Logica Investigation
Description: In this repository is a collection of files outlined/documented in the various files included within the alleged Logica breach. Most of the files are complete (typos notwithstanding) and incomplete files contain whatever was documented in the investigation paperwork.
WHY?
I decided to document these files here due to the historical nature of the breach. It is the first publicly documented IBM z/OS breach in which the some of the code is actually available. It also serves as educational resources to those wanting to get interested in testing/auditing mainframes and mainframe security.
The Files
aptitup.jcl: A JCL file which executes the file /tmp/a.env file in OMVS (aka UNIX) using BPXBATCH.
Enum.c: A C program to enumerate users using getpwuid.
go.rx: A REXX script used to escalate privileges to the UID/GID supplied to the script. It is assumed this program is running with an appropriate setuid.
Ha.C: A C program that takes two arguments UID/GID and executes /bin/sh as the supplied arguments.
kuku.rx: A REXX script which exploits a previously unknown 0-Day vulnerability in CNMEUNIX (a program in OMVS with setuid). The script uses CNMEUNIX to locally escalate privileges to superuser (aka root) access in OMVS. This code is only a snippet as that is all that is available.
nop.jcl: A JCL file which "does nothing" ;)
Tfy.source.backdoor: A ASM program which changes ACEE settings.
tsocmd.rx: A REXX script which executes TSO commands. This is different from the /bin/tso command as it can execute authorized programs. This script is freely available from IBM but was found during the investigation.
utcam.sh: BASH script which when run send commands to a remote listening web server.
vc242: Turns on and off the JSCBAUTH bit depending on the contents of Register 0. (thanks @BarrySchrager1)
DeFeNeStRaTe.C: z/OS OMVS local exploit for APF authorized load module IOELMD10