Sometimes you hear of certain types of hacks on PCs (personal
computers), where they insert some code that allows them to control the
machine but most of the time lies there silently and unnoticed. That
is what this is on z/OS. If a person can get this code into a system
unnoticed and untraced, at some later time they or an accomplice can
invoke it to do anything they know how to do, as others have pointed
out. If they plan well, they can be sure that backups are corrupted for
a period of time before actually interfering with the running system,
making recovery a challenge.

Determining that this code is installed in the system is not rocket
science (not casting any aspersions here on Rocket Software). z/OS
hackers talk about looking for an SVC that would put a problem-state
program into supervisor state. This is just an updated version of the
same technique.
On 2021-10-30 1:06 p.m., Keven Hall wrote:
Hi Paul,

Yes, anybody can call this PC and it will branch to the address in R1 with PSW
key 0.
The target code probably is expected to issue a PR to return to the instruction
following the PC.
The system is basically compromised and unsecured.
Regards,
Keven Hall
On Oct 30, 2021, at 09:31, [email protected] wrote:

Hello,
I discovered this program and found it interesting.
When invoked from a non-authorized program it will switch the
calling routine into supervisor state.

This is the complete PC service routine.
*********************************************************************
         LCLC  &CSECT                 DEFINE LOCAL CSECT VARIABLE
&CSECT   SETC  'XMS@SVC'              INITIALIZE CSECT SYMBOL
&CSECT   AMODE 31                     ADDRESSING MODE
&CSECT   RMODE ANY                    RESIDENCY MODE
&CSECT   CSECT
         J     ZGO                    Jump around module identifier
*
         JMODID ID=&CSECT
*
ZGO      CNOP  2,4
         LM    1,2,0(1)               Load passed parameters
         SPKA  0(2)                   Set PSW key
         EREG  2,13                   Get caller's registers off stack
         BSM   0,1                    Branch back to user code
         LTORG                        Local literal pool
*
XMS@SVCP
         END   &CSECT
The above module resides in LPA and runs as a non-space-switching stacking
PC routine. The ETDEF for this module specifies a system LX.

A non-APF program can call this PC routine and switch into supervisor state.
The BSM 0,1 branches back into user code, which will now be running in
supervisor state.
The user code would eventually issue a PR instruction to remove the linkage
stack entry.
1st:
It is my assessment that the above code circumvents MVS integrity protocol.
Is my assessment correct?
2nd, for curiosity:
Once this PC routine branches back to the user's code (BSM 0,1),
the user code is running in supervisor state and would issue a PR
instruction to remove the entry from the linkage stack. I find this code very
messy.
How would the user code return to an instruction following the BSM so the PC
service routine would issue the PR instruction?

Paul D'Angelo
Gary Weinhold
Senior Application Architect
DATAKINETICS | Data Performance & Optimization
Phone:+1.613.523.5500 x216
Email: [email protected]
Visit us online at www.DKL.com