Insecure Shells:
You are going to see how SSH deployment on IBM i may cause unexpected, major security risks
Hackingiseries.com
Shalom Carmel is a security expert and the author of the Hacking iSeries book. He can be contacted at shalom@hackingiseries.com
This presentation is sponsored by Raz-Lee Security, a leading security solution provider for IBM i.
SSH functionality
- sftp, scp: secure file transfer
- ssh: secure shell (like Telnet)
- Available on IBM i since 5.3
SSH is good
However
SSH deployment on IBM i may cause
- System configuration
- Application Security
- Exit program security
- System Object security
Too often not implemented well.
5250 policies irrelevant to SSH:
- Session timeout
- Limit QSECOFR access
- Limit virtual devices
Password policies
No application security
Use the db2 utility to access or modify data
$ qsh -c 'db2 "select * from NWDB.products"' > products.txt
User profiles
psftp> cd /qsys.lib
Remote directory is now /qsys.lib
psftp> ls *.USRPRF
Listing directory /qsys.lib
?rwx------ 1 qsecofr 0  217088 Mar 13  2011 KOKO.USRPRF
?rwx------ 1 qsecofr 0  548864 Mar 13  2011 MARYLIN.USRPRF
?rwx---r-x 1 vndprof 0  389120 Oct 17 14:23 MENNY.USRPRF
?rwx------ 1 qsys    0 8466432 Oct 17 16:08 QDBSHR.USRPRF
?rwx------ 1 qsys    0 2699264 Oct 17 14:56 QDBSHRDO.USRPRF
?rwx------ 1 qsys    0  110592 Mar 13  2011 QTMPLPD.USRPRF
?rwx------ 1 qsecofr 0 1150976 Mar 13  2011 RON.USRPRF
?rwx------ 1 qsecofr 0  221184 Mar 13  2011 ROSY.USRPRF
?rwx------ 1 qsecofr 0  241664 Oct 17 15:45 SHALOM.USRPRF
?rwx------ 1 qsecofr 0  258048 Mar 13  2011 TAMMI.USRPRF
?rwx------ 1 qsecofr 0 2719744 Mar 13  2011 TOBIAS.USRPRF
psftp>
Listing of *.LIB objects in /qsys.lib (permission and owner columns not recovered):
Mar 13  2011 AAETEST2.LIB
Mar 13  2011 ABCDATAD.LIB
Mar 13  2011 ABCDATAP.LIB
Dec 17 14:56 ABCDATAQA.LIB
Dec 17 16:08 ABCPGMD.LIB
Mar 13  2011 ABCPGMP.LIB
Dec 17 14:23 ABCPGMQA.LIB
Mar 13  2011 ADTSLAB.LIB
Mar 13  2011 APBENNY.LIB
Oct 17 15:45 APSHPY.LIB
Mar 13  2011 AU117FR.LIB
- System configuration
- Application Security
- Exit program security
- System Object security
A shell is "a piece of software that provides an interface for users of an operating system which provides access to the services of a kernel." (Wikipedia)
The 5250 command line (System main menu):
  60. More user task options
  90. Sign off
  Selection or command
  ===>
  F3=Exit  F4=Prompt  F9=Retrieve  F12=Cancel  F13=Information Assistant  F16=System Main menu
  (C) COPYRIGHT IBM CORP. 1980, 2007.
But so is this
The QSH command
  QSH Command Entry
  Hello SHALOM
  $
  ===>
  F3=Exit  F6=Print  F9=Retrieve  F12=Disconnect  F13=Clear  F17=Top  F18=Bottom  F21=CL command entry
And this
PASE AIX emulation: CALL QP2TERM
  /QOpenSys/usr/bin/-sh
  Hello SHALOM
  #
  ===>
  F3=Exit  F6=Print  F9=Retrieve  F11=Truncate/Wrap  F13=Clear  F17=Top  F18=Bottom  F21=CL command entry
Shell mix up
- The AS400 command line is the primary shell
- We're good at limiting it, managing access and setting up defaults
- Very little thought is given to proper setup of the other shells
- Either a user with *ALLOBJ authority
- Or a user who owns their home directory
*ALLOBJ considerations
If the perpetrator has *ALLOBJ authority, there are still good reasons for him to be able to masquerade as someone else.
A perpetrator with *ALLOBJ can set up another user without the elaborate preparations detailed in this presentation.
- Removes all public authority from the home directory, the .ssh directory and authorized_keys
- Sets ownership of the home directory to self
Step 4: Wait
As previously stated, this only works with users who run interactive, non-5250 shell sessions. Typically, these are the power IT users
If you have *ALLOBJ authority, you can set up all the necessary files and permissions yourself
Or find another creative way to force a user to run some code. Read my book for ideas!
Mitigation: Prevention
- Manage a white list of allowed users and IP addresses in the sshd configuration file
- Improve the native object security
- Jail (chroot) your ssh users (good luck with it)
- Create a secure home directory for all relevant users
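What a "secure home directory" looks like when checked, as an added example that is not part of the original presentation: the audit below verifies that a profile's home directory, its .ssh subdirectory and authorized_keys are owned by the expected uid and carry no group or public authority (the same conditions sshd's StrictModes enforces before trusting authorized_keys), and that every key in authorized_keys matches a key the administrator approved. The APPROVED_KEYS set, the key blobs and the misconfigured demo home built in a temporary directory are all constructed for this example; nothing here is IBM-supplied or from the author's book.

```python
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path

# Constructed approved-key registry (not real keys). Entries are matched on the
# base64 key blob, never on the trailing comment, because whoever appended the
# line also chose its comment.
APPROVED_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEAPPROVEDBLOB000000000000000000000000"}


def _path_findings(path: Path, expected_uid: int, label: str) -> list[str]:
    """Ownership and group/public authority problems for one path."""
    try:
        st = path.lstat()
    except FileNotFoundError:
        return [f"{label}: missing ({path})"]
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{label}: is a symbolic link")
    if st.st_uid != expected_uid:
        findings.append(f"{label}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{label}: group/public authority present ({stat.filemode(st.st_mode)})")
    return findings


def audit_home(home: str, expected_uid: int) -> list[str]:
    """Check home, home/.ssh and home/.ssh/authorized_keys for one profile."""
    home_path = Path(home)
    findings = _path_findings(home_path, expected_uid, "home")
    ssh_dir = home_path / ".ssh"
    if ssh_dir.exists():
        findings += _path_findings(ssh_dir, expected_uid, ".ssh")
        keys = ssh_dir / "authorized_keys"
        if keys.exists():
            findings += _path_findings(keys, expected_uid, "authorized_keys")
    return findings


def unapproved_keys(authorized_keys: str, approved: set[str]) -> list[str]:
    """Return the authorized_keys entries whose key blob is not in the approved set."""
    out = []
    for raw in Path(authorized_keys).read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Leading options (from=, command=, ...) may precede the key type, so
        # locate the type field and take the blob that follows it. Options whose
        # quoted value contains spaces are not handled by this simple split.
        blob, comment = None, ""
        for i, field in enumerate(fields):
            if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
                blob = fields[i + 1]
                comment = " ".join(fields[i + 2:])
                break
        if blob is None:
            out.append(f"unparseable entry: {line[:40]}")
        elif blob not in approved:
            out.append(f"unapproved key {blob} (comment: {comment})")
    return out


def build_demo_home(root: str) -> str:
    """Construct a deliberately misconfigured home directory for the demo."""
    home = Path(root) / "shalom"
    home.mkdir()
    os.chmod(home, 0o755)  # public authority left on the home directory
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir()
    os.chmod(ssh_dir, 0o700)
    keys = ssh_dir / "authorized_keys"
    keys.write_text(
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEAPPROVEDBLOB000000000000000000000000 shalom@workstation\n"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEPLANTEDBLOB0000000000000000000000000 shalom@workstation\n"
    )
    os.chmod(keys, 0o644)  # readable by *PUBLIC
    return str(home)


def demo() -> tuple[list[str], list[str]]:
    """Run both checks against the constructed home and return their findings."""
    with tempfile.TemporaryDirectory() as root:
        home = build_demo_home(root)
        findings = audit_home(home, os.getuid())
        bad_keys = unapproved_keys(os.path.join(home, ".ssh", "authorized_keys"), APPROVED_KEYS)
    return findings, bad_keys


if __name__ == "__main__":
    findings, bad_keys = demo()
    for item in findings + bad_keys:
        print(item)
```

On a real system the expected uid comes from the profile's entry (pwd.getpwnam on PASE) and APPROVED_KEYS from whatever register the administrator keeps; the second key line in the demo carries the same comment as the first precisely to show why the comment is not evidence of anything.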
Mitigation: Audit
- Have a syslog daemon running and log ssh authentication
- Audit the /QOpenSys/etc/profile and /etc/profile files
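Reviewing the ssh authentication records that a syslog daemon collects, as an added example that is not part of the original presentation: the script parses standard OpenSSH "Accepted"/"Failed" lines, flags accepted logins by profiles or from addresses outside a whitelist (the rule set that AllowUsers or a Match Address block in the sshd configuration file should already enforce), flags privileged profiles such as QSECOFR logging in over ssh at all, and counts failed attempts per source. The log lines, WHITELIST, PRIVILEGED and FAILURE_THRESHOLD are constructed for this example, and the parser assumes the IBM i sshd writes the usual OpenSSH message format.

```python
from __future__ import annotations

import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines in standard OpenSSH sshd format (not from a real system).
SAMPLE_LOG = """\
Oct 17 14:23:01 ibmi sshd[1201]: Accepted publickey for shalom from 10.1.2.3 port 51234 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Oct 17 14:25:44 ibmi sshd[1210]: Accepted password for qsecofr from 198.51.100.7 port 4444 ssh2
Oct 17 14:26:02 ibmi sshd[1215]: Failed password for invalid user admin from 203.0.113.5 port 2222 ssh2
Oct 17 14:26:05 ibmi sshd[1215]: Failed password for invalid user admin from 203.0.113.5 port 2223 ssh2
Oct 17 14:30:10 ibmi sshd[1220]: Accepted publickey for menny from 10.9.9.9 port 40000 ssh2: RSA SHA256:EXAMPLEFINGERPRINT2
"""

# Hypothetical whitelist of profile -> allowed source networks, mirroring what
# the sshd configuration should enforce. Profiles not listed may not use ssh.
WHITELIST = {
    "shalom": ["10.1.2.0/24"],
    "menny": ["10.1.2.0/24"],
}
# Profiles whose interactive use over ssh is always worth an alert.
PRIVILEGED = {"qsecofr"}
# Constructed threshold for repeated failures from one source.
FAILURE_THRESHOLD = 2

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_events(log_text: str) -> list[dict]:
    """Extract authentication outcomes from sshd syslog lines."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append({
                "result": m["result"],
                "method": m["method"],
                "user": m["user"].lower(),      # IBM i profile names are case-insensitive
                "invalid": bool(m["invalid"]),
                "ip": m["ip"],
            })
    return events


def allowed(user: str, ip: str, whitelist: dict) -> bool:
    """True only if the profile is listed and the source falls inside one of its networks."""
    nets = whitelist.get(user)
    if not nets:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def review(log_text: str, whitelist: dict = WHITELIST, privileged: set = PRIVILEGED) -> list[str]:
    """Return alert strings for logins that the 5250-era controls never saw."""
    alerts = []
    failures = Counter()
    for ev in parse_auth_events(log_text):
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            continue
        if ev["user"] in privileged:
            alerts.append(f"privileged profile {ev['user']} logged in over ssh from {ev['ip']}")
        if not allowed(ev["user"], ev["ip"], whitelist):
            alerts.append(f"{ev['user']} accepted ({ev['method']}) from {ev['ip']} outside whitelist")
    for ip, count in failures.items():
        if count >= FAILURE_THRESHOLD:
            alerts.append(f"{count} failed logins from {ip}")
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

The same whitelist is what the sshd configuration should express directly: AllowUsers takes user@host patterns, and a Match Address block can apply stricter settings to everything arriving from outside the administrative networks. The review script is the check that the configuration is actually doing what the list says.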