SSH-nanigans: Busting Open the Mainframes Iron Fortress through Unix

Presented at DEF CON 33 (2025), Aug. 10, 2025, 10 a.m. (45 minutes).

You may have heard tales of mainframe pentesting and exploitation before - mostly from us! Those stories often focused on the MVS/ISPF side of the IBM z/OS. But did you know that all those same tricks (and more!) can be pulled off in z/OS Unix System Services (OMVS) as well? I bet you didn't even know z/OS had a UNIX side! Over the years we've discovered multiple unique attack paths when it comes to Unix on the mainframe. In this talk, we'll present live demos of real-world scenarios we've encountered during mainframe penetration tests. These examples will showcase what can happen with poor file hygiene leading to database compromises, inadequate file permissions enabling privilege escalation, lack of ESM resource understanding allowing for privileged command execution, and how dataset protection won't save you from these attacks. We'll also be demonstrating what can happen when we overflow the buffer in an APF authorized dataset. Attendees will learn how to test these controls themselves using freely available open-source tools and how to (partially) detect these attacks. While privesc in UNIX isn't game over for your mainframe, it's pretty close. By the end, it will be clear that simply granting superuser access to Unix can be just as dangerous, if not more so, than giving access to TSO on the mainframe.

Presenters:

• Philip Young / Soldier of FORTRAN   as Philip "Soldier of FORTRAN" Young
  Philip Young, aka Soldier of FORTRAN, Director of Mainframe Penetration Testing Services at NetSPI is an oldschool hacker. He started out on with an Amiga 500 and a modem and never looked back, cutting his teeth on Datapac (the Canadian X.25 network) he eventually grew to searching the internet for interesting things. Later in his career he started taking a serious look at mainframe cybersecurity and realized how far behind mainframes had fallen when compared to their more open system (Windows/Linux). At that point he made it his lifes mission to raise awareness and produce tooling to aid in the testing of these critical resources to help keep them safe. Since then he has given talks around the world at places like BlackHat, DEFCON, RSA, has taught multiple workshops and was even under investigation by the Swedish secret police. In addition he has released countless opensources tools to pentest mainframes.

Similar Presentations:

• DEF CON 22 (2014) / From root to SPECIAL: Pwning IBM Mainframes
• CactusCon 12 (2024) / Breaking in to the Iron Fortress - How I hack IBM mainframes
• DEF CON 30 (2022) / Doing the Impossible: How I Found Mainframe Buffer Overflows