IBM System Z Mainframes are in regular use in Fortune 500
companies. Far from being legacy, these systems are running
an actively maintained operating system (z/OS). Applications
on these often occupy roles critical to the business processes
they underpin, with much of the later technology built around
them, rather than replacing them. However, these systems
are often bypassed by security testing due to worries about
availability or assumptions about legacy. This talk will introduce
you to assessing mainframe applications, which turn out to
be quite similar to web applications. For this purpose we
built a tool, Big Iron Recon & Pwnage (BIRP), to assist with
performing such assessments. Importantly, our research
uncovered a family of mainframe application vulnerabilities
introduced by the TN3270 protocol. We found numerous applications, but not all, vulnerable to these flaws, including applications
running within the two most popular transaction managers
(CICS and IMS) as well as one of IBM’s own applications. The
tool released assists with the exploitation of these flaws.
Copyright 2020, IronGeek