On 31/1/22 4:09 am, Itschak Mugzach wrote:
Once they got root, they were able to unload the RACF DB that was not well protected and run an (open source) password cracker. They had time to get many user passwords.

Wrong! The "John the Ripper" cracking of RACF databases was a separate incident, although there could be a correlation.


No user SVC was involved, not needed.

I never claimed there was. You have incorrectly connected my comment about "magic SVCs" to the Logica breach.


I don't know where David collects his information, but the breach is well documented in many reports.
One of my colleagues was a member of the OMVS development team at the time of the Logica breach and we have discussed it at length. He was part of the investigation team and to this day he is convinced Anakata was not working alone. He was also surprised there was so much information about it in the public domain.

A large portion of the source code of the attack is in the public domain. I know Tom is a more than capable C programmer, so I suggest taking a look at the meat of the hack. Elevation to root exploited a NetView REXX exec called CNMEUNIX, which enabled him to invoke "setuid 0" to get root. Getting root gives you admin control in z/OS UNIX, but you're not running authorized and certainly can't steal the RACF database. The interesting code is DeFeNeStRaTe.C [1], which exploits an APF-authorized zFS module, IOELMD10. It's a classic "clobber the return address (R14) and run my shell code" exploit, similar to return-to-libc exploits on Linux systems where a hacker calls code in kernel space and then overflows a buffer with malicious code which gets control still in kernel space. Check out the "shellcode_full" string, which contains the code that is called from the APF-authorized code. That's where MODESET is called and the ACEEFLG3 bits are set. At this point the attacker has the keys to the kingdom.

[1] https://github.com/mainframed/logica/blob/master/DeFeNeStRaTe.C


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN