SlideShare una empresa de Scribd logo

Vulnerabilities in TN3270 based Application

Descargar como PPTX, PDF
SensePost
SensePost

A talk given at Hack in the Box Amsterdam and later DerbyCon in 2014 about a new class of vulnerabilities in TN3270 exposed applications by @singe (Dominic White). A video of the talk is available at https://www.youtube.com/watch?v=3HFiv7NvWrM and code can be found at https://github.com/sensepost

Tecnología
1 de 38
__ __ .--.--.--.| |--.-----.|__|.-----. | | | || | _ || ||__ --| |________||__|__|_____||__||_____| Dominic White @sensepost @singe dominic@sensepost.com
__ ………………………………………………………………………….. | |.-----.-----.---.-.----.--.--. | || -__| _ | _ | __| | | |__||_____|___ |___._|____|___ | |_____| |_____| • Context: IBM z/OS systems • Still in heavy production use • Often underpin critical business processes • Actively maintained
__ __ .--.--.-----.----.| |--.-----.| |_.-----.-----. | | | -__| _|| _ | _ || _| -__| | ___/|_____|__| |_____|_____||____|_____|__|__| • We fail for not pwning mainframes • They won’t be around much longer! • They’re very secure! • Concerns about downtime & failures • It’s hard to learn & practice • IBM’s legal frameworks • More forgotten than you’ll learn
__ __ ___ …………………………….. .-----.| |.---.-.| |_.' _|.-----.----.--------. | _ || || _ || _| _|| _ | _| | | __||__||___._||____|__| |_____|__| |__|__|__| |__| ………………………………………………………………………………………………………………….. • Mainframe/Host == Big hulking pieces of hardware running z/OS (or Z/VM) • Partitioned into lots of partitions called LPARs (logical partition) – Each LPAR can run different stuff e.g. IBM z/OS (mainframe) or with z/VM Linux (RedHat) – 1972 hypervisors baby! • Lots of LPARs (across hardware too) is a Sysplex
__ __ ___ …………………………….. .-----.| |.---.-.| |_.' _|.-----.----.--------. | _ || || _ || _| _|| _ | _| | | __||__||___._||____|__| |_____|__| |__|__|__| |__| …………………………………………………………………………………………………………………..
__ ___ __ .--.--.--.|__|.----.-----. / /.--| | | | | || || _| -__|,' ,' | _ | |________||__||__| |_____/__/ |_____| • SNA – Systems Network Architecture – Inter-mainframe or peripheral comms • TN3270/E – 3270 terminal emulation over Telnet • VTAM – Virtual Telecommunications Access Method – Subsystem that implements SNA – Often the first thing you connect to on a mainframe • LU / PU – Logical/Physical Unit – Connections to VTAM (wired vs multiplexed) – TN3270 to mainframe usually gives you a LU
.---.-.-----.-----.-----. | _ | _ | _ |__ --| |___._| __| __|_____| |__| |__| ……………….. • TSO – z/OS CLI – “traditional” process accounting – CLIST/REXX/JCL scripting – OMVS / USS – Unix – ISPF – Menu Screens (GUI) • Transaction Managers – CICS – Modern bindings – IMS – MQ style – Efficient high-volume processing • Applications run within these – COBOL / FORTRAN / Java • Lots of other stuff e.g. – Databases: DB2 & IMS – Unix: FTP, HTTP, WebSphere – MQ – Etc. • Subsystems – RACF – ACF-2
__ __ .-----.-----.----.| |_.-----.----.---.-.-----.-----.|__|.-----.-----. | _ | _ | _|| _|__ --| __| _ | | || || | _ | | __|_____|__| |____|_____|____|___._|__|__|__|__||__||__|__|___ | |__| |_____| • Application ports == TN3270 – 23 – default, often VTAM – 992 – default SSL enabled – 1023-x0xx – application environments (direct to CICS/IMS regions) – 2323, x023, x992 – other ports to check – Ignore NMAP’s OS/390 SNA bit • FTP – Provides access to both worlds (TSO & OMVS) – Respects wildcards (*.RACF*.*) • Other – DB2 (5023) & MQ (1415) – HP/BMC/Tivoli monitoring – WebSphere • One host can have lots of IPs : Order of 10-20
__ .----.----.-----.--| |.-----. | __| _| -__| _ ||__ --| |____|__| |_____|_____||_____| • Not much you can do without creds • Legacy password policies – 8 char length restrictions – No special characters • FTP – Fantastic “traditional” brute-point • TSO – User enumeration flaw – TSO-Brute / psiotik (mainframed) • App creds – User enumeration flaws common – Sometimes weaker password policies
___ __ __ __ __ ………………………. .' _|__|.-----.-----.-----.----.-----.----.|__|.-----.| |_|__|.-----.-----. | _| || | _ | -__| _| _ | _|| || || _| || | _ | |__| |__||__|__|___ |_____|__| | __|__| |__||__|__||____|__||__|__|___ | |_____| |__| |_____| • Ports can connect directly to a app or region • There can be multiple instances of an app across regions • Screenshotting tools – screenshotter.py – 3270_screen_grab.nse (mainframed)
___ __ __ __ __ ………………………. .' _|__|.-----.-----.-----.----.-----.----.|__|.-----.| |_|__|.-----.-----. | _| || | _ | -__| _| _ | _|| || || _| || | _ | |__| |__||__|__|___ |_____|__| | __|__| |__||__|__||____|__||__|__|___ | |_____| |__| |_____| • Don’t stop at ports only! • VTAM is a multiplexer of sorts – Lets you connect to different application – Can connect you to other LPARs & sysplex’s – Uses APPLIDs or “macros” • LOGON APPLID(TSO) vs TSO • APPLID bruting – mainframe_bruter.py • github.com/sensepost/mainframe_brute – Poor man parallelisation: xargs –P
__ __ __ .-----.-----.-----.| |.--.--.-----.| |--.|__|.-----.-----. |__ --| _ | -__|| || | | || < | || | _ | |_____| __|_____||__||_____|__|__||__|__||__||__|__|___ | |__| |_____| • Don’t take initial screens at face value – “spider” like a web apps • IMS – PA24 to “leave screen” – Alternate transaction invocation • /display tran & /display psb – “Fuzz” parameters and flow • CICS – Look for (brute) transaction codes (URL paths) • mainframe_bruter.py again – Fuzz parameters – Screenshotter useful for mapping output
___ .-----.--.--.----.' _|.---.-.----.-----. |__ --| | | _| _|| _ | __| -__| |_____|_____|__| |__| |___._|____|_____|
_______ _______ ______ ______ ______ ______ |_ _| | |__ |__ | | | | | | |__ | __|_ | -- | |___| |__|____|______|______| |____|______| • Telnet-like protocol introduced in 1971 • Allowed “green screen” terminals to go over network TCP/IP rather than hardwire • Transmits “screens” made up of fields • Response submits modified screen & fields • Synchronous & Stateful • All apps presented in same way – i.e. TSO, CICS, IMS, REXX etc. all use it
___ __ __ __ ……….. .' _|__|.-----.| |.--| |.-----. | _| || -__|| || _ ||__ --| |__| |__||_____||__||_____||_____| • A screen is: – n x <Field Marker><Field> • A field marker can be (bit mask): PRINTABLE 0xc0 # these make the character "printable” PROTECT 0x20 # unprotected/protected NUMERIC 0x10 # alphanumeric/numeric Skip? HIDDEN 0x0c # display/selector pen detectable: INT_NORM_NSEL 0x00 # normal, non-detect INT_NORM_SEL 0x04 # normal, detectable INT_HIGH_SEL 0x08 # intensified, detectable INT_ZERO_NSEL 0x0c # nondisplay, non-detect, same as hidden RESERVED 0x02 # must be 0 MODIFY 0x01 # modified • There’s also a display bit mask for colours
Hack me Bank USERNAME ________ PASSWORD ________
∙P1∙Hack me Bank ␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀␀ ∙USERNAME∙________∙ ∙PASSWORD∙________∙ Hidden & Protected Field NULL Bytes Un-Protected Field Un-Protected & Hidden Field Marker
__ .--.--.--.--.| |.-----.-----. | | | | || || |__ --| ___/|_____||__||__|__|_____| • This is all managed by the client • So, hack our TN3270 emulator to: – Allow editing of PROTECTED fields – Show HIDDEN or “non-display” fields • Works gangbusters! • Three patches for x3270 – Allow editing of protected fields – Show hidden fields – Combined patch
Hack me Bank Main Menu _ 1 Transfer Funds _ 2 Close Account
∙P2∙Hack me Bank ∙Main Menu ∙_∙1 Transfer Funds ∙_∙2 Close Account ∙ ∙3 Free Money ∙LUSER Auth Bypass Access other accounts Invoke restricted function
___ __ __ .. .' _|.---.-.--------.|__| |.--.--. | _|| _ | || | || | | |__| |___._|__|__|__||__|__||___ | |_____| • Eerily similar to web application – Hidden fields – Modifying un-modifiable inputs – But, markup & protocol not separated here • Bypass developer assumptions • Vuln exists everywhere developer made bad assumption • New family of mainframe application vulnerabilities
______ _______ ______ ______ . | __ _ _| __ __ | __ <_| |_| < __/ |______/_______|___|__|___| .. • Vulns are similar to webapps, perhaps the tool should be too • Introducing Big Iron Recon & Pwnage github.com/sensepost/birp • Provides a “companion/hacker view” to your emulator • Records transactions for later analysis
___ __ …………………………………………….. .' _|.-----.---.-.| |_.--.--.----.-----.-----. | _|| -__| _ || _| | | _| -__|__ --| |__| |_____|___._||____|_____|__| |_____|_____| • Interactive mode • Transaction recording • Transaction analysis • Save/Load history • Playback • Finding transactions • Cool python objects
__ __ __ …………………………………………………………. .--| |__|.-----.----.| |.-----.-----.--.--.----.-----. | _ | ||__ --| __|| || _ |__ --| | | _| -__| |_____|__||_____|____||__||_____|_____|_____|__| |_____| • IBM contacted me in Jan after seeing the HITB abstract (proactive) • Detailed info about vulnerability in NVAS given • Patched/Fixed (?) in February • No public disclosure or acknowledgment by IBM • Not even sure if it’s disclosed privately or fix only • If you’re a customer, check your NVAS APARs on Security Zone or open a PMR • As for wider issue …
__ __ __ …………………………………………………………. .--| |__|.-----.----.| |.-----.-----.--.--.----.-----. | _ | ||__ --| __|| || _ |__ --| | | _| -__| |_____|__||_____|____||__||_____|_____|_____|__| |_____| • Obscurity discourages people looking, but doesn’t prevent the finding – Handful of days and as a tourist I found a critical vuln across all apps • IBM chooses not to disclose (need to know) to prevent attacks from being made public – Some merit in this (publish == inc in attack) – World has gone the other way – bug bounties • I found this in a handful of days, initial hack was 45mins of work, as a n00b – Highly likely others have discovered this in 30+ years, not disclosing != no exploits
__ __ ……………….. | |--.-----.--.--.--. | |_.-----. | | _ | | | | | _| _ | |__|__|_____|________| |____|_____| • Run your own mainframe – http://pastebin.com/PHiT8jmE – Piracy  • Online DeZhi instance – http://zos.efglobe.com • Soldier of Fortran/Mainframed/Phil Young – http://mainframed767.tumblr.com – @mainframed767 – YouTube • IBM “Master the Mainframe” course • BIRP – https://github.com/sensepost/birp – https://vimeo.com/96718889
__ __ __ ……………….. | |_| |--.---.-.-----.| |--.-----. | _| | _ | || <|__ --| |____|__|__|___._|__|__||__|__|_____| • Phil Young++ • Unnamed customers • IBM • DerbyCon
__ __ __ .-----.-----| |_ |__| |_ | _ | -__| _| | | _| |___ |_____|____| |__|____| |_____| • Code https://github.com/sensepost /birp /mainframe_brute • Contact @singe dominic@sensepost.com

Recomendados

Philip young current state of mainframe hacking - vanguard - 101016
Philip young current state of mainframe hacking - vanguard - 101016Philip young current state of mainframe hacking - vanguard - 101016
Philip young current state of mainframe hacking - vanguard - 101016
Philip Young
 
Advanced mainframe hacking
Advanced mainframe hackingAdvanced mainframe hacking
Advanced mainframe hacking
Philip Young
 
Keycloak SSO basics
Keycloak SSO basicsKeycloak SSO basics
Keycloak SSO basics
Juan Vicente Herrera Ruiz de Alejo
 
Using cgroups in docker container
Using cgroups in docker containerUsing cgroups in docker container
Using cgroups in docker container
Vinay Jindal
 
OpenStackを使用したGPU仮想化IaaS環境 事例紹介
OpenStackを使用したGPU仮想化IaaS環境 事例紹介OpenStackを使用したGPU仮想化IaaS環境 事例紹介
OpenStackを使用したGPU仮想化IaaS環境 事例紹介
VirtualTech Japan Inc.
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal
 
Proxmox ve-datasheet
Proxmox ve-datasheetProxmox ve-datasheet
Proxmox ve-datasheet
Miguel Angel
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old Secrets
Brendan Gregg
 

Recomendados

Philip young current state of mainframe hacking - vanguard - 101016
Philip young current state of mainframe hacking - vanguard - 101016Philip young current state of mainframe hacking - vanguard - 101016
Philip young current state of mainframe hacking - vanguard - 101016
Philip Young
 
Advanced mainframe hacking
Advanced mainframe hackingAdvanced mainframe hacking
Advanced mainframe hacking
Philip Young
 
Keycloak SSO basics
Keycloak SSO basicsKeycloak SSO basics
Keycloak SSO basics
Juan Vicente Herrera Ruiz de Alejo
 
Using cgroups in docker container
Using cgroups in docker containerUsing cgroups in docker container
Using cgroups in docker container
Vinay Jindal
 
OpenStackを使用したGPU仮想化IaaS環境 事例紹介
OpenStackを使用したGPU仮想化IaaS環境 事例紹介OpenStackを使用したGPU仮想化IaaS環境 事例紹介
OpenStackを使用したGPU仮想化IaaS環境 事例紹介
VirtualTech Japan Inc.
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal
 
Proxmox ve-datasheet
Proxmox ve-datasheetProxmox ve-datasheet
Proxmox ve-datasheet
Miguel Angel
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old Secrets
Brendan Gregg
 
Interrupts on xv6
Interrupts on xv6Interrupts on xv6
Interrupts on xv6
Takuya ASADA
 
Docker infiniband
Docker infinibandDocker infiniband
Docker infiniband
Syoyo Fujita
 
Load Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - Slides
Severalnines
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
Sreenivas Makam
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting Workshop
Splunk
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
Anurag Srivastava
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Jérôme Petazzoni
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
n|u - The Open Security Community
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniques
Satpal Parmar
 
Btrfs + Snapper + Samba で作る「以前のバージョン」に戻せるファイルサーバー
Btrfs + Snapper + Samba で作る「以前のバージョン」に戻せるファイルサーバーBtrfs + Snapper + Samba で作る「以前のバージョン」に戻せるファイルサーバー
Btrfs + Snapper + Samba で作る「以前のバージョン」に戻せるファイルサーバー
Fuminobu Takeyama
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into Containerd
Kohei Tokunaga
 
IntelON 2021 Processor Benchmarking
IntelON 2021 Processor BenchmarkingIntelON 2021 Processor Benchmarking
IntelON 2021 Processor Benchmarking
Brendan Gregg
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
Red Hat Satellite 6 - Automation with Puppet
Red Hat Satellite 6 - Automation with PuppetRed Hat Satellite 6 - Automation with Puppet
Red Hat Satellite 6 - Automation with Puppet
Michael Lessard
 
Routed Fabrics For Ceph
Routed Fabrics For CephRouted Fabrics For Ceph
Routed Fabrics For Ceph
ShapeBlue
 
Linux Preempt-RT Internals
Linux Preempt-RT InternalsLinux Preempt-RT Internals
Linux Preempt-RT Internals
哲豪 康哲豪
 
Bypassing nac solutions and mitigations
Bypassing nac solutions and mitigationsBypassing nac solutions and mitigations
Bypassing nac solutions and mitigations
Suraj Khetani
 
WASM! WASI! WAGI! WAT?
WASM! WASI! WAGI! WAT?WASM! WASI! WAGI! WAT?
WASM! WASI! WAGI! WAT?
Stefan Baumgartner
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdf
Farouk2nd
 
HTML5 Web forms & microdata - Akiva Levi
HTML5 Web forms & microdata - Akiva LeviHTML5 Web forms & microdata - Akiva Levi
HTML5 Web forms & microdata - Akiva Levi
Israeli Internet Association technology committee
 
NAME's Drafted Appendix - J
NAME's Drafted Appendix - JNAME's Drafted Appendix - J
NAME's Drafted Appendix - J
A-Square Technology Group/Nascent Applied Methods and Endeavors
 

Más contenido relacionado

La actualidad más candente

Btrfs + Snapper + Samba で作る「以前のバージョン」に戻せるファイルサーバー
Btrfs + Snapper + Samba で作る「以前のバージョン」に戻せるファイルサーバーBtrfs + Snapper + Samba で作る「以前のバージョン」に戻せるファイルサーバー
Btrfs + Snapper + Samba で作る「以前のバージョン」に戻せるファイルサーバー
Fuminobu Takeyama
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 

La actualidad más candente (20)

Interrupts on xv6
Interrupts on xv6Interrupts on xv6
Interrupts on xv6
 
Docker infiniband
Docker infinibandDocker infiniband
Docker infiniband
 
Load Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - Slides
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
 
Threat Hunting Workshop
Threat Hunting WorkshopThreat Hunting Workshop
Threat Hunting Workshop
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniques
 
Btrfs + Snapper + Samba で作る「以前のバージョン」に戻せるファイルサーバー
Btrfs + Snapper + Samba で作る「以前のバージョン」に戻せるファイルサーバーBtrfs + Snapper + Samba で作る「以前のバージョン」に戻せるファイルサーバー
Btrfs + Snapper + Samba で作る「以前のバージョン」に戻せるファイルサーバー
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into Containerd
 
IntelON 2021 Processor Benchmarking
IntelON 2021 Processor BenchmarkingIntelON 2021 Processor Benchmarking
IntelON 2021 Processor Benchmarking
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Red Hat Satellite 6 - Automation with Puppet
Red Hat Satellite 6 - Automation with PuppetRed Hat Satellite 6 - Automation with Puppet
Red Hat Satellite 6 - Automation with Puppet
 
Routed Fabrics For Ceph
Routed Fabrics For CephRouted Fabrics For Ceph
Routed Fabrics For Ceph
 
Linux Preempt-RT Internals
Linux Preempt-RT InternalsLinux Preempt-RT Internals
Linux Preempt-RT Internals
 
Bypassing nac solutions and mitigations
Bypassing nac solutions and mitigationsBypassing nac solutions and mitigations
Bypassing nac solutions and mitigations
 
WASM! WASI! WAGI! WAT?
WASM! WASI! WAGI! WAT?WASM! WASI! WAGI! WAT?
WASM! WASI! WAGI! WAT?
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdf
 

Similar a Vulnerabilities in TN3270 based Application

My sql 5.7-upcoming-changes-v2
My sql 5.7-upcoming-changes-v2My sql 5.7-upcoming-changes-v2
My sql 5.7-upcoming-changes-v2
Morgan Tocker
 
Curricullum Vitae_Rahul Kumar
Curricullum Vitae_Rahul KumarCurricullum Vitae_Rahul Kumar
Curricullum Vitae_Rahul Kumar
Rahul Kumar
 
Managing Passwords for Mobile Users
Managing Passwords for Mobile Users Managing Passwords for Mobile Users
Managing Passwords for Mobile Users
Hitachi ID Systems, Inc.
 
Managing Passwords for Mobile Users
Managing Passwords for Mobile UsersManaging Passwords for Mobile Users
Managing Passwords for Mobile Users
Hitachi ID Systems, Inc.
 

Similar a Vulnerabilities in TN3270 based Application (20)

HTML5 Web forms & microdata - Akiva Levi
HTML5 Web forms & microdata - Akiva LeviHTML5 Web forms & microdata - Akiva Levi
HTML5 Web forms & microdata - Akiva Levi
 
NAME's Drafted Appendix - J
NAME's Drafted Appendix - JNAME's Drafted Appendix - J
NAME's Drafted Appendix - J
 
My sql 5.7-upcoming-changes-v2
My sql 5.7-upcoming-changes-v2My sql 5.7-upcoming-changes-v2
My sql 5.7-upcoming-changes-v2
 
NetIQ Event in a Box - a quick glance at collateral for marketing
NetIQ Event in a Box - a quick glance at collateral for marketingNetIQ Event in a Box - a quick glance at collateral for marketing
NetIQ Event in a Box - a quick glance at collateral for marketing
 
Technical Writing presentation updated.ppt
Technical Writing presentation updated.pptTechnical Writing presentation updated.ppt
Technical Writing presentation updated.ppt
 
Jay Castronova Resume 2016
Jay Castronova Resume 2016Jay Castronova Resume 2016
Jay Castronova Resume 2016
 
MySQL performance webinar
MySQL performance webinarMySQL performance webinar
MySQL performance webinar
 
Curricullum Vitae_Rahul Kumar
Curricullum Vitae_Rahul KumarCurricullum Vitae_Rahul Kumar
Curricullum Vitae_Rahul Kumar
 
Himanshu 2018
Himanshu 2018Himanshu 2018
Himanshu 2018
 
MS-07 Jan June 2017
MS-07 Jan June 2017MS-07 Jan June 2017
MS-07 Jan June 2017
 
Managing Passwords for Mobile Users
Managing Passwords for Mobile Users Managing Passwords for Mobile Users
Managing Passwords for Mobile Users
 
Managing Passwords for Mobile Users
Managing Passwords for Mobile UsersManaging Passwords for Mobile Users
Managing Passwords for Mobile Users
 
Extending the .NET CLI
Extending the .NET CLIExtending the .NET CLI
Extending the .NET CLI
 
Sql Adv
Sql AdvSql Adv
Sql Adv
 
Quiz game documentary
Quiz game documentaryQuiz game documentary
Quiz game documentary
 
Development Tools - Maven
Development Tools - MavenDevelopment Tools - Maven
Development Tools - Maven
 
Shops and establishment
Shops and establishmentShops and establishment
Shops and establishment
 
Tqm3 ppt
Tqm3 pptTqm3 ppt
Tqm3 ppt
 
Sap security - How to.pdf
Sap security - How to.pdfSap security - How to.pdf
Sap security - How to.pdf
 
User Manual - FIMS
User Manual - FIMSUser Manual - FIMS
User Manual - FIMS
 

Más de SensePost

Hacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation SystemsHacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation Systems
SensePost
 

Más de SensePost (20)

objection - runtime mobile exploration
objection - runtime mobile explorationobjection - runtime mobile exploration
objection - runtime mobile exploration
 
Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17
 
Introducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration ToolkitIntroducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration Toolkit
 
ZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana AttacksZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana Attacks
 
Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22
 
Heartbleed Overview
Heartbleed OverviewHeartbleed Overview
Heartbleed Overview
 
Botconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server DetectionBotconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server Detection
 
Rat a-tat-tat
Rat a-tat-tatRat a-tat-tat
Rat a-tat-tat
 
Hacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation SystemsHacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation Systems
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented Defence
 
Threats to machine clouds
Threats to machine cloudsThreats to machine clouds
Threats to machine clouds
 
Inside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemInside .NET Smart Card Operating System
Inside .NET Smart Card Operating System
 
SNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) PwnageSNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) Pwnage
 
Its Ok To Get Hacked
Its Ok To Get HackedIts Ok To Get Hacked
Its Ok To Get Hacked
 
Web Application Hacking
Web Application HackingWeb Application Hacking
Web Application Hacking
 
Putting the tea back into cyber terrorism
Putting the tea back into cyber terrorismPutting the tea back into cyber terrorism
Putting the tea back into cyber terrorism
 
Major global information security trends - a summary
Major global information security trends - a summaryMajor global information security trends - a summary
Major global information security trends - a summary
 
Attacks and Defences
Attacks and DefencesAttacks and Defences
Attacks and Defences
 
Corporate Threat Modeling v2
Corporate Threat Modeling v2Corporate Threat Modeling v2
Corporate Threat Modeling v2
 
State of the information security nation
State of the information security nationState of the information security nation
State of the information security nation
 

Último

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Último (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 

Vulnerabilities in TN3270 based Application

  • 1.
  • 2. __ __ .--.--.--.| |--.-----.|__|.-----. | | | || | _ || ||__ --| |________||__|__|_____||__||_____| Dominic White @sensepost @singe dominic@sensepost.com
  • 3.
  • 4. __ ………………………………………………………………………….. | |.-----.-----.---.-.----.--.--. | || -__| _ | _ | __| | | |__||_____|___ |___._|____|___ | |_____| |_____| • Context: IBM z/OS systems • Still in heavy production use • Often underpin critical business processes • Actively maintained
  • 5. __ __ .--.--.-----.----.| |--.-----.| |_.-----.-----. | | | -__| _|| _ | _ || _| -__| | ___/|_____|__| |_____|_____||____|_____|__|__| • We fail for not pwning mainframes • They won’t be around much longer! • They’re very secure! • Concerns about downtime & failures • It’s hard to learn & practice • IBM’s legal frameworks • More forgotten than you’ll learn
  • 6.
  • 7. __ __ ___ …………………………….. .-----.| |.---.-.| |_.' _|.-----.----.--------. | _ || || _ || _| _|| _ | _| | | __||__||___._||____|__| |_____|__| |__|__|__| |__| ………………………………………………………………………………………………………………….. • Mainframe/Host == Big hulking pieces of hardware running z/OS (or Z/VM) • Partitioned into lots of partitions called LPARs (logical partition) – Each LPAR can run different stuff e.g. IBM z/OS (mainframe) or with z/VM Linux (RedHat) – 1972 hypervisors baby! • Lots of LPARs (across hardware too) is a Sysplex
  • 8. __ __ ___ …………………………….. .-----.| |.---.-.| |_.' _|.-----.----.--------. | _ || || _ || _| _|| _ | _| | | __||__||___._||____|__| |_____|__| |__|__|__| |__| …………………………………………………………………………………………………………………..
  • 9. __ ___ __ .--.--.--.|__|.----.-----. / /.--| | | | | || || _| -__|,' ,' | _ | |________||__||__| |_____/__/ |_____| • SNA – Systems Network Architecture – Inter-mainframe or peripheral comms • TN3270/E – 3270 terminal emulation over Telnet • VTAM – Virtual Telecommunications Access Method – Subsystem that implements SNA – Often the first thing you connect to on a mainframe • LU / PU – Logical/Physical Unit – Connections to VTAM (wired vs multiplexed) – TN3270 to mainframe usually gives you a LU
  • 10. .---.-.-----.-----.-----. | _ | _ | _ |__ --| |___._| __| __|_____| |__| |__| ……………….. • TSO – z/OS CLI – “traditional” process accounting – CLIST/REXX/JCL scripting – OMVS / USS – Unix – ISPF – Menu Screens (GUI) • Transaction Managers – CICS – Modern bindings – IMS – MQ style – Efficient high-volume processing • Applications run within these – COBOL / FORTRAN / Java • Lots of other stuff e.g. – Databases: DB2 & IMS – Unix: FTP, HTTP, WebSphere – MQ – Etc. • Subsystems – RACF – ACF-2
  • 11.
  • 12. __ __ .-----.-----.----.| |_.-----.----.---.-.-----.-----.|__|.-----.-----. | _ | _ | _|| _|__ --| __| _ | | || || | _ | | __|_____|__| |____|_____|____|___._|__|__|__|__||__||__|__|___ | |__| |_____| • Application ports == TN3270 – 23 – default, often VTAM – 992 – default SSL enabled – 1023-x0xx – application environments (direct to CICS/IMS regions) – 2323, x023, x992 – other ports to check – Ignore NMAP’s OS/390 SNA bit • FTP – Provides access to both worlds (TSO & OMVS) – Respects wildcards (*.RACF*.*) • Other – DB2 (5023) & MQ (1415) – HP/BMC/Tivoli monitoring – WebSphere • One host can have lots of IPs : Order of 10-20
  • 13. __ .----.----.-----.--| |.-----. | __| _| -__| _ ||__ --| |____|__| |_____|_____||_____| • Not much you can do without creds • Legacy password policies – 8 char length restrictions – No special characters • FTP – Fantastic “traditional” brute-point • TSO – User enumeration flaw – TSO-Brute / psiotik (mainframed) • App creds – User enumeration flaws common – Sometimes weaker password policies
  • 14. ___ __ __ __ __ ………………………. .' _|__|.-----.-----.-----.----.-----.----.|__|.-----.| |_|__|.-----.-----. | _| || | _ | -__| _| _ | _|| || || _| || | _ | |__| |__||__|__|___ |_____|__| | __|__| |__||__|__||____|__||__|__|___ | |_____| |__| |_____| • Ports can connect directly to a app or region • There can be multiple instances of an app across regions • Screenshotting tools – screenshotter.py – 3270_screen_grab.nse (mainframed)
  • 15. ___ __ __ __ __ ………………………. .' _|__|.-----.-----.-----.----.-----.----.|__|.-----.| |_|__|.-----.-----. | _| || | _ | -__| _| _ | _|| || || _| || | _ | |__| |__||__|__|___ |_____|__| | __|__| |__||__|__||____|__||__|__|___ | |_____| |__| |_____| • Don’t stop at ports only! • VTAM is a multiplexer of sorts – Lets you connect to different application – Can connect you to other LPARs & sysplex’s – Uses APPLIDs or “macros” • LOGON APPLID(TSO) vs TSO • APPLID bruting – mainframe_bruter.py • github.com/sensepost/mainframe_brute – Poor man parallelisation: xargs –P
  • 16. __ __ __ .-----.-----.-----.| |.--.--.-----.| |--.|__|.-----.-----. |__ --| _ | -__|| || | | || < | || | _ | |_____| __|_____||__||_____|__|__||__|__||__||__|__|___ | |__| |_____| • Don’t take initial screens at face value – “spider” like a web apps • IMS – PA24 to “leave screen” – Alternate transaction invocation • /display tran & /display psb – “Fuzz” parameters and flow • CICS – Look for (brute) transaction codes (URL paths) • mainframe_bruter.py again – Fuzz parameters – Screenshotter useful for mapping output
  • 17. ___ .-----.--.--.----.' _|.---.-.----.-----. |__ --| | | _| _|| _ | __| -__| |_____|_____|__| |__| |___._|____|_____|
  • 18. _______ _______ ______ ______ ______ ______ |_ _| | |__ |__ | | | | | | |__ | __|_ | -- | |___| |__|____|______|______| |____|______| • Telnet-like protocol introduced in 1971 • Allowed “green screen” terminals to go over network TCP/IP rather than hardwire • Transmits “screens” made up of fields • Response submits modified screen & fields • Synchronous & Stateful • All apps presented in same way – i.e. TSO, CICS, IMS, REXX etc. all use it
  • 19. ___ __ __ __ ……….. .' _|__|.-----.| |.--| |.-----. | _| || -__|| || _ ||__ --| |__| |__||_____||__||_____||_____| • A screen is: – n x <Field Marker><Field> • A field marker can be (bit mask): PRINTABLE 0xc0 # these make the character "printable” PROTECT 0x20 # unprotected/protected NUMERIC 0x10 # alphanumeric/numeric Skip? HIDDEN 0x0c # display/selector pen detectable: INT_NORM_NSEL 0x00 # normal, non-detect INT_NORM_SEL 0x04 # normal, detectable INT_HIGH_SEL 0x08 # intensified, detectable INT_ZERO_NSEL 0x0c # nondisplay, non-detect, same as hidden RESERVED 0x02 # must be 0 MODIFY 0x01 # modified • There’s also a display bit mask for colours
  • 20. Hack me Bank USERNAME ________ PASSWORD ________
  • 22. __ .--.--.--.--.| |.-----.-----. | | | | || || |__ --| ___/|_____||__||__|__|_____| • This is all managed by the client • So, hack our TN3270 emulator to: – Allow editing of PROTECTED fields – Show HIDDEN or “non-display” fields • Works gangbusters! • Three patches for x3270 – Allow editing of protected fields – Show hidden fields – Combined patch
  • 23.
  • 24.
  • 25. Hack me Bank Main Menu _ 1 Transfer Funds _ 2 Close Account
  • 26. ∙P2∙Hack me Bank ∙Main Menu ∙_∙1 Transfer Funds ∙_∙2 Close Account ∙ ∙3 Free Money ∙LUSER Auth Bypass Access other accounts Invoke restricted function
  • 27. ___ __ __ .. .' _|.---.-.--------.|__| |.--.--. | _|| _ | || | || | | |__| |___._|__|__|__||__|__||___ | |_____| • Eerily similar to web application – Hidden fields – Modifying un-modifiable inputs – But, markup & protocol not separated here • Bypass developer assumptions • Vuln exists everywhere developer made bad assumption • New family of mainframe application vulnerabilities
  • 28. ______ _______ ______ ______ . | __ _ _| __ __ | __ <_| |_| < __/ |______/_______|___|__|___| .. • Vulns are similar to webapps, perhaps the tool should be too • Introducing Big Iron Recon & Pwnage github.com/sensepost/birp • Provides a “companion/hacker view” to your emulator • Records transactions for later analysis
  • 29.
  • 30.
  • 31. ___ __ …………………………………………….. .' _|.-----.---.-.| |_.--.--.----.-----.-----. | _|| -__| _ || _| | | _| -__|__ --| |__| |_____|___._||____|_____|__| |_____|_____| • Interactive mode • Transaction recording • Transaction analysis • Save/Load history • Playback • Finding transactions • Cool python objects
  • 32.
  • 33. __ __ __ …………………………………………………………. .--| |__|.-----.----.| |.-----.-----.--.--.----.-----. | _ | ||__ --| __|| || _ |__ --| | | _| -__| |_____|__||_____|____||__||_____|_____|_____|__| |_____| • IBM contacted me in Jan after seeing the HITB abstract (proactive) • Detailed info about vulnerability in NVAS given • Patched/Fixed (?) in February • No public disclosure or acknowledgment by IBM • Not even sure if it’s disclosed privately or fix only • If you’re a customer, check your NVAS APARs on Security Zone or open a PMR • As for wider issue …
  • 34. __ __ __ …………………………………………………………. .--| |__|.-----.----.| |.-----.-----.--.--.----.-----. | _ | ||__ --| __|| || _ |__ --| | | _| -__| |_____|__||_____|____||__||_____|_____|_____|__| |_____| • Obscurity discourages people looking, but doesn’t prevent the finding – Handful of days and as a tourist I found a critical vuln across all apps • IBM chooses not to disclose (need to know) to prevent attacks from being made public – Some merit in this (publish == inc in attack) – World has gone the other way – bug bounties • I found this in a handful of days, initial hack was 45mins of work, as a n00b – Highly likely others have discovered this in 30+ years, not disclosing != no exploits
  • 35.
  • 36. __ __ ……………….. | |--.-----.--.--.--. | |_.-----. | | _ | | | | | _| _ | |__|__|_____|________| |____|_____| • Run your own mainframe – http://pastebin.com/PHiT8jmE – Piracy  • Online DeZhi instance – http://zos.efglobe.com • Soldier of Fortran/Mainframed/Phil Young – http://mainframed767.tumblr.com – @mainframed767 – YouTube • IBM “Master the Mainframe” course • BIRP – https://github.com/sensepost/birp – https://vimeo.com/96718889
  • 37. __ __ __ ……………….. | |_| |--.---.-.-----.| |--.-----. | _| | _ | || <|__ --| |____|__|__|___._|__|__||__|__|_____| • Phil Young++ • Unnamed customers • IBM • DerbyCon
  • 38. __ __ __ .-----.-----| |_ |__| |_ | _ | -__| _| | | _| |___ |_____|____| |__|____| |_____| • Code https://github.com/sensepost /birp /mainframe_brute • Contact @singe dominic@sensepost.com

Notas del editor

  1. We’re talking IBM System Z systems and z/OS here. Used all over the place. Finance, Retail, Aerospace, Insurance, Engineering They weren’t replaced, they became the centre that other systems were built around These are not dead systems, they are actively maintained, IBM is releasing updates regularly
  2. We’re talking IBM System Z systems and z/OS here. Used all over the place. Finance, Retail, Aerospace, Insurance, Engineering They weren’t replaced, they became the centre that other systems were built around These are not dead systems, they are actively maintained, IBM is releasing updates regularly
  3. They won’t be around; they’ve been around for year and will continue to be for many more They’re very secure; too much obscurity and complexity for assured security, limited testing, assumptions that have persisted for decades Downtime; they’re more stable than you think Hard to learn; difficult community, z/OS has little commonality every command must be learned, hard to get legal access to device for testing Legal frameworks; auditors are required to legally contract with IBM to test customer stuff, highly restrictive copyright Forgotten; many in the community are retired or retiring, some have died
  4. They won’t be around; they’ve been around for year and will continue to be for many more They’re very secure; too much obscurity and complexity for assured security, limited testing, assumptions that have persisted for decades Downtime; they’re more stable than you think Hard to learn; difficult community, z/OS has little commonality every command must be learned, hard to get legal access to device for testing Legal frameworks; auditors are required to legally contract with IBM to test customer stuff, highly restrictive copyright Forgotten; many in the community are retired or retiring, some have died
  5. Or, a very brief introduction into technology and terminology that I don’t fully understand.
  6. There is a ton of info about TSO I’m not sharing. Soldier of Fortran’s work is a great primer. This talk is focused on the apps. TSO – Time Sharing Option CLIST – Command list REXX – Restructured Extended Executor JCL – Job Control Language ISPF - Interactive System Productivity Facility OMVS – Open MVS (Multiple Virtual Storage) CICS – Customer Information Control System IMS – Information Management System IMS: includes a transaction manager and database
  7. TSO-Brute and psiotik are written by Phil Young (Soldier of Fortran / Mainframed) TSO-Brute provides a fantastic method for scripting interactions with mainframes, despite being slower. Highly recommended to use as a base to modify.
  8. Both mainframe bruter and screenshotter are easily extendable for more advanced interactions. Start of a BURP intruder equivalent. Based on TSO-Brute by mainframed Demo screenshotter & mainframe_bruter
  9. Both mainframe bruter and screenshotter are easily extendable for more advanced interactions. Start of a BURP intruder equivalent. Based on TSO-Brute by mainframed Demo screenshotter & mainframe_bruter Ports can connect directly to a app or region There can be multiple instances of an app across regions Screenshotting tools screenshotter.py 3270_screen_grab.nse (mainframed)
  10. Both mainframe bruter and screenshotter are easily extendable for more advanced interactions. Start of a BURP intruder equivalent. Based on TSO-Brute by mainframed Demo screenshotter & mainframe_bruter
  11. Attack surface overview example. Grey callouts are ports.
  12. Telnet-like protocol introduced in 1971 Allowed “green screen” terminals to go over network TCP/IP rather than hardwire Transmits “screens” made up of fields Response submits modified screen & fields Synchronous & Stateful All apps presented in same way i.e. TSO, CICS, IMS, REXX etc. all use it
  13. Useful to note that input fields are “not protected” rather than marked explicitly as such.
  14. Sample screen
  15. Demo against fandezhi.efglobe.com
  16. Eerily similar to web application Hidden fields Modifying un-modifiable inputs But, markup & protocol not separated here Bypass developer assumptions Vuln exists everywhere developer made bad assumption New family of mainframe application vulnerabilities
  17. Obscurity discourages people looking, but doesn’t prevent the finding Handful of days and as a tourist I found a critical vuln across all apps IBM chooses not to disclose (need to know) to prevent attacks from being made public Some merit in this (publish == inc in attack) World has gone the other way – bug bounties I found this in a handful of days, initial hack was 45mins of work, as a n00b Highly likely others have discovered this in 30+ years, not disclosing != no exploits