From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 17 Apr 2005 19:37:28 +0200
Subject: [UNIX] AS/400 Users Enumeration via POP3
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050417171133.4A794574D@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
AS/400 Users Enumeration via POP3
------------------------------------------------------------------------
SUMMARY
The POP3 service installed on all modern AS/400 servers, which is turned
on by default even in those cases where email serving was not setup,
allows remote attackers to enumerate local users of the AS/400 machine.
DETAILS
Vulnerable Systems:
* AS/400 version 4.5 and prior
Note: Previous versions display an uninteresting generic message "-ERR
Logon attempt invalid".
To access a POP3 server, you must authenticate and provide a user and a
password. Unfortunately, the POP3 users represent real AS/400 user
profiles, POP3 will authenticate any valid user profile, and the service
provides too much information during authentication.
Let's select a random list of names and passwords, connect to POP3 with a
telnet client of your choice, and try to authenticate. Here is what a POP3
session with an AS/400 server looks like:
+OK POP3 server ready
USER bogus
+OK POP3 server ready
PASS xyz
-ERR Logon attempt invalid CPF2204
USER qsysopr
+OK POP3 server ready
PASS xyz
-ERR Logon attempt invalid CPF22E2
USER jdavid
+OK POP3 server ready
PASS xyz
-ERR Logon attempt invalid CPF22E3
USER rbenny
+OK POP3 server ready
PASS xyz
-ERR Logon attempt invalid CPF22E4
USER qspl
+OK POP3 server ready
PASS xyz
-ERR Logon attempt invalid CPF22E5
USER SCARMEL
+OK POP3 server ready
PASS myrealpwd
+OK start sending message
quit
The error messages can interpreted as:
bogus Error CPF2204 User profile not found
qsysopr Error CPF22E2 Good user, password not correct for user profile
jdavid Error CPF22E3 Good user, bur user profile is disabled
rbenny Error CPF22E4 Good user, but password for user profile has expired
qspl Error CPF22E5 Good user, but no password associated with user profile
scarmel OK Good password, good user
The POP3 gateway provides us with yet another way to verify the existence
and validity of AS/400 user profiles and passwords. In contrast with
Telnet, this method will not disable the terminal device because there is
no device. This behavior is similar to that of FTP, which also does not
disable the client after unsuccessful login attempts. However, the amount
of information disclosed by the server is significantly higher than that
of FTP. An automated tool can easily create a list of valid user profiles
and of their current status on the server, providing a vector for a social
engineering attack. Another factor that is relevant to the POP3 technique
is the lack of exit programs associated with the service. Most other
services that demand user authentication can be associated with a
user-defined exit program that runs whenever the protocol is used.
Unsuccessful log in attempts are logged only in the security audit
journal, and only if it is turned on. This lack! of control makes POP3
the easier anonymous way to enumerate and list the user profiles.
Countermeasures:
The POP3 service is very rarely used on iSeries servers, and therefore
should be stopped and disabled from starting. The unsuccessful attempts
are logged only in the security audit log, if the audit log is turned on.
ADDITIONAL INFORMATION
The information has been provided by <mailto:shalom@venera.com. > Shalom
Carmel.
The original article can be found at:
<http://www.venera.com/downloads/Enumeration_of_AS400_users_via_pop3.pdf>;
http://www.venera.com/downloads/Enumeration_of_AS400_users_via_pop3.pdf
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
