Pwning the mainframe: How to hack the "most secure" platform on Earth

A researcher found a security flaw that granted him access to a mainframe's vital, sensitive data.
Written by Zack Whittaker, Contributor

You know what aren't "sexy" for security researchers? Mainframes.

These high-performance systems typically designed for large-scale computing are the last bastion of security testing and research because typically they're considered to be the most secure platform on Earth. It's why these systems are at the heart of almost every critical transaction that ordinary people rely on every day -- including bank wire transfers and ATM transactions, booking flights, and handling millions of payments at retail outlets around the world.

But what doesn't help the appeal is that mainframes are notoriously difficult to get access to, making security testing difficult, if not impossible.

Ayoub Elaassal, a security auditor at consulting firm Wavestone, was one of the lucky few who were able to access a mainframe for an audit. It was running z/OS, a specialized operating system built by IBM for its z Series machines.

It didn't take him too long to find a vulnerability that, if exploited, could have given him root access to a mainframe and its vital, sensitive data.

"We could potentially compromise the whole system, and to whatever we want -- like intercepting transactions and issuing wire transfers," he told me on the phone last week.

Elaassal found that key system libraries, or directories -- known as authorized program facilities (APFs), could in many cases be updated by any of the mainframe's users. By his estimate, as many as half of all audits show accessible updatable libraries, he said, and therefore put affected mainframes at risk of attack.

Elaassal wrote several scripts that can escalate a user's privileges to the highest "root" level. One of the scripts compiles a payload and places it into one of these sensitive directories, effectively becoming a trusted part of the system itself. The malicious payload then flips some bytes and grants the user "root" or "special" privileges on the mainframe.

"Once you have that kind of leverage -- that backdoor -- you can do whatever you want," he explained. "You can change memory, you revoke users, shut down the machine -- you can do anything."

Elaassal was set to give a talk at the Black Hat conference in Las Vegas, but was denied entry to the US. His tools are open-source and are available on GitHub.

The good news is that it's not a completely silent attack. Because the script changes a user's permission, that's something that a company should ensure it monitors, said Elaassal.

"With the tool, you just get root," he said. "If someone becomes an admin all of a sudden at 5 am, that isn't normal."


IBM z Series mainframe. (Image: file photo)

Elaassal said that the threat is limited to those with access to the mainframe, but noted that anyone with remote access could carry out the privilege escalation attack, including remote or branch office staff. "You don't need to be physically at the mainframe," he said. "When you go to the bank, every bank agent has access to the mainframe."

"If it's a bank, you can do wire transfers, money laundering, add zero to a bank account," he said. "You can shut down the mainframe and lose the bank money -- real money, which can be millions for a big bank."

With root privileges, he said, "you could erase everything."

I asked him why then he would release tools that would escalate a user's privileges to a damaging level. He said the onus of ensuring responsible user permissions and mainframe security lands squarely with the owner, and not something that IBM can easily fix.

"Security on a mainframe used to be a guy with a gun," he joked. "Now, these sensitive systems files are accessible by default by hundreds of thousands of users on a mainframe."

"Companies find it hard and time consuming to set up proper fine-grain rules to define exactly who gets access to what," he added. "They usually get away with 'nobody knows how to hack it anyway, so why bother?' Now they can't say that anymore."

"It's really in the hands of the customers to control access," he said.

Editorial standards