On 31/1/22 10:52 am, Bob Bridges wrote:
I've been away a while; are we talking about Logica again? You may be thinking
of inet.conf, an OMVS file that I'm-not-an-OMVS-expert-but I'm sure is supposed
to be write-protected against non-admins.
They got access to root so can change any file in the system with impunity.
From a report:
/* Quote begins: */
One back door they installed once they were in is a program of their own design
that initiated contact with an internet server designated by the hackers,
using port 443. This routine port helped deflect attention, but even more
important is that the mainframe program was acting as a client; since the
traffic was outgoing, initiated by SY19, many of the firewall measures against
hacking would ignore it. The hackers would contact the outside server at their
convenience and communicate with the mainframe.
They also updated inet.conf, a Unix configuration file that must surely be
write-protected against unauthorized changes. It’s supplied by IBM, and a line
added to it can define a service, granting SUPERUSER status to (in this case)
an incoming port-443 stream....
There was also a description of a process by which an ordinary ID could gain be
switched to UID(0) GID(0), gaining root access. My copy of the Logica report
says “The actual content of ‘go.rx’ script can be seen in Figure 91 on page
156....The script takes two arguments, first the numerical UID to switch to,
then the numerical group ID for the group under which the new command
interpreter should be launched. If successful executed, this program would
switch the user to a new user, without logging out and in, thus effectively
getting the new user’s system-access permissions without having been prompted
for a password.” But the REXX code is redacted from my copy....
/* Quote ends */
The ID they stole initially, I gather, did have read access to the RACF
database, never a good idea; that's how they were able to get so many passwords
afterward, by downloaded it and applying John-the-Ripper to it at leisure.
---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
/* Every movie has maybe one or two or three compelling reasons why it should
be made. One is that this is a beloved book and people are going to want to
see an adaptation. But you had better figure out the other two, because at the
end of the day, this is a motion picture. -Ron Howard */
-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Tom
Brennan
Sent: Sunday, January 30, 2022 18:18
Thanks, so the ASM program from the blog was never used, but the main problems
were:
1) Some way to get UID=0 access (I think Soldier of Fortan mentioned this years
ago, which I hope has been fixed).
2) RACF DB that was not read protected (not the brightest)
--- On 1/30/2022 12:09 PM, Itschak Mugzach wrote:
Ho Tom,
Once they got root, they were able to unload racf DB that was not well
protected and run an (open source) password cracker. They had time to
get many user passwords. No user SVC was involved, not needed. I don't
know where David collects his information, but the breach is well
documented in many reports.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
