InfoSec News

When I see TCP port 992 open, I always get a warm feeling: I'm taken back to my first IT job, as a night operator on MVS and VM systems at IBM in the early 80s. And yes, we had Virtual Machines (that's what the V stands for) back in the 1980s, just on much bigger hardware!

When I see port 992 these days, it typically indicates the telnets service (telnet over SSL), which often means it's an iSeries (previously AS/400) or a mainframe system (OS/390 or z/OS). Oddly enough, after 30-plus years, today's z/OS mainframe-class machines still have current versions of z/VM and MVS. As with most common ports, traffic statistics for port 992 can be found in our database, at https://isc.sans.edu/port.html?port=992

This all seems like kind of a "back in the day" thing, you might think. Didn't we migrate all the mainframes and AS/400s over to Windows and *nix back in the late 90s? Only old coots like, um, me should care about that stuff, right? Think again: migrating mainframe apps written in COBOL and the like, written in the 70s, 80s and even 90s, is a bear of a task. It costs big money and carries a ton of risk, and LOTS of companies have just let those sleeping dogs lie (aside from patching and upgrading, that is). And the iSeries platform just never went away: if you drive past a factory or a big-box hardware or department store, chances are pretty good there's an iSeries datacenter running the show.

So just how common are these platforms on the internet? In a simple scan of 2 class Bs I picked at random (OK, I knew that they were both at colos), I found 2 iSeries hosts and 1 z/OS telnets host. If you're using nmap, be sure to use -sV to get a better handle on the host offering up the service:

nmap -p 23,992,1023,2323 -sV --open x.x.x.x

iSeries hosts are almost always well identified by nmap (even --version-intensity=1 will find them):


23/tcp open telnet IBM OS/400 telnetd

992/tcp open ssl/telnet IBM OS/400 telnetd

Service Info: OS: OS/400

Mainframe (z/OS) hosts are also well fingerprinted by nmap (though OS/390 is long gone, so these should really be labeled as z/OS):


23/tcp open telnet IBM OS/390 or SNA telnetd

992/tcp open ssl/telnet IBM OS/390 or SNA telnetd

1023/tcp open telnet BSD-derived telnetd
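To turn scan output like the above into an exposure inventory, here is an added Python example (mine, not from the diary and not part of nmap) that parses nmap's normal output, tags hosts as iSeries or mainframe from the telnetd banner strings quoted above, and lists every cleartext telnet and telnets port so the system owner can be asked about each one. The scan text is constructed for the example and uses documentation address ranges, not real scan results.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of nmap -sV normal output for three hosts. Addresses are
# RFC 5737 documentation ranges; the banners mirror the ones quoted in the diary.
SAMPLE_NMAP = """\
Nmap scan report for 192.0.2.10
PORT     STATE SERVICE     VERSION
23/tcp   open  telnet      IBM OS/400 telnetd
992/tcp  open  ssl/telnet  IBM OS/400 telnetd
Service Info: OS: OS/400

Nmap scan report for 192.0.2.20
PORT     STATE SERVICE     VERSION
23/tcp   open  telnet      IBM OS/390 or SNA telnetd
992/tcp  open  ssl/telnet  IBM OS/390 or SNA telnetd
1023/tcp open  telnet      BSD-derived telnetd

Nmap scan report for 192.0.2.30
PORT     STATE    SERVICE     VERSION
22/tcp   open     ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0)
23/tcp   filtered telnet
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Banner fragments nmap's service probes report for these platforms,
# taken from the scan output quoted in the diary.
PLATFORM_MARKERS = (
    ("IBM OS/400", "iSeries (OS/400)"),
    ("IBM OS/390 or SNA", "mainframe (z/OS, reported by nmap as OS/390 or SNA)"),
)


@dataclass
class HostReport:
    address: str
    open_ports: dict = field(default_factory=dict)  # port -> (service, version)
    platform: str = "unknown"

    def findings(self):
        """Defender-facing notes: which open ports carry credentials, and how."""
        notes = []
        for port, (service, version) in sorted(self.open_ports.items()):
            if service == "telnet":
                notes.append(f"{port}/tcp cleartext telnet ({version}): "
                             "credentials and screens cross the network unencrypted")
            elif service == "ssl/telnet":
                notes.append(f"{port}/tcp telnets ({version}): confirm the certificate "
                             "is CA-issued and that emulators are set to verify it")
        return notes


def parse_nmap(text):
    """Parse nmap normal output into one HostReport per 'Nmap scan report' block."""
    hosts, current = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = HostReport(m.group(1))
            hosts.append(current)
            continue
        m = PORT_RE.match(line)
        if m and current is not None and m.group(3) == "open":
            port, service, version = int(m.group(1)), m.group(4), m.group(5).strip()
            current.open_ports[port] = (service, version)
            for marker, platform in PLATFORM_MARKERS:
                if marker in version:
                    current.platform = platform
    return hosts


def legacy_hosts(text):
    """Only the hosts that fingerprint as iSeries or mainframe."""
    return [h for h in parse_nmap(text) if h.platform != "unknown"]


if __name__ == "__main__":
    for host in legacy_hosts(SAMPLE_NMAP):
        print(host.address, host.platform)
        for note in host.findings():
            print("   ", note)
```

Filtered or closed ports are ignored, so a host that merely answers probes on 23 without an open service does not end up on the list; the platform tag comes from whichever open port carried a recognised banner.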

We've mentioned a few common ports. Besides port 992, what other ports might you typically see open on an iSeries host?



Service                                       Port (Plaintext)     Port (SSL)
Telnet (PC5250 Emulation)
netbios (yes, really!)
Server Mapper
REXEC (just as good as netbios most days!)
HTTP Administration
Service Tools Server
License Management
Database Access
Data Queues
Network Drives
Network Printers
Remote Command
Signon Verification
Ultimedia Services
IBM AnyNet                                    397 (TCP and UDP)
Management Central                            5555 and 5544


Note that ports 23 and 992 on these platforms generally serve up TN5250 (iSeries) or TN3270 (z/OS) terminal servers over telnet or telnets. You'll also find (thanks to suggestions in IBM's Redbook series of books) that it's common to see unencrypted telnet running on ports 1023 or 2323 as an added security measure. We can have a whole 'nother debate about how effective that is, especially if it's in the vendor documentation.

OK, so now that we've found a target host, what might we look for if you are in a pentest or a security assessment engagement? The same things you'd look for in any *nix SSH or telnet server: problems with encryption (and the phishing opportunity that comes with it), mismanaged SSL keys (ISC story https://isc.sans.edu/diary.html?storyid=14770 ) and well-known accounts with easily guessable passwords are all good places to start. If the easy stuff works (every time for me so far), there's no reason to try complicated attacks, right?

For starters, let's take a look at a typical certificate hosted on an iSeries host (organization specifics are elided):

C:\>openssl s_client -connect x.x.x.x:992 2>&1

Loading screen into random state - done


depth=1 /C=CA/ST=Ontario/L=Some City/O=Organization Name/OU=ORGNAME/CN=ORGCOM

verify error:num=19:self signed certificate in certificate chain

verify return:0


Certificate chain

0 s:/C=Ca/ST=Ontario/L=Some City/O=Organization Name/OU=ORGNAME/CN=ISERIES.ORGNAME.COM

i:/C=CA/ST=Ontario/L=Some City/O=Organization Name/OU=ORGNAME/CN=ORGCOM

1 s:/C=CA/ST=Ontario/L=Some City/O=Organization Name/OU=ORGNAME/CN=ORGCOM

i:/C=CA/ST=Ontario/L=Some City/O=Organization Name/OU=ORGNAME/CN=ORGCOM


Server certificate



Raw certificate material removed




subject=/C=Ca/ST=Ontario/L=Some City/O=Organization Name/OU=ORGNAME/CN=ISERIES.ORGNAME.COM

issuer=/C=CA/ST=Ontario/L=Some City/O=Organization Name/OU=ORGNAME/CN=ORGCOM


No client certificate CA names sent


SSL handshake has read 1401 bytes and written 322 bytes


New, TLSv1/SSLv3, Cipher is AES128-SHA

Server public key is 1024 bit

Compression: NONE

Expansion: NONE


Protocol : TLSv1

Cipher : AES128-SHA

Session-ID: 975A05E1077C10000000000000000178


Master-Key: CB948E0C6F005C654B2208ECAD1DFD1E5CC692256BE8615C74F403ABB22B2B8A97910A305EB4D4B2C4209C55C1146D9F

Key-Arg : None

Start Time: 1357423010

Timeout : 300 (sec)

Verify return code: 19 (self signed certificate in certificate chain)

At this point, you might be asking "Wait, did I see that right?" And I'd reply "Yes, you did!" While most TN5250 and TN3270 terminal emulation programs support SSL (on port 992), many do NOT ACTUALLY CHECK the host certificate for validity! If the terminal application is capable of checking, normally that check is OFF by default. This means that if you are assessing larger hosts like this, you're very likely to run into self-signed certificates.
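The s_client transcript above carries everything needed to judge the endpoint, so here is an added Python example (mine, not from the diary) that parses that output into the chain, key size, protocol and verify result, flags the weaknesses shown (chain that does not verify, self-signed root, 1024-bit key, TLSv1), and builds the kind of verifying client context that the emulators described above leave switched off. The transcript is constructed in the shape of the one quoted above; the CA bundle path passed to the context is an assumed input.

```python
import re
import ssl

# Constructed transcript in the shape of the openssl s_client output quoted
# above (organisation names already elided there); not a capture from a real host.
SAMPLE_S_CLIENT = """\
depth=1 /C=CA/ST=Ontario/L=Some City/O=Organization Name/OU=ORGNAME/CN=ORGCOM
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=Ca/ST=Ontario/L=Some City/O=Organization Name/OU=ORGNAME/CN=ISERIES.ORGNAME.COM
   i:/C=CA/ST=Ontario/L=Some City/O=Organization Name/OU=ORGNAME/CN=ORGCOM
 1 s:/C=CA/ST=Ontario/L=Some City/O=Organization Name/OU=ORGNAME/CN=ORGCOM
   i:/C=CA/ST=Ontario/L=Some City/O=Organization Name/OU=ORGNAME/CN=ORGCOM
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Protocol  : TLSv1
Cipher    : AES128-SHA
Verify return code: 19 (self signed certificate in certificate chain)
"""

CHAIN_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
CHAIN_ISSUER_RE = re.compile(r"^\s+i:(.*)$")
KEY_BITS_RE = re.compile(r"^Server public key is (\d+) bit")
PROTOCOL_RE = re.compile(r"^Protocol\s*:\s*(\S+)")
VERIFY_RE = re.compile(r"^Verify return code: (\d+) \((.*)\)")

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_s_client(text):
    """Pull the chain, key size, protocol and verify result out of s_client output."""
    info = {"chain": [], "key_bits": None, "protocol": None,
            "verify_code": None, "verify_msg": None}
    for line in text.splitlines():
        m = CHAIN_SUBJECT_RE.match(line)
        if m:
            info["chain"].append({"subject": m.group(2).strip(), "issuer": None})
            continue
        m = CHAIN_ISSUER_RE.match(line)
        if m and info["chain"]:
            info["chain"][-1]["issuer"] = m.group(1).strip()
            continue
        m = KEY_BITS_RE.match(line)
        if m:
            info["key_bits"] = int(m.group(1))
            continue
        m = PROTOCOL_RE.match(line)
        if m:
            info["protocol"] = m.group(1)
            continue
        m = VERIFY_RE.match(line)
        if m:
            info["verify_code"] = int(m.group(1))
            info["verify_msg"] = m.group(2)
    return info


def assess_telnets(info, min_key_bits=2048):
    """Findings a reviewer would raise; an empty list means nothing was flagged."""
    findings = []
    if info["verify_code"] != 0:
        findings.append(f"chain does not verify against the local trust store "
                        f"(code {info['verify_code']}: {info['verify_msg']})")
    chain = info["chain"]
    if chain and chain[-1]["subject"] == chain[-1]["issuer"]:
        findings.append(f"chain ends in a self-signed root ({chain[-1]['subject']}); "
                        "clients only gain anything from it if they explicitly trust it")
    if info["key_bits"] is not None and info["key_bits"] < min_key_bits:
        findings.append(f"server key is {info['key_bits']} bits, below {min_key_bits}")
    if info["protocol"] in LEGACY_PROTOCOLS:
        findings.append(f"negotiated {info['protocol']}; TLS 1.2 or later is expected")
    return findings


def verifying_client_context(ca_file=None):
    """The check most emulators leave off: verify the chain against a CA bundle
    (ca_file, an assumed path; None means the system store) and check the hostname."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for finding in assess_telnets(parse_s_client(SAMPLE_S_CLIENT)):
        print("-", finding)
```

A context built by verifying_client_context refuses the self-signed chain above unless the organisation's own root is in the bundle, which is exactly the behaviour worth confirming in every emulator that is allowed to reach port 992.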

How might you take advantage of this? Attack the weakest link: the users of the target host, with their first-initial-last-name userid and 8 digit RACF (or OS/400 in this case) password. For a target host iseries.domain.com, go register a similar domain and a host name, say iseries.doma1n.com, then mount a phishing run. Send emails to internal users at domain.com from the fake domain, asking them to login to the host mainframe.doma1n.com to reset their password, check a critical report status or whatever. As they say, it only takes one person to fall for it, and you'll have an interactive login account! If your client asks you to narrow the attack, target the most senior people in the organization that you are permitted to. Or target their helpdesk or operator staff. Sadly, the helpdesk and senior execs, the two groups you never want to get phished, almost always fall for the phish.

Note that TN5250/TN3270 use EBCDIC, so while you can use Ettercap for the MITM attack, you'll need to decode back to ASCII when you read the final captured file in Wireshark. Or in a pinch you can use dd to move back and forth between ASCII and EBCDIC, though Wireshark does a *fine* job!

What else might you try? How about doing something with the (well documented) list of default userids on the iSeries:
I've had some good luck in engagements involving iSeries hosts, taking advantage of QSECOFR (the Security Officer) or QSYSOPR (the System Operator), both of which have elevated privileges on the system. Try these with either QSYSOPR/QSECOFR as the password, or the company name, or sometimes a word scraped off the company website. Or, if your phish was successful, you've already won.

Soldier of Fortran describes TSOBRUTE (https://github.com/mainframed/TSO-Brute ), which you can use to brute force TN3270 passwords; with a list of known accounts plus the ones you can glean with a domain name and a bit of google-fu, it works like a charm! He's also written a password sniffer, MFSniffer, which you can find at https://github.com/mainframed/MFSniffer. I still use ettercap and wireshark for my MITM setups, but a password snarfer like this can make things much simpler, if all you are looking for is credentials.
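On the detection side, here is an added Python example (mine, not the diary's and not a tool from the mainframed repository) that watches sign-on results for the patterns the two paragraphs above describe: a burst of failures from one source, that same source then succeeding, and any failed attempt against a privileged default profile such as QSECOFR or QSYSOPR. The event lines are constructed for the example in a made-up format; a real deployment would feed the detector from the host's own sign-on audit records, whose layout differs.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Constructed sign-on events in a made-up line format (not a real audit
# journal layout): one source guesses its way in, another probes QSECOFR,
# a third is an ordinary user who mistypes once.
SAMPLE_EVENTS = """\
2013-01-05T22:16:50Z src=198.51.100.7 user=JSMITH result=FAIL
2013-01-05T22:16:52Z src=198.51.100.7 user=JSMITH result=FAIL
2013-01-05T22:16:55Z src=198.51.100.7 user=ADOE result=FAIL
2013-01-05T22:16:57Z src=198.51.100.7 user=ADOE result=FAIL
2013-01-05T22:17:01Z src=198.51.100.7 user=BLEE result=FAIL
2013-01-05T22:17:09Z src=198.51.100.7 user=BLEE result=OK
2013-01-05T22:30:00Z src=203.0.113.9 user=QSECOFR result=FAIL
2013-01-05T23:10:00Z src=192.0.2.44 user=CJONES result=FAIL
2013-01-05T23:40:00Z src=192.0.2.44 user=CJONES result=OK
"""

EVENT_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

# The two default profiles the diary singles out; extend from the vendor's list.
PRIVILEGED_DEFAULT_PROFILES = {"QSECOFR", "QSYSOPR"}


@dataclass
class SignOn:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_events(text):
    """Parse the constructed event lines; anything not in that shape is skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append(SignOn(ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def detect(events, threshold=5, window_seconds=120):
    """Return (alert_type, source, user, timestamp) tuples in time order.

    password-guessing:          threshold failures from one source inside the window
    guessing-then-success:      a success from a source already flagged above
    privileged-default-profile: any failed sign-on as a privileged default profile
    """
    alerts = []
    recent_failures = defaultdict(deque)   # src -> failure timestamps inside the window
    guessing_sources = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.ok and ev.user in PRIVILEGED_DEFAULT_PROFILES:
            alerts.append(("privileged-default-profile", ev.src, ev.user, ev.ts))
        if not ev.ok:
            q = recent_failures[ev.src]
            q.append(ev.ts)
            while (ev.ts - q[0]).total_seconds() > window_seconds:
                q.popleft()              # drop failures older than the window
            if len(q) >= threshold and ev.src not in guessing_sources:
                guessing_sources.add(ev.src)
                alerts.append(("password-guessing", ev.src, None, ev.ts))
        elif ev.src in guessing_sources:
            # A success from a source already flagged: the guessing likely worked,
            # so this is the alert to act on first.
            alerts.append(("guessing-then-success", ev.src, ev.user, ev.ts))
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in detect(parse_events(SAMPLE_EVENTS)):
        print(ts.isoformat(), kind, src, user or "")
```

The sliding window is per source rather than per user, because a guessing run against a list of known accounts spreads its failures across many userids and a per-user counter would never trip; the privileged-profile rule has no threshold at all, since a failed sign-on as QSECOFR from the internet is worth a look on its own.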

Is there an easy fix for these two simple issues? Well, yes, sort of. And no, not really.

Protecting an internet host with a packet filter firewall, SSL with a self-signed certificate, SSL clients that don't check the cert, plus a user-selected password is not much protection at all. It's not materially different from using straight-up telnet. When I see a direct login to a target host of any kind that is not as hardened (or as able to be hardened) as you might like, I'd normally suggest putting it behind a VPN gateway, or possibly behind an HTTPS gateway.

There are a ton of HTTPS gateway products that will sit in front of an SNA host, either commercial or open-source (though mostly you'll see commercial products in this space). In many cases they'll even web-ify an application by screen scraping and presenting the app in a GUI. SNA gateways are a mature technology, in common use since the late 80s (though back then we were front-ending native QLLC/SNA with TCP). Using an HTTPS front-end can allow you to filter out the use of sensitive accounts, and also makes enforcing the use of trusted certificates much easier. Also, it means that your end-users don't need to install a terminal client.

Using a VPN solution hides the host completely, but isn't as useful if you expect customers or partners to use the system; forcing multiple logins on end users never won system admins any friends.

Neither of these approaches is a silver bullet; protecting anything with a simple password these days is a less than stellar idea. At the end of the day, the host being discussed has likely been internet connected for 10-15 years, so making any changes, especially changes that make life more difficult for end users, is going to be met with a lot of resistance. You'll likely get more traction on an HTTPS front end, mostly because it'll make the green-screen application prettier and mouse-friendly. But you'll be replacing a userid and a password with, well, a userid and a password, just with better encryption.

Where can I go next for more information?

Well, for starters, IBM has a Security Reference Document for the iSeries, located at:


The folks at Tenable have conveniently integrated the contents of this doc into Nessus:


Soldier of Fortran has a site dedicated to mainframe security issues: http://mainframed767.tumblr.com/, and his tool repository is on github: https://github.com/mainframed/ . A great site if you're trying to keep up with the attack side of things (since vendor docs and audit resources will generally be about defense).

A couple of other useful IBM documents:



A couple of GIAC papers on AS/400 Auditing (both are a bit dated, but are mostly directly applicable to the newer iSeries platforms):



ISACA also has a decent document on auditing OS/400:


If you've got suggestions, stories on internet-attached mainframe or iSeries hosts (good or bad), or comments, please post to our comment form!


Rob VandenBrink

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Thanks to our reader James for letting us know about some current (but temporary) system issues at Hotmail - details at https://status.live.com/detail/Hotmail
T-Mobile USA has announced its unlimited nationwide 4G data plan will be available for $70 a month with no annual contract, starting on Wednesday.

A SQL injection flaw (CVE-2012-5664) was announced last week (Jan 2) in Ruby on Rails, but I think we missed reporting on it (thanks to one of our readers for pointing this out). Updates that resolve this are: 3.2.10, 3.1.9, and 3.0.18.

Because of the security profile of Ruby on Rails (the largest Ruby project around is one you should be familiar with: Metasploit), any security issues should be taken seriously. However, the hype and hoopla that any site with RoR code on it is vulnerable is just that: the vulnerability being discussed is very specific in nature, but folks hear "sql injection" and (mistakenly, as far as I can see) send it to the headline page.

A very complete explanation of the scenarios that are at issue is outlined here:


and here:


Additional issues (CVE-2013-0155 and CVE-2013-0156) are resolved in these new releases also.


Rob VandenBrink


Dish Network has offered to buy Clearwire for US$3.30 per share, throwing a wrench in Sprint Nextel's deal to buy its mobile broadband partner for $2.97 per share.
The Wi-Fi Alliance demonstrated the emerging Miracast wireless display technology at International CES here Tuesday by sending live computer game animation from a smartphone to a 27-in. television.
Enterprises can disrupt cybercriminals and deter future attacks, explained Dmitri Alperovitch, CTO of CrowdStrike Inc. The approach has its critics.

Nagios Core 'get_history()' Function Stack Based Buffer Overflow Vulnerability
The Wireless Power Consortium displayed a wide array or wireless charging technology, from desktops and car armrests to pads that accept one or more devices.
Attackers can trigger buffer overflows and inject code at several points in the open source telephone system software. Both open source and commercial versions are vulnerable

Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2013-01 through -20 Multiple Vulnerabilities
Mozilla on Tuesday shipped its newest browser, Firefox 18, which sports a revamped JavaScript engine and support for Macs with Apple's higher-resolution Retina displays.
Microsoft has sold more than 60 million [m] Windows 8 licenses so far, a number that is "roughly" in line with the performance of Windows 7 at the same stage of its release three years ago, according to Tami Reller, CFO and CMO of the Windows Division.
Users will some day soon toss aside their keyboard and command their computers with hand gestures and even the look on their face.
Television at four times the resolution of today's high-def images is turning out to be one of the most popular bets among consumer electronics makers in Las Vegas at this year's CES.
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-5829 Heap Buffer Overflow Vulnerability
RETIRED: IBM Tivoli Directory Server Web Admin Tool Unspecified Cross Site Scripting Vulnerability
IBM Tivoli Directory Server Web Admin Tool Cross Site Scripting Vulnerability
Communicating with light may soon get a lot easier, hints recent research from the National Institute of Standards and Technology (NIST) and the University of Maryland's Joint Quantum Institute (JQI), where scientists have potentially ...
Microsoft today patched 12 vulnerabilities in Windows, Office and several server and development products, but did not come up with a fix for the IE bug that cyber criminals have been exploiting for at least a month.
Panasonic on Tuesday showed off a 20-inch tablet with a 4K screen that can display images at a resolution of 3840-by-2160 pixels and is designed to improve multimedia tasks such as photo editing.
In a neighborly gesture, Google, with the help of a local development association, is rolling out free public Wi-Fi to the area surrounding its New York City offices.
Adobe Acrobat and Reader APSB13-02 Multiple Security Vulnerabilities
[SECURITY] [DSA 2602-1] zendframework security update

Richard Porter --- ISC Handler on Duty
Raising the bar for image quality on television sets, Panasonic unveiled a 56-inch OLED TV that shows images at 4K resolution, four times the overall resolution of current 1080p high-definition TVs.
Vint Cerf, known as the father of the Internet, says technology has not only changed the way we communicate but it's changing the way we live our lives.
RETIRED: Microsoft January 2013 Advance Notification Multiple Vulnerabilities
As TV makers show off UltraHD TVs at CES, communications chip maker Broadcom is introducing the guts of future gateways that will be able to bring video for those sets into viewers' homes.
X11 and XFree86 CVE-2012-1699 Local Information Disclosure and Denial of Service Vulnerability

Overview of the January 2013 Microsoft patches and their status.



Vulnerability (Replaces)                                                                                             | Affected                         | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*)
Print Spooler Remote Code Execution (Replaces )                                                                      | Print Spooler                    | KB 2769369              |                | Exploitability: 1    |
Microsoft XML Core Services Remote Code Execution Vulnerability (Replaces MS12-043)                                  | XML Core Services                | KB 2756145              |                | Exploitability: 1    |
System Center Operations Manager XSS Vulnerability (Replaces )                                                       | System Center Operations Manager | KB 2748552              |                | Exploitability: 1    |
.Net Elevation of Privileges (Replaces MS12-074 MS12-035 MS12-025 MS12-016 MS10-041 MS10-077 MS12-038)               | .Net Framework                   | KB 2769324              |                | Exploitability: 1    |
Kernel-Mode Driver Elevation of Privilege (Replaces MS12-078)                                                        | win32k.sys Kernel Mode Driver    | KB 2778930              |                | Exploitability: 1    |
SSL 3.0/TLS Security Feature Bypass (Replaces )                                                                      | Windows SSL                      | KB 2785220              |                | Exploitability: 1    |
Open Data Protocol Denial of Service Vulnerability (Replaces )                                                       | .Net Framework and IIS           | KB 2769327              |                | Exploitability: 1    |



We will update issues on this page for about a week or so as they evolve.

We appreciate updates

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.

Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.

Important: Things where more testing and other measures can help.

Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.

The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.

The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.

Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.

All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of the ones Microsoft assigns, since Microsoft attaches too many separate ratings to some of the patches to list them all.


Post suggestions or comments in the section below or send us any questions or comments in the contact form


Richard Porter

richard /at/ pedantictheory.com

For Hire, LinkedIn Profile. Posted with Permission.

What Is It You Would Say That You Do Here?
Dark Reading (blog)
Then you get the three Es of infosec: The dev team escalates to its executive and plays the age-old game of "my development VP beats your security VP." Then the security team issues the exception to go ahead. What value was created here? The dev team ...

Hardcore tech enthusiasts know Asus for its inspired (some may say zany) reinterpretations of common computer form factors. Next in the list of Asus flights of fancy: an all-in-one desktop/tablet combo that doesn't make you choose between Team Windows and Team Android.
Recent back-end upgrades by Microsoft to Office 365's SharePoint Online are causing problems for some users and developers whose workflows and applications have been disrupted by a variety of bugs.
Zoho continues to flesh out the feature set of its cloud-based CRM (customer relationship management) application, adding a new document library, advanced email filtering and location-aware mobile applications.
A Chinese man has pleaded guilty in a U.S. court to selling pirated software used in defense, space and other industries with a retail value of more than US$100 million.
New 802.11ac routers launching at International CES promise users gigabit-speeds and better performance when streaming video.
Apple CEO Tim Cook is visiting China and met with a government official on Tuesday, about 10 months after his last visit to the country.
A critical security vulnerability in the open source MoinMoin wiki software that allowed the Debian wiki to be compromised has now been fixed. The developers advise all users of the MoinMoin 1.9.x branch to update

Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-4190 Memory Corruption Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-4191 Memory Corruption Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-3995 Remote Code Execution Vulnerability

ABC is running a piece on how thieves are stealing barcode data from images that are posted on social media web sites [1]. We have covered information disclosure before on the ISC [2] [3]; however, this could serve as a reminder to be careful what you post! Most importantly, teach your kids. If you want to know more about Securing the Kids, please check out our sister site Securing the Human [4].

I teach my kids: once it's digital, treat it like it's public. There is no such thing as a private email.





Richard Porter

--- ISC Handler on Duty

::: For Hire :::
Many companies use "pop-up banners" to help remind employees of the rules and policies governing their systems. These banners are also intended to add a degree of legal protection by noting that the employee has limited rights to privacy when using company computers and networks.
Digital rights and privacy advocates have welcomed Yahoo's decision to provide its users with an option to enable HTTPS (HTTP Secure) for their entire webmail sessions.
A Facebook page for users who believed their accounts had been compromised and needed better security was found to allow an account hijacker to change the password without needing the old password

Mozilla Firefox/SeaMonkey/Thunderbird CVE-2012-3989 Denial of Service Vulnerability
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-3985 Security Bypass Vulnerability
[security bulletin] HPSBUX02829 SSRT100883 rev.1 - HP-UX Running X Font Server (xfs) Software, Local Denial of Service (DoS), Unauthorized Access
ESA-2013-001: EMC NetWorker Buffer Overflow vulnerability
Western Digital entered the networking market in 2012 with an 802.11n router. The company has now delivered not only its first 802.11ac Draft 2.0 router--the My Net AC1300--but also its first 802.11ac bridge, the My Net AC Bridge (which we'll review separately). So what does a company that builds storage devices know about designing wireless networking hardware? Enough to deliver a light spanking to the best Wi-Fi router we've tested, the Asus RT-AC66U--at least on the 5GHz band.
Watch movies in the shower, capture HDR video, or just use it to make phone calls. Sony says it has something for everyone in its new Xperia Z smartphone, the company's flagship handset for 2013.
As TVs get higher resolution and bigger displays, while getting cheaper over time, cable operators may be able to cover an entire wall of your home with a screen that includes two full-size TV shows plus weather, upcoming show information, a social media feed and other elements, according to Cisco Systems.
Ten years ago Monday, Apple co-founder and then-CEO Steve Jobs introduced Apple's first, and so far only, browser for OS X.
Microsoft told the U.S. International Trade Commission that it expects Motorola Mobility to withdraw claims relating to two patents it says are essential to the H.264 standard in its complaint against the Xbox, in view of a settlement last week between the Federal Trade Commission and Google.
The Library of Congress is storing 500 million tweets per day as part of its efforts to build a Twitter archive, and has added a total of about 170 billion tweets to its collection.
Kingston Technology will soon launch the world's first 1TB flash drive, a USB 3.0 device that is likely to cost more than most computers do.
Yahoo has quietly begun to enable HTTPS support for Yahoo Mail, but it's still only an opt-in option for users who wish to protect their privacy

Mozilla Firefox CVE-2012-1965 Cross Site Scripting Vulnerability
Ford Motor Co. is looking to integrate drivers' favorite apps into their cars, giving them someone to read them the morning newspaper, along with an app to find them the site of their next great date.
A developer has found a way of bypassing a key security feature in Windows RT (the ARM version of Windows 8). This makes it theoretically possible to run unsigned desktop applications on tablets running RT

HP Systems Insight Manager Unspecified Multiple Remote Security Vulnerabilities
PostgreSQL Multiple Privilege Escalation and Denial of Service Vulnerabilities
Qualcomm's keynote at the International CES was packed with big names and even a Big Bird, but CEO Paul Jacobs' focus was on something much smaller -- a new family of processors aimed at high-end smartphones and tablets.
Qualcomm called on some big names Monday to ensure its opening-night keynote at the International CES wasn't a dud. Steve Ballmer, Big Bird, the pop group Maroon5, and even former Archbishop Desmond Tutu all made appearances to keep things rolling along.
Havalite CMS 'comment' Parameter HTML Injection Vulnerability
Linux DiskQuota 'hosts_ctl()' Security Bypass Vulnerability