Getting Shells on z/OS with Surrogat Chains
Conference: Defcon 28
2020-08-01
Summary
The presentation discusses the use of REX scripts and resource access control facility (RACF) in mainframe cybersecurity and DevOps.
- REX scripts are used to embed JCLs and pass arguments easily for more dynamic JCLs
- Resource access control facility (RACF) manages security for different types of resources, including data sets, surrogates, and OMVS resources
- Surrogate chains occur due to the large number of users and lack of knowledge about their access, and can be listed using the 'rlist surrogate' command
- Reverse shells can be used to run JCLs as surrogates on different users
- Mainframe cybersecurity and DevOps can be learned using TK4- and Hercules emulators, as well as KICKS and BREX
Abstract
z/OS allows a user to submit a job as another user without a password with the surrogat class. However, z/OS systems often have hundreds of thousands of users and have been running for decades. This means that it is very likely that from a low priv user there is a surrogat chain that will give you special (z/OS' root).
RACF (z/OS' Security), does not allow users to view the security of resources to which they do not have access. This means that manually enumerating a chain required you to submit a reverse shell each time you wanted to move up the chain. This will take a long time with 200k users.
Gator (my tool), submits a batch job that will call a REXX program which will output the user's privs and the current surrogat chain of that user. It will then list all of that user’s surrogat privs, and call the same batch job as before, but running as those users.
Gator also provides a macro that will generate a CATSO (similar to a meterpreter shell), for any of the users in the surrogat chain.
Gator can also be exported to a GraphVis python program, which will display the users information and chain as a network of nodes.
Materials:
Tags: