Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Green Screen of Death
Posted by: Matt Presson
Date: June 02, 2008 11:59AM

Hey guys, I have been tasked with assessing the security of an application that exists solely on the mainframe. Have any of you had any experience or have any suggestions as to how to attack something like this?



Edited 1 time(s). Last edit at 06/02/2008 11:59AM by Matt Presson.

Re: Green Screen of Death
Posted by: thrill
Date: June 02, 2008 01:29PM

TN3270 emulator (I think there's a Perl module you can use) and then your standard bruteforce type attacks.. I've never heard of a buffer overflow on a mainframe, but then again, my experience is limited.

From what I remember though, there are very distinctly different errors for 'failed password with valid user' and 'invalid user' which can assist in determining whether a user is valid or not. But most OS/390 logins have very restrictive login attempt rules which require manual unlocking of a locked account, so timing of attempts is necessary to allow a valid login in between X failed.

If you have an SNA server between your webapp and your DB2, that's also a point of failure to test.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill
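
The two behaviours described in the post above (a distinct 'invalid user' response, and guesses paced so that a valid login lands between the failures) both leave a pattern in sign-on records that a defender can look for. The following is an added example, not code from any poster in this thread; the record format, outcome labels, terminal names and the lockout threshold of 3 are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-on records (hypothetical format, not a real system log):
# timestamp, terminal/device, user ID, outcome
SAMPLE_EVENTS = """\
2008-06-02T08:01:10 TERM03 ADMIN INVALID_USER
2008-06-02T08:01:40 TERM03 OPER1 INVALID_USER
2008-06-02T08:02:15 TERM03 JSMITH BAD_PASSWORD
2008-06-02T08:02:50 TERM03 SYSADM INVALID_USER
2008-06-02T08:30:00 TERM11 JSMITH SUCCESS
2008-06-02T09:10:00 TERM03 JSMITH BAD_PASSWORD
2008-06-02T09:40:00 TERM03 JSMITH BAD_PASSWORD
2008-06-02T10:00:00 TERM20 MJONES BAD_PASSWORD
2008-06-02T10:00:30 TERM20 MJONES SUCCESS
2008-06-02T12:05:00 TERM11 JSMITH SUCCESS
"""
LOCKOUT_THRESHOLD = 3  # assumed: failures allowed before the account locks

def parse(text):
    """Return (time, source, user, outcome) tuples in time order."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, source, user, outcome = line.split()
            rows.append((datetime.fromisoformat(ts), source, user, outcome))
    return sorted(rows)

def enumeration_sources(events, min_unknown=3):
    """Sources told 'invalid user' for at least min_unknown distinct IDs."""
    seen = defaultdict(set)
    for _, source, user, outcome in events:
        if outcome == "INVALID_USER":
            seen[source].add(user)
    return {s: sorted(u) for s, u in seen.items() if len(u) >= min_unknown}

def paced_guessing(events, threshold=LOCKOUT_THRESHOLD, min_cycles=2):
    """Users whose failure runs stay under the lockout threshold and are
    repeatedly reset by a success from a different source."""
    pending = defaultdict(list)  # user -> sources of failures since last success
    cycles = defaultdict(int)    # user -> number of such reset cycles
    for _, source, user, outcome in events:
        if outcome == "BAD_PASSWORD":
            pending[user].append(source)
        elif outcome == "SUCCESS":
            run = pending.pop(user, [])
            if 0 < len(run) < threshold and source not in run:
                cycles[user] += 1
    return {u: n for u, n in cycles.items() if n >= min_cycles}
```

On the constructed records, TERM03 is flagged for probing three nonexistent IDs and JSMITH for two sub-threshold failure runs absorbed by logins from another terminal; MJONES, who mistyped and then signed on from the same terminal, is not flagged.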

Re: Green Screen of Death
Posted by: Matt Presson
Date: June 02, 2008 02:16PM

Thanks thrill, but unfortunately there is no web app. There is only the green screen. I have a terminal emulator already, but thanks for the suggestion anyway. I will also keep in mind the different error messages for failed logins.

Matt

Re: Green Screen of Death
Posted by: id
Date: June 02, 2008 07:18PM

What mainframe?

And what OS/App are they running on top of it?

-id

Re: Green Screen of Death
Posted by: thrill
Date: June 02, 2008 07:29PM

Quote

And what OS/App are they running on top of it?

Umm.. I'm going to go out on a limb here and try to guess.. OS/390, DB2, homebrew app. :)

But that's just a wild guess.. <g>

--thrill

Re: Green Screen of Death
Posted by: id
Date: June 02, 2008 08:32PM

modern mainframes can run windows/linux/aix/hpux/solaris/opensolaris/and other shit, so it's kind of important.

-id

Re: Green Screen of Death
Posted by: thrill
Date: June 02, 2008 10:13PM

Green Screen homey.. green screen.. AS/400 or OS/390.. although the AS/400 mostly used 5250 by default, I once saw one using 3270 as a default term emu.. oh wait, you did too.. it was that place that used 192.100.x.x.. you member?

That actually explains why someone would go through the pains of enabling 3270.. if it was 'him' accessing it, I'm sure he demanded it. heh..

--thrill

Re: Green Screen of Death
Posted by: Matt Presson
Date: June 03, 2008 08:35AM

The OS is AS/400. It is a homebrew COBOL app that has been running for about 30 years, and no, I am not exaggerating. That app has been around longer than I have.

thrill is correct, we have no mainframe Linux going on here. Does anyone have any custom back end ways to interact with the mainframe other than through a terminal emulator? ActiveX controls/COM objects/Java/Python/C APIs I can program to?

Re: Green Screen of Death
Posted by: id
Date: June 03, 2008 09:38AM

Never say thrill is correct, his ego will grow out of control.

If I had time I'd just buy one and play with it

http://cgi.ebay.com/AS400-9406-270-2248-1517-eServer-AS-400-Configured-4-5_W0QQitemZ370056551967QQihZ024QQcategoryZ162QQssPageNameZWDVWQQrdZ1QQcmdZViewItem

-id

Re: Green Screen of Death
Posted by: Matt Presson
Date: June 03, 2008 10:25AM

Have you had any experience against COBOL apps though? Is the only main difference here that I can't do CSRF, XSS, etc? I can't have a proxy obviously so I am kind of restricted by the screen length constraints. Any ideas about how to get around that?

Re: Green Screen of Death
Posted by: thrill
Date: June 03, 2008 11:44AM

@Matt - I hate to say it, but some of those homebrew Cobol apps were quite secure, not because of the way they were written, but because of the underlying OS.

As for a programming language you can use to make things 'programmable', your best bet is Perl.

There is also some documentation that might be of help to you here: http://www.venera.com/downloads.htm

--thrill

Re: Green Screen of Death
Posted by: id
Date: June 03, 2008 02:18PM

I've played with a few both on AS400s and Unisys machines, but none of it was hardcore hacking on the systems.

The flaws on the Unisys machine gave me the ability to reinstall the system, so bad flaw, but simple security problem...default account, yay.

So no real advice that you don't already know, or wouldn't test. Old green screen apps tend to have 6 char password limits, and many just include alphanumeric using only uppercase letters.

Be careful using nmap or other scanning tools on AS400s though, I've hung interfaces on them with just a simple scan.

It might be worth looking in old 2600 mags, or cdc stuff.

-id

Re: Green Screen of Death
Posted by: Matt Presson
Date: June 03, 2008 03:16PM

Awesome. I will check that out as soon as I can. It looks promising.
