find a user profile that QUSER is allowed to use. The hacker will try to produce a list of the user profiles QUSER is allowed to display; this is done by displaying the user profiles to an outfile and then querying the outfile:
This shows that it is possible to send commands to the server and query their results.
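As an added example that is not part of the original article, the following is detection logic a defender could run over exported QAUDJRN entries so that the QUSER reads in Phase 3 and the remote-command activity in Phase 4 are surfaced rather than dismissed as a generic user's noise. The record layout is a simplified stand-in for DSPJRN output; the ZR and CA entry types and the QZDASOINIT and QZRCSRVS host-server job names are IBM i names, while CUSTCARD, GLTRANS, CLERK1, the QTEMP/USRPRF object and the sample records are constructed for the scenario.

```python
from dataclasses import dataclass

# Generic/shared service profiles that should never touch business data.
GENERIC_PROFILES = {"QUSER"}
# IBM i host-server job prefixes: database (ODBC) server and remote-command server,
# the access paths that bypass the 5250 menu and LMTCPB(*YES).
SERVER_JOB_PREFIXES = ("QZDASOINIT", "QZRCSRVS")
# Sensitive files as (library, file); CUSTCARD is a constructed name for the scenario.
SENSITIVE_FILES = {("SAMPLE", "CUSTCARD")}

@dataclass(frozen=True)
class AuditRecord:
    """Simplified, constructed stand-in for a QAUDJRN entry exported with DSPJRN."""
    entry_type: str  # "ZR" = read of object, "CA" = authority failure
    user: str
    job_name: str
    library: str
    obj: str

def classify(rec):
    """Return the reasons this record deserves attention (empty list = benign)."""
    reasons = []
    generic = rec.user in GENERIC_PROFILES
    if rec.entry_type == "ZR" and (rec.library, rec.obj) in SENSITIVE_FILES:
        if generic:
            reasons.append("sensitive file read by generic profile")
        if rec.job_name.startswith(SERVER_JOB_PREFIXES):
            reasons.append("sensitive file read over host server, not 5250")
    if rec.entry_type == "CA" and generic:
        reasons.append("authority failure by generic profile")
    if generic and rec.job_name.startswith("QZRCSRVS"):
        reasons.append("generic profile used remote command server")
    return reasons

def find_alerts(records):
    """Keep only records with at least one reason, with the reasons attached."""
    return [(r.user, r.job_name, r.library, r.obj, classify(r))
            for r in records if classify(r)]

# Constructed sample: a clerk's normal 5250 session, then the QUSER activity from the article.
SAMPLE = [
    AuditRecord("ZR", "CLERK1", "QPADEV0001", "SAMPLE", "CUSTCARD"),
    AuditRecord("ZR", "QUSER", "QZDASOINIT", "SAMPLE", "CUSTCARD"),
    AuditRecord("CA", "QUSER", "QZDASOINIT", "SAMPLE", "GLTRANS"),
    AuditRecord("ZR", "QUSER", "QZRCSRVS", "QTEMP", "USRPRF"),
]
```

Any alert on a generic profile is worth escalating precisely because the profile is shared: the audit entry names QUSER, not the person behind the client.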
Phase 5: Damage the system
Since QUSER has authority to an ERP user profile, it is now easy, for example, to clear library SAMPLE. We did not include this last step in the article because we believed it would not be wise to include detailed instructions; however, company ABC can now suffer severe damage.
Security infrastructure is insufficient
Company ABC has a security policy in place; however, its security infrastructure is no longer sufficient. For example:
- It is possible to query the database remotely.
- It is possible to send command strings to be executed on the server.
- It is possible to see important configuration data and quickly find the "important stuff."
- It is easy to hide behind a well-known generic user.
The company needs to re-evaluate the security measures it uses. A security tool to monitor and control remote access to the system should be procured. Penetration tests should be performed to check the AS/400 security controls against known network attacks and intrusions. These security tests should be designed to test the security countermeasures in use in the AS/400 environment by carrying out penetration attacks from the customer's network, with the following goals:
- Gaining access to the machine
- Gaining access to sensitive databases
- Testing the ability to change business information especially financial data of the customer application
- Attempting to gain control of the computer by identifying the system manager's password, or by creating a user profile with the authorities of the system manager.
The AS/400 computer is considered to be one of the most secure systems in the world. However, changes in the IT infrastructure make AS/400 resources more available to network users, and the vulnerability of the computer increases accordingly. So watch out!
ABOUT THE AUTHOR: Shahar Mor is president of Barmor Information Systems, a consulting firm in Israel which employs over 20 people working on projects for the AS/400 in the network environment. He has also written a Redbook for IBM on iSeries e-commerce, and he is the Search400.com site expert for connectivity issues on the iSeries.