Mainframe CICS

On thick client tests, you might often encounter fundamentally insecure designs, such as a thick client talking directly to a database with no intermediate web service component controlling authentication and authorization. In such designs, the database password can be recovered by reversing the binary. With it, you can execute arbitrary queries, elevate privileges and even achieve code execution on the database server. The remediation often requires a redesign.

Recently I encountered a variant of such a design – a thick client was communicating directly with a mainframe server. The app communicated with AD for authentication and subsequently used different, hardcoded credentials to access the mainframe’s API interface. This is a clear disconnect.

Quick notes on this test:

  1. The application started an IBM process, cicscli, which establishes the connection with the server.
  2. The application used shared section IPC to communicate with cicscli. I have not seen this IPC mechanism used in modern applications. Fuzzing this IPC was less interesting, as both cicscli and the app were running with the same privileges.
  3. The AD authentication was bypassed by patching the binary.
  4. Reversing the binary gave us the mainframe username and password, which are the same across all users.
  5. CICS Transaction Gateway exposed both a terminal and an API interface.
  6. The terminal was so old that x3270 and other IBM terminal emulators don’t work.
  7. CICSpwn doesn’t work either – https://github.com/ayoul3/cicspwn
  8. Fortunately, the machine had a terminal application, cicsterm, installed that can be used to connect to the server.

Commands

  • When you connect to a terminal, you are already signed in as the default user. In my case it was “cicsuser”. The CESN command can be used to sign in as a different user.
  • The terminal is not a Linux shell. There are a few predefined commands that you can run:

https://www.ibm.com/support/knowledgecenter/en/SSGMCP_5.3.0/com.ibm.cics.ts.systemprogramming.doc/topics/dfha726.html

Note that not all of them will be supported.

Quick intro on the different commands can be found here:

https://sites.google.com/site/mainframecicsworld/cics-commands

CEMT and CECI are the most useful commands. Although cicspwn did not run against the server, its source helped in identifying key commands for performing recon on the server.

For example:

  • CEMT I TASK – list running tasks
  • CEMT I SYS – CICS version
  • CEMT I TRANS – list transactions

I didn’t get a lot of time to explore it further – maybe in another assessment. Do add comments if you have additional references/pointers for mainframe testing.