A STUXNET FOR MAINFRAMES
Cheryl Biswas
• Security researcher/analyst Threat Intel
• APTs, Mainframes, ICS SCADA, Shadow IT, StarTrek
• BSidesLV, Circle City, BSidesT0, SecTor, Hackfest, TiaraCon
• https://whitehatcheryl.wordpress.com
• Twitter: @3ncr1pt3d
DISCLAIMER: The views represented here are solely her own and not those of her employers, past or present.
11/4/2016@3ncr1pt3d A Stuxnet For Mainframes
HEAD IN THE SAND DEFENCE
YOU SAY SCADA
WE SAY … MAINFRAMES
MOM!! THE INTERNET IS BROKEN
INTRO
In the beginning
There were mainframes
And it was good.
Then came SCADA. And it was good too.
CONGRATULATIONS! IT’S A ... PLC
BUT THEN CAME ...
WHAT IS SCADA
I CAN’T LIVE ... IF LIVING IS WITHOUT YOU
DOES NOT PLAY WELL
WITH OTHERS
WHAT ARE MAINFRAMES?
MAINFRAMES … RIGHT?
THESE ARE NOT THE MAINFRAMES YOU’RE LOOKING FOR
THIS AIN’T YOUR GRANDMA’S MAINFRAME
MAINFRAMES - BUILT TO LAST
• High Availability
• Longevity
• Virtualization
• The ability to offload to separate engines
• Backward compatibility with older software
• Massive Throughput
https://en.wikipedia.org/wiki/Mainframe_computer
SCADA                              MAINFRAME
❏ Culture                          ❏ Culture
❏ Security Approach                ❏ Security Approach
❏ Perceptions                      ❏ Perceptions
❏ Built to Last                    ❏ Built to Last
❏ Closed off                       ❏ Closed off
❏ Does not play well with others   ❏ Does not play well with others

Innovation / Disruption: Would you like some security with that?
SECURITY BASICS WE KEEP GETTING WRONG
❏ Passwords
❏ Encryption
❏ Access
❏ Patching
http://blog.senr.io/blog/unique-snowflakes-or-ubiquitous-tech-the-truth-behind-the-industrial-internet-of-things-iiot
ICS / SCADA - WHAT HAVE WE LEARNED?
"NONE OF OUR SCADA OR ICS
EQUIPMENT IS ACCESSIBLE FROM THE INTERNET."
O RLY?
PROJECT SHINE: 1,000,000 SCADA / ICS DEVICES FOUND ONLINE
SCADA ATTACK VECTORS
SCADA ATTACKS: Malicious Trojan
http://www.risidata.com/Database
SCADA ATTACKS: Stolen equipment
http://www.risidata.com/Database
SCADA ATTACKS: Social Engineering
http://www.risidata.com/Database
SCADA - JUMPING AIR GAPS
• Designed for underwater communication
• Near ultrasonic frequency
• Remote key logging for multiple hops
http://www.jocm.us/index.php?m=content&c=index&a=show&catid=124&id=600
MAINFRAMES & SCADA - THE LINKS
• Similar in Culture
• Lack of security
• Perceived as secure
• “Air Gapped”
• “See no evil” – cuz you don’t see it if you aren’t looking
BUT IT’S AIR GAPPED
“Mainframe modernization or exposing the classic system of record data to new services means that the data is no longer isolated on the mainframe – the world is now ‘unknown, unknown.’ We have lost sight and control of where the data is going the minute we try to harness mainframe data for other purposes than batch or transaction applications.” (zOS Expert)
http://www.symantec.com/connect/blogs/mind-gap-are-air-gapped-systems-safe-breaches
MAINFRAME - LACK OF ATTACK DATA
Because … What you don’t see won’t hurt you
CULTURE
http://mainframed767.tumblr.com/post/79167015212/please-dont-post-on-mainframe-forums?is_related_post=1
MAINFRAME EXPLOIT RESEARCH
MAINFRAME - EXPLOIT RESEARCH: Bigendiansmalls
https://www.bigendiansmalls.com/category/security/exploit-development/
MAINFRAME - NMAP
• Can now detect Mainframe ports
• Mainframe banners are not static
• More accessible to others for hacking
http://mainframed767.tumblr.com/post/132669411918/mainframes-and-nmap-together-at-last
http://mainframed767.tumblr.com/post/47105571997/nmap-script-to-grab-mainframe-screens
MAINFRAMES - BIND SHELLCODE
• Mainframe assembler
• EBCDIC to ASCII converter
• Connect with NetCat
https://www.bigendiansmalls.com/mainframe-bind-shell-source-code/
ASCII TO EBCDIC / EBCDIC TO ASCII
[Translation tables: ASCII to EBCDIC and EBCDIC to ASCII]
LETS GET TECHNICAL
MAINFRAMES - STACK BUT DIFFERENT
▪ Mainframe prologue creates Dynamic Storage Area
▪ Points to next free byte on the stack used
▪ Does not subtract from ESP to allocate space
▪ Register used as a stack pointer
▪ Not forced to do so.
https://www.bigendiansmalls.com/smashing-the-zos-le-daisy-chain-for-fun-and-cease-and-desist-letters-guest-post-2/
ALLOCATION OF MEMORY - FUNCTION PROLOGUE
[Diagram: main() calls a function; the return IP and saved frame pointer (SFP) are pushed, with EBP and ESP marking the frame]
ALLOCATION OF MEMORY - FUNCTION PROLOGUE
[Diagram: ESP is decremented (-28) to allocate local memory for function()]
ALLOCATION OF MEMORY - FUNCTION EPILOGUE
[Diagram: ESP and EBP are restored from the SFP and execution returns to main()]
ALLOCATION OF MEMORY - DSA PROLOGUE
[Diagram: the “called” function receives a Dynamic Storage Area holding a save area and a pointer to the original DSA; “DSA NOT STACK”; the x86-style stack adjustment is “Not gonna happen”]
HOW TO EXPLOIT - STRING EXPLOITATION != WIN
Always aware of length
[Diagram: two length-prefixed strings, the second cut off at the size its length field allows]
https://www.bigendiansmalls.com/smashing-the-zos-le-daisy-chain-for-fun-and-cease-and-desist-letters-guest-post-2/
MAINFRAMES - UNIQUE TO EXPLOITS: S0C1 EXCEPTION
http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le
• No size checking
• Overflow causes execution to branch to another memory location
[Diagram: overflow data (“AAAA…”) in memory is fetched as opcodes; the opcode does not exist, so an S0C1 exception is raised]
MAINFRAMES - UNIQUE TO EXPLOITS: S0C1 EXCEPTION
http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le
[Diagram: DSA chain, DSA Level 0 → DSA 1 → DSA 2; each level returns to the one before it; Register 14 = return pointer (RP)]
MAINFRAMES - UNIQUE TO EXPLOITS: Globally addressed arrays, S0C1 Exception
http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le
[Diagram: DSA Level 0 → DSA 1 → DSA 2 → DSA 3; Register 14 = RP; the procedure should return to Level 1 but actually executes code in DSA 2]
MAINFRAMES - INSECURITY OF MEMORY
• Memory not more secure than Windows or Unix
• No “DEP”
• No strict ASLR
http://mainframed767.tumblr.com/post/136886215917/guest-post-jan-cannaerts-smashing-the-zos-le
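To make the chain mechanics from the stack-vs-DSA slide and the S0C1 / daisy-chain slides concrete, here is an added Python simulation (not code from the talk or from the bigendiansmalls research): it lays out a simplified chain of save areas at successive free bytes, performs the unchecked copy, and checks whether the saved return point still lies in code. The DSA layout, sizes and addresses are constructed for this illustration.

```python
import struct

# Constructed, simplified DSA: three big-endian words (back chain, forward
# chain, saved R14 return point) followed by 16 bytes of local storage.
# Real LE DSAs carry a full 18-word save area; the mechanism is the same.
DSA_FMT = ">III16s"
DSA_SIZE = struct.calcsize(DSA_FMT)      # 28 bytes
R14_OFF, LOCALS_OFF = 8, 12
CODE_RETURN = 0x00001000                 # assumed: return point in caller code
DSA_BASE = 0x0001F000                    # assumed: where the DSA region lives
LEVELS = 3

def build_chain() -> bytearray:
    """Each prologue places its DSA at the next free byte after the caller's
    and links it into the chain. No ESP-style subtraction happens."""
    region = bytearray(LEVELS * DSA_SIZE + 64)
    for i in range(LEVELS):
        back = DSA_BASE + (i - 1) * DSA_SIZE if i else 0
        forward = DSA_BASE + (i + 1) * DSA_SIZE
        struct.pack_into(DSA_FMT, region, i * DSA_SIZE,
                         back, forward, CODE_RETURN, b"\0" * 16)
    return region

def unchecked_copy(region: bytearray, level: int, data: bytes) -> None:
    """Routine at `level` copies `data` into its locals with no size check.
    Anything past 16 bytes spills into the next DSA's save area."""
    off = level * DSA_SIZE + LOCALS_OFF
    data = data[: len(region) - off]             # stay inside the simulation
    region[off:off + len(data)] = data

def restored_r14(region: bytearray, level: int) -> int:
    """Return point saved in DSA `level`; the returning epilogue reloads it
    into R14 and branches there."""
    return struct.unpack_from(">I", region, level * DSA_SIZE + R14_OFF)[0]

def return_point_is_code(r14: int) -> bool:
    """Check LE does not perform: is R14 inside program code? If not, the
    branch lands in data and the CPU raises S0C1 (operation exception)."""
    return CODE_RETURN <= r14 < CODE_RETURN + 0x1000

def simulate(data: bytes) -> tuple:
    """Level 1 copies `data`; the spill reaches DSA 2's saved return point,
    which is used on the next return. Report where R14 ends up."""
    region = build_chain()
    unchecked_copy(region, 1, data)
    r14 = restored_r14(region, 2)
    return r14, return_point_is_code(r14)
```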
ACCESSIBLE TO YOU!
FTP EXPLOIT
EXPLOIT/MAINFRAME/FTP/FTP_JCL_CREDS
MAINFRAME - FIRST METASPLOIT MODULE
Poorly configured FTP server. FTP -> Shell
https://www.bigendiansmalls.com/a-logical-first-step/
FTP METASPLOIT MODULE
ARCH_CMD: Executes a command, or uses a command to give a shell
Platform: Mainframe: Uses the Mainframe payloads of Metasploit
Target: Automatic: Only works with IBM FTP CS V.R.
Requires Credentials: Credentials allow a file to be uploaded
Debugging enabled: Can enable Verbose and FTPdebug
https://www.bigendiansmalls.com/a-logical-first-step/
https://www.rapid7.com/db/modules/exploit/mainframe/ftp/ftp_jcl_creds
FTP METASPLOIT MODULE
• Checks Banner
• If banner correct, logs in and uploads file
• File is uploaded as JOB & executes
https://www.bigendiansmalls.com/a-logical-first-step/
GENERIC JCL TEST FOR MAINFRAME EXPLOITS
This can be used as a template for other JCL based payloads
https://www.rapid7.com/db/modules/payload/cmd/mainframe/generic_jcl
https://www.bigendiansmalls.com/a-logical-first-step/
Z/OS (MVS) COMMAND SHELL, REVERSE TCP
Creates a reverse shell. This implementation does not include EBCDIC character translation, so a client with translation capabilities is required. MSF handles this automatically.
https://www.rapid7.com/db/modules/exploit/mainframe/ftp/ftp_jcl_creds
https://www.bigendiansmalls.com/mainframe-bind-shell-source-code/
GENERIC COMMAND SHELL
Connect back to attacker and spawn a command shell
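The EBCDIC/ASCII translation that the bind-shell converter performs, and that the reverse-shell payload above leaves to the client, as an added Python example (not the talk's or the Metasploit module's code): it translates both ways and guesses which encoding a captured buffer is in, which is also what an analyst reviewing mainframe session captures needs. It assumes code page IBM-037 (Python's cp037); the FTP greeting is a constructed sample.

```python
# Assumption: the EBCDIC side uses code page IBM-037 (Python's "cp037");
# z/OS installations often use IBM-1047, which differs in a few symbols.
EBCDIC = "cp037"

def ascii_to_ebcdic(text: str) -> bytes:
    """Encode text for the mainframe side (what a netcat client must send)."""
    return text.encode(EBCDIC)

def ebcdic_to_ascii(data: bytes) -> str:
    """Decode bytes coming from the mainframe side (screens, shell output)."""
    return data.decode(EBCDIC, errors="replace")

def printable_ratio(text: str) -> float:
    """Share of characters that are printable 7-bit ASCII or CR/LF/TAB."""
    if not text:
        return 0.0
    ok = sum(1 for c in text if 0x20 <= ord(c) <= 0x7E or c in "\r\n\t")
    return ok / len(text)

def guess_encoding(data: bytes) -> str:
    """Pick 'ascii' or 'ebcdic' by which reading yields more printable text.
    EBCDIC letters fall in 0x81-0xE9, so an ASCII reading of them is junk
    and vice versa; ties go to ASCII."""
    as_ascii = printable_ratio(data.decode("latin-1"))
    as_ebcdic = printable_ratio(ebcdic_to_ascii(data))
    return "ascii" if as_ascii >= as_ebcdic else "ebcdic"

def to_text(data: bytes) -> str:
    """Translate a captured buffer to readable text whichever way it came."""
    if guess_encoding(data) == "ebcdic":
        return ebcdic_to_ascii(data)
    return data.decode("latin-1")

# Constructed sample: an FTP greeting as the mainframe would send it in EBCDIC.
SAMPLE_BANNER = "220-FTPD1 IBM FTP CS V2R1 at MVS1 ready."
EBCDIC_BANNER = ascii_to_ebcdic(SAMPLE_BANNER)

if __name__ == "__main__":
    print(guess_encoding(EBCDIC_BANNER), "->", to_text(EBCDIC_BANNER))
    print(guess_encoding(b"220 ftp ready\r\n"), "->", to_text(b"220 ftp ready\r\n"))
```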
HOW THE MIGHTY FALL
BIGENDIAN POC
STUXNET - SCADA
SCADA - STUXNET
• Air Gap bypass
• APT
• C2
• Self erasing
• Specific to system it wants
• Nation State
SCADA - THE THREAT IS REAL
• Dec 2015 Powergrid attack in Ukraine
• March 2016 Ransomware hits US power company in Michigan
• June 2016 Irongate Targeted ICS malware in testing stage
CRYSTAL BALL GAZING
We’re here to say history doesn’t need to repeat itself. Especially not when we know how dire the outcome could be. Scada gives us the lessons we need to learn from and apply to mainframe security. The question now is - will we do it?
CONCLUSION
THE KEYS TO THE KINGDOM
▪ Obtain Domain admin level creds
▪ Gain a copy of NTDS.dit for Kerberos golden tickets to move freely
▪ Identify the back up and recovery systems, including DRP
▪ Identify the critical data and services. Mission critical
▪ Identify messaging servers
▪ Find and compromise application distribution platforms
HOW TO GET YOUR FEET WET
Researchers to Research
• https://www.bigendiansmalls.com/
• http://mainframed767.tumblr.com/
• Mainframe Assembly: http://www.cbttape.org/ftp/asmbook/alnv200.pdf
HOW TO GET YOUR FEET WET
• Virtualization software to play locally
• http://www.bsp-gmbh.com/turnkey/
• http://mvs380.sourceforge.net/
• https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/mainframe-insecuritites-or-hack-the-gibson-no-really/