Tn5250 protocol

6/23/2023

Recognizing that these systems are here to stay, and that information critical to understanding their security architecture is scarce and sometimes inaccurate, we decided to create our own IBM i lab, which allowed us to familiarize ourselves with these systems, create new methodologies and tools to assess their security, and even identify previously unknown vulnerabilities in them. This blog post is the first step in publishing our findings to the security community, where I would like to share a walkthrough of the penetration testing result of an IBM i system.

For the penetration test the Client provided network access to the machine in the internal network and one low-level user account with special authority *NONE and the limit capabilities value set to *PARTIAL. The presented techniques stem from misconfigurations common on this platform – this post only covers one privilege escalation path, but the comprehensive configuration audit of the same system uncovered several local and even remote vulnerabilities.

The user had an initial program configured after logging in on TLS-wrapped TN5250, so direct CL command execution was not possible. Native programs of IBM i are commonly accessed remotely over a telnet-like protocol called TN5250. However, instead of providing raw shell access, TN5250 usually displays menu-based user interfaces (the “green screen”). While the default menu allows access to the Command Language (CL) prompt (the “shell”), this can be replaced by configuring custom initial programs for users that provide only limited features, such as executing predefined database queries. The first task was trying to break out of the initial program limitation.
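As an added defender-side check, not taken from the original post, the following query against the IBM i SQL service QSYS2.USER_INFO (column names and the *NONE / *ENABLED values are assumed from the IBM i SQL services documentation) lists enabled profiles whose only barrier to a CL command line is an initial program, i.e. limit capabilities is *NO or *PARTIAL but an initial program is set, which is the configuration this post starts from:

```sql
-- Added audit query, not part of the original post.
-- Assumes the IBM i SQL service QSYS2.USER_INFO with the column names below.
-- Returns enabled user profiles where command-line access is restricted only
-- by the initial program, because LMTCPB is *NO or *PARTIAL rather than *YES.
SELECT AUTHORIZATION_NAME,
       USER_CLASS_NAME,
       LIMIT_CAPABILITIES,
       INITIAL_PROGRAM_LIBRARY_NAME,
       INITIAL_PROGRAM_NAME,
       INITIAL_MENU_NAME,
       SPECIAL_AUTHORITIES
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
   AND LIMIT_CAPABILITIES IN ('*NO', '*PARTIAL')
   AND INITIAL_PROGRAM_NAME <> '*NONE'
 ORDER BY LIMIT_CAPABILITIES, AUTHORIZATION_NAME;
```

Profiles returned here deserve review, since *PARTIAL still allows commands to be entered from a command line if the user ever reaches one; LMTCPB(*YES) is the setting that blocks that.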