Yes, it's probably just me still interested in the details of the hack.
So bear with me and I promise to be quiet soon.
So if they had a non-admin id, they certainly could have setup 443 as a
client to dump an unprotected RACF DB to a remote server. None of that
would need root access and could easily go undetected. Then once
cracked, they could look for an admin id that had
SPECIAL/OPERATIONS/UID=0 or whatever they wanted, and simply logon using
the hacked password. That makes sense so far.
What doesn't make sense is the references to getting ACEE bits or UID=0
by various means. So maybe those references (like the ASM code snip
that calls SVC 242) were never really used and this hack was as simple as:
1) Get network TCPIP access to a mainframe, either because the ports are
publicly available, via a compromised VPN company PC, etc.
2) Get a non-admin userid that can be logged onto via TSO, SSH, or
whatever, perhaps also from a compromised company PC.
3) Run some code under that id to dump the RACF DB to a remote server
4) Look for admin userids in the DB and crack a password
5) Logon to an admin userid through the same TCPIP method as #1
6) Do more bad stuff as root or SPECIAL, trying not to leave tracks.
Come to think of it, I seem to remember maybe 10 years ago or more,
wasn't it Thierry Falisard (sp.) who came up with a dictionary ripper
program that caused everyone (including me) to go check their RACF DB
read protection?
On 1/30/2022 6:52 PM, Bob Bridges wrote:
I've been away a while; are we talking about Logica again? You may be thinking
of inet.conf, an OMVS file that I'm-not-an-OMVS-expert-but I'm sure is supposed
to be write-protected against non-admins. From a report:
/* Quote begins: */
One back door they installed once they were in is a program of their own design
that initiated contact with an internet server designated by the hackers,
using port 443. This routine port helped deflect attention, but even more
important is that the mainframe program was acting as a client; since the
traffic was outgoing, initiated by SY19, many of the firewall measures against
hacking would ignore it. The hackers would contact the outside server at their
convenience and communicate with the mainframe.
They also updated inet.conf, a Unix configuration file that must surely be
write-protected against unauthorized changes. It’s supplied by IBM, and a line
added to it can define a service, granting SUPERUSER status to (in this case)
an incoming port-443 stream....
There was also a description of a process by which an ordinary ID could gain be
switched to UID(0) GID(0), gaining root access. My copy of the Logica report
says “The actual content of ‘go.rx’ script can be seen in Figure 91 on page
156....The script takes two arguments, first the numerical UID to switch to,
then the numerical group ID for the group under which the new command
interpreter should be launched. If successful executed, this program would
switch the user to a new user, without logging out and in, thus effectively
getting the new user’s system-access permissions without having been prompted
for a password.” But the REXX code is redacted from my copy....
/* Quote ends */
The ID they stole initially, I gather, did have read access to the RACF
database, never a good idea; that's how they were able to get so many passwords
afterward, by downloaded it and applying John-the-Ripper to it at leisure.
---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
/* Every movie has maybe one or two or three compelling reasons why it should
be made. One is that this is a beloved book and people are going to want to
see an adaptation. But you had better figure out the other two, because at the
end of the day, this is a motion picture. -Ron Howard */
-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Tom
Brennan
Sent: Sunday, January 30, 2022 18:18
Thanks, so the ASM program from the blog was never used, but the main problems
were:
1) Some way to get UID=0 access (I think Soldier of Fortan mentioned this years
ago, which I hope has been fixed).
2) RACF DB that was not read protected (not the brightest)
--- On 1/30/2022 12:09 PM, Itschak Mugzach wrote:
Ho Tom,
Once they got root, they were able to unload racf DB that was not well
protected and run an (open source) password cracker. They had time to
get many user passwords. No user SVC was involved, not needed. I don't
know where David collects his information, but the breach is well
documented in many reports.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
