Ethical Hackers Discuss Penetration Work On IBM i
September 16, 2024 Alex Woodie
The IBM i server is heralded as a secure platform, but in reality, it is susceptible to a range of attacks, including common ones and others that are unique to the platform. To help push the security ball forward and encourage secure IBM i configurations, researchers from Silent Signal recently discussed their latest work during a European ethical hacking conference.
In just a few years working on IBM i, Bálint Varga-Perke and Zoltan Panczel, the co-founders of the Hungarian company Silent Signal, have identified a handful of security vulnerabilities on the platform, including a moderate security flaw in DDN in July 2023 and more serious flaws in Facsimile Support for i and Performance Tools the same month.
As they continued their penetration testing work, the researchers continued to find vulnerabilities in IBM i, including flaws in software as well as ways to exploit common misconfigurations on IBM i. To demonstrate their work, Varga-Perke and Panczel presented a session called “IBM i for Wintel Hackers” during TROOPERS, a security conference that took place in Heidelberg, Germany, at the end of June.
“Since this is a security conference, we won’t really go into the deep details of how the system works and how it can be operated,” Varga-Perke said at the beginning of the nearly hour-long presentation, which is posted on YouTube. “Instead, we will try to give you a crash course basically on the attack surfaces that we exploited, so you will be able to apply your existing hacking skills to IBM i. We will cover a lot of bugs, a lot of demos, and a lot of new material so fasten your seat belts.”
Clearly, users with special authorities like ALLOBJ and QSECOF have elevated privileges on IBM i, and therefore should be used sparingly. But as security surveys often show, these special authorities are much more prevalent than they should be. Profile swapping is another potential source of trouble on IBM i, according to Varga-Perke.
Library lists are also a source of potential abuse on IBM i. “Libraries may seem innocuous, but they are key elements of multiple vulnerability classes,” he said.
For a Windows hacker, library lists on IBM i work similarly to path definitions on Windows, Varga-Perke said. An attacker targeting Windows with the right level of access could insert DLLs or EXEs into a Windows path, thereby gaining horizontal or vertical privilege escalation, he said.
“And this is very similar to what’s happening on IBM i,” he said. “This is why IBM explicitly discourages the so-called unqualified library calls when we try to call a program like this. Because, as the manual shows, the user may end up working with an unexpected malicious object in the end.”
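The library-list analogy above is easiest to audit from the database side. The query below is an added example, not part of the talk or of Silent Signal’s tooling; it lists the libraries on the current job’s library list where *PUBLIC holds *ALL or *CHANGE authority on the library object, which is the condition that lets any user place an object that an unqualified call could resolve to. It assumes the Db2 for i services QSYS2.LIBRARY_LIST_INFO and QSYS2.OBJECT_PRIVILEGES with the column names shown; library objects are *LIB objects stored in QSYS.

```sql
-- Added example (not from the article or the presentation).
-- Which libraries on this job's library list can *PUBLIC write into?
-- Assumes QSYS2.LIBRARY_LIST_INFO (ORDINAL_POSITION, SCHEMA_NAME,
-- SYSTEM_SCHEMA_NAME, TYPE) and QSYS2.OBJECT_PRIVILEGES
-- (OBJECT_SCHEMA, OBJECT_NAME, OBJECT_TYPE, AUTHORIZATION_NAME, OBJECT_AUTHORITY).
SELECT ll.ORDINAL_POSITION,
       ll.SCHEMA_NAME,
       ll.TYPE                AS LIST_PART,        -- SYSTEM, PRODUCT, CURRENT or USER
       op.OBJECT_AUTHORITY    AS PUBLIC_AUTHORITY
  FROM QSYS2.LIBRARY_LIST_INFO ll
  JOIN QSYS2.OBJECT_PRIVILEGES op
    ON op.OBJECT_SCHEMA = 'QSYS'                   -- *LIB objects live in QSYS
   AND op.OBJECT_NAME   = ll.SYSTEM_SCHEMA_NAME
   AND op.OBJECT_TYPE   = '*LIB'
 WHERE op.AUTHORIZATION_NAME = '*PUBLIC'
   AND op.OBJECT_AUTHORITY IN ('*ALL', '*CHANGE') -- enough to create objects in the library
 ORDER BY ll.ORDINAL_POSITION;
```

Run it from the job whose library list you want to assess (the view reflects the current job). A library that appears here ahead of the one holding the genuine program is the case IBM’s manual warns about. Two caveats: OBJECT_AUTHORITY of USER DEFINED can also include the add and execute rights needed to create objects, so review those rows by hand, and authority granted through an authorization list on the library is not captured by this filter.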
The key for an attacker is to find vulnerable programs on IBM i that can be used for privilege escalation, he said. Luckily, the database makes it easy to harvest “low-hanging fruit” by filtering program objects that can be executed by anyone and run with owner privileges, he said.
Varga-Perke shared with the audience the tools he uses to find vulnerable programs using unqualified library calls. “These basic tools are surprisingly effective in discovering potential vulnerabilities in PGM and SRVPGM objects,” he said.
Varga-Perke and his colleague Panczel have used this approach to find lots of vulnerabilities on IBM i over the past few years.
“So one thing to know about this library list issue is that we’ve already discovered like literally hundreds of these,” Varga-Perke said. “So this is not an exception. It seems to be the rule. IBM is cleaning up the place right now, as you can see in their advisories. But yeah, it’s a really rich attack surface. And as you can see, it’s like basic logic bugs. You can find it if you have access to such a system really easily using basically strings.”
Another way to elevate privileges on IBM i is through command injection, he said. While it’s not common to use local privilege escalation on other systems, on IBM i “it really works,” Varga-Perke said. “So it’s almost getting boring, right? Like, there are so many venues for attack locally,” he said.
Silent Signal has used its tools and techniques to find vulnerabilities “at each layer of the software stack, from the Web scripts to the translated SQL programs,” Varga-Perke said. “The important thing to highlight here is that the integrated nature of the system really blurs the lines between the database component and the operating system component.”
For instance, Varga-Perke used his database query techniques to “find some nice bugs,” including another SQL injection flaw. However, the flaw would have limited the injection attack to two characters, “which is like kind of impossible to exploit,” he said.
To show how easy it is to find flaws in IBM i, the Silent Signal researchers conducted a live demo of a vulnerability search during the TROOPERS session. Lo and behold, it turned up another flaw.
“It’s not every day that you see a fuzzer finding a bug on stage,” Panczel said, “but this is live actually, so yeah.”
Silent Signal employs ethical hackers, so they report flaws to IBM when they find them. IBM presumably fixes them when they’re found and pushes out fixes as emergency PTFs. IBM has credited Silent Signal for several flaws, but one gets the sense that more are coming, perhaps many more.
The researchers shared several techniques that could help to prevent penetration of IBM i systems by hackers. To harden the configuration, Varga-Perke recommended things like limiting profile swapping. Discovering which programs have adopted authority and reducing that number could also help to shrink the attack surface available to hackers.
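The recommendation to discover which programs adopt authority, and the earlier point that the database makes such programs easy to filter, both come down to the same inventory. The query below is an added example, not code from the article or from Silent Signal; it lists programs and service programs that run with their owner’s authority and that *PUBLIC is not excluded from running, sorted by owner so that the profiles with the most exposure stand out. It assumes the Db2 for i services QSYS2.PROGRAM_INFO (with USER_PROFILE, USE_ADOPTED_AUTHORITY, PROGRAM_OWNER, OBJECT_TYPE) and QSYS2.OBJECT_PRIVILEGES with the column names shown.

```sql
-- Added example (not from the article or the presentation).
-- Inventory of adopted-authority programs that *PUBLIC may run.
-- Assumes QSYS2.PROGRAM_INFO and QSYS2.OBJECT_PRIVILEGES as described in the lead-in.
SELECT pi.PROGRAM_LIBRARY,
       pi.PROGRAM_NAME,
       pi.OBJECT_TYPE,                                 -- *PGM or *SRVPGM
       pi.PROGRAM_OWNER,                               -- the profile whose authority is adopted
       pi.USE_ADOPTED_AUTHORITY,                       -- also passes adopted authority up the stack
       op.OBJECT_AUTHORITY AS PUBLIC_AUTHORITY
  FROM QSYS2.PROGRAM_INFO pi
  JOIN QSYS2.OBJECT_PRIVILEGES op
    ON op.OBJECT_SCHEMA = pi.PROGRAM_LIBRARY
   AND op.OBJECT_NAME   = pi.PROGRAM_NAME
   AND op.OBJECT_TYPE   = pi.OBJECT_TYPE
 WHERE pi.USER_PROFILE = '*OWNER'                      -- program adopts its owner's authority
   AND pi.PROGRAM_LIBRARY NOT LIKE 'Q%'                -- start with non-IBM libraries; widen later
   AND op.AUTHORIZATION_NAME = '*PUBLIC'
   AND op.OBJECT_AUTHORITY <> '*EXCLUDE'               -- anyone on the system can call it
 ORDER BY pi.PROGRAM_OWNER, pi.PROGRAM_LIBRARY, pi.PROGRAM_NAME;
```

PROGRAM_INFO walks every program object it is asked about, so keep the library filter narrow on a first run and widen it once the result set is manageable. Rows owned by powerful profiles are the ones to review first: each is a candidate for changing USRPRF to *USER, restricting *PUBLIC to *EXCLUDE, or at least checking that the program qualifies every call it makes. As with the library-list check, authority granted through an authorization list will not show up under the *PUBLIC row and needs a separate pass.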
Getting the operations team and the security team on the same page would also help to identify the areas of concern on IBM i and then take action to remediate the problem, he said.
“The IBM administrators and the security team don’t really talk to each other,” he said. “For example, the IBM i might be connected into a log management system but the blue team, the SOC, doesn’t really know how to interpret the log messages at all, because the system is just so different.”
Having exit programs in place is a definite plus, Varga-Perke said, particularly as they present “custom defenses that the attackers cannot prepare for.” IBM i shops could also get more information about how hackers are targeting IBM i by implementing honey pots, or canaries, that attract hackers and then track their movements.
“We would love to see such deceptive technologies being deployed on IBM and catching actual bad guys, because my working theory personally is that the attackers are already on these systems,” he said. “We just don’t have the telemetry to tell where they are or whether they are on this system or this system.”
The most important thing is to have more integration among IBM i and IT communities, and better communication across them, Varga-Perke said.
“These bridges, I think, are the only way to make sure that this . . . great platform can operate securely in the decades to come,” he said.
You can watch the researchers’ presentation at www.youtube.com/watch?v=t4fUvfzgUbY.