Ho Tom, Once they got root, they were able to unload racf DB that was not well protected and run an (open source) password cracker. They had time to get many user passwords. No user SVC was involved, not needed. I don't know where David collects his information, but the breach is well documented in many reports.
Best, ITschak *| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and IBM I **| * *|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|* *Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il **|* On Sun, Jan 30, 2022 at 9:39 PM Tom Brennan <t...@tombrennansoftware.com> wrote: > Hi Itschak, > > Yes, like you I've written SVC's, although I never came across one of > these "magic" ones. I've also written code to mess with the ACEE bits > similar to that hack sample. But this was under control of APF, with > auditor and management approval. > > My question is how the user got that far, and I haven't yet figured that > out from the blog page. For example, how did they get an address space > going where they could even run the code to set the ACEE bits. And did > they implement the SVC 242 or was it there already. I just don't have > enough information to lay blame, or don't fully understand the blog. > > On 1/30/2022 12:07 AM, Itschak Mugzach wrote: > > Tom, > > > > This is an old trick that allows a program to call SVC to switch to > > supervisor mode and key zero. Once you are there, you can do almost > > everything. for example, login to another user without specifying a > > password, use the bypass userid, and so on. > > > > However, David only mentions a facility that is quite common, but hasn't > > proved it was used in an illegal operation. > > > > Best, > > ITschak > > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
