How to break into a Tandem System… …and how to prevent it! 1

1234
How to break into a
Tandem System…
…and how to prevent it!
Carl Weber
GreenHouse Software & Consulting
Security SIG of ETUG, 25. September 2012
1234
This is what you have to secure
1234
The security advice (PCI)
1234
The security mechanism
1234
… nad this is how it looks like - BUT…
1234
… this is your environment!
1234
And you still believe you are secure?
1234
Currently…
The government of Nordrhein-Westfalen bought and still
buys tax related data, stolen from Swiss banks.
All these banks for sure successfully passed a PCI audit!
What does this mean in terms of being PCI compliant?
1234
What you really need!
1234
Brief intro Carl Weber
ƒ Started with Tandem(*) Germany in October 1978.
ƒ ‘In security’ since 1985, when SAFEGUARD was
introduced in Cupertino by Tim Chou.
ƒ Leading the German system evaluation at GISA and
participating in the NCSC evaluation (1989-1993).
ƒ Started GreenHouse 1994 as a Tandem Alliance Partner.
www.GreenHouse.de
ƒ Specialized in security consulting and security reviews,
security product and tool development, PRIV system code,
and code specialties.
(*)
to me it still is Tandem …
1234
Session overview
ƒ How secure is a Tandem system?
ƒ Can be broken in? Easily?
ƒ Is there an easy way to detect and prevent it?
ƒ Solutions!
ƒ This presentation is related to the GUARDIAN side only:
There is OSS and the network (LAN) as well!
1234
Well known truths
Ignorance doesn’t solve the problem
… it just lets you sleep better…
Once you lost your integrity
… the rest is easy …
Good judgment comes from experience.
Experience comes from bad judgment.
1234
Well known truths
Everybody has his price
… trust me …
In theory,
there is no difference between theory and practice;
in practice, there is.
Chuck Reid
1234
What you possibly think about me …
Security people do have a good heart
… but a sick mind …
1234
… but …
Hackers do have a sick heart
AND a sick mind!
1234
Keep in Mind
ƒ SAFEGUARD does not introduce a better security, but a better
granularity as well as auditing.
(an error 48 in GUARDIAN is as solid as in SAFEGUARD)
ƒ Automated security checks are nice to watch – but it is better
to understand, what they do, and what they do NOT do!
ƒ Train yourself , and/or hire a trustworthy expert.
ƒ Test your system before intruders or POIEs(*) do.
ƒ Have OSS and LAN on your radar as well!
(*) POIE = pissed off internal expert [not politically correct, but precise]
1234
Questions
ƒ NonStop Systems are considered to be FailSafe – but what
about their security?
ƒ Does/can GUARDIAN and SAFEGUARD protect all
system assets?
ƒ OK - GUARDIAN/SAFEGUARD does have two (outdated)
certificates:
NCSC (C2) and
GISA (F2 @Q3 and F7 @Q3)
ƒ So what … ???
1234
Questions
ƒ Can be broken into the system, or an application?
ƒ Is it possible to gain access to ID’s without the knowledge
of the password?
ƒ In case there are real threats - are there effective
countermeasures?
1234
General
ƒ All my attacks start from a NON PRIV logged on TACL
with the ID of SA.CARL = 100,5
- NO SUPER.SUPER (255,255)
- NO SUPER group (255,n)
- NO group Manager (n,255)
and available system I have access to, e.g.:
- PATHCOM, SQLCI, SCF etc.
ƒ Sounds like a first hurdle – but all your administrators,
operators, developers, and system users do have
interactive access to your system!
1234
General
ƒ Demos run on \GINKGO of GreenHouse.
(NS1002, H06.24.01)
ƒ Connection by VPN through the Internet.
1234
General
ƒ Used system software:
- MyLogin
(single sign on TO the system)
- SECOM
(single sign on ON the system; command level security, ID hopping)
- GreenHouse tools
- Special demo programs (TAL/native TAL)
- TACL macros
- GreenHouse developed hack code using well
documented GUARDIAN procedure calls
… and here we go …
1234
PATHWAY-Threat
ƒ Getting access to the application ID.
ƒ Getting access to application data.
ƒ Worst case:
Getting interactive access to SUPER.SUPER.
ƒ This is my classic way to break into a system!
1234
PATHWAY-Threat
ƒ Weak point is insufficient default security of PATHWAY
monitor.
ƒ Unknown security mechanism.
ƒ System applications are often started from SUPER.SUPER
(do you use SUPER.SUPER in the day-to-day business?).
ƒ Requirement to succeed an attack:
Interactive access to the system with possibly ANY ID!
1234
PATHWAY-Threat
ƒ PATHWAY system (PATHMON)
- PAID
- Owner
- Security
Is the ID of the starting user.
By default the starting user;
can be configured differently!
By default “N”;
can be configured differently!
This has changed with TS/MP 2.3 from
N to O. It is available starting H06.14, but
can be installed on any system beginning
H06.06 or later(*).
*** BUT NOT IN PATHWAY ***
*18. December 2008, Evans, Keith B (NonStop) [keith.b.evans@hp.com],
HP Product manager for PATHWAY
1234
PATHWAY-Threat
ƒ PAID (Process Access ID)
-
Derived from the starting user
Propagated to all programs
(= Servers), started from PATHMON
A PRIV ID even gives management users access
rights they should not get to
1234
PATHWAY-Threat
ƒ Owner
-
Set to PAID by default.
Can easily be changed to any other user ID.
Is used to manage the system via PATHMON.
1234
PATHWAY-Threat
ƒ Security
-
Set to “N” by default – still!
Allows ALL system users to manage this
PATHWAY system (e.g. to stop it!)
Can easily be changed to any other (more secure)
GUARDIAN security vector
Related to PATHWAY “Owner”
1234
PATHWAY-Attack
ƒ Search for PATHMON’s, running SUPER.SUPER,
or any other interesting application owner ID
$GHS1 ARROW
Process
$GHS
$S600
$GHS
B
$S600
B
$GHS1 ARROW
23> status *,user super.super,prog $system.sys*.pathmon
Pri PFR %WT Userid Program file
Hometerm
0,46
167
005 255,255 $SYSTEM.SYSTEM.PATHMON
$ZHOME
0,54
180
005 255,255 $SYSTEM.SYSTEM.PATHMON
$ZHOME
1,58
167
001 255,255 $SYSTEM.SYSTEM.PATHMON
$ZHOME
1,74
180
001 255,255 $SYSTEM.SYSTEM.PATHMON
$ZHOME
24>
1234
PATHWAY-Attack
ƒ Check PATHMON security setting
$GHS1 ARROW 24>pathcom $ghs;info pathway
PATHWAY
MAXASSIGNS 100
[CURRENTLY 63]
MAXDEFINES 0
[CURRENTLY 0]
.
.
MAXTERMS 60
[CURRENTLY 0]
MAXTMFRESTARTS 5
OWNER \GINKGO.255,255
SECURITY “N"
$GHS1 ARROW 25>
1234
PATHWAY-Attack
… and how does it work?
ƒ Introduce a new server, such as
SQLCI, FUP, BACKUP etc.
ƒ SUPER.SUPER even gives access to ANY other system ID
WITHOUT the need to know a password, AND: This break
in is NOT audited in SAFEGUARD!
1234
PATHWAY-Showtime
ƒ Showtime … (\GINKGO.$GHS1.ETUG)
-
starting an insecure SUPER.SUPER PATHMON
demonstrating interactive access to SUPER.SUPER
-
starting a correct secured SUPER.SUPER PATHMON
demonstrating its robustness
1234
PATHWAY - Solution
ƒ Prevent starting a PATHWAY application from a privileged
system ID such as:
SUPER.SUPER
SUPER.xxx
xxx.MANAGER
ƒ Set PATHWAY management security to “O”.
ƒ Define a real user as PATHMON manager; can be different
from the PATHMON PAID!
1234
PATHWAY - Solution
ƒ Optionally put an ACL on the PATHMON process name
(know the consequences!).
ƒ Activate the PATHWAY log, and check it on a regular basis
(does not really help …).
ƒ Make sure only authorized users can change the
configuration files.
This is true for ALL configuration files!
1234
PATHWAY - Solution
ƒ Use the FreeWare tool GetPWSS to check all your pathway
applications within seconds.
ƒ Use command level security products (such as SECOM) to
give management access rights on (sub)command level.
(who is allowed to restart which server at what time from which IP
address …)
1234
PATHWAY - Advanced Solution
ƒ Run all PATHWAY-applications in ONE user group:
This allows pretty stringent security settings for the
PATHWAY environments as well as for the data base!
ƒ Using non existing IDs to run the applications enforces the
best security and access control possible.
1234
SPOOLER-Threat
ƒ My second classic way to break into a system.
ƒ Same problem as with PATHWAY.
1234
SPOOLER-Threat
ƒ SPOOLERs are often started from SUPER.SUPER at cold
load time.
ƒ Weak point is unknown security mechanism.
ƒ Requirement: Interactive access to the system with ANY
SUPER-Group ID.
1234
SPOOLER-Threat
ƒ Management access is granted to:
- the starting ID
- all SUPER-group members
- SUPER.SUPER
- optional to group managers
1234
SPOOLER-Attack
ƒ Search for SPOOL, running SUPER.SUPER
$GHS1 ARROW
Process
$SPLS
B
$SPLS
$GHS1 ARROW
27> status *,prog $system.sys*.spool
Pri PFR %WT Userid Program file
0,43
150
001 255,255 $SYSTEM.SYSTEM.SPOOL
1,38
150
001 255,255 $SYSTEM.SYSTEM.SPOOL
28>
Hometerm
$ZTNP0.#PTPAAAA
$ZTNP0.#PTPAAAA
1234
SPOOLER-Attack
… how does it work?
ƒ Introduce a new print process, which is a normal
GUARDIAN program, such as FUP, SCF, SQLCI etc.
… yes – it works!
ƒ A SUPER.SUPER running SPOOL allows even interactive
access to SUPER.SUPER!
(same procedure as with PATHWAY: Introduce a print process
[= SPOOLER server])
1234
SPOOLER - Solution
ƒ Do NOT start a SPOOLER from SUPER.SUPER!
ƒ Consider running different SPOOLER systems, where the
starting ID is the owner/manager.
ƒ Consider using ACLs on supervisor and collector
processes.
ƒ Use command level security products to control access to
SPOOLER systems.
1234
USERID/LUSERID-Threat
ƒ Wrong security setting on USERID as well as SAFEGUARD
files.
ƒ Unknown additional alternate file(s).
ƒ Requirement: Interactive access to the system with ANY ID
and READ access to USERID/LUSERID.
1234
USERID/LUSERID-Threat
ƒ READ access allows a FUP COPY which discloses
unencrypted passwords.
ƒ READ/WRITE access allows the injection of a new
password for EVERY user, or the modification of password
cryptograms (DoS)
ƒ Additional alternate key copies each entry into a separate
file, which can be used for a brute force attack.
1234
USERID/LUSERID-Solution
ƒ All mentioned files have to be secured to: “----”, where the
owner has to be: SUPER.SUPER.
ƒ Check with
FUP INFO<fileset>,DETAIL
for alternate file entries.
ƒ Use the FreeWare tool FileTree to display all alternate key
files of a given file.
1234
USERID/LUSERID-Solution
ƒ Make use of the PWCONFIG product to configure the
password attributes when SAFEGUARD is not used
or
ƒ Use appropriate SAFEGUARD settings.
1234
Alias Users - Threat
ƒ Do you know all SUPER.SUPER related Alias users?
ƒ Tandem engineers often place(d) a SUPER.SUPER Alias
onto the system, that makes life easier for them…
ƒ Insufficient knowledge of SAFEGUARD.
ƒ Incomplete SAFEGUARD setup.
1234
Alias Users - Threat
ƒ Unexpected access to SUPER.SUPER, where
SUPER.SUPER is not used to logon, but an Alias.
ƒ Requirement: Access to SAFECOM and insufficient
OBJECTTYPE USER setup.
ƒ SUPER.SUPER used by a ‘wrong’ person
(just once is enough! Give me your system and SUPER.SUPER for a
minute – and it is mine!).
1234
Alias Users - Solution
ƒ Check all Alias users.
ƒ Use the FreeWare tool MyUser to list all GUARDIAN/Alias
user relations.
ƒ Delete/Expire those users, not introduced/known by you.
ƒ Have OBJECTTYPE USER defined.
OK – have SAFEGUARD set-up correctly (next topic)!
1234
SAFEGUARD - Threat
ƒ
ƒ
ƒ
ƒ
Undefined OBJECTTYPEs.
Wrong understanding of ACL evaluation.
Wrong object ACLs.
Orphaned ACL owners or Access users.
1234
SAFEGUARD - Threat
ƒ Each user can introduce a SUBVOL ACL, when
OBJECTTYPE SUBVOL is not defined.
ƒ My classic way: Introduce a non existing ACL for subvol
$SYSTEM.SYSTEM or any other interesting collection of
files, do a file copy, and delete the ACL …
ƒ Check ACL evaluation, and find a hole…
(SAFECOM INFO SAFEGUARD)
1234
SAFEGUARD - Attack
ƒ Add an ACL e.g. on SUBVOL level.
ƒ Access the required data.
ƒ Re-set the ACL.
ƒ OK – this ends up in the audit trails; BUT I am sure, that
the owner of this system does not check these files at all!
1234
SAFEGUARD - Solution
ƒ
ƒ
ƒ
ƒ
Understand SAFEGUARD.
Understand what you do.
Introduce ***ALL*** OBJECTTYPEs.
Set up the evaluation rules for an easy understanding, e.g.:
- FILE FIRST
- FIRST ACL
- PATTERN LAST
- CHECK VOLUME OFF
- CHECK SUBVOL ON
- CHECK DISKFILE ON
1234
SAFEGUARD - Solution
ƒ Check ACL evaluation with tools like:
- CRYSTAL
- SECINFO
- ACLClean
1234
xxxCSTM - Threat
ƒ Insufficient user default security, which is propagated to
CSTM-files, especially the files of SUPER.SUPER’s
- FUPCSTM
- TACLCSTM
ƒ This is true for TACL Macros (e.g. MYMACS etc.) as well!
1234
xxxCSTM - Attack
ƒ Insert data into FUPCSTM, such as:
LICENSE <mycode>
ƒ Then visit SUPER.SUPER and ask him, to do ‘something’
that activates the CSTM-file you changed, e.g. to execute
FUP.
ƒ Remove the code from FUPCSTM.
ƒ Insert data into TACLCSTM.
What about a LOGOFF as first statement?
1234
xxxCSTM - Solution
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
Secure all CSTM files to “OOOO”.
No shared default locations.
No shared USER IDs.
Default security has to be “OOOO”, optionally “UUOO”.
Individualize all users.
Differentiate between functional and individual users.
1234
TACL Macro - Threat
ƒ Same as CSTM-threat.
ƒ Hard coded passwords in TACL Macros.
1234
TACL Macro - Attack
ƒ Search for MYMAC files and check for passwords.
1234
TACL Macro - Solution
ƒ All users TACL Macros should be secured to: “OOOO”.
ƒ Do NOT have passwords hard coded anywhere;
use products which support this, e.g. our Secure FTP client
which is based on a repository, where passwords are
stored in encoded form.
1234
Library - Threat
ƒ Classic Trojan Horse.
ƒ Not that easy to develop, but
ƒ Easy to install and
ƒ Difficult to find.
… do you know what I’m talking about???
… I love this method …
1234
Library - Threat
ƒ Adds code to an executable.
ƒ Can easily spoof passwords.
ƒ Can change the behavior of a program by
- copying data
- changing data
- skipping code
- etc. etc. etc.
ƒ Requirement:
- write & execution access on program file (just once)
- execution access on library file
1234
Library - Attack
ƒ Add a LIB to
- TACL/FTPSERV to intercept USER_AUTHENTICATE_ :
You get all passwords in the clear
- any Tandem utility, and change the command behavior
- … be creative (or is it subversive?)!
1234
Library-Showtime
ƒ Showtime … ($GHS1.ETUG)
-
logging on to a TACL that has a library attached:
The classic Trojan Horse!
1234
Library - Solution
ƒ Check all executables on your system.
Use the FreeWare tool: SHOWLIB
ƒ Remove suspect libraries.
Use the FreeWare tool: BINDLIB
ƒ Set the security of all executables to: “xOxO” to prevent any
LIB binding by non file owners.
Use the FreeWare Tool SECURE.
1234
Library - Solution
ƒ In general:
- Secure all executables to: “OOxO”
- Secure all system EDIT files to: “xOOO”
- Secure all system files to: “OOOO”
- Secure all application files to: “OOOO”
- make SUPER.SUPER the owner of all system files
1234
Portconf - Threat
ƒ PORTCONF causes LISTNER to start malicious code.
1234
Portconf - Attack
ƒ Check security of PORTCONF and add an entry.
ƒ Because LISTNER normally runs SUPER.SUPER, the
defined resource runs SUPER.SUPER!
1234
Portconf - Solution
ƒ Check PORTCONF for suspicious entries.
ƒ Secure PORTCONF that only the system administrator can
change it.
ƒ Do not start LISTNER from SUPER.SUPER – there is no
need!
1234
Search Path - Threat
ƒ Before a resource is executed, TACL tries to find it in the
search path.
ƒ A typo causes an error, but a program, named like a typo,
may cause a disaster…
ƒ Requirement: Create access in a search path.
1234
Search Path - Attack
ƒ Write a small program, that purges all files of the user,
executing it.
ƒ Place this program in the search path and name it like a
typo, e.g. EDOT instead of EDIT.
ƒ … lean back, relax, and wait …
1234
Search Path - Solution
ƒ Introduce SAFEGUARD ACLs for all system wide search
path locations: Deny CREATE for unauthorized users.
ƒ Inform your users to check their search path settings, and
add an ACL as well.
1234
Alternate Key File - Threat
ƒ Alternate key files hold ‘real’ data, up to 256 bytes.
ƒ They are not displayed by the FUP INFO command, but
require FUP INFO,DETAIL!
ƒ Are easily overlooked.
ƒ This is true for SQL tables as well!
1234
Alternate Key File - Attack
ƒ Add an alternate key file to a sensitive file, where the
record contains the interesting part!
1234
Alternate Key File - Solution
ƒ Use FUP and check all your sensitive data files for
unknown alternate key file entries.
ƒ Use FreeWare program FILETREE to display all alternate
key files.
1234
Accessing Purged Data on Disk - Threat
ƒ A PURGE does not WIPE the data, it updates the Disks
Free List Table.
ƒ Data is still available, and can be retrieved by ANY user
who is allowed to create a file.
1234
Accessing Purged Data on Disk - Attack
ƒ Create a big file.
ƒ Allocate all extents
(e.g. FUP ALLOCATE <file>, 900)
ƒ Position the EOF to the last byte.
(by a small program, or FUP RECLAIMDATA <file>)
ƒ Perform a READ/COPY in the file.
1234
Accessing Purged Data on Disk - Solution
ƒ Use CLEAR-ON-PURGE option.
Know what you do: This as well might be a performance
problem for large files.
May be there is a solution in the future: The file to be
cleaned will be renamed to a temp file, and then cleaned.
1234
Denial of Service - Threat
ƒ Exhaustive use of system resources:
- CPU cycles
- internal tables
- disk and disk directory space
ƒ Causes unavailable system and services.
ƒ Causes the operating people to panic!
ƒ May even cause a system HALT.
1234
Denial of Service - Attack
ƒ By Intention
Corrupting a CPU
?Nolist
?Source $system.system.extdecs0 (alter_priority_)
?List
Proc Test Main;
Begin
While 1 do begin alter_priority_(199);
End;
1234
Denial of Service - Attack
ƒ By Intention
Corrupting a volume
?Nolist
?Source $system.system.extdecs0 (file_create_)
?List
Proc Test Main;
Begin
String .system[0:35] := „$system“;
Int
Len := 7;
While 1 do begin File_Create_(SYSTEM:36,Len);
End;
1234
Denial of Service - Attack
ƒ By Intention
Corrupting a CPU by flooding LISTNER with incomplete
FTP calls.
1234
Denial of Service - Attack
ƒ By error
Wrong and/or no error handling in the error handling.
1234
Denial of Service - Attack
ƒ By Tandem utilities
-
DIVER
TANDUMP
1234
Denial of Service - Solution
ƒ Code reading.
ƒ Exhaustive logic and error debugging.
(Kindergarten test)
ƒ Check error handling in error handling!
ƒ No compilers on production systems.
ƒ Test/development isolated from production – not even
EXPAND.
ƒ Check existing objet files with FreeWare tool EProcs.
1234
Denial of Service - Solution
ƒ Make use of the Authorization SEEP.
(PRCOSEEP)
ƒ Use ListnerLib to harden LISTNER.
ƒ Use PURGETMP FreeWare to keep track of ‘orphaned’
temporary disk files.
ƒ Revoke LICENSE flag from DIVER and TANDUMP, at least
set a tight security vector.
1234
Purge - Threat
ƒ Purge a file’s data WITHOUT having purge access.
ƒ Really deletes a files content.
ƒ Requires only WRITE access: PURGE can be set to e.g.
SUPER.SUPER!
ƒ … and how?
Perform a PURGEDATA followed by a DEALLOCATE!
1234
Covert Channel - Threat
ƒ Information leakage to listener.
ƒ Hidden data channel.
1234
Covert Channel - Attack
ƒ Changing the priority.
(ticker channel)
ƒ Checking CPU buys values.
ƒ Relating date, time and events.
ƒ Checking EOF, files, process creates etc.
1234
Covert Channel - Solution
ƒ Code reading.
ƒ Procedure call check against a negative list
(why calling AlterPriority in a server?)
ƒ Exhaustive logic (20%) as well as error tests (80%).
ƒ No production data for tests!
1234
Ghost Processes
ƒ Started from a temporary file.
ƒ Very difficult to track down.
ƒ At least you should know about it.
ƒ When we have time: Showtime!
1234
SCF Thread – just discovered
ƒ
ƒ
ƒ
ƒ
Logon to ANY SUPER-Group user.
Get SCF-Access to $ZZKRN.
Allow all errors.
Add a small program to $ZZKRN and define
SUPER.SUPER as the PAID.
ƒ The program introduced to $ZZKRN sets the ‘already
logged on’ flag, and creates a TACL.
ƒ This TACL then is started logged on with the
SUPER.SUPER ID.
ƒ Solution: Get rid of individual SUPER-Group users!
ƒ Fixed at least in H06.24.01
1234
LINKMON Thread – just discovered
ƒ Start a PATHMON under user A.B.
ƒ Add a associative server class C with security “N" and with
the process name $ZNET.
ƒ Then send the SPI-command to add a process $ZZKRN to
this server class; you can still do this as user A.B.
ƒ Now the LINKMON (which runs under SUPER.SUPER) is
able to open $ZNET.
ƒ $ZNET thinks that a SUPER.SUPER user is the user.
Add a process to $ZZKRN and since SUPER.SUPER is the
boss .....:
ƒ Voila
1234
LINKMON Thread – just discovered
ƒ The real problem here is that LINKMON's run under
SUPER.SUPER.
ƒ According to Wendy Bartlett, these two problems are fixed
in: T1084H01^AAV and T1085H01^ABB
1234
Social Engineering
ƒ Works on ANY platform at any site.
ƒ Misuse of helpfulness.
ƒ Use of unthoughtfulness.
(do not think about what you do…)
ƒ Most efficient non technical method.
ƒ Cheap!
1234
Best practice
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
No code licensing - except you know what you license.
No PROGID – use ID hopping products instead.
No orphaned files and orphaned IDs in ACLs.
No shared IDs.
Tight user default security (OOOO).
Tight system file security.
Control of functional users by e.g. session I/O tracing
(GUARDIAN as well as OSS).
ƒ Management support for system operators.
1234
Tools
All mentioned tools are
Free- or ShareWare from GreenHouse
and can be found at:
www.GreenHouse.de
For GreenHouse products please contact:
Carl.Weber@GreenHouse.de
1234
Third Parties*
Bowden Systems
CAIL
comForte21
Crystal Point
CSP
GreenHouse
Insession Technologies
Unlimited Software Associates
XYPRO
*This list
might be incomplete.
1234
Questions
1234
Thank you for listening!