I agree with Binyamin. If you can submit a job (via ftp in this example),
you can run something which can listen on an unprotected TCP/IP port. What's
the big deal? If you can't upload a compiled program, you can use REXX
socket support to write your code in REXX, copy it from "sysin" to a member
of a temporary PDS, then run a TSO step which executes the REXX code by
putting your temp PDS on the SYSPROC or SYSEXEC DD concatenation. What's
the big deal? It doesn't give you UNIX root or RACF SPECIAL or any other
special powers, other than perhaps an interactive environment which you
wouldn't normally have if you had an "ftp only" RACF id. If I thought it
were a hole, it would be an easy one to close by making your ftp-only users
RESTRICTED so that they can only access files to which they are explicitly
allowed. Then put in a PROGRAM ** backstop. This will stop the majority of
programs from being runnable by the user.


On Mon, Dec 9, 2013 at 2:15 PM, Binyamin Dissen
<[email protected]> wrote:

> On Mon, 9 Dec 2013 10:55:29 -0800 Phil Smith <[email protected]> wrote:
>
> :>One of our folks sent me this YouTube video of a presentation from
> BayThreat. Metasploit allegedly used to compromise a z/OS machine. Looks
> like it uses ftp and a legit user credential to maybe escalate privileges,
> but not clear. No sound on the video (~ 3 mins).
>
> :>http://www.youtube.com/watch?v=hTfgFSbvkHU
>
> :>Thoughts? I suspect this is either BS or is based on a vanilla system
> with no ESM.
>
> Don't see the exploit.
>
> He has a userid/password, and submits a job that listens. No big deal.
>
> --
> Binyamin Dissen <[email protected]>
> http://www.dissensoftware.com
>
> Director, Dissen Software, Bar & Grill - Israel
>
>
> Should you use the mailblocks package and expect a response from me,
> you should preauthorize the dissensoftware.com domain.
>
> I very rarely bother responding to challenge/response systems,
> especially those from irresponsible companies.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>



-- 
This is clearly another case of too many mad scientists, and not enough
hunchbacks.

Maranatha! <><
John McKown

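The job John describes above, written out as an added example (this is not code from either poster, nor from the BayThreat talk): step 1 uses IEBGENER to copy an inline REXX exec from the input stream into a member of a temporary PDS; step 2 runs batch TSO (IKJEFT01) with that PDS on SYSEXEC and invokes the exec, which binds a TCP socket and accepts one connection. It is submitted through the z/OS FTP server the same way as any other job (`quote site filetype=jes`, then `put` the file). Assumptions: the job card account string `(ACCT)`, port 4444 being free and not reserved in PROFILE.TCPIP, and the TCP/IP REXX socket function package (`SOCKET()`) being reachable from batch TSO, which it normally is via the link list. `DLM=@@` is used on SYSUT1 so that the `/* REXX */` comment line is not taken as the end of the in-stream data.

```jcl
//LISTEN   JOB (ACCT),'REXX LISTENER',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Step 1: copy the inline REXX (SYSUT1) into member LISTEN of a
//*         temporary PDS. DLM=@@ so the /* in the REXX comment is data.
//COPY     EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSIN    DD DUMMY
//SYSUT2   DD DSN=&&REXXLIB(LISTEN),DISP=(NEW,PASS),UNIT=SYSDA,
//            SPACE=(TRK,(1,1,1)),
//            DCB=(RECFM=FB,LRECL=80,BLKSIZE=3120,DSORG=PO)
//SYSUT1   DD DATA,DLM=@@
/* REXX - one-shot TCP listener: bind, accept one client, echo one read */
port = 4444                     /* ASSUMED free, unreserved port        */
parse value socket('INITIALIZE','LISTEN') with rc .
if rc <> 0 then do; say 'INITIALIZE rc='rc; exit 12; end
parse value socket('SOCKET','AF_INET','SOCK_STREAM','TCP') with rc ls .
if rc <> 0 then do; say 'SOCKET rc='rc; exit 12; end
call socket 'SETSOCKOPT', ls, 'SOL_SOCKET', 'SO_REUSEADDR', 'ON'
parse value socket('BIND', ls, 'AF_INET' port '0.0.0.0') with rc .
if rc <> 0 then do; say 'BIND rc='rc; exit 12; end
call socket 'LISTEN', ls, 1
say 'Listening on port' port 'as' userid()
parse value socket('ACCEPT', ls) with rc cs peer
if rc <> 0 then do; say 'ACCEPT rc='rc; exit 12; end
say 'Accepted socket' cs 'from' peer
/* Nothing translates EBCDIC/ASCII on the wire: the banner is sent as
   ASCII bytes ("ready" CR LF) and the client's bytes are echoed as-is */
call socket 'WRITE', cs, '72656164790D0A'x
parse value socket('READ', cs, 1024) with rc len data
if rc = 0 & len > 0 then call socket 'WRITE', cs, data
call socket 'CLOSE', cs
call socket 'CLOSE', ls
call socket 'TERMINATE', 'LISTEN'
exit 0
@@
//* Step 2: batch TSO with the temp PDS on SYSEXEC; delete it afterwards
//RUN      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSEXEC  DD DSN=&&REXXLIB,DISP=(OLD,DELETE)
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  %LISTEN
/*
```

Once the job is running, `nc <host> 4444` from another machine gets the `ready` banner and an echo of whatever is typed; SYSTSPRT shows the bind and accept messages under the submitter's user ID. That last point is the practical check: the listener has exactly the authority of the id that submitted it, nothing more, which is why the fix is to limit what that id can do (RESTRICTED, a PROGRAM backstop) rather than to treat job submission itself as the hole.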