On 31/1/22 2:28 pm, Tom Brennan wrote:
Yes, it's probably just me still interested in the details of the
hack. So bear with me and I promise to be quiet soon.
So if they had a non-admin id, they certainly could have set up 443 as
a client to dump an unprotected RACF DB to a remote server. None of
that would need root access and could easily go undetected. Then once
cracked, they could look for an admin id that had
SPECIAL/OPERATIONS/UID=0 or whatever they wanted, and simply logon
using the hacked password. That makes sense so far.
What doesn't make sense is the references to getting ACEE bits or
UID=0 by various means. So maybe those references (like the ASM code
snip that calls SVC 242) were never really used and this hack was as
simple as:

See my other post for details and links to the exploit source code which
sets the ACEE bits.

1) Get network TCPIP access to a mainframe, either because the ports
are publicly available, via a compromised VPN company PC, etc.
2) Get a non-admin userid that can be logged onto via TSO, SSH, or
whatever, perhaps also from a compromised company PC.

It's my understanding that Logica stupidly used default accounts and
passwords for FTP which is how Anakata first gained access. After that
he had control of several user accounts. Nobody knows how this happened.
It could have been social engineering or an insider threat. He learned
z/OS and tested the exploit using Hercules and a pirated copy of the AD/CD.

3) Run some code under that id to dump the RACF DB to a remote server
4) Look for admin userids in the DB and crack a password
5) Logon to an admin userid through the same TCPIP method as #1
6) Do more bad stuff as root or SPECIAL, trying not to leave tracks.
Come to think of it, I seem to remember maybe 10 years ago or more,
wasn't it Thierry Falisard (sp.) who came up with a dictionary ripper
program that caused everyone (including me) to go check their RACF DB
read protection?
On 1/30/2022 6:52 PM, Bob Bridges wrote:
I've been away a while; are we talking about Logica again? You may
be thinking of inet.conf, an OMVS file that
I'm-not-an-OMVS-expert-but I'm sure is supposed to be write-protected
against non-admins. From a report:
/* Quote begins: */
One back door they installed once they were in is a program of their
own design that initiated contact with an internet server designated
by the hackers, using port 443. This routine port helped deflect
attention, but even more important is that the mainframe program was
acting as a client; since the traffic was outgoing, initiated by
SY19, many of the firewall measures against hacking would ignore it.
The hackers would contact the outside server at their convenience and
communicate with the mainframe.
They also updated inet.conf, a Unix configuration file that must
surely be write-protected against unauthorized changes. It’s
supplied by IBM, and a line added to it can define a service,
granting SUPERUSER status to (in this case) an incoming port-443
stream....
There was also a description of a process by which an ordinary ID
could be switched to UID(0) GID(0), gaining root access. My
copy of the Logica report says “The actual content of ‘go.rx’ script
can be seen in Figure 91 on page 156....The script takes two
arguments, first the numerical UID to switch to, then the numerical
group ID for the group under which the new command interpreter should
be launched. If successfully executed, this program would switch the
user to a new user, without logging out and in, thus effectively
getting the new user’s system-access permissions without having been
prompted for a password.” But the REXX code is redacted from my
copy....
/* Quote ends */
The ID they stole initially, I gather, did have read access to the
RACF database, never a good idea; that's how they were able to get so
many passwords afterward, by downloading it and applying
John-the-Ripper to it at leisure.
---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
/* Every movie has maybe one or two or three compelling reasons why
it should be made. One is that this is a beloved book and people are
going to want to see an adaptation. But you had better figure out
the other two, because at the end of the day, this is a motion
picture. -Ron Howard */
-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On
Behalf Of Tom Brennan
Sent: Sunday, January 30, 2022 18:18
Thanks, so the ASM program from the blog was never used, but the main
problems were:
1) Some way to get UID=0 access (I think Soldier of Fortran mentioned
this years ago, which I hope has been fixed).
2) RACF DB that was not read protected (not the brightest)
---
On 1/30/2022 12:09 PM, Itschak Mugzach wrote:
Hi Tom,
Once they got root, they were able to unload racf DB that was not well
protected and run an (open source) password cracker. They had time to
get many user passwords. No user SVC was involved, not needed. I don't
know where David collects his information, but the breach is well
documented in many reports.
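The two weaknesses the thread keeps coming back to are a RACF database that non-admins could read (dump it, crack it offline) and an inetd.conf entry that hands a superuser shell to an incoming port-443 stream. Below is an added example, not code from the list or from any of the posters, of the two checks a z/OS administrator would run to catch both: parse the output of a TSO LISTDSD command to confirm the RACF database profile has UACC(NONE) and is not in WARNING mode, and diff /etc/inetd.conf against a known-good baseline, flagging any unexpected service that runs under a UID 0 userid or points at a program outside the system directories. Everything in it is constructed: the LISTDSD layout only approximates the real report, the dataset name, userids, UID map, and service-to-port table are sample values, and the odd-looking inetd line is made up to exercise the check.

```python
"""Added example (not from the IBM-MAIN thread): two defender-side checks
for the weaknesses discussed above.

1. Is the RACF database dataset readable by users not on its access list
   (UACC other than NONE, or WARNING mode)?  Read from LISTDSD output.
2. Does /etc/inetd.conf define a service the baseline does not know about,
   especially one running as a UID 0 user or from an odd program path?

All input below is constructed for the example.  The LISTDSD layout is an
approximation of the real report; adapt the row regex to your site's output.
"""
import re

# --- Check 1: RACF database dataset profile ---------------------------------

# Constructed sample of LISTDSD DATASET('SYS1.RACFDS') ALL output.
LISTDSD_OUTPUT = """\
INFORMATION FOR DATASET SYS1.RACFDS

LEVEL  OWNER      UNIVERSAL ACCESS   WARNING   ERASE
-----  --------   ----------------   -------   -----
 00    SYS1            READ            NO      NO

AUDITING
--------
FAILURES(READ)
"""

# Matches the data row: level, owner, UACC, WARNING (YES/NO), ERASE (YES/NO).
_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(YES|NO)\s+(YES|NO)\s*$", re.M)


def parse_listdsd(text):
    """Return (dataset, uacc, warning_mode) from LISTDSD output."""
    ds = re.search(r"INFORMATION FOR DATASET\s+(\S+)", text)
    row = _ROW.search(text)
    if not ds or not row:
        raise ValueError("unrecognised LISTDSD output")
    return ds.group(1), row.group(3).upper(), row.group(4) == "YES"


def racf_db_exposed(text):
    """True if anyone not on the access list could read the database."""
    _, uacc, warning = parse_listdsd(text)
    return uacc != "NONE" or warning


# --- Check 2: inetd.conf drift ----------------------------------------------

# Constructed sample of /etc/inetd.conf.  Field order follows inetd:
#   service sock_type proto wait/nowait user program [args]
INETD_CONF = """\
# service  sock    proto  wait    user      program              args
otelnet    stream  tcp    nowait  OMVSKERN  /usr/sbin/otelnetd   otelnetd -m
shell      stream  tcp    nowait  OMVSKERN  /usr/sbin/orshd      orshd -LV
https      stream  tcp    nowait  OMVSKERN  /u/tmp/.x/srv        srv
"""

# Constructed: (service, program) pairs taken from a known-good copy.
BASELINE = {("otelnet", "/usr/sbin/otelnetd"), ("shell", "/usr/sbin/orshd")}
# Constructed: userid -> UID as the OMVS segment would report it.
UID_OF = {"OMVSKERN": 0, "WEBSRV": 200}
# Constructed: /etc/services subset, service name -> port.
PORT_OF = {"otelnet": 23, "shell": 514, "https": 443}
SYSTEM_DIRS = ("/usr/sbin/", "/usr/lpp/")


def parse_inetd(text):
    """Yield one dict per active (non-comment) inetd.conf entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 6:
            continue  # malformed; inetd would not start it either
        yield {"line": lineno, "service": f[0], "user": f[4], "program": f[5]}


def inetd_findings(text, baseline=BASELINE, uid_of=UID_OF, port_of=PORT_OF):
    """Entries absent from the baseline, with the reasons they stand out."""
    findings = []
    for e in parse_inetd(text):
        if (e["service"], e["program"]) in baseline:
            continue
        reasons = ["not in baseline"]
        if uid_of.get(e["user"]) == 0:
            reasons.append("runs as UID 0")
        if not e["program"].startswith(SYSTEM_DIRS):
            reasons.append("program outside system directories")
        findings.append({**e, "port": port_of.get(e["service"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    ds, uacc, warn = parse_listdsd(LISTDSD_OUTPUT)
    print(f"{ds}: UACC={uacc} WARNING={warn} exposed={racf_db_exposed(LISTDSD_OUTPUT)}")
    for f in inetd_findings(INETD_CONF):
        print(f"inetd.conf line {f['line']}: {f['service']} (port {f['port']}) "
              f"user={f['user']} program={f['program']}: {', '.join(f['reasons'])}")
```

Run as-is it reports the sample database as exposed (UACC READ) and flags the constructed `https` entry on all three counts; on a real system you would feed it the actual LISTDSD output and a copy of /etc/inetd.conf, and keep the baseline under change control so that any drift in either file is noticed rather than discovered after the fact.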
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN