1234 How to break into a Tandem System… …and how to prevent it! Carl Weber GreenHouse Software & Consulting Security SIG of ETUG, 25. September 2012 1234 This is what you have to secure 1234 The security advice (PCI) 1234 The security mechanism 1234 … nad this is how it looks like - BUT… 1234 … this is your environment! 1234 And you still believe you are secure? 1234 Currently… The government of Nordrhein-Westfalen bought and still buys tax related data, stolen from Swiss banks. All these banks for sure successfully passed a PCI audit! What does this mean in terms of being PCI compliant? 1234 What you really need! 1234 Brief intro Carl Weber Started with Tandem(*) Germany in October 1978. ‘In security’ since 1985, when SAFEGUARD was introduced in Cupertino by Tim Chou. Leading the German system evaluation at GISA and participating in the NCSC evaluation (1989-1993). Started GreenHouse 1994 as a Tandem Alliance Partner. www.GreenHouse.de Specialized in security consulting and security reviews, security product and tool development, PRIV system code, and code specialties. (*) to me it still is Tandem … 1234 Session overview How secure is a Tandem system? Can be broken in? Easily? Is there an easy way to detect and prevent it? Solutions! This presentation is related to the GUARDIAN side only: There is OSS and the network (LAN) as well! 1234 Well known truths Ignorance doesn’t solve the problem … it just lets you sleep better… Once you lost your integrity … the rest is easy … Good judgment comes from experience. Experience comes from bad judgment. 1234 Well known truths Everybody has his price … trust me … In theory, there is no difference between theory and practice; in practice, there is. Chuck Reid 1234 What you possibly think about me … Security people do have a good heart … but a sick mind … 1234 … but … Hackers do have a sick heart AND a sick mind! 1234 Keep in Mind SAFEGUARD does not introduce a better security, but a better granularity as well as auditing. (an error 48 in GUARDIAN is as solid as in SAFEGUARD) Automated security checks are nice to watch – but it is better to understand, what they do, and what they do NOT do! Train yourself , and/or hire a trustworthy expert. Test your system before intruders or POIEs(*) do. Have OSS and LAN on your radar as well! (*) POIE = pissed off internal expert [not politically correct, but precise] 1234 Questions NonStop Systems are considered to be FailSafe – but what about their security? Does/can GUARDIAN and SAFEGUARD protect all system assets? OK - GUARDIAN/SAFEGUARD does have two (outdated) certificates: NCSC (C2) and GISA (F2 @Q3 and F7 @Q3) So what … ??? 1234 Questions Can be broken into the system, or an application? Is it possible to gain access to ID’s without the knowledge of the password? In case there are real threats - are there effective countermeasures? 1234 General All my attacks start from a NON PRIV logged on TACL with the ID of SA.CARL = 100,5 - NO SUPER.SUPER (255,255) - NO SUPER group (255,n) - NO group Manager (n,255) and available system I have access to, e.g.: - PATHCOM, SQLCI, SCF etc. Sounds like a first hurdle – but all your administrators, operators, developers, and system users do have interactive access to your system! 1234 General Demos run on \GINKGO of GreenHouse. (NS1002, H06.24.01) Connection by VPN through the Internet. 1234 General Used system software: - MyLogin (single sign on TO the system) - SECOM (single sign on ON the system; command level security, ID hopping) - GreenHouse tools - Special demo programs (TAL/native TAL) - TACL macros - GreenHouse developed hack code using well documented GUARDIAN procedure calls … and here we go … 1234 PATHWAY-Threat Getting access to the application ID. Getting access to application data. Worst case: Getting interactive access to SUPER.SUPER. This is my classic way to break into a system! 1234 PATHWAY-Threat Weak point is insufficient default security of PATHWAY monitor. Unknown security mechanism. System applications are often started from SUPER.SUPER (do you use SUPER.SUPER in the day-to-day business?). Requirement to succeed an attack: Interactive access to the system with possibly ANY ID! 1234 PATHWAY-Threat PATHWAY system (PATHMON) - PAID - Owner - Security Is the ID of the starting user. By default the starting user; can be configured differently! By default “N”; can be configured differently! This has changed with TS/MP 2.3 from N to O. It is available starting H06.14, but can be installed on any system beginning H06.06 or later(*). *** BUT NOT IN PATHWAY *** *18. December 2008, Evans, Keith B (NonStop) [keith.b.evans@hp.com], HP Product manager for PATHWAY 1234 PATHWAY-Threat PAID (Process Access ID) - Derived from the starting user Propagated to all programs (= Servers), started from PATHMON A PRIV ID even gives management users access rights they should not get to 1234 PATHWAY-Threat Owner - Set to PAID by default. Can easily be changed to any other user ID. Is used to manage the system via PATHMON. 1234 PATHWAY-Threat Security - Set to “N” by default – still! Allows ALL system users to manage this PATHWAY system (e.g. to stop it!) Can easily be changed to any other (more secure) GUARDIAN security vector Related to PATHWAY “Owner” 1234 PATHWAY-Attack Search for PATHMON’s, running SUPER.SUPER, or any other interesting application owner ID $GHS1 ARROW Process $GHS $S600 $GHS B $S600 B $GHS1 ARROW 23> status *,user super.super,prog $system.sys*.pathmon Pri PFR %WT Userid Program file Hometerm 0,46 167 005 255,255 $SYSTEM.SYSTEM.PATHMON $ZHOME 0,54 180 005 255,255 $SYSTEM.SYSTEM.PATHMON $ZHOME 1,58 167 001 255,255 $SYSTEM.SYSTEM.PATHMON $ZHOME 1,74 180 001 255,255 $SYSTEM.SYSTEM.PATHMON $ZHOME 24> 1234 PATHWAY-Attack Check PATHMON security setting $GHS1 ARROW 24>pathcom $ghs;info pathway PATHWAY MAXASSIGNS 100 [CURRENTLY 63] MAXDEFINES 0 [CURRENTLY 0] . . MAXTERMS 60 [CURRENTLY 0] MAXTMFRESTARTS 5 OWNER \GINKGO.255,255 SECURITY “N" $GHS1 ARROW 25> 1234 PATHWAY-Attack … and how does it work? Introduce a new server, such as SQLCI, FUP, BACKUP etc. SUPER.SUPER even gives access to ANY other system ID WITHOUT the need to know a password, AND: This break in is NOT audited in SAFEGUARD! 1234 PATHWAY-Showtime Showtime … (\GINKGO.$GHS1.ETUG) - starting an insecure SUPER.SUPER PATHMON demonstrating interactive access to SUPER.SUPER - starting a correct secured SUPER.SUPER PATHMON demonstrating its robustness 1234 PATHWAY - Solution Prevent starting a PATHWAY application from a privileged system ID such as: SUPER.SUPER SUPER.xxx xxx.MANAGER Set PATHWAY management security to “O”. Define a real user as PATHMON manager; can be different from the PATHMON PAID! 1234 PATHWAY - Solution Optionally put an ACL on the PATHMON process name (know the consequences!). Activate the PATHWAY log, and check it on a regular basis (does not really help …). Make sure only authorized users can change the configuration files. This is true for ALL configuration files! 1234 PATHWAY - Solution Use the FreeWare tool GetPWSS to check all your pathway applications within seconds. Use command level security products (such as SECOM) to give management access rights on (sub)command level. (who is allowed to restart which server at what time from which IP address …) 1234 PATHWAY - Advanced Solution Run all PATHWAY-applications in ONE user group: This allows pretty stringent security settings for the PATHWAY environments as well as for the data base! Using non existing IDs to run the applications enforces the best security and access control possible. 1234 SPOOLER-Threat My second classic way to break into a system. Same problem as with PATHWAY. 1234 SPOOLER-Threat SPOOLERs are often started from SUPER.SUPER at cold load time. Weak point is unknown security mechanism. Requirement: Interactive access to the system with ANY SUPER-Group ID. 1234 SPOOLER-Threat Management access is granted to: - the starting ID - all SUPER-group members - SUPER.SUPER - optional to group managers 1234 SPOOLER-Attack Search for SPOOL, running SUPER.SUPER $GHS1 ARROW Process $SPLS B $SPLS $GHS1 ARROW 27> status *,prog $system.sys*.spool Pri PFR %WT Userid Program file 0,43 150 001 255,255 $SYSTEM.SYSTEM.SPOOL 1,38 150 001 255,255 $SYSTEM.SYSTEM.SPOOL 28> Hometerm $ZTNP0.#PTPAAAA $ZTNP0.#PTPAAAA 1234 SPOOLER-Attack … how does it work? Introduce a new print process, which is a normal GUARDIAN program, such as FUP, SCF, SQLCI etc. … yes – it works! A SUPER.SUPER running SPOOL allows even interactive access to SUPER.SUPER! (same procedure as with PATHWAY: Introduce a print process [= SPOOLER server]) 1234 SPOOLER - Solution Do NOT start a SPOOLER from SUPER.SUPER! Consider running different SPOOLER systems, where the starting ID is the owner/manager. Consider using ACLs on supervisor and collector processes. Use command level security products to control access to SPOOLER systems. 1234 USERID/LUSERID-Threat Wrong security setting on USERID as well as SAFEGUARD files. Unknown additional alternate file(s). Requirement: Interactive access to the system with ANY ID and READ access to USERID/LUSERID. 1234 USERID/LUSERID-Threat READ access allows a FUP COPY which discloses unencrypted passwords. READ/WRITE access allows the injection of a new password for EVERY user, or the modification of password cryptograms (DoS) Additional alternate key copies each entry into a separate file, which can be used for a brute force attack. 1234 USERID/LUSERID-Solution All mentioned files have to be secured to: “----”, where the owner has to be: SUPER.SUPER. Check with FUP INFO<fileset>,DETAIL for alternate file entries. Use the FreeWare tool FileTree to display all alternate key files of a given file. 1234 USERID/LUSERID-Solution Make use of the PWCONFIG product to configure the password attributes when SAFEGUARD is not used or Use appropriate SAFEGUARD settings. 1234 Alias Users - Threat Do you know all SUPER.SUPER related Alias users? Tandem engineers often place(d) a SUPER.SUPER Alias onto the system, that makes life easier for them… Insufficient knowledge of SAFEGUARD. Incomplete SAFEGUARD setup. 1234 Alias Users - Threat Unexpected access to SUPER.SUPER, where SUPER.SUPER is not used to logon, but an Alias. Requirement: Access to SAFECOM and insufficient OBJECTTYPE USER setup. SUPER.SUPER used by a ‘wrong’ person (just once is enough! Give me your system and SUPER.SUPER for a minute – and it is mine!). 1234 Alias Users - Solution Check all Alias users. Use the FreeWare tool MyUser to list all GUARDIAN/Alias user relations. Delete/Expire those users, not introduced/known by you. Have OBJECTTYPE USER defined. OK – have SAFEGUARD set-up correctly (next topic)! 1234 SAFEGUARD - Threat Undefined OBJECTTYPEs. Wrong understanding of ACL evaluation. Wrong object ACLs. Orphaned ACL owners or Access users. 1234 SAFEGUARD - Threat Each user can introduce a SUBVOL ACL, when OBJECTTYPE SUBVOL is not defined. My classic way: Introduce a non existing ACL for subvol $SYSTEM.SYSTEM or any other interesting collection of files, do a file copy, and delete the ACL … Check ACL evaluation, and find a hole… (SAFECOM INFO SAFEGUARD) 1234 SAFEGUARD - Attack Add an ACL e.g. on SUBVOL level. Access the required data. Re-set the ACL. OK – this ends up in the audit trails; BUT I am sure, that the owner of this system does not check these files at all! 1234 SAFEGUARD - Solution Understand SAFEGUARD. Understand what you do. Introduce ***ALL*** OBJECTTYPEs. Set up the evaluation rules for an easy understanding, e.g.: - FILE FIRST - FIRST ACL - PATTERN LAST - CHECK VOLUME OFF - CHECK SUBVOL ON - CHECK DISKFILE ON 1234 SAFEGUARD - Solution Check ACL evaluation with tools like: - CRYSTAL - SECINFO - ACLClean 1234 xxxCSTM - Threat Insufficient user default security, which is propagated to CSTM-files, especially the files of SUPER.SUPER’s - FUPCSTM - TACLCSTM This is true for TACL Macros (e.g. MYMACS etc.) as well! 1234 xxxCSTM - Attack Insert data into FUPCSTM, such as: LICENSE <mycode> Then visit SUPER.SUPER and ask him, to do ‘something’ that activates the CSTM-file you changed, e.g. to execute FUP. Remove the code from FUPCSTM. Insert data into TACLCSTM. What about a LOGOFF as first statement? 1234 xxxCSTM - Solution Secure all CSTM files to “OOOO”. No shared default locations. No shared USER IDs. Default security has to be “OOOO”, optionally “UUOO”. Individualize all users. Differentiate between functional and individual users. 1234 TACL Macro - Threat Same as CSTM-threat. Hard coded passwords in TACL Macros. 1234 TACL Macro - Attack Search for MYMAC files and check for passwords. 1234 TACL Macro - Solution All users TACL Macros should be secured to: “OOOO”. Do NOT have passwords hard coded anywhere; use products which support this, e.g. our Secure FTP client which is based on a repository, where passwords are stored in encoded form. 1234 Library - Threat Classic Trojan Horse. Not that easy to develop, but Easy to install and Difficult to find. … do you know what I’m talking about??? … I love this method … 1234 Library - Threat Adds code to an executable. Can easily spoof passwords. Can change the behavior of a program by - copying data - changing data - skipping code - etc. etc. etc. Requirement: - write & execution access on program file (just once) - execution access on library file 1234 Library - Attack Add a LIB to - TACL/FTPSERV to intercept USER_AUTHENTICATE_ : You get all passwords in the clear - any Tandem utility, and change the command behavior - … be creative (or is it subversive?)! 1234 Library-Showtime Showtime … ($GHS1.ETUG) - logging on to a TACL that has a library attached: The classic Trojan Horse! 1234 Library - Solution Check all executables on your system. Use the FreeWare tool: SHOWLIB Remove suspect libraries. Use the FreeWare tool: BINDLIB Set the security of all executables to: “xOxO” to prevent any LIB binding by non file owners. Use the FreeWare Tool SECURE. 1234 Library - Solution In general: - Secure all executables to: “OOxO” - Secure all system EDIT files to: “xOOO” - Secure all system files to: “OOOO” - Secure all application files to: “OOOO” - make SUPER.SUPER the owner of all system files 1234 Portconf - Threat PORTCONF causes LISTNER to start malicious code. 1234 Portconf - Attack Check security of PORTCONF and add an entry. Because LISTNER normally runs SUPER.SUPER, the defined resource runs SUPER.SUPER! 1234 Portconf - Solution Check PORTCONF for suspicious entries. Secure PORTCONF that only the system administrator can change it. Do not start LISTNER from SUPER.SUPER – there is no need! 1234 Search Path - Threat Before a resource is executed, TACL tries to find it in the search path. A typo causes an error, but a program, named like a typo, may cause a disaster… Requirement: Create access in a search path. 1234 Search Path - Attack Write a small program, that purges all files of the user, executing it. Place this program in the search path and name it like a typo, e.g. EDOT instead of EDIT. … lean back, relax, and wait … 1234 Search Path - Solution Introduce SAFEGUARD ACLs for all system wide search path locations: Deny CREATE for unauthorized users. Inform your users to check their search path settings, and add an ACL as well. 1234 Alternate Key File - Threat Alternate key files hold ‘real’ data, up to 256 bytes. They are not displayed by the FUP INFO command, but require FUP INFO,DETAIL! Are easily overlooked. This is true for SQL tables as well! 1234 Alternate Key File - Attack Add an alternate key file to a sensitive file, where the record contains the interesting part! 1234 Alternate Key File - Solution Use FUP and check all your sensitive data files for unknown alternate key file entries. Use FreeWare program FILETREE to display all alternate key files. 1234 Accessing Purged Data on Disk - Threat A PURGE does not WIPE the data, it updates the Disks Free List Table. Data is still available, and can be retrieved by ANY user who is allowed to create a file. 1234 Accessing Purged Data on Disk - Attack Create a big file. Allocate all extents (e.g. FUP ALLOCATE <file>, 900) Position the EOF to the last byte. (by a small program, or FUP RECLAIMDATA <file>) Perform a READ/COPY in the file. 1234 Accessing Purged Data on Disk - Solution Use CLEAR-ON-PURGE option. Know what you do: This as well might be a performance problem for large files. May be there is a solution in the future: The file to be cleaned will be renamed to a temp file, and then cleaned. 1234 Denial of Service - Threat Exhaustive use of system resources: - CPU cycles - internal tables - disk and disk directory space Causes unavailable system and services. Causes the operating people to panic! May even cause a system HALT. 1234 Denial of Service - Attack By Intention Corrupting a CPU ?Nolist ?Source $system.system.extdecs0 (alter_priority_) ?List Proc Test Main; Begin While 1 do begin alter_priority_(199); End; 1234 Denial of Service - Attack By Intention Corrupting a volume ?Nolist ?Source $system.system.extdecs0 (file_create_) ?List Proc Test Main; Begin String .system[0:35] := „$system“; Int Len := 7; While 1 do begin File_Create_(SYSTEM:36,Len); End; 1234 Denial of Service - Attack By Intention Corrupting a CPU by flooding LISTNER with incomplete FTP calls. 1234 Denial of Service - Attack By error Wrong and/or no error handling in the error handling. 1234 Denial of Service - Attack By Tandem utilities - DIVER TANDUMP 1234 Denial of Service - Solution Code reading. Exhaustive logic and error debugging. (Kindergarten test) Check error handling in error handling! No compilers on production systems. Test/development isolated from production – not even EXPAND. Check existing objet files with FreeWare tool EProcs. 1234 Denial of Service - Solution Make use of the Authorization SEEP. (PRCOSEEP) Use ListnerLib to harden LISTNER. Use PURGETMP FreeWare to keep track of ‘orphaned’ temporary disk files. Revoke LICENSE flag from DIVER and TANDUMP, at least set a tight security vector. 1234 Purge - Threat Purge a file’s data WITHOUT having purge access. Really deletes a files content. Requires only WRITE access: PURGE can be set to e.g. SUPER.SUPER! … and how? Perform a PURGEDATA followed by a DEALLOCATE! 1234 Covert Channel - Threat Information leakage to listener. Hidden data channel. 1234 Covert Channel - Attack Changing the priority. (ticker channel) Checking CPU buys values. Relating date, time and events. Checking EOF, files, process creates etc. 1234 Covert Channel - Solution Code reading. Procedure call check against a negative list (why calling AlterPriority in a server?) Exhaustive logic (20%) as well as error tests (80%). No production data for tests! 1234 Ghost Processes Started from a temporary file. Very difficult to track down. At least you should know about it. When we have time: Showtime! 1234 SCF Thread – just discovered Logon to ANY SUPER-Group user. Get SCF-Access to $ZZKRN. Allow all errors. Add a small program to $ZZKRN and define SUPER.SUPER as the PAID. The program introduced to $ZZKRN sets the ‘already logged on’ flag, and creates a TACL. This TACL then is started logged on with the SUPER.SUPER ID. Solution: Get rid of individual SUPER-Group users! Fixed at least in H06.24.01 1234 LINKMON Thread – just discovered Start a PATHMON under user A.B. Add a associative server class C with security “N" and with the process name $ZNET. Then send the SPI-command to add a process $ZZKRN to this server class; you can still do this as user A.B. Now the LINKMON (which runs under SUPER.SUPER) is able to open $ZNET. $ZNET thinks that a SUPER.SUPER user is the user. Add a process to $ZZKRN and since SUPER.SUPER is the boss .....: Voila 1234 LINKMON Thread – just discovered The real problem here is that LINKMON's run under SUPER.SUPER. According to Wendy Bartlett, these two problems are fixed in: T1084H01^AAV and T1085H01^ABB 1234 Social Engineering Works on ANY platform at any site. Misuse of helpfulness. Use of unthoughtfulness. (do not think about what you do…) Most efficient non technical method. Cheap! 1234 Best practice No code licensing - except you know what you license. No PROGID – use ID hopping products instead. No orphaned files and orphaned IDs in ACLs. No shared IDs. Tight user default security (OOOO). Tight system file security. Control of functional users by e.g. session I/O tracing (GUARDIAN as well as OSS). Management support for system operators. 1234 Tools All mentioned tools are Free- or ShareWare from GreenHouse and can be found at: www.GreenHouse.de For GreenHouse products please contact: Carl.Weber@GreenHouse.de 1234 Third Parties* Bowden Systems CAIL comForte21 Crystal Point CSP GreenHouse Insession Technologies Unlimited Software Associates XYPRO *This list might be incomplete. 1234 Questions 1234 Thank you for listening!
© Copyright 2024