Hacking AS/400
by Mantis King
The AS/400 is widely used in Argentina (South America). I do not know if they are used very much in the USA, but I hope this information will be useful to many 2600 readers all over the world.
OS/400 Release 1
This information is applicable to all the releases of the OS/400 operating systems. If there are changes, they are explained in each release's detailed description below.
AS/400 has a PC interface called PC Support/400. There is other third-party software supporting the interface. The PC Support/400 software allows file transfer, emulating a work station, print serving, file serving, messaging, and other user support.
I understand you will try to hack the system from other systems far away. If your remote jobs are not accepted, it may be that the machine has the job action parameter QRMTSIGN set to *REJECT (pass-through sessions are not allowed to start on the remote system). Other values of QRMTSIGN may be:
*FRCSIGNON: All pass-through sessions must go through the normal sign-on procedure. If your profile names are different, the pass-through will fail.
*SAMEPRF: Sign-on bypassing is only allowed for users whose user profile name on the remote and target system is the same. If the user profile names are different but a valid password was specified, the sign-on display is shown.
*VERIFY: Sign-on bypassing is allowed for all pass-through requests and no checking of passwords is done if QSECURITY value is 10. Passwords are mandatory for higher levels and are verified before automatic sign-on occurs. If the password is not valid, the pass-through attempt is rejected.
Program Name: The program specified will run at the start and end of every pass-through session. Pass-through programs can be located in QGPL, *LIBL or *CURLIB.
If your remote jobs are not accepted and it is not due to QRMTSIGN, another possibility is that the *PCSACC parameter (which controls personal computer access) is set to *REJECT, which prevents all such access.
If your remote jobs are accepted, there is no restriction on the minimum length of passwords. So you could find passwords like A or AA for example.
This Operating System does not handle password expiry date, password lifetime, and password history features. All these bugs were corrected in Release 2 (more details below).
The system may run at one of several security levels (10, 20 or 30 in this release). You can see the security level with DSPSYSVAL (QSECURITY) and change it with CHGSYSVAL. Although QSECURITY can be changed dynamically, an Initial Program Load (IPL) is needed before the new value takes effect. This release has many weaknesses in controlling the user's terminal.
For example, a user with *ALLOBJ authority can use it from any terminal, and a single user profile can hold several sessions at once (two hackers in the system from different terminals with the same user profile, ha ha).
Dedicated Service Tools
If the Security Administrator has not restricted its use, you could have access to this very important software.
The Dedicated Service Tools (DST) is a utility that allows virtual storage to be modified. DST has a program debug facility which allows users to interfere with the program during execution and obtain control at microcode level to display or modify memory variables. It also allows the installation of the operating system and the modification of Program Temporary Fixes (PTFs) to the systems microcode.
The *SERVICE special authority is required to use DST, but remember that if you are in a system with security Level 10 you will have access to this software.
The default password for the DST utility is QSECOFR. For full use of DST (including changing the DST password) the default password is: 22222222
For basic use (does not allow password change) the default password is: 11111111
If you want to know if you have access to the CHGDSTPWD command, type: DSPOBJAUT OBJ(QSYS/CHGDSTPWD) OBJTYPE(*CMD)
That will list all the authorized users.
IBM Standard Profiles
- QSECOFR: Security Officer
- QSYSOPR: System Operator
- PGMP: Programmer
- QUSER: User
- QSRV: IBM Service User
- SRVBAS: Basic Service User
The last two are used by IBM engineers. All these profiles are supplied by IBM on every AS/400, so you will find them on every machine (if the security officer has not changed them). The default passwords are the same as the user profile name, for example:
Profile name: QSECOFR Password: QSECOFR
You should keep in mind that many system administrators do not change the default passwords. You should try these passwords!
The AS/400 has inherited security features from the System/36. The inherited features are:
- Authorization List Security
- Default/Mandatory Program Menu
- Current Library
- Levels of security (none, password, resource)
(I have written a detailed text about hacking System/36 available on underground BBSes in Buenos Aires, Argentina.)
AS/400 has also inherited some security features from the System/38, but it adds one behaviour that differs from the System/38: if you have READ access at the user profile level and UPDATE at the group profile level, you get only READ access.
If you find the hacked machine has security Level 10, it requires only a user name to sign on. All users can access objects after signing on. The system creates a user profile when a user name does not exist. You will not need to manage object authorities, there is no security active, so the menu and initial program security are not active. It's great, isn't it? IBM sends the machine in this condition (Level 10) to the buyers and some system administrators do not change the default values.
Getting Info About the System
Sometimes the AS/400 may be running as if it were a System/36. To check it you can run: QSPCENV
If you find *NONE the system is operating under an AS/400 environment. If you find System/36 the system is operating under a System/36 environment.
In AS/400 a maximum number of logon attempts can be set. If you perform more attempts than the number established, the system generates an error record in the log file. You should always try to keep your presence in the system unnoticed. So, for example, if you already have a working password and have obtained a more powerful one that you are not sure about, check what the maximum number of logon attempts allowed is. If the maximum is six, you can try the doubtful password five times and no error records will be created in the log file.
The QMAXSIGN value is the maximum number of sign-on attempts allowed to users. The IBM default is 15; *NOMAX means an unlimited number of attempts. To find the maximum number of sign-on attempts, run the command: DSPSYSVAL SYSVAL(QMAXSIGN)
If you want to know all the authorized user and group profiles, use the command: DSPAUTUSR (*GRPPRF)
This will list all group profile names and the user profile names within each group. It will also list, at the end, any user profiles not within a group.
If you want to see a full listing of all user and group profiles run the command: DSPUSRPRF USRPRF(profile name) TYPE(*BASIC)
You can know which users have special authorities, for example:
- *ALLOBJ: System Security Officer
- *SAVSYS: Operators
- *SECADM: Administrator
- *SERVICE: IBM Engineer
- *SPLCTL: Operators
The Initial Program may have different values:
*MAIN: You have access to the command line.
*NONE: No program is called when the user signs on.
Program Name: Specify the name of the program called.
If you log onto a system and you get trapped in the Initial Program you can use the ATTN key to break out. Then using LMTCPB (Limited Capability) parameter you can look for the profiles with the values:
*PARTIAL: The initial program and current library values cannot be changed on the sign-on display. But you can change the menu value and you can run commands from the command line of a menu.
*NONE: You can change the program values in your own user profile with the CHGPRF command.
If you want to list all libraries on the system, run the command: DSPOBJD OBJ(QSYS/*ALL) OBJTYPE(*LIB) DETAIL(*FULL)
If you want to see the contents of any library use: DSPLIB (library name)
If you want to know the object authority for a library use: DSPOBJAUT OBJ(QSYS/library name) OBJTYPE(*LIB)
If you want to know the system and user library lists use: DSPSYSVAL (QSYSLIBL) and DSPSYSVAL (QUSRLIBL)
If you want to know the object authorities of all the security related commands you can use: DSPOBJAUT (QSYS/command name) (*CMD)
Some of the most important commands are:
If you do not find *EXCLUDE in your authority it is great!! You can use all those commands.
Some objects may be protected via authorization lists (as in the old System/36). If you want to know all the authorization lists use: DSPOBJD OBJ(QSYS/*ALL) OBJTYPE(*AUTL)
And if you want to know the users on each authorization list use: DSPAUTL (name of list)
If you want to know the authorities of a specific file or program use: DSPOBJAUT (name of file) (*FILE) for files and DSPOBJAUT (name of program) (*PGM) for programs.
Logs
Sometimes the machines are processing too much information and they are a little bit low on hard disk space. The first thing a System Administrator will do is to disable the logs. If you want to extract the history log records relating to security profile changes (to see if your unauthorized activities were logged), use the DSPLOG command:
- CPC2191: user profile deleted
- CPC2204: user profile created
- CPC2205: user profile changed
OS/400 Release 2
It keeps the security structure levels (10, 20, 30) as in Release 1 but there are other system values related to security. For example:
QAUTOVRT: Controls the automatic creation of virtual device descriptions.
QINACTITV: Controls the interval in minutes that a workstation may be inactive before a message is sent to a message queue or the job at the workstation is automatically ended. Possible values are:
- *NONE: No time-out validation
- 5-300: Specify the interval for time-out (in minutes)
I am sad to say that Release 2 has also introduced measures to control the user's terminal. For example, to prevent users from having multiple sessions with a single user profile, it is possible to restrict users with *ALLOBJ to particular terminals, and it enforces a time-out if the terminal is inactive for an extended period:
QLMTDEVSSN: controls concurrent device session. Possible values are:
- 0: A user can sign on at more than one terminal.
- 1: A user cannot sign on at more than one terminal.
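The system values above (QSECURITY and QRMTSIGN from Release 1, QMAXSIGN, QLMTDEVSSN and QINACTITV from Release 2) are the ones a security officer should review first. The Python script below is an added example written for this page, not code from the article or from IBM: it reads a dump of those values, flags the combinations the article describes as weak, and shows a hardened set beside the out-of-the-box one. The one-value-per-line "NAME VALUE" layout of the dump is an assumption made for the example, not the real DSPSYSVAL output.

```python
# Added example (not from the article): audit the security-related system
# values discussed in the text. The "NAME VALUE" one-per-line layout of the
# dump is an assumption for this example, not the real DSPSYSVAL output.


def parse_sysvals(text):
    """Parse 'NAME VALUE' lines (constructed layout) into a dict."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        values[name] = value.strip()
    return values


def _as_int(value, default):
    try:
        return int(value)
    except ValueError:
        return default


def audit_sysvals(sysvals):
    """Return (name, value, finding) tuples for settings the article shows an
    intruder relying on; an empty list means every check passed."""
    findings = []
    seclvl_raw = sysvals.get("QSECURITY", "10")
    seclvl = _as_int(seclvl_raw, 10)
    if seclvl < 20:
        findings.append(("QSECURITY", seclvl_raw,
                         "level 10: sign-on needs only a user name and unknown "
                         "names get a profile created; use 30 or higher"))

    rmtsign = sysvals.get("QRMTSIGN", "*FRCSIGNON")
    if rmtsign == "*VERIFY" and seclvl < 20:
        findings.append(("QRMTSIGN", rmtsign,
                         "*VERIFY at level 10 bypasses the password check for "
                         "pass-through sign-on"))
    elif rmtsign not in ("*REJECT", "*FRCSIGNON"):
        findings.append(("QRMTSIGN", rmtsign,
                         "pass-through sign-on bypass enabled; prefer "
                         "*FRCSIGNON or *REJECT"))

    maxsign = sysvals.get("QMAXSIGN", "15")
    if maxsign == "*NOMAX":
        findings.append(("QMAXSIGN", maxsign,
                         "unlimited sign-on attempts; password guessing is "
                         "never stopped and never produces the error record"))

    devssn = sysvals.get("QLMTDEVSSN", "0")
    if devssn != "1":
        findings.append(("QLMTDEVSSN", devssn,
                         "one profile may hold sessions on several terminals "
                         "at once; set 1"))

    inact = sysvals.get("QINACTITV", "*NONE")
    if inact == "*NONE":
        findings.append(("QINACTITV", inact,
                         "idle workstations are never timed out; set an "
                         "interval between 5 and 300 minutes"))
    return findings


def audit_dump(text):
    """Convenience wrapper: parse a dump and audit it in one call."""
    return audit_sysvals(parse_sysvals(text))


WEAK_DUMP = """\
# constructed: values an out-of-the-box machine might still carry
QSECURITY 10
QRMTSIGN *VERIFY
QMAXSIGN *NOMAX
QLMTDEVSSN 0
QINACTITV *NONE
"""

HARDENED_DUMP = """\
# constructed: the same machine after the settings are tightened
QSECURITY 30
QRMTSIGN *FRCSIGNON
QMAXSIGN 5
QLMTDEVSSN 1
QINACTITV 30
"""

if __name__ == "__main__":
    for label, dump in (("weak", WEAK_DUMP), ("hardened", HARDENED_DUMP)):
        print(f"{label}:")
        for name, value, why in audit_dump(dump) or [("-", "-", "no findings")]:
            print(f"  {name:<11} {value:<11} {why}")
```

The QRMTSIGN check is deliberately two-sided: *VERIFY is reported as a bypass at level 10 (no password is checked at all, as the article notes) and as a weaker-than-necessary choice at higher levels, where *FRCSIGNON forces the normal sign-on display.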
But the worst of Release 2 is that it has enhanced the password policies. Let's look at them in detail:
QPWDEXPITV: Controls the maximum number of days that a password is valid, that is to say the change frequency. Possible values are:
- *NOMAX: The system allows an unlimited number of days.
- 1-366: A value between 1 and 366 may be specified.
QPWDLMTAJC: Controls whether digits may be adjacent to each other in a new password. Possible values are:
- 0: Adjacent numeric digits are allowed in passwords.
- 1: Adjacent numeric digits are not allowed in passwords.
QPWDLMTCHR: Specifies characters that are not allowed in a new password. Possible values are:
- *NONE: There are no restricted characters.
- [character string]: Up to 10 specific characters may be disallowed.
QPWDLMTREP: Limits repeating characters in a new password. Possible values are:
- 0: Characters can be repeated.
- 1: Characters cannot be repeated more than once.
QPWDMINLEN: Controls the minimum number of characters in a password. Possible values may be from 1 to 10.
QPWDMAXLEN: Controls the maximum number of characters in a password. Possible values may be from 1 to 10.
QPWDPOSDIF: Controls if each position in a new password must be different from the old password.
QPWDRQDDGT: Controls if a new password is required to have a digit. Possible values are:
- 0: Digits are not required in new passwords.
- 1: One or more digits are required in new passwords.
QPWDRQDDIF: Specifies if the password must be different from the 32 previous passwords. Possible values are:
- 0: Can be the same as the previous ones.
- 1: Password must not be the same as the previous 32.
QPWDVLDPGM: Specifies the name of the user-written password approval program. Possible values are:
- *NONE: No program is used.
- Program Name: Specify the name of the validation program.
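QPWDVLDPGM lets a site plug in its own approval program. The Python below is an added example written for this page, not IBM's code and not from the article: it implements the QPWD* rules just listed as a checker and contrasts the Release 1 situation (a one-letter password is accepted) with a tightened Release 2 policy. The particular hardened values are a constructed choice rather than IBM defaults, and upper-casing the candidate before checking is an assumption.

```python
# Added example (not from the article): a password-approval check in the
# spirit of the QPWDVLDPGM hook, enforcing the QPWD* system values described
# in the text. Candidates are upper-cased first (an assumption for this
# example; the rules themselves do not depend on it).
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    qpwdminlen: int = 1      # minimum length, 1-10
    qpwdmaxlen: int = 10     # maximum length, 1-10
    qpwdlmtajc: int = 0      # 1: adjacent digits not allowed
    qpwdlmtchr: str = ""     # characters not allowed ("" stands for *NONE)
    qpwdlmtrep: int = 0      # 1: no character may appear more than once
    qpwdposdif: int = 0      # 1: every position must differ from the old password
    qpwdrqddgt: int = 0      # 1: at least one digit required
    qpwdrqddif: int = 0      # 1: must differ from the previous 32 passwords
    history_depth: int = 32  # how many earlier passwords QPWDRQDDIF compares


def check_password(candidate, history, policy):
    """Return the names of the system values the candidate violates, in
    checking order; an empty list means the password is accepted.
    `history` holds earlier passwords, oldest first, the current one last."""
    new = candidate.upper()
    old = history[-1].upper() if history else ""
    recent = [p.upper() for p in history[-policy.history_depth:]]
    violations = []
    if len(new) < policy.qpwdminlen:
        violations.append("QPWDMINLEN")
    if len(new) > policy.qpwdmaxlen:
        violations.append("QPWDMAXLEN")
    if policy.qpwdlmtajc and any(a.isdigit() and b.isdigit()
                                 for a, b in zip(new, new[1:])):
        violations.append("QPWDLMTAJC")
    if policy.qpwdlmtchr and any(c in policy.qpwdlmtchr.upper() for c in new):
        violations.append("QPWDLMTCHR")
    if policy.qpwdlmtrep and len(set(new)) != len(new):
        violations.append("QPWDLMTREP")
    # Only positions both passwords have are compared, as the rule is positional.
    if policy.qpwdposdif and any(a == b for a, b in zip(new, old)):
        violations.append("QPWDPOSDIF")
    if policy.qpwdrqddgt and not any(c.isdigit() for c in new):
        violations.append("QPWDRQDDGT")
    if policy.qpwdrqddif and new in recent:
        violations.append("QPWDRQDDIF")
    return violations


# Release 1 as the article describes it: no minimum length, no history.
RELEASE1_POLICY = PasswordPolicy()

# Release 2 values tightened; a constructed choice of settings, not IBM defaults.
HARDENED_POLICY = PasswordPolicy(qpwdminlen=6, qpwdlmtajc=1, qpwdlmtrep=1,
                                 qpwdposdif=1, qpwdrqddgt=1, qpwdrqddif=1)

if __name__ == "__main__":
    # Constructed sample: the one-letter password the article says Release 1
    # accepts, then a few candidates against the tightened policy.
    print("Release 1, 'A':", check_password("A", [], RELEASE1_POLICY))
    print("Hardened, 'A':", check_password("A", [], HARDENED_POLICY))
    print("Hardened, 'MANTIS7' after 'MANTIS6':",
          check_password("MANTIS7", ["MANTIS6"], HARDENED_POLICY))
    print("Hardened, 'Z1P9Q4' after 'MANTIS7':",
          check_password("Z1P9Q4", ["MANTIS7"], HARDENED_POLICY))
```

The checks are ordered as the values are listed in the article, so the returned list tells the user which rule tripped first; a real approval program would map these names onto the messages it returns to the sign-on display.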
Logs
If you want to look at the logs, use the command: DSPLOG LOG(QHST) PERIOD((start-time start-date) (end-time end-date)) MSGID(message-identifier) OUTPUT(*PRINT)
Example of the time and date: ((0000 941229) (0000 941230))
The date format depends on the value of QDATFMT and it may be MMDDYY, DDMMYY or YYMMDD.
Messages
- CPF2207: Not authorized to use object in library.
- CPF2216: Not authorized to use library.
- CPF2228: Not authorized to change profile.
- CPF2234: Password not correct.
- CPF2269: Special authority *ALLOBJ required when granting *SECADM.
- CPF2294: Initial program value may not be changed.
- CPF2295: Initial menu value may not be changed.
- CPF2296: Attention program may not be changed.
- CPF2297: Current library value may not be changed.
- CPF22A6: User creating an authorization list must have *ADD authority to his user profile.
- CPF22B9: Not authorized to change authorities in authority list.
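With the message identifiers above, the QMAXSIGN value and the CPC2191/CPC2204/CPC2205 records from the history log, a security officer can look for the two traces the article points at: sign-on failures that stop just under QMAXSIGN, and profiles that are created and deleted again within a short time. The Python below is an added example written for this page (not the article's or IBM's code) and runs over a constructed, simplified QHST-style log; the record layout (date time message-id profile device text, with YYMMDD dates as one of the QDATFMT forms) is an assumption, so the regular expression would need adapting to real DSPLOG output.

```python
# Added example (not from the article): a small detector over history-log
# records like those DSPLOG returns. The record layout used here
# (date time msgid profile device text, dates in YYMMDD form) is a constructed
# simplification, not the real QHST format.
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\d{6}) (\d{6}) (CP[CF][0-9A-Z]{4}) (\S+)\s+(\S+)\s+(.*)$")

# Constructed sample log: five failures against QSECOFR from one terminal,
# one stray failure elsewhere, and a profile that lives for under two hours.
SAMPLE_LOG = """\
941229 081502 CPF2234 QSECOFR DSP01 Password not correct for user profile.
941229 081530 CPF2234 QSECOFR DSP01 Password not correct for user profile.
941229 081545 CPF2234 QSECOFR DSP01 Password not correct for user profile.
941229 081601 CPF2234 QSECOFR DSP01 Password not correct for user profile.
941229 081622 CPF2234 QSECOFR DSP01 Password not correct for user profile.
941229 082010 CPF2234 QSYSOPR DSP07 Password not correct for user profile.
941229 083000 CPC2204 TEMP01  DSP01 User profile TEMP01 created.
941229 083100 CPC2205 TEMP01  DSP01 User profile TEMP01 changed.
941229 095500 CPC2191 TEMP01  DSP01 User profile TEMP01 deleted.
941229 101500 CPC2205 QUSER   DSP02 User profile QUSER changed.
"""


def parse_log(text, datfmt="%y%m%d"):
    """Parse constructed QHST-style lines; datfmt mirrors QDATFMT (YYMMDD here)."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unrelated or malformed record
        date, time, msgid, profile, device, msg = m.groups()
        events.append({
            "when": datetime.strptime(date + time, datfmt + "%H%M%S"),
            "msgid": msgid, "profile": profile, "device": device, "text": msg,
        })
    return events


def failed_signon_bursts(events, qmaxsign=6, warn=3, window=timedelta(minutes=10)):
    """Longest run of CPF2234 per (profile, device) inside `window`.
    A run of exactly QMAXSIGN-1 is the pattern the article describes
    (probing while staying under the limit); QMAXSIGN or more would also
    have produced the system's own error record."""
    times = {}
    for e in events:
        if e["msgid"] == "CPF2234":
            times.setdefault((e["profile"], e["device"]), []).append(e["when"])
    bursts = []
    for (profile, device), ts in times.items():
        ts.sort()
        best = max(sum(1 for t in ts if start <= t <= start + window) for start in ts)
        if best < warn:
            continue
        if best >= qmaxsign:
            label = "exceeded QMAXSIGN"
        elif best == qmaxsign - 1:
            label = "stopped just under QMAXSIGN"
        else:
            label = "repeated failures"
        bursts.append((profile, device, best, label))
    return bursts


def short_lived_profiles(events, max_age=timedelta(hours=24)):
    """Profiles created (CPC2204) and deleted again (CPC2191) within max_age."""
    created = {}
    hits = []
    for e in events:
        if e["msgid"] == "CPC2204":
            created[e["profile"]] = e["when"]
        elif e["msgid"] == "CPC2191" and e["profile"] in created:
            age = e["when"] - created.pop(e["profile"])
            if age <= max_age:
                hits.append((e["profile"], age))
    return hits


PROFILE_MSGS = {"CPC2191": "deleted", "CPC2204": "created", "CPC2205": "changed"}


def profile_change_trail(events):
    """Every profile create/change/delete record, oldest first."""
    return [(e["when"], e["profile"], PROFILE_MSGS[e["msgid"]])
            for e in events if e["msgid"] in PROFILE_MSGS]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("sign-on bursts:", failed_signon_bursts(ev, qmaxsign=6))
    print("short-lived profiles:", short_lived_profiles(ev))
    for when, profile, action in profile_change_trail(ev):
        print(f"{when:%Y-%m-%d %H:%M:%S} {profile:<8} {action}")
```

Because the article's advice is to stop one attempt short of QMAXSIGN, the detector labels that exact count separately rather than waiting for the system's own over-limit record; the `warn` threshold and the ten-minute window are tunable assumptions, not values the article gives.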
OS/400 Release 3
I really do not have experience with this release. This is all the information I was able to collect.
We have seen that on the AS/400 the security verification is built in at the microcode level, so it could be bypassed by programs written in assembler, C or even Pascal, or with DST as described above. This loophole was removed with the introduction of Level 40 security in Release 3 of OS/400.
It has also introduced an audit log that contains information about security related events. I do not know more about this release yet.