A STUXNET FOR MAINFRAMES

Cheryl Biswas

• Security researcher/analyst Threat Intel

• APTs, Mainframes, ICS SCADA, Shadow IT, StarTrek

• BSidesLV, Circle City, BSidesT0, SecTor, Hackfest, TiaraCon

• https://whitehatcheryl.wordpress.com

• Twitter: @3ncr1pt3d

DISCLAIMER: The views represented here are solely her own and not those of her employers, past or present.

11/4/2016@3ncr1pt3d A Stuxnet For Mainframes

HEAD IN THE SAND DEFENCE

YOU SAY SCADA

WE SAY … MAINFRAMES

MOM!! THE INTERNET IS BROKEN

INTRO

In the beginning

There were mainframes

And it was good.

Then came Scada. And it was good too. https://www.google.ca/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=0ahUKEwj85ODe-5HNAhVO3mMKHc8FAPoQjRwIBw&url=

http%3A%2F%2Ffossils-archeology.wikia.com%2Fwiki%2FAnkylosaurus&psig=AFQjCNGq6-7u8ZwwlVa8TYJrf2UIluqCyg&ust=1465253196880476

CONGRATULATIONS! IT’S A ... PLC

BUT THEN CAME ...

WHAT IS SCADA

I CAN’T LIVE ... IF LIVING IS WITHOUT YOU

DOES NOT PLAY WELL

WITH OTHERS

WHAT ARE MAINFRAMES?

MAINFRAMES … RIGHT?

THESE ARE NOT THE MAINFRAMES YOU’RE LOOKING FOR

THIS AIN’T YOUR GRANDMA’S MAINFRAME

MAINFRAMES - BUILT TO LAST• High Availability

• Longevity

• Virtualization

• The ability to offload to separate engines

• Backward compatibility with older software

• Massive Throughput

https://en.wikipedia.org/wiki/Mainframe_computer

@3ncr1pt3d A Stuxnet For Mainframes 11/4/2016

SCADA MAINFRAME❏ Culture❏ Security Approach❏ Perceptions❏ Built to Last❏ Closed off❏ Does not play well

with others

❏ Culture❏ Security Approach❏ Perceptions❏ Built to Last❏ Closed off❏ Does not play well

with others

Innovation

DisruptionWould you like some security

with that?

SECURITY BASICS WE KEEP GETTING WRONG❏ Passwords

❏ Encryption

❏ Access

❏ Patchinghttp://blog.senr.io/blog/unique-snowflakes-or-ubiquitous-tech-the-truth-behind-the-industrial-internet-of-things-iiot

ICS / SCADA - WHAT HAVE WE LEARNED?

"NONE OF OUR SCADA OR ICS

EQUIPMENT IS ACCESSIBLE FROM THE INTERNET."

O RLY?

PROJECT SHINE

1,000,000 SCADA ICS

DEVICES FOUND ONLINE

SCADA ATTACK VECTORS

SCADA ATTACKSMalicious Trojan

http://www.risidata.com/Database

SCADA ATTACKSStolen equipment

http://www.risidata.com/Database

SCADA ATTACKSSocial Engineering

http://www.risidata.com/Database

SCADA - JUMPING AIR GAPS• Designed for underwater communication

• Near ultrasonic frequency

• Remote key logging for multiple hops

http://www.jocm.us/index.php?m=content&c=index&a=show&catid=124&id=600

MAINFRAMES & SCADA - THE LINKS• Similar in Culture

• Lack of security

• Perceived as secure

• “Air Gapped”

• “See no evil” – cuz you don’t see it if you aren’t

looking

BUT IT’S AIR GAPPED“Mainframe modernization or exposing the classic

system of record data to new services means that the data is no longer isolated on the mainframe – the

world is now “unknown, unknown.” We have lost sight and control of where the data is going the minute we try to harness mainframe data for other purposes than

batch or transaction applications.”zOS Expert

http://www.symantec.com/connect/blogs/mind-gap-are-air-gapped-systems-safe-breaches

MAINFRAME - LACK OF ATTACK DATABecause … What you don’t see won’t hurt you

CULTURE

http://mainframed767.tumblr.com/post/79167015212/please-dont-post-on-mainframe-forums?is_related_post=1

MAINFRAME EXPLOIT RESEARCH

MAINFRAME - EXPLOIT RESEARCHBigendiansmalls

https://www.bigendiansmalls.com/category/security/exploit-development/

MAINFRAME - NMAP

Can now detect Mainframe portsMainframe banners are not staticMore accessible to others for hacking

http://mainframed767.tumblr.com/post/132669411918/mainframes-and-nmap-together-at-lasthttp://mainframed767.tumblr.com/post/47105571997/nmap-script-to-grab-mainframe-screens

MAINFRAMES - BIND SHELLCODEMainframe assemblerEBCDIC to ASCII converterConnect with NetCat

https://www.bigendiansmalls.com/mainframe-bind-shell-source-code/

ASCII TO EBCDIC

ASCII TOEBCDIC EBCDIC TO ASCII

LETS GET TECHNICAL

MAINFRAMES - STACK BUT DIFFERENT▪Mainframe prologue creates Dynamic Storage Area

▪Points to next free byte on the stack used

▪Does not subtract from ESP to allocate space

▪Register used as a stack pointer

▪Not forced to do so.

https://www.bigendiansmalls.com/smashing-the-zos-le-daisy-chain-for-fun-and-cease-and-desist-letters-guest-post-2/

ALLOCATION OF MEMORY - FUNCTION PROLOGUE

0x80123430x8012344Function Called0x8012345 - SFP

IP

EBP

MAIN()ESP

EBP

SFPESP +

ALLOCATION MEMORY - FUNCTION PROLOGUE

0x80123450x8012344Function Called

IP Allocated Memory

EBP

-28ESPMAIN() FUNCTION()

SFPESP +

ALLOCATION MEMORY - FUNCTION EPILOGUIE

IP

EBP

MAIN()ESP

EBP

SFPESP +

SFP

ALLOCATION MEMORY - DSA PROLOGUE

0x80123450x8012344Function “Called”

IPDynamic Storage Area

MAIN()

Pointer to original DS

DSA NOT STACK

Save Area

Not gonna happen

HOW TO EXPLOIT - STRING EXPLOITATION != WINAlways aware of length

StringStringStringStringString

Length

StringStringStringStri

Length

https://www.bigendiansmalls.com/smashing-the-zos-le-daisy-chain-for-fun-and-cease-and-desist-letters-guest-post-2/

AAAAAAAAAA

MAINFRAMES - UNIQUE TO EXPLOITS0C1 Exception

http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le

AAAAAAAAAAAAAAAAAAAAA

Memory containing Data

OPCODESOPCODE does not exist

No size checking

AAAAAAAA

Overflow causes execution to branch to another memory location

MAINFRAMES - UNIQUE TO EXPLOITS0C1 Exception

http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le

DSA Level 0 DSA 1

Returns to DS 0

DSA Level 0 DSA 2DSA

Level 1

Register 14 = RP

MAINFRAMES - UNIQUE TO EXPLOITGlobally addressed arraysS0C1 Exception

http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le

DSA Level 0 DSA 2DSA Level 1

Register 14 = RP

DSA 2DSA 1 DSA 3

Procedure returns to Level 1

Actually executes code in DSA2

MAINFRAMES - INSECURITY OF MEMORYMemory not more secure than Windows or Unix.No “DEP”No strict ASLR

http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le

ACCESSIBLE TO YOU!

FTP EXPLOIT

EXPLOIT/MAINFRAME/FTP/FTP_JCL_CREDS

MAINFRAME - FIRST METASPLOIT MODULEPoorly configured FTP server.FTP -> Shell

https://www.bigendiansmalls.com/a-logical-first-step/

FTP METASPLOIT MODULE

ARCH_CMD Executes a command, or uses a command to give a shell

Platform: Mainframe Uses the Mainframe payloads of metasploit

Target Automatic Only works with IBM FTP CS V.R.

Requires Credentials Credentials allow a file to be uploaded

Debugging enabled Can enable Verbose and FTPdebug

https://www.bigendiansmalls.com/a-logical-first-step/https://www.rapid7.com/db/modules/exploit/mainframe/ftp/ftp_jcl_creds

FTP METASPLOIT MODULEChecks BannerIf banner correct, logs in and uploads fileFile is uploaded as JOB & executes

https://www.bigendiansmalls.com/a-logical-first-step/@3ncr1pt3d A Stuxnet For Mainframes 11/4/2016

GENERIC JCL TEST FOR MAINFRAME EXPLOITSThis can be used as a template for other JCL based payloads

https://www.rapid7.com/db/modules/payload/cmd/mainframe/generic_jclhttps://www.bigendiansmalls.com/a-logical-first-step/

Z/OS (MVS) COMMAND SHELL, REVERSE TCPCreates a reverse shell.This implementation does not include ebcdic character

translation, so a client with translation capabilities is required. MSF handles this automatically.

https://www.rapid7.com/db/modules/exploit/mainframe/ftp/ftp_jcl_credshttps://www.bigendiansmalls.com/mainframe-bind-shell-source-code/

GENERIC COMMAND SHELLConnect back to attacker and spawn a command shell

HOW THE MIGHTY FALL

BIGENDIAN POC

11/4/2016@3ncr1pt3d A Stuxnet For Mainframes

STUXNET - SCADA

SCADA - STUXNET• Air Gap bypass

• APT

• C2

• Self erasing

• Specific to system it wants

• Nation State

SCADA -THE THREAT IS REAL• Dec 2015 Powergrid attack in

Ukraine

• March 2016 Ransomware hits US power company in Michigan

• June 2016 Irongate Targetted ICS malware in testing stage

CRYSTAL BALL GAZING

We’re here to say history doesn’t need to repeat itself. Especially not when we know how dire the outcome could be. Scada gives us the lessons we need to learn from and apply to mainframe security. The question now is - will we do it?

CONCLUSI

ON

CONCLUSION

THE KEYS TO THE KINGDOM▪ Obtain Domain admin level creds

▪ Gain a copy of NTDS.dit for Kerberos golden tickets to move freely

▪ Identify the back up and recovery systems, including DRP

▪ Identify the critical data and services. Mission critical

▪ Identify messaging servers

▪ Find and compromise application distribution platforms

CONCLUSI

ON

HOW TO GET YOUR FEET WET

Researchers to Research

• https://www.bigendiansmalls.com/

• http://mainframed767.tumblr.com/

• Mainframe Assembly

• locallyhttp://www.cbttape.org/ftp/asmbook/alnv200.pdf

HOW TO GET YOUR FEET WET• Virtualization software to play

• http://www.bsp-gmbh.com/turnkey/

• http://mvs380.sourceforge.net/

• https://www.tripwire.com/state-of-security/security-data-protection/cyber-secur

ity/mainframe-insecuritites-or-hack-the-gibson-no-really/