Mainframe Surrogat Chains
Formal Metadata
Number of Parts: 374
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/49735 (DOI)
DEF CON Safe Mode, 152 / 374
Transcript: English (auto-generated)
00:15
And we are live. All right, we are here in another Q&A session
00:21
with Jake Labelle, talking about z/OS and surrogate chains. Jake, would you like to tell us a little bit about yourself and how you got into mainframe hacking? Hi, I'm Jake, that's, yeah.
00:40
So I guess how I got into it: my company does some jobs in it. I was looking at some of the reports they wrote and I went, that looks pretty cool. Looked at some pictures of mainframes and was like, yep, that looks like my type of thing. And yeah, just jumped right into it. I don't know, I think it looks cool.
01:04
And so just went for it. That's awesome. And I believe this is your first time presenting at DEF CON, correct? Yep, first time. So we have a tradition here at DEF CON: whenever you do your first talk, we welcome you onto the big stage with a drink.
01:23
This is for contributing content back to the community and taking the time to answer questions. So cheers to you, Jake. Welcome to DEF CON. Cheers. I may be jealous, we're filling up my drink though, so.
01:46
All right. Cheers. Yeah. So we've already got a few questions that have been going through the chat. You kind of already mentioned what got you into hacking mainframes.
02:01
So I'm going to go on to the next one. Most high-security systems' security plans will have periodic audits of rights to make sure that former superuser accounts cannot be taken advantage of. Your talk sort of goes into how these permissions get changed between users and how they're just sort of left alone. Did you encounter any of these issues
02:22
in audits where you're like, you have to remove these accounts, or is it pretty much a no-go on touching things? I guess within audit you'll have, for example: okay, we don't want to let some users access this special user, which is basically root. But what about that user, which has access to that user?
02:43
What about the user which has access to that user? Well, that's not really possible to audit. You don't really have the ability when you're, well, you probably could, and they probably should, but they don't. And can you use this technique that you had to,
03:03
like at one point you show this massive graph of nodes. Yeah. It looks like you were able to fully enumerate all of those chains. Could you extend that into some kind of security auditing? Yeah, a hundred percent. So someone else who worked at the company,
03:23
he made a tool. So this one is more of, not an exploitation tool, but one that you would use if you didn't have full access. But if you had full access, what you could do is, you're allowed to do what's called unloading the RACF database,
03:41
which is all the security. So you can just take that, and then offline you can use that to create all the tools. But this one's more for if you didn't have access: from your user, what can you access? But offline, someone else at the company was making a tool which takes the RACF database, puts it into any SQL database,
04:01
and then you can query it however you like. Well, that sounds handy. Someone else is asking: z/OS is tied to IBM. Do you think this could be applied to IBM i? Okay. I've never been on an IBM i. I need to be on an IBM i system just to see what it's like,
04:21
but I've never actually been on it. So I have no clue what the security is on there. Fair enough. So I've got to say that my knowledge of mainframes is fairly weak. At the beginning of your talk, you mentioned partitioned data sets versus normal ones
04:40
as if they were significantly different. Could you explain what the differences are in those? Yeah, so there's no such thing as folders in z/OS. I don't know why, but they like to have a flat file system. So instead of having that, you have data sets, and
05:03
data sets can have multiple members in them. So it acts like a folder, but they're all part of one single file. Okay. I don't know, it's how they do it. So we think of the partitioned data set as kind of like a file inside of a folder,
05:20
and the data set is the folder. Yeah, close enough? Yeah, close enough. Okay, fair enough. When I was going through it, the first thing was, okay, how do these correlate to Unix things? And then it was like, wait a minute, nothing correlates, what am I doing?
05:40
That's kind of where I was going to go with this, but you did mention the OMVS subsystem, I believe it was, that is a Unix-like environment. How comfortable would someone that is Linux-centric feel inside this OMVS environment? It's basically exactly the same. The only thing is that once you're in that system,
06:02
you can run anything on the mainframe as well. So you can run a TSO command, TSO being the normal mainframe part, and just go TSO whatever script you were going to run on the mainframe side. So it's exactly the same as any sort of Linux system, all the privileges are the same,
06:20
just, if you have it, you also have access to that user's mainframe stuff. Okay, got it, I think. So Jake, do you think your tool could work on ACF2 or TSS? Uh, again, never been on that.
06:40
I've only been on a couple of mainframe jobs. Okay, fair enough. But if it allows surrogate submission, then yeah, it would. So from my understanding, surrogates are delegating, it's like a tree of delegated permissions, right? So you get this surrogate permission for another user
07:03
and then you are effectively gaining all the rights of them, right? Depending on what type of surrogate you give; so the main one is you'll have user.* in class SURROGAT, and that means that you can submit a job as user.*,
07:20
but there are other types you can have. But a lot of times, if you have surrogate on one person, you can do all the stuff from that. For example, there's one that I had where surrogate allows you to do su, and if you can do su, you can run any TSO command. So it basically means you have full privileges on there.
07:44
Got it. So is it something that you generally have to specifically invoke to get the other user's permissions, or do they all just get wrapped up? So that's one of the things why it required the tool: if user one had submit on user two,
08:03
you couldn't just run user two's stuff, you have to run a job as user two, and that will get returned some time later. So that's why the tool was required: you don't have the privileges, but you can submit a job as that user.
08:21
Okay, I actually think that I literally have that in my head now. That's awesome, that was really well described. What are your thoughts on JCL? It's a great language. It's, what am I?
08:42
Yeah, it takes a while getting used to it, because reading the IBM docs is a skill in itself. I don't know if it's something I should be worried about, but I've actually started to be able to understand IBM documentation, and that's worrying.
09:01
I'm like, wait, wait, I get it now. But yeah, so JCL is just a way to submit batch jobs. Is there any kind of tooling that makes interacting with that kind of language easier,
09:20
or, I know that one of the current hot things is building languages on top of languages. So yeah, whenever I wrote my programs or any type of thing that I use, because it's just easier, with JCL I don't really understand how you pass
09:41
parameters to it. So I just put it all in one little REXX script and then it will just run itself. And REXX is just a scripting language, it's easy to use. So I just, yeah. Yeah, there was an example. Yeah, JCL. Yeah, that's why, it's just, what is it?
10:01
JCL, there are lots of programs that it can run, but I have no clue what they do. But it feels like I now know what the most important ones do. So that's fine. I mean, it's probably enough. If you know 75% of most systems,
10:20
you are very comfortable in that system. Yeah. So Jake, have you made any other tools that help to assist with mainframe hacking? Yeah, I've got a couple which vary in their usefulness. So I've got one which is,
10:41
so the database where all the security is held is just a database. So if you have write access to that, you have access to anything. So I created a quick tool which, if you do have write access to it, will look for your user, find the SPECIAL flag and just turn it to one.
11:02
So that's a tool which it's very unlikely that you'll have access for. That is something that is audited: make sure that no one has access to this file, because if they do, they have complete access to everything. What other tools? Oh, I made another, a SOCKS proxy in REXX.
11:22
So that allows you to, if there are any internal ports you want to hit, because everyone trusts the mainframe, so why wouldn't you accept all the firewall stuff from that? So if there's anything you want to hit from the mainframe, then there's a SOCKS proxy
11:41
which you can just run in REXX and then pass on to any port that you can see from there. So REXX is not just a scripting language like bash, which just consumes a bunch of tools. It is a language, fully capable of hosting network sockets and stuff like that.
12:03
Yeah, with REXX you can do anything you want to do. And there's also a, I don't really understand what the functionality is, but I know how to use it. So if you write something called ADDRESS, for example, if you want to write a TSO command, you write ADDRESS TSO. And that means that any command you run in quotes
12:24
runs as TSO. So the way I describe it is that you can run a program as another program, but I don't even know if that's actually what's happening. I just know that you can be like ADDRESS DB2, which is an SQL database in IBM. And that will then run a command as DB2.
12:43
So it's a fairly useful language, especially as you can just literally be like, this program, I want to run this command. Yeah, it will do it. Mainframe is asking, could you talk a little bit more about TK4 and the difference between it and z/OS?
13:04
So TK4 is a beautiful thing. It's an open source mainframe from, well, it's public domain, I don't know what the specific term is, but in 1980,
13:21
they made a mainframe operating system which is now in the public domain. And so from the tools they made from there, they've created TK4, and TK4 just allows you to muck around with it. I think I put a link in my presentation, but if you want, just download TK4,
13:42
you can run it on anything. I ran it off a Raspberry Pi. So it's kind of fun. Yeah, if you want to do JCL, you can install REXX on there, you can install KICKS, but also, actually, this was one of the things in my presentation
14:01
that I didn't know how to say: so there's something called CICS with a C and then something called KICKS with a K. And I was trying to say what the difference between them is, and I was just like, so yeah, on my program this has KICKS, but this has CICS on here. And I was like, wait a minute, I've just said this twice. But yeah, so KICKS is open source.
14:24
If you want to muck around with CICS, which is one of the most used things on a mainframe, it's kind of like a web server-ish type of thing. There's no equivalent to it, kind of, but yeah,
14:41
yeah, TK4 is really good if you want to just muck around with mainframe bits. Yeah, and it's completely open source. So muck around with that. Do you know of any good resources for learning how to use and operate a mainframe? Because coming into it cold, booting up a Raspberry Pi image
15:01
seems like... So, yeah, the best place, well, the thing is, this is a 1980s mainframe. So even the IBM docs don't tell you how to do things on this. So the two places where it's the most helpful, there's a Mattermost community
15:23
called mainframe.community, super helpful. If you have any questions, ask them on there, you'll actually get questions answered instead of just being told, ask your SME how to do this. So mainframe.community,
15:40
very good place for just stuff. Some other places you might find that your questions don't get answered, but that's good. One other place, there's this person called Moshix on YouTube.
16:01
Very, very helpful on TK4, how to install these things, how to do a lot of stuff on TK4. Excellent. Now, was there anything in your research or even in your presentation that you didn't get to, or that you wanted to look further into
16:21
that you maybe will look more into in the future, or you think it might be good if other people were to build upon what you've done? So on the surrogate chains, I've basically just done the *.SUBMIT privileges and the BPX.SRV.* privileges,
16:43
but there are other surrogate classes. I don't really know how they work, but if those other classes can get you access to everything, then they should also be added to the program.
17:03
If there's another surrogate that I've missed, then that's definitely something that should be added. Have you open-sourced the tools, are they publicly available at this point? Yeah, on GitHub I've put my tool. Let me just try.
17:20
Have you actually made it live, made it public? I'll fling it onto the... Into the track chat. Yeah. Oh, there are lots of chats. I'm very confused about where it is.
17:40
Yeah. I'm not much of a Discord user. Good luck finding it. It is in the DEF CON Talk Tracks group, and you can put it in track one. I found it. There you go. That's one of the things, when you're on a client call and you can't work out how the tech works, it's like, sorry, I'm trying to work out
18:01
how to get Skype working with my audio. Please give me 10 minutes to work this out. Running out of questions. Is there anything in particular that you want to talk about or advocate for,
18:22
any other areas of interest in the infosec world, anything like that? Anything you want to share? I guess there's the thing about, I think a lot of people are like, mainframes, why mainframes? What's the point of them? Yeah,
18:45
they're so incredibly, incredibly efficient. People are like, oh yeah, just go cloud. It's like, when you're trying to deal with millions of credit card transactions, it may not be the most cost-effective to do it on
19:03
an AWS instance. That might be pretty expensive. And the other thing is that all the code is already on the mainframe. So it's going to be pretty difficult to convert your COBOL code to, I don't know, whatever it is you're trying to
19:21
convert it to. Yeah. I believe the popular language is... Hawkeye is asking about bricking the mainframe. With any of the things that you play around with or do, is that a concern?
19:41
Is that something that you have to keep in mind? There's the thing where, on the client side, when you're testing a web app in a testing environment, you're like, okay, I'll just keep throwing stuff at it. Let's see what happens. Let's just keep throwing random
20:01
scripts at it. On a mainframe, you're like, hello, person I'm testing this on, can I throw this at this first? I don't want to break your massively expensive system. Let's just make sure this is okay first. Like a major backbone in your organization.
20:21
Can I just potentially screw it up right now? Yeah. So the fun thing is that on
20:42
a mainframe, the testing environment may be completely different to the actual production environment, which is great fun where you're like, oh look, I found something. Is this a thing in your actual...? No. Okay, cool. That was a good six hours looking at that.
21:01
Great, thanks. Cool. So it seems as though what you're doing is coming even more into demand. I'm seeing where people are looking for people that can program in COBOL and maintain mainframes. Is this something that you think might be an area
21:21
that would be good for people to get into? And if so, if somebody with experience wanted to make the jump over, what sorts of things could they look into? How could they even get started in being able to support or test or work with mainframes? So I guess if you're
21:40
in a company, you could just shadow a job. There's also, there is a z/OS 1.10 on Pirate Bay, which of course I would not be supporting; piracy is bad and very illegal, never do that. But if you do have that, that might be useful.
22:03
But yeah. So who still uses mainframes today? What industries or major companies, if you can say any, still make use of mainframes? So basically every bank that's big still uses mainframes.
22:22
Again, they're doing massive batch jobs and they already have all the infrastructure. So when they're like, okay, do we want to move everything to the cloud or do we want to continue on a mainframe? The answer to that question is, they're not going to change their entire system
22:41
to try and maybe, I don't even know if it would save money, but maybe, I don't know. And then I guess a lot of governments still use mainframes. For example, I think there was a freedom of information request to the UK government about what mainframes are still in use.
23:00
And one of the things that really got me was, this was to the people who do the treasury, I think. And they were like, okay, here are the four mainframes that are out of date that we use. And they're like 10 years old. And they also say,
23:20
here are three other mainframes that are managed by Fujitsu that we use. So through some research, I'm pretty certain that these are 20-year-old mainframes that have probably never ever been looked at. And I looked at them and was like, okay, what are the ones that are running? It's like, oh, these do all the customs
23:41
in the UK. Huh? I bet they never want to ever change that shit. They're literally like, we're never changing this 20-year-old mainframe that we have. No one's ever looked at it. It's not even an IBM mainframe. It's a special UK mainframe that got bought out by Fujitsu
24:01
that is now running the customs in the UK. And I'm like, this has never been looked at. Even if a mainframe specialist looked at it, they wouldn't be able to know anything. It's written in this weird language that I've never heard of. Maybe other people have heard of SCL. I don't know. Have you guys heard of that?
24:20
I think I've come across that in another DEF CON talk, maybe. I get exposed to a lot of things. We did have another talk related to past docs. K. Hole says, I've enjoyed various z/OS talks
24:41
at DEF CON over the last few years. We'd never hear about mainframe security otherwise. Are they a common attack target, or do they tend to go overlooked because of the foreignness of the platform? What does the defense side look like outside of the kind of audits you mentioned? I don't actually know the access, so it feels like the only people
25:00
who would actually be able to access this are people who are fairly sophisticated. You wouldn't have just a random attacker going after a mainframe, because it's normally hidden in their internal network. So it'd probably be a nation-state attacker, or that type of level.
25:22
So I feel like if it's an attack, they wouldn't be going after financial stuff. So you wouldn't really ever see that it was happening, maybe, I don't know. I mean... Like, there was the... Oh, sorry, yeah. Oh, sorry, sorry. I mean, so this might've been in us chatting
25:40
before the actual stream started, but you did mention that you found some mainframes that were just exposed online, just by dropping something into Shodan. So maybe not just a deep internal threat. Yeah, so the majority of the ones I saw on Shodan were, there's actually a fun site
26:05
that Mainframe sent me about all the internet. It's just a bot that people have sent mainframe IPs to, and it just goes and scrapes the picture of the initial screen of it. I think it's fairly fun.
26:22
Fairly awesome, yeah. There are a couple of government ones, but a lot of them are just emulated ones. But yeah, I think the other thing I was going to say was that,
26:42
if a nation state ever got hold of something, it's unlikely they would ever reveal themselves in that way, that they had got access to that. It's not like a criminal organization where they'd be trying to go after those types of things. So, I don't know if this was in the news recently,
27:04
the owner of Pirate Bay hacked a mainframe. It was a while ago, but there's the... I must've missed that one. But how secure are they from the inside? Would it be as simple as just being able to access
27:22
somebody's workstation from inside to be able to get to the mainframe? Mainframe's saying it's the Logica breach. Yeah, the Logica breach. And the fun thing about that one as well is that they released, well, I don't know if they released on purpose, but all of the court documents were released. It's on GitHub, by the way. So you can see what fun tools they used
27:42
to access all the, to do all the stuff. Yeah, Mainframe says it's on WikiLeaks. So anyone out there that's looking for more information, apparently there's a lot more data out there. This sounds pretty fascinating.
28:01
Yeah, actually, writing a tool, I looked at Logica and I was like, wait a minute, they did this already. I got beaten by the hackers. By a dump of random hacker activity. I love it. So you just had to one-up them by presenting at DEF CON?
28:23
Yeah. So we are approaching the end of the time of our Q&A session. Is there anything else you want to talk about while you still have the camera? Nah, I think I'm all tapped out.
28:40
Fair enough. Well, thank you very much for doing this Q&A session. Thank you for presenting at DEF CON, once again for your first time. Really hope you come back. This was great content. I need to go to Vegas at least once. You've got to experience in-person DEF CON as well. Well, thank you very much and we'll talk to you later.