[OWASP-TESTING] Hacking AS400, anybody done this?

Victor Chapela victor at sm4rt.com
Tue May 17 12:29:46 EDT 2005


Hi Eoin,

We have hacked AS-400 repeatedly for several of our clients. It is mainly
through configuration errors though, there is little vulnerabilities besides
that. I have never tried to do SQL Injection into an AS/400 DB2 but
theoretically that should work. Here are a few links that may prove useful:

- http://www.venera.com/downloads.htm
- http://www.securityfocus.com/archive/1/241592/2005-01-16/2005-01-22/1
- http://www.securityfocus.com/bid/4059/discussion/
- http://www.itjungle.com/tfh/tfh111102-story04.html


Also keep in mind that most web vulnerabilities (cross site scripting,
session management, sql injection, etc.) are completely OS independent and
should work regardless of the underlying server.

There is no guide for configuration errors, but keep in mind that ftp is one
of their main holes; you can execute commands using QUOTE and access most of
the files in a normal configuration (in addition to easy sniffing or brute
forcing of the password). The other big problem we normally find is all
object privileges for "unprivileged" users. There are a few ways of getting
execution or privilege escalation but they would require a deep knowledge of
OS/400. We can discuss further if you have a specific questions. I hope this
helps.

Greetings,
Victor

> -----Original Message-----
> From: owasp-testing-admin at lists.sourceforge.net 
> [mailto:owasp-testing-admin at lists.sourceforge.net] On Behalf 
> Of Eoin Keary
> Sent: Tuesday, May 17, 2005 9:39 AM
> To: owasp-testing at lists.sourceforge.net
> Subject: [OWASP-TESTING] Hacking AS400, anybody done this?
> 
> Good Day, Ladies and Gents,
> Has anvbody ever Hacked an AS400 box?
> I have done a code review on a Web-enabled AS400 box and see 
> some fields are not data validated.
> 
> The box vested interests say "you can't hack an AS400 man"!! 
> Yeah right, they have thrown down the gauntlet so I must 
> respond with furious wrath and use myt Jedi skills to prove 
> them wrong.
> .... Enough if the gibberish (too much coffee).
> 
> ,anyways Anybody any experience in this area, 
> help/advice/tips would be appreciated.
> 
> best regards,
> Eoin.
> 
> _________________________________________________________________
> Upgrade to Messenger 7.0 - more fun features, still totally FREE! 
> http://messenger.msn.co.uk
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by Oracle Space Sweepstakes 
> Want to be the first software developer in space?
> Enter now for the Oracle Space Sweepstakes!
> http://ads.osdn.com/?ad_id=7412&alloc_id=16344&op=click
> _______________________________________________
> owasp-testing mailing list
> owasp-testing at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/owasp-testing
> 





More information about the Owasp-testing mailing list