Stream: Virtual Room 7
Time: 16:15 - 17:00
IBM provides various callable services that let programs execute REXX, allowing users to easily extend the functionality of programs by writing their own REXX scripts. However, this can violate system integrity if the program calling the service is running with APF authorization. This talk will explain how a malicious user can abuse the functionality of REXX to gain code execution within the program. Because the program is running APF authorized, they can then gain full access to the system. There will be a discussion on why it doesn't matter whether the callable service was called in key 0/8 or in supervisor/problem state.
This talk will provide methods to determine if your program is vulnerable, as well as a step-by-step demo of how an attacker would exploit a sample program. Attendees will learn how to ensure their own authorized code is not vulnerable, as well as how to find and report any vulnerable code.
There is currently no attachment for Vivat REXX: The Danger of Executing REXX in an Authorized Environment
Hi, I'm Jake Labelle, an associate security consultant at F-Secure. In my spare time, I like to tinker and reverse engineer z/OS binaries, and over the last year I have had a lot of spare time. I have found and reported a number of security vulnerabilities in z/OS binaries to IBM. For the past year and a half, I have been getting a crash course in all things mainframe, and seem to learn something new every week. Hopefully I will bring a unique perspective on mainframe security.