On 31/1/22 2:28 pm, Tom Brennan wrote:
Yes, it's probably just me still interested in the details of the hack.
So bear with me and I promise to be quiet soon.
So if they had a non-admin id, they certainly could have set up 443 as a
client to dump an unprotected RACF DB to a remote server. None of that
would need root access and
Hello
Below is my IEASYMxx
SYMDEF(='')
I have created an alternate res pack with the name OSRESB; the currently
running one is OSRESA.
The RES volume datasets are already indirectly cataloged.
With the new RES I have done all the cloning plus the IPL text and am getting
the root volumes copied.
Is there any
On 31/1/22 10:52 am, Bob Bridges wrote:
I've been away a while; are we talking about Logica again? You may be thinking
of inet.conf, an OMVS file that I'm-not-an-OMVS-expert-but I'm sure is supposed
to be write-protected against non-admins.
They got access to root so can change any file in
From a report:
/* Quote begins: */
One back door they installed once they were in is a
On 31/1/22 4:09 am, Itschak Mugzach wrote:
Once they got root, they were able to unload racf DB that was not well
protected and run an (open source) password cracker. They had time to get
many user passwords.
Wrong! The "John the Ripper" cracking of RACF data bases was a separate
incident.
AFAIK, UID(0) (via CNMEUNIX) has nothing to do with reading
(downloading) the unprotected RACF Database.
There is another factor ... the uneducated/inexperienced administrators
did not protect a multi-session product (IIRC, it was TPX).
As well, the hackers found a bug in NVAS ... changing a
Thanks, so the ASM program from the blog was never used, but the main
problems were:
1) Some way to get UID=0 access (I think Soldier of Fortran mentioned
this years ago, which I hope has been fixed).
2) RACF DB that was not read protected (not the brightest)
On 1/30/2022 12:09 PM, Itschak
Hi Tom,
Once they got root, they were able to unload racf DB that was not well
protected and run an (open source) password cracker. They had time to get
many user passwords. No user SVC was involved, not needed. I don't know
where David collects his information, but the breach is well documented
Hi Itschak,
Yes, like you I've written SVCs, although I never came across one of
these "magic" ones. I've also written code to mess with the ACEE bits
similar to that hack sample. But this was under control of APF, with
auditor and management approval.
My question is how the user got
On Sun, 30 Jan 2022 10:24:39 -0600, Marna WALLE wrote:
>Another suggestion, if you don't have Shopz access... We provide a dummy FMID
>that has been pre-installed and is in a z/OSMF portable software instance
>format here
I was plodding along, restarting after network glitches. But, I think there's
now a server issue?
DATE 01/30/22 TIME 08:20:03 SMP/E GIMJVCLT OUTPUT SMP/E 36.108
httpGet
Another suggestion, if you don't have Shopz access... We provide a dummy FMID
that has been pre-installed and is in a z/OSMF portable software instance
format here
https://www.ibm.com/support/z-content-solutions/serverpac-install-zosmf/ (under
Try It). And, it has some dummy PTFs with it too,
+1
| Itschak Mugzach | Director | SecuriTeam Software | IronSphere Platform |
Information Security Continuous Monitoring for Z/OS, zLinux and IBM I |
| Email: i_mugz...@securiteam.co.il | Mob: +972 522 986404 |
Skype: ItschakMugzach | Web:
SMP (without the E) used flaky member names. You couldn't specify them in your
JCL, but then there was no reason to. Also, some RYO utilities that Gerhard
(ז״ל) and I used quite heavily used a hyphen in a member name as a wildcard; I
was quite unhappy when IBM made that illegal.
--
Shmuel
An SVC runs in supervisor mode; that's a much stronger privilege than UID(0).
It's trivial to write such an SVC, but any competent auditor would shoot you
down if you suggested it.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
That only works if there is such an SVC. A competent auditor would red flag it
immediately. Alas, not every auditor is competent :-(
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
That's how I do it:
//ADRDSSU EXEC PGM=ADRDSSU,REGION=0M,TIME=1439
//SYSPRINT DD SYSOUT=*
//LOOKHERE DD DSN=hlq.HFS.BACKUP.ZOS23.SERVICE.ROOT,
// DISP=(NEW,CATLG),
// SPACE=(TRK,(50858,1000),RLSE),UNIT=3390,VOL=SER=ZFSBK1
Hello Group
I am trying to move a maintenance root zfs which is 5000 cylinders in size.
The environment we have is two monoplexes. I tried dumping the root
into a shared DASD (MOD-27) but it fails with D37.
What's the best way to clone a zfs from one monoplex environment to another?
Our DASD
Tom,
This is an old trick that allows a program to call an SVC to switch to
supervisor mode and key zero. Once you are there, you can do almost
everything. For example, log in to another user without specifying a
password, use the bypass userid, and so on.
However, David only mentions a facility