How to break into a Tandem System… …and how to prevent it! · Ignorance doesn’t solve the...
Transcript of How to break into a Tandem System… …and how to prevent it! · Ignorance doesn’t solve the...
1234
Carl WeberGreenHouse Software & Consulting
Security SIG of ETUG, 25. September 2012
How to break into aTandem System…
…and how to prevent it!
1234
This is what you have to secure
1234
The security advice (PCI)
1234
The security mechanism
1234
… nad this is how it looks like - BUT…
1234
… this is your environment!
1234
And you still believe you are secure?
1234
Currently…
The government of Nordrhein-Westfalen bought and still buys tax related data, stolen from Swiss banks.
All these banks for sure successfully passed a PCI audit!
What does this mean in terms of being PCI compliant?
1234
What you really need!
1234
Brief intro Carl Weber
Started with Tandem(*) Germany in October 1978.
‘In security’ since 1985, when SAFEGUARD was introduced in Cupertino by Tim Chou.
Leading the German system evaluation at GISA andparticipating in the NCSC evaluation (1989-1993).
Started GreenHouse 1994 as a Tandem Alliance Partner. www.GreenHouse.de
Specialized in security consulting and security reviews, security product and tool development, PRIV system code, and code specialties.
(*) to me it still is Tandem …
1234
Session overview
How secure is a Tandem system?
Can be broken in? Easily?
Is there an easy way to detect and prevent it?
Solutions!
This presentation is related to the GUARDIAN side only:There is OSS and the network (LAN) as well!
1234
Ignorance doesn’t solve the problem
… it just lets you sleep better…
Once you lost your integrity
… the rest is easy …
Good judgment comes from experience.Experience comes from bad judgment.
Well known truths
1234
Everybody has his price
… trust me …
In theory,there is no difference between theory and practice;
in practice, there is.Chuck Reid
Well known truths
1234
Security people do have a good heart
… but a sick mind …
What you possibly think about me …
1234
Hackers do have a sick heart
AND a sick mind!
… but …
1234
SAFEGUARD does not introduce a better security, but a better granularity as well as auditing.(an error 48 in GUARDIAN is as solid as in SAFEGUARD)
Automated security checks are nice to watch – but it is better to understand, what they do, and what they do NOT do!
Train yourself , and/or hire a trustworthy expert.
Test your system before intruders or POIEs(*) do.
Have OSS and LAN on your radar as well!
(*) POIE = pissed off internal expert [not politically correct, but precise]
Keep in Mind
1234
NonStop Systems are considered to be FailSafe – but what about their security?
Does/can GUARDIAN and SAFEGUARD protect all system assets?
OK - GUARDIAN/SAFEGUARD does have two (outdated) certificates:- NCSC (C2) and- GISA (F2 @Q3 and F7 @Q3)
So what … ???
Questions
1234
Can be broken into the system, or an application?
Is it possible to gain access to ID’s without the knowledge of the password?
In case there are real threats - are there effective countermeasures?
Questions
1234
General
All my attacks start from a NON PRIV logged on TACL with the ID of SA.CARL = 100,5- NO SUPER.SUPER (255,255)- NO SUPER group (255,n)- NO group Manager (n,255)and available system I have access to, e.g.:- PATHCOM, SQLCI, SCF etc.
Sounds like a first hurdle – but all your administrators, operators, developers, and system users do have interactive access to your system!
1234
General
Demos run on \GINKGO of GreenHouse.(NS1002, H06.24.01)
Connection by VPN through the Internet.
1234
General
Used system software:- MyLogin
(single sign on TO the system)
- SECOM(single sign on ON the system; command level security, ID hopping)
- GreenHouse tools- Special demo programs (TAL/native TAL)- TACL macros- GreenHouse developed hack code using well
documented GUARDIAN procedure calls
… and here we go …
1234
PATHWAY-Threat
Getting access to the application ID.
Getting access to application data.
Worst case:Getting interactive access to SUPER.SUPER.
This is my classic way to break into a system!
1234
PATHWAY-Threat
Weak point is insufficient default security of PATHWAY monitor.
Unknown security mechanism.
System applications are often started from SUPER.SUPER(do you use SUPER.SUPER in the day-to-day business?).
Requirement to succeed an attack:Interactive access to the system with possibly ANY ID!
1234
PATHWAY-Threat
PATHWAY system (PATHMON)
- PAID Is the ID of the starting user.- Owner By default the starting user;
can be configured differently!- Security By default “N”;
can be configured differently!This has changed with TS/MP 2.3 fromN to O. It is available starting H06.14, butcan be installed on any system beginning H06.06 or later(*).*** BUT NOT IN PATHWAY ****
18. December 2008, Evans, Keith B (NonStop) [[email protected]],
HP Product manager for PATHWAY
1234
PATHWAY-Threat
PAID (Process Access ID)
- Derived from the starting user - Propagated to all programs
(= Servers), started from PATHMON- A PRIV ID even gives management users access
rights they should not get to
1234
PATHWAY-Threat
Owner
- Set to PAID by default.- Can easily be changed to any other user ID.- Is used to manage the system via PATHMON.
1234
PATHWAY-Threat
Security
- Set to “N” by default – still!- Allows ALL system users to manage this
PATHWAY system (e.g. to stop it!)- Can easily be changed to any other (more secure)
GUARDIAN security vector- Related to PATHWAY “Owner”
1234
PATHWAY-Attack
Search for PATHMON’s, running SUPER.SUPER,or any other interesting application owner ID
$GHS1 ARROW 23> status *,user super.super,prog $system.sys*.pathmonProcess Pri PFR %WT Userid Program file Hometerm$GHS 0,46 167 005 255,255 $SYSTEM.SYSTEM.PATHMON $ZHOME$S600 0,54 180 005 255,255 $SYSTEM.SYSTEM.PATHMON $ZHOME$GHS B 1,58 167 001 255,255 $SYSTEM.SYSTEM.PATHMON $ZHOME$S600 B 1,74 180 001 255,255 $SYSTEM.SYSTEM.PATHMON $ZHOME$GHS1 ARROW 24>
1234
PATHWAY-Attack
Check PATHMON security setting
$GHS1 ARROW 24>pathcom $ghs;info pathway
PATHWAYMAXASSIGNS 100 [CURRENTLY 63]MAXDEFINES 0 [CURRENTLY 0]..MAXTERMS 60 [CURRENTLY 0]MAXTMFRESTARTS 5OWNER \GINKGO.255,255SECURITY “N"
$GHS1 ARROW 25>
1234
PATHWAY-Attack
… and how does it work?
Introduce a new server, such asSQLCI, FUP, BACKUP etc.
SUPER.SUPER even gives access to ANY other system ID WITHOUT the need to know a password, AND: This break in is NOT audited in SAFEGUARD!
1234
PATHWAY-Showtime
Showtime … (\GINKGO.$GHS1.ETUG)
- starting an insecure SUPER.SUPER PATHMON- demonstrating interactive access to SUPER.SUPER
- starting a correct secured SUPER.SUPER PATHMON- demonstrating its robustness
1234
PATHWAY - Solution
Prevent starting a PATHWAY application from a privileged system ID such as:- SUPER.SUPER- SUPER.xxx- xxx.MANAGER
Set PATHWAY management security to “O”.
Define a real user as PATHMON manager; can be different from the PATHMON PAID!
1234
PATHWAY - Solution
Optionally put an ACL on the PATHMON process name(know the consequences!).
Activate the PATHWAY log, and check it on a regular basis (does not really help …).
Make sure only authorized users can change the configuration files.This is true for ALL configuration files!
1234
PATHWAY - Solution
Use the FreeWare tool GetPWSS to check all your pathway applications within seconds.
Use command level security products (such as SECOM) to give management access rights on (sub)command level.(who is allowed to restart which server at what time from which IP address …)
1234
PATHWAY - Advanced Solution
Run all PATHWAY-applications in ONE user group:This allows pretty stringent security settings for the PATHWAY environments as well as for the data base!
Using non existing IDs to run the applications enforces the best security and access control possible.
1234
SPOOLER-Threat
My second classic way to break into a system.
Same problem as with PATHWAY.
1234
SPOOLER-Threat
SPOOLERs are often started from SUPER.SUPER at cold load time.
Weak point is unknown security mechanism.
Requirement: Interactive access to the system with ANY SUPER-Group ID.
1234
SPOOLER-Threat
Management access is granted to:- the starting ID- all SUPER-group members- SUPER.SUPER- optional to group managers
1234
SPOOLER-Attack
Search for SPOOL, running SUPER.SUPER
$GHS1 ARROW 27> status *,prog $system.sys*.spoolProcess Pri PFR %WT Userid Program file Hometerm$SPLS B 0,43 150 001 255,255 $SYSTEM.SYSTEM.SPOOL $ZTNP0.#PTPAAAA$SPLS 1,38 150 001 255,255 $SYSTEM.SYSTEM.SPOOL $ZTNP0.#PTPAAAA$GHS1 ARROW 28>
1234
SPOOLER-Attack
… how does it work?
Introduce a new print process, which is a normal GUARDIAN program, such as FUP, SCF, SQLCI etc.… yes – it works!
A SUPER.SUPER running SPOOL allows even interactive access to SUPER.SUPER!(same procedure as with PATHWAY: Introduce a print process[= SPOOLER server])
1234
SPOOLER - Solution
Do NOT start a SPOOLER from SUPER.SUPER!
Consider running different SPOOLER systems, where the starting ID is the owner/manager.
Consider using ACLs on supervisor and collector processes.
Use command level security products to control access to SPOOLER systems.
1234
USERID/LUSERID-Threat
Wrong security setting on USERID as well as SAFEGUARD files.
Unknown additional alternate file(s).
Requirement: Interactive access to the system with ANY ID and READ access to USERID/LUSERID.
1234
USERID/LUSERID-Threat
READ access allows a FUP COPY which discloses unencrypted passwords.
READ/WRITE access allows the injection of a new password for EVERY user, or the modification of password cryptograms (DoS)
Additional alternate key copies each entry into a separate file, which can be used for a brute force attack.
1234
USERID/LUSERID-Solution
All mentioned files have to be secured to: “----”, where the owner has to be: SUPER.SUPER.
Check withFUP INFO<fileset>,DETAIL
for alternate file entries.
Use the FreeWare tool FileTree to display all alternate key files of a given file.
1234
USERID/LUSERID-Solution
Make use of the PWCONFIG product to configure the password attributes when SAFEGUARD is not used
or
Use appropriate SAFEGUARD settings.
1234
Alias Users - Threat
Do you know all SUPER.SUPER related Alias users?
Tandem engineers often place(d) a SUPER.SUPER Alias onto the system, that makes life easier for them…
Insufficient knowledge of SAFEGUARD.
Incomplete SAFEGUARD setup.
1234
Alias Users - Threat
Unexpected access to SUPER.SUPER, where SUPER.SUPER is not used to logon, but an Alias.
Requirement: Access to SAFECOM and insufficient OBJECTTYPE USER setup.
SUPER.SUPER used by a ‘wrong’ person(just once is enough! Give me your system and SUPER.SUPER for a minute – and it is mine!).
1234
Alias Users - Solution
Check all Alias users.
Use the FreeWare tool MyUser to list all GUARDIAN/Alias user relations.
Delete/Expire those users, not introduced/known by you.
Have OBJECTTYPE USER defined.OK – have SAFEGUARD set-up correctly (next topic)!
1234
SAFEGUARD - Threat
Undefined OBJECTTYPEs.
Wrong understanding of ACL evaluation.
Wrong object ACLs.
Orphaned ACL owners or Access users.
1234
SAFEGUARD - Threat
Each user can introduce a SUBVOL ACL, when OBJECTTYPE SUBVOL is not defined.
My classic way: Introduce a non existing ACL for subvol $SYSTEM.SYSTEM or any other interesting collection of files, do a file copy, and delete the ACL …
Check ACL evaluation, and find a hole…(SAFECOM INFO SAFEGUARD)
1234
SAFEGUARD - Attack
Add an ACL e.g. on SUBVOL level.
Access the required data.
Re-set the ACL.
OK – this ends up in the audit trails; BUT I am sure, that the owner of this system does not check these files at all!
1234
SAFEGUARD - Solution
Understand SAFEGUARD.
Understand what you do.
Introduce ***ALL*** OBJECTTYPEs.
Set up the evaluation rules for an easy understanding, e.g.:- FILE FIRST- FIRST ACL- PATTERN LAST- CHECK VOLUME OFF- CHECK SUBVOL ON- CHECK DISKFILE ON
1234
SAFEGUARD - Solution
Check ACL evaluation with tools like:- CRYSTAL- SECINFO- ACLClean
1234
xxxCSTM - Threat
Insufficient user default security, which is propagated to CSTM-files, especially the files of SUPER.SUPER’s- FUPCSTM- TACLCSTM
This is true for TACL Macros (e.g. MYMACS etc.) as well!
1234
xxxCSTM - Attack
Insert data into FUPCSTM, such as:LICENSE <mycode>
Then visit SUPER.SUPER and ask him, to do ‘something’ that activates the CSTM-file you changed, e.g. to execute FUP.
Remove the code from FUPCSTM.
Insert data into TACLCSTM.What about a LOGOFF as first statement?
1234
xxxCSTM - Solution
Secure all CSTM files to “OOOO”.
No shared default locations.
No shared USER IDs.
Default security has to be “OOOO”, optionally “UUOO”.
Individualize all users.
Differentiate between functional and individual users.
1234
TACL Macro - Threat
Same as CSTM-threat.
Hard coded passwords in TACL Macros.
1234
TACL Macro - Attack
Search for MYMAC files and check for passwords.
1234
TACL Macro - Solution
All users TACL Macros should be secured to: “OOOO”.
Do NOT have passwords hard coded anywhere;use products which support this, e.g. our Secure FTP client which is based on a repository, where passwords are stored in encoded form.
1234
Library - Threat
Classic Trojan Horse.
Not that easy to develop, but
Easy to install and
Difficult to find.
… do you know what I’m talking about???
… I love this method …
1234
Library - Threat
Adds code to an executable.
Can easily spoof passwords.
Can change the behavior of a program by- copying data- changing data- skipping code- etc. etc. etc.
Requirement:- write & execution access on program file (just once)- execution access on library file
1234
Library - Attack
Add a LIB to- TACL/FTPSERV to intercept USER_AUTHENTICATE_ :
You get all passwords in the clear- any Tandem utility, and change the command behavior- … be creative (or is it subversive?)!
1234
Library-Showtime
Showtime … ($GHS1.ETUG)
- logging on to a TACL that has a library attached:The classic Trojan Horse!
1234
Library - Solution
Check all executables on your system.Use the FreeWare tool: SHOWLIB
Remove suspect libraries.Use the FreeWare tool: BINDLIB
Set the security of all executables to: “xOxO” to prevent any LIB binding by non file owners.Use the FreeWare Tool SECURE.
1234
Library - Solution
In general:- Secure all executables to: “OOxO”- Secure all system EDIT files to: “xOOO”- Secure all system files to: “OOOO”- Secure all application files to: “OOOO”- make SUPER.SUPER the owner of all system files
1234
Portconf - Threat
PORTCONF causes LISTNER to start malicious code.
1234
Portconf - Attack
Check security of PORTCONF and add an entry.
Because LISTNER normally runs SUPER.SUPER, the defined resource runs SUPER.SUPER!
1234
Portconf - Solution
Check PORTCONF for suspicious entries.
Secure PORTCONF that only the system administrator can change it.
Do not start LISTNER from SUPER.SUPER – there is no need!
1234
Search Path - Threat
Before a resource is executed, TACL tries to find it in the search path.
A typo causes an error, but a program, named like a typo, may cause a disaster…
Requirement: Create access in a search path.
1234
Search Path - Attack
Write a small program, that purges all files of the user, executing it.
Place this program in the search path and name it like a typo, e.g. EDOT instead of EDIT.
… lean back, relax, and wait …
1234
Search Path - Solution
Introduce SAFEGUARD ACLs for all system wide search path locations: Deny CREATE for unauthorized users.
Inform your users to check their search path settings, and add an ACL as well.
1234
Alternate Key File - Threat
Alternate key files hold ‘real’ data, up to 256 bytes.
They are not displayed by the FUP INFO command, but require FUP INFO,DETAIL!
Are easily overlooked.
This is true for SQL tables as well!
1234
Alternate Key File - Attack
Add an alternate key file to a sensitive file, where the record contains the interesting part!
1234
Alternate Key File - Solution
Use FUP and check all your sensitive data files for unknown alternate key file entries.
Use FreeWare program FILETREE to display all alternate key files.
1234
Accessing Purged Data on Disk - Threat
A PURGE does not WIPE the data, it updates the Disks Free List Table.
Data is still available, and can be retrieved by ANY user who is allowed to create a file.
1234
Accessing Purged Data on Disk - Attack
Create a big file.
Allocate all extents(e.g. FUP ALLOCATE <file>, 900)
Position the EOF to the last byte.(by a small program, or FUP RECLAIMDATA <file>)
Perform a READ/COPY in the file.
1234
Accessing Purged Data on Disk - Solution
Use CLEAR-ON-PURGE option.Know what you do: This as well might be a performance problem for large files.
May be there is a solution in the future: The file to be cleaned will be renamed to a temp file, and then cleaned.
1234
Denial of Service - Threat
Exhaustive use of system resources:- CPU cycles- internal tables- disk and disk directory space
Causes unavailable system and services.
Causes the operating people to panic!
May even cause a system HALT.
1234
Denial of Service - Attack
By Intention
Corrupting a CPU?Nolist?Source $system.system.extdecs0 (alter_priority_)?ListProc Test Main;Begin
While 1 do begin alter_priority_(199);End;
1234
Denial of Service - Attack
By Intention
Corrupting a volume
?Nolist?Source $system.system.extdecs0 (file_create_)?ListProc Test Main;Begin
String .system[0:35] := „$system“;Int Len := 7;While 1 do begin File_Create_(SYSTEM:36,Len);
End;
1234
Denial of Service - Attack
By Intention
Corrupting a CPU by flooding LISTNER with incomplete FTP calls.
1234
Denial of Service - Attack
By error
Wrong and/or no error handling in the error handling.
1234
Denial of Service - Attack
By Tandem utilities
- DIVER- TANDUMP
1234
Denial of Service - Solution
Code reading.
Exhaustive logic and error debugging.(Kindergarten test)
Check error handling in error handling!
No compilers on production systems.
Test/development isolated from production – not even EXPAND.
Check existing objet files with FreeWare tool EProcs.
1234
Denial of Service - Solution
Make use of the Authorization SEEP.(PRCOSEEP)
Use ListnerLib to harden LISTNER.
Use PURGETMP FreeWare to keep track of ‘orphaned’ temporary disk files.
Revoke LICENSE flag from DIVER and TANDUMP, at least set a tight security vector.
1234
Purge - Threat
Purge a file’s data WITHOUT having purge access.
Really deletes a files content.
Requires only WRITE access: PURGE can be set to e.g. SUPER.SUPER!
… and how?Perform a PURGEDATA followed by a DEALLOCATE!
1234
Covert Channel - Threat
Information leakage to listener.
Hidden data channel.
1234
Covert Channel - Attack
Changing the priority.(ticker channel)
Checking CPU buys values.
Relating date, time and events.
Checking EOF, files, process creates etc.
1234
Covert Channel - Solution
Code reading.
Procedure call check against a negative list(why calling AlterPriority in a server?)
Exhaustive logic (20%) as well as error tests (80%).
No production data for tests!
1234
Ghost Processes
Started from a temporary file.
Very difficult to track down.
At least you should know about it.
When we have time: Showtime!
1234
SCF Thread – just discovered
Logon to ANY SUPER-Group user.
Get SCF-Access to $ZZKRN.
Allow all errors.
Add a small program to $ZZKRN and define SUPER.SUPER as the PAID.
The program introduced to $ZZKRN sets the ‘already logged on’ flag, and creates a TACL.
This TACL then is started logged on with the SUPER.SUPER ID.
Solution: Get rid of individual SUPER-Group users!
Fixed at least in H06.24.01
1234
LINKMON Thread – just discovered
Start a PATHMON under user A.B.
Add a associative server class C with security “N" and with the process name $ZNET.
Then send the SPI-command to add a process $ZZKRN to this server class; you can still do this as user A.B.
Now the LINKMON (which runs under SUPER.SUPER) is able to open $ZNET.
$ZNET thinks that a SUPER.SUPER user is the user.Add a process to $ZZKRN and since SUPER.SUPER is the boss .....:
Voila
1234
LINKMON Thread – just discovered
The real problem here is that LINKMON's run under SUPER.SUPER.
According to Wendy Bartlett, these two problems are fixed in: T1084H01^AAV and T1085H01^ABB
1234
Social Engineering
Works on ANY platform at any site.
Misuse of helpfulness.
Use of unthoughtfulness.(do not think about what you do…)
Most efficient non technical method.
Cheap!
1234
Best practice
No code licensing - except you know what you license.
No PROGID – use ID hopping products instead.
No orphaned files and orphaned IDs in ACLs.
No shared IDs.
Tight user default security (OOOO).
Tight system file security.
Control of functional users by e.g. session I/O tracing(GUARDIAN as well as OSS).
Management support for system operators.
1234
Tools
All mentioned tools areFree- or ShareWare from GreenHouse
and can be found at:www.GreenHouse.de
For GreenHouse products please contact:[email protected]
1234
Third Parties*
Bowden Systems CAIL comForte21 Crystal Point CSP GreenHouse Insession Technologies Unlimited Software Associates XYPRO
*This list might be incomplete.
1234
Questions
1234
Thank you for listening!