Black Hat USA 2025 | Unix Underworld: Tales from the Dark Side of z/OS

You may have heard tales of mainframe pentesting and exploitation before - mostly from us! Those stories often focused on the MVS/ISPF side of the IBM z/OS. But did you know that all those same tricks (and more!) can be pulled off in z/OS Unix System Services (OMVS) as well? I bet you didn't even know z/OS had a UNIX side! Over the years, we've discovered multiple unique attack paths when it comes to Unix on the mainframe. In this talk, we'll present live demos of real-world scenarios we've encountered during mainframe penetration tests. These examples will showcase what can happen with poor file hygiene leading to database compromises, inadequate file permissions enabling privilege escalation, a lack of ESM resource understanding allowing for privileged command execution, and how dataset protection won't save you from these attacks. We'll also be demonstrating what can happen when we overflow the buffer in an APF authorized dataset. Attendees will learn how to test these controls themselves using freely available open-source tools and how to (partially) detect these attacks. While privesc in UNIX isn't game over for your mainframe, it's pretty close. By the end, it will be clear that simply granting superuser access to Unix can be just as dangerous, if not more so, than giving access to TSO on the mainframe. By: Philip Young | Director Mainframe Penetration Testing Services, NetSPI Chad Rikansrud | Software Security Researcher, Broadcom Presentation Materials Available at: https://ift.tt/DOXYWFE

source https://www.youtube.com/watch?v=3wQHhGxVTuo