
Vulnerabilities in TN3270-based Applications


whois

Dominic [email protected]
@[email protected]

agenda

- Justification
- Structure & Reconnaissance
- Applications
- Application Regions
- TN3270 protocol-level vulns
- Disclosure Notes
- Bootstrapping

legacy

Context: IBM z/OS systems
- Still in heavy production use
- Often underpin critical business processes
- Actively maintained

Speaker notes: We're talking IBM System z hardware and z/OS here. Used all over the place: finance, retail, aerospace, insurance, engineering. They weren't replaced; they became the centre that other systems were built around. These are not dead systems: they are actively maintained and IBM releases updates regularly.


verboten

We fail for not pwning mainframes. The usual excuses:
- They won't be around much longer!
- They're very secure!
- Concerns about downtime & failures
- It's hard to learn & practice
- IBM's legal frameworks
- More forgotten than you'll learn

Speaker notes:
- They won't be around: they've been around for years and will continue to be for many more.
- They're very secure: too much obscurity and complexity for assured security, limited testing, assumptions that have persisted for decades.
- Downtime: they're more stable than you think.
- Hard to learn: difficult community; z/OS has little commonality with anything else, so every command must be learned; hard to get legal access to a device for testing.
- Legal frameworks: auditors are required to contract with IBM to test customer systems; highly restrictive copyright.
- Forgotten: many in the community are retired or retiring, some have died.


Or, a very brief introduction to technology and terminology that I don't fully understand.

platform

- Mainframe/Host == big hulking pieces of hardware running z/OS (or z/VM)
- Partitioned into lots of partitions called LPARs (logical partitions)
- Each LPAR can run different stuff, e.g. IBM z/OS (mainframe) or, with z/VM, Linux (Red Hat)
- 1972 hypervisors, baby!
- Lots of LPARs (across hardware too) is a Sysplex

wire/d

- SNA: Systems Network Architecture. Inter-mainframe or peripheral comms.
- TN3270/E: 3270 terminal emulation over Telnet.
- VTAM: Virtual Telecommunications Access Method. The subsystem that implements SNA; often the first thing you connect to on a mainframe.
- LU / PU: Logical/Physical Unit. Connections to VTAM (wired vs multiplexed). A TN3270 connection to a mainframe usually gives you an LU.

apps

- TSO: the z/OS CLI. Traditional process accounting; CLIST/REXX/JCL scripting.
- OMVS / USS: Unix.
- ISPF: menu screens (the "GUI").
- Transaction managers: CICS (modern bindings), IMS (MQ style). Efficient high-volume processing; applications run within these, written in COBOL / FORTRAN / Java.
- Lots of other stuff, e.g. databases (DB2 & IMS); Unix services (FTP, HTTP, WebSphere, MQ); etc.
- Security subsystems (external security managers): RACF, ACF2.

Speaker notes: There is a ton of info about TSO I'm not sharing. Soldier of Fortran's work is a great primer. This talk is focused on the apps.
- TSO: Time Sharing Option
- CLIST: Command List
- REXX: Restructured Extended Executor
- JCL: Job Control Language
- ISPF: Interactive System Productivity Facility
- OMVS: Open MVS (Multiple Virtual Storage)
- CICS: Customer Information Control System
- IMS: Information Management System; includes both a transaction manager and a database

portscanning

Application ports == TN3270:
- 23: default, often VTAM
- 992: default with SSL enabled
- 1023, x0xx: application environments (direct into CICS/IMS regions)
- 2323, x023, x992: other ports to check
- Ignore Nmap's "OS/390 SNA" label

FTP:
- Provides access to both worlds (TSO datasets & OMVS files)
- Respects wildcards (*.RACF*.*)

Other:
- DB2 (5023) & MQ (1415)
- HP/BMC/Tivoli monitoring, WebSphere
- One host can have lots of IPs: on the order of 10-20

creds

Not much you can do without creds.
- Legacy password policies: 8 character length restriction, no special characters.
- FTP: fantastic traditional brute-force point.
- TSO: user enumeration flaw (the logon prompt responds differently to an unknown userid than to a wrong password for a valid one). Tools: TSO-Brute / psiotik (mainframed).
- App creds: user enumeration flaws are common; sometimes weaker password policies than the system itself.

Speaker notes: TSO-Brute and psiotik are written by Phil Young (Soldier of Fortran / mainframed). TSO-Brute provides a fantastic method for scripting interactions with mainframes, despite being slower. Highly recommended as a base to modify.

fingerprinting

- Ports can connect directly to an app or region.
- There can be multiple instances of an app across regions.
- Screenshotting tools: screenshotter.py; 3270_screen_grab.nse (mainframed).

Speaker notes: Both mainframe_bruter and screenshotter are easily extendable for more advanced interactions, the start of a Burp Intruder equivalent. Based on TSO-Brute by mainframed. Demo: screenshotter & mainframe_bruter.


fingerprinting (continued)

Don't stop at ports only!
- VTAM is a multiplexer of sorts: it lets you connect to different applications, and can connect you to other LPARs & sysplexes.
- Uses APPLIDs or macros: LOGON APPLID(TSO) vs TSO
- APPLID bruting: mainframe_bruter.py, github.com/sensepost/mainframe_brute
- Poor man's parallelisation: xargs -P

spelunking

Don't take initial screens at face value; spider them like a web app.

IMS:
- PA24 to leave screen
- Alternate transaction invocation
- /display tran & /display psb
- Fuzz parameters and flow

CICS:
- Look for (brute) transaction codes, the equivalent of URL paths: mainframe_bruter.py again
- Fuzz parameters

Screenshotter is useful for mapping output.

surface

[Attack surface diagram, not recoverable from the text.] Attack surface overview example; grey callouts are ports.

TN3270

- Telnet-like protocol. The 3270 data stream dates from 1971 (the IBM 3270 terminal); TN3270 carries it over Telnet/TCP/IP rather than hardwired coax, so green-screen terminals could go over the network.
- Transmits screens made up of fields.
- The response (sent when an attention key such as Enter is pressed) submits the modified fields of the screen.
- Synchronous & stateful.
- All apps are presented the same way, i.e. TSO, CICS, IMS, REXX etc. all use it.

fields

A screen is: n x

A field marker (the field attribute byte) is a bit mask:

PRINTABLE      0xc0  # these bits make the attribute byte itself a "printable" character
PROTECT        0x20  # unprotected/protected
NUMERIC        0x10  # alphanumeric/numeric (PROTECT + NUMERIC together = auto-skip)
HIDDEN         0x0c  # display / selector-pen-detectable bits:
  INT_NORM_NSEL  0x00  # normal, non-detectable
  INT_NORM_SEL   0x04  # normal, detectable
  INT_HIGH_SEL   0x08  # intensified, detectable
  INT_ZERO_NSEL  0x0c  # non-display, non-detectable, i.e. hidden
RESERVED       0x02  # must be 0
MODIFY         0x01  # modified (the Modified Data Tag, MDT)

There's also a display bit mask for colours.

Useful to note: an input field is simply one whose attribute lacks the PROTECT bit. Nothing marks a field explicitly as input, so the host's only statement of what is editable is an attribute byte the client is expected to honour.

Sample screen:

  Hack me Bank
  USERNAME ________
  PASSWORD ________

The same screen with its field markers annotated (P1):

  Hack me Bank  USERNAME________  PASSWORD________

Legend: hidden & protected field; NULL bytes; unprotected field; unprotected & hidden field; field marker.

vulns

This is all managed by the client. So, hack our TN3270 emulator to:
- Allow editing of PROTECTED fields
- Show HIDDEN (non-display) fields

Works gangbusters! Three patches for x3270:
- Allow editing of protected fields
- Show hidden fields
- Combined patch

Demo against fandezhi.efglobe.com

Hack me Bank main menu as a stock emulator shows it:

  Hack me Bank Main Menu
  _ 1 Transfer Funds
  _ 2 Close Account

The same screen in the patched emulator (P2), with the hidden fields revealed:

  Hack me Bank Main Menu
  _ 1 Transfer Funds
  _ 2 Close Account
    3 Free Money      (hidden)
  LUSER               (hidden)

Results: auth bypass; access to other accounts; invoking restricted functions.

family

- Eerily similar to web applications: hidden fields; modifying "un-modifiable" inputs.
- But markup & protocol are not separated here: the attribute byte that says "protected" travels in the same data stream as the text, and only the client enforces it.
- Bypass developer assumptions: the vuln exists everywhere the developer assumed the emulator would behave.
- A new family of mainframe application vulnerabilities.
