On 31/1/22 4:09 am, Itschak Mugzach wrote:
> Once they got root, they were able to unload the RACF DB that was not well
> protected and run an (open source) password cracker. They had time to get
> many user passwords.

Wrong! The "John the Ripper" cracking of RACF databases was a separate
incident, although there could be a correlation.

> No user SVC was involved, not needed.

I never claimed there was. You have incorrectly connected my comment
about "magic SVCs" to the Logica breach.

> I don't know where David collects his information, but the breach is well
> documented in many reports.
One of my colleagues was a member of the OMVS development team at the
time of the Logica breach and we have discussed it at length. He was
part of the investigation team and to this day he is convinced Anakata
was not working alone. He was also surprised there was so much
information about it in the public domain.
A large portion of the source code of the attack is in the public
domain. I know Tom is a more than capable C programmer so I suggest
taking a look at the meat of the hack. Elevation to root
exploited a NetView REXX exec called CNMEUNIX which enabled him to
invoke "setuid 0" to get root. Getting root gives you admin control in
z/OS UNIX but you're not running authorized and certainly
can't steal the RACF database. The interesting code is DeFeNeStRaTe.C
[1] which exploits an APF-authorized zFS module, IOELMD10. It's a
classic clobber-the-return-address (R14) and run-my-shellcode exploit,
similar to return-to-libc exploits on Linux systems where a hacker calls
code in kernel space and then overflows a buffer with malicious code
which gets control still in kernel space. Check out the "shellcode_full"
string which contains the code which is called from the APF-authorized
code. That's where MODESET is called and the ACEEFLG3 bits are set. At
this point the attacker has the keys to the kingdom.
[1] https://github.com/mainframed/logica/blob/master/DeFeNeStRaTe.C
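The following is an added example, not part of the thread above and not code from DeFeNeStRaTe.C or from any IBM module. It is a small C model of the mechanism the post describes: an authorized routine switches state (the stand-in for MODESET), copies a caller-controlled length into a save area whose next slot is the saved return address (R14), and then "returns" through that slot, so the unauthorized caller decides where control goes while the routine is still authorized. It also shows the post's other point, that root in z/OS UNIX does not equal authorized: the same attacker code run without the authorized state changes nothing. Everything here is constructed: `struct frame`, `g_authorized`, `g_acee_flags` and the `MODEL_FLAG_PRIV` bit are hypothetical and do not reflect the real ACEE or ACEEFLG3 layout, and the payload is built inline rather than taken from the real exploit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the machine state the exploit targets (not z/OS):
 * g_authorized stands for "running authorized after MODESET",
 * g_acee_flags stands for the caller's RACF privilege byte.
 * MODEL_FLAG_PRIV is a hypothetical bit, not the real ACEEFLG3 layout. */
static bool    g_authorized = false;
static uint8_t g_acee_flags = 0;
#define MODEL_FLAG_PRIV 0x80u

typedef void (*ret_fn)(void);

/* Model of the authorized module's save area: the caller-supplied parameter
 * buffer sits directly below the slot holding the return address (R14). */
struct frame {
    char   parm[16];
    ret_fn saved_r14;
};

static void normal_return(void) { /* return to the unprivileged caller */ }

/* Attacker code, the analogue of "shellcode_full": it only achieves anything
 * if it gets control while the module is still running authorized. */
static void shellcode(void) {
    if (g_authorized)
        g_acee_flags |= MODEL_FLAG_PRIV;
}

void reset_model(void) {
    g_authorized = false;
    g_acee_flags = 0;
}

/* Vulnerable authorized service: MODESET, then copy whatever length the
 * unauthorized caller passed into the save area, then "return" via R14.
 * The model handles payloads up to sizeof(struct frame). */
uint8_t authorized_service_vulnerable(const void *data, size_t len) {
    struct frame f = { {0}, normal_return };
    g_authorized = true;                 /* MODESET: now running authorized  */
    memcpy(&f, data, len);               /* no bounds check against f.parm   */
    f.saved_r14();                       /* control goes wherever R14 points */
    g_authorized = false;
    return g_acee_flags;
}

/* Hardened version: validate the caller's length before switching state. */
uint8_t authorized_service_hardened(const void *data, size_t len) {
    struct frame f = { {0}, normal_return };
    if (len > sizeof f.parm)
        return g_acee_flags;             /* reject; never becomes authorized */
    g_authorized = true;
    memcpy(f.parm, data, len);           /* cannot reach saved_r14 */
    f.saved_r14();
    g_authorized = false;
    return g_acee_flags;
}

/* Constructed payload: filler for parm, then the address of shellcode in the
 * bytes where the saved R14 lives. Returns the privilege flags afterwards. */
uint8_t run_exploit_against(uint8_t (*svc)(const void *, size_t)) {
    unsigned char payload[sizeof(struct frame)];
    ret_fn target = shellcode;
    memset(payload, 'A', sizeof payload);
    memcpy(payload + offsetof(struct frame, saved_r14), &target, sizeof target);
    return svc(payload, sizeof payload);
}

/* The "root is not authorized" point: running the same attacker code as an
 * unauthorized caller (root in z/OS UNIX) flips nothing. */
uint8_t shellcode_as_unauthorized_root(void) {
    shellcode();
    return g_acee_flags;
}

int main(void) {
    reset_model();
    printf("root, not authorized: flags=0x%02x\n", shellcode_as_unauthorized_root());
    reset_model();
    printf("vulnerable module:    flags=0x%02x\n", run_exploit_against(authorized_service_vulnerable));
    reset_model();
    printf("hardened module:      flags=0x%02x\n", run_exploit_against(authorized_service_hardened));
    return 0;
}
```

The fix in the hardened path is the one that matters for any APF-authorized code that accepts parameters from unauthorized callers: every length and address supplied by the caller is checked before the state switch, not after, so a bad input is rejected while the routine is still unprivileged.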
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN