IBM i for Wintel Hackers

Download Slides

Video coming soon.

While IBM i has many names - OS/400, AS/400, i5/OS, iSeries, etc. - the underlying design of the system changed little since its first 1988 release. Such stability explains why the platform still plays a major role in the daily operations of critical infrastructure providers such as telecommunication companies and financial institutions. Despite its importance, IBM’s midrange platform received even less scrutiny from the hacking community, than its big brother, System z.

In our presentation we move beyond basic usage and common configuration problems (still remaining prevalent to date), and demonstrate how vulnerabilities of native IBM i applications can be exploited for local privilege escalation and remote code execution. We show that despite the design of the IBM i platform being radically different from common x86 (“Wintel”) and even PowerPC-based Unix systems, its vulnerabilities can be remarkably similar to those we are all familiar with. We show the analogies of vulnerability classes of IBM i - first presented here - to the ones of Windows and Linux, and demonstrate methods for discovering and exploiting new vulnerabilities. Our demos will cover software shipped with the OS, and widely used 3rd party applications as well. Finally, we present recommendations for defense, including ways to implement deceptive techniques to uncover threats lurking on this platform.

Presentation outline:

  • Introducing the Platform
    • An Object-Oriented Operating System
    • Single-Level Store
    • Machine Interface
  • Mapping Concepts
    • Security Levels
    • Files vs. Objects
    • ACLs vs. Authorities
    • PATH vs. Library List
    • SETUID vs. Adopted Authority
    • Db2 in your OS
  • Vulnerabilities
    • Dumb Fuzzing Still Works (at least on IBM i) - the discovery and exploitation of CVE-2023-30990 (demo)
    • PATH abuse on IBM i: Library List Exploitation - Demonstrating how variants of CVE-2020-30988 can be discovered and exploited (demo)
    • Command Injection - Exploitation on IBM i (demo: CVE-2023-40375)
    • SQL Injection, but Different - Limitations of IBM i stored procedures, demonstration of exploitation (demo)
    • Confused Deputies - SRVPGM exploitation (demo: CVE-2023-40377, CVE-2023-40378, CVE-2023-40685)
  • Why not Memory Corruption?
    • Summary of Hardware-Assisted Security Features
    • Insecurity by Design: Object Restoration
  • Defense
    • General Recommendations
    • Exit Programs - Benefits and limitations
    • Deception on IBM i

About the Speakers