Update: The PR was accepted. Update your Metasploit installation and have a look!
Version 1 of an APF privilege escalation (Requires Creds) of a metasploit module has been submitted for inclusion. This version has no bells or whistles.
You can view it here:
PR# 8228 z/OS Privesc via authorized APF library write access
Next week at SHARE – San Jose, I’m giving a talk on ransomware on z/OS. I’ve been asked multiple times if I thought ransomware could happen on Z, is it possible: Unequivocally yes. Come see this talk and watch a live demonstration of how this might work. If you are responsible for mainframe security, work for a company with a mainframe, or just want to better understand the landscape of this particularly insidious threat, don’t miss this talk.
Ransomware is a combination of 3 basic moving parts:
We will also look at how to attempt to mitigate this catastrophic event, as well as ideas about how to recover from it. Items such as two-factor authentication, proper ICSF / RACF security controls, egress filtering and intrusion detection.
I was asked a week or so ago whether or not I thought z/OS would be susceptible to the types of Java deserialization attacks we’ve seen (a great primer from Fox Glove Security). Of course!, I replied. However, I don’t like unsubstantiated claims – so I built this POC:
It uses the basic ysoserial payload generator found on Github. The SerialTestPlain.java file I use to test is from a blog here:
The source is simple:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
import java.io.ObjectInputStream; import java.io.ByteArrayInputStream; import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; import java.io.InputStream; import org.apache.commons.collections.*; public class SerialTestPlain{ public static void main(String args[]) throws Exception{ Bag bag = new HashBag(); Path path = Paths.get(args[0]); byte[] data = Files.readAllBytes(path); InputStream d = new ByteArrayInputStream(data); ObjectInputStream ois = new ObjectInputStream(d); ois.readObject(); } } |
Simple enough right? Java on the mainframe is basically Java anywhere. The only major gotcha (which should come as no surprise to anyone) are with issues of character translation EBCDIC<->ASCII. In this case, the ysoserial jarfile I built on x86 and just binary copied it to OMVS and that worked out of the box.
Other times I’ve had to use an a2e / e2a custom decoder – just depends on the implementation. Currently working to test the JBoss exploits and modify them, if need be, in MSF for z/OS. More as that unfolds!
NOTES:
While testing this POC first on x86, I kept running into an error like this:
|
1 2 |
Exception in thread "main" java.lang.annotation.IncompleteAnnotationException: java.lang.Override missing element entrySet at sun.reflect.annotation.AnnotationInvocationHandler.invoke(AnnotationInvocationHandler.java:81) |
The above mentioned blog helped – Basically Java 1.8u72 (since last December) needs to have the most current version of ysoserial, and use the CommonsCollections5 in order to work (and it does). Prior versions of Java work just fine with the Release Version (0.04) of ysoserial.
Also, aside from fixes that are library based (like the Adobe Commons Collections one used here), most fixes to this bug have to happen in customized code, often written by organizations. That makes this vulnerability particularly ugly and potentially difficult to mitigate.
The first z/OS exploit module in the Metasploit Framework, landed last Friday.
This is an exploit which takes advantage of a default or poorly configured FTP server. And, it requires valid credentials. However, given this (and it’s a very common configuration), you will be presented with a very nice Unix shell – allowing for deeper testing of the system.
This is how it begins: attackers look for low hanging fruit. The evolution of pentesting tools for the mainframe has to start somewhere, and this is the first concrete milestone in what has been an ongoing journey. Many x86 exploits are simply taking advantage of default configurations or poorly written code. z/OS is no different – it can suffer from neglected configurations and defaults like all other OS’s. So, that’s where I started. From here, we’ll build on default configuration exploits and work up and on through binary / code exploitation. Baby steps.
At any rate – I’m very proud of how this turned out. Thanks to those who helped in the prototyping phases (SoF & others noted within the exploit) – and as always, the super helpful folks on the MSF teams. For those of you testing mainframe systems – hopefully it’ll help red teamers with an easy win and start the conversation on securing the big iron.
There are more goodies in the queue, so stay tuned!
Had a great interview with Patrick on the Risky Business podcast. Listen here:
# update 3/31 – added Reverse Shell JCL – this can be used by any direct-to-JES2 delivery method (e.g. FTP, NJE, etc)
In continuation of adding more mainframe functionality to Metasploit, I’ve built (and am in the process of incorporating) JCL (job control language)-based payloads (and exploits which use them) within the framework.
Once these updates are complete, Metasploit users with credentials (or some other type of vulnerability exploit), will be able to submit jobs directly to JES2 via ftp(/s) or NJE (hats off to Soldier of Fortran, for the python prototype of NJE).
I’ll keep a running tally of the Pull Requests here, along with demonstrations and updates.
The first PR is simply a basic JCL cmd payload, that does nothing but submit a job which always returns a code 0 (success).
Here’s a screenshot of one of the finished exploit modules that will be submitted for inclusion soon:
More to come!
One item that has eluded me in my continuing quest to dive deeply into z Systems architecture is finding a native (IBM-supplied) assembler debugger/disassembler** on the platform that is fully functional, user-friendly and versatile.
Quickly I gave up on user-friendly and versatile and settled on trying to find one that was fully functional; simply stated – can execute and sustain integrity through any command in the POP manual. Of the 4 debuggers on the system, or as part of an add-on package, all have major out-of-the box ‘features’ that prevent them from being a worthwhile tool to anyone who has used a modern debugger (Like Immunity, Olly, or even GNU’s gdb).*
For this platform, my criteria for fully functional was this:
The first 3 are functions unique to the z/Architecture platform, and I would expect at least the 3 z/OS based debuggers to handle (and possibly the one OMVS/USS based one also). None do. At least out of the box. A quick list of the debuggers tried, and their limitations is at the end of this post.
