Backdoors in AS/400 emulations allow the server to attack connected PC workstations

Summary:
Nowadays, when working with legacy AS/400 applications, most people use Telnet-based terminal emulation programs, for example IBM Client Access. The issue found is that these emulations can be used in an unplanned manner, with surprising results.

Overview:
All PC-based terminal emulations support a couple of legacy commands called STRPCO (Start PC Organizer) and STRPCCMD (Start PC Command). The STRPCO and STRPCCMD commands can be scripted inside AS/400 applications. These commands accept a string as an input parameter and attempt to execute this string as a command on the connected PC. When the attempt succeeds, the command is executed under the identity of the PC user.

As a result, a malicious AS/400 application can effectively execute an arbitrary set of commands on a connected PC. This problem affects all AS/400 terminal emulations.

Moreover, the IBM-supplied terminal emulation is often installed as part of the Client Access AS/400 connectivity suite, which by default installs a service that provides a rexec daemon on the affected PC. This rexec daemon can be activated via the previously mentioned STRPCCMD in a promiscuous mode that does not require authentication, rendering the PC completely open to remote command execution.

For full details and sample code, please read the following PDF file:
http://www.venera.com/downloads/Attack_5250_terminal_emulations_from_iSeries_server.pdf

Shalom Carmel
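
Added example, not part of the original advisory or the linked PDF: one way for a defender to inventory where exported CL source invokes STRPCO and STRPCCMD, and whether the string sent to the PC is a fixed literal or a variable filled in at run time. The sample source, function names and finding labels are assumptions, and the parser handles only `/* */` comments and simple `+`/`-` line continuations.

```python
import re

# Constructed CL source for illustration; not taken from the advisory.
SAMPLE_CL = """\
PGM
  /* STRPCCMD inside a comment is ignored */
  STRPCO PCTA(*NO)
  STRPCCMD PCCMD('notepad.exe') PAUSE(*NO)
  STRPCCMD PCCMD(&CMD) +
           PAUSE(*NO)
ENDPGM
"""

COMMENT = re.compile(r"/\*.*?\*/", re.S)
COMMAND = re.compile(r"\b(STRPCCMD|STRPCO)\b(.*)", re.I)
PCCMD = re.compile(r"PCCMD\(\s*('(?:[^']|'')*'|&\w+)", re.I)

def logical_statements(source):
    """Yield (first_line_no, statement); comments blanked, continuations joined."""
    text = COMMENT.sub(lambda m: "\n" * m.group().count("\n"), source)
    start, parts = None, []
    for no, line in enumerate(text.splitlines(), 1):
        body = line.strip()
        start = no if start is None else start
        continued = body.endswith(("+", "-"))
        parts.append(body[:-1].strip() if continued else body)
        if not continued:
            yield start, " ".join(p for p in parts if p)
            start, parts = None, []
    if parts:  # source ended in the middle of a continued statement
        yield start, " ".join(p for p in parts if p)

def audit_cl_source(source):
    """Return (line, command, kind, value) for each PC-command invocation."""
    findings = []
    for no, stmt in logical_statements(source):
        hit = COMMAND.search(stmt)
        if not hit:
            continue
        name, arg = hit.group(1).upper(), PCCMD.search(hit.group(2))
        kind, value = "unparsed", None
        if name == "STRPCO":
            kind = "organizer-start"
        elif arg and arg.group(1).startswith("&"):
            kind, value = "runtime-variable", arg.group(1)  # built at run time
        elif arg:
            kind, value = "literal", arg.group(1)[1:-1].replace("''", "'")
        findings.append((no, name, kind, value))
    return findings
```

Findings of kind `runtime-variable` are the ones to review first, because the command string is assembled by the program rather than visible in the source.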