Follow me on a journey where we pwn one of the most secure platforms on earth – a giant mammoth that to this day powers the most critical business functions around the world: The Mainframe! Be it a wire transfer, an ATM withdrawal, or flight booking, you can be sure that you’ve used the trusted services of a mainframe at least once during the last 24 hours.
CICS or the Customer Information Control System was developed by IBM to host and develop interactive application mainly on z/OS as well as handle an important volume of transactions. It is the most widely deployed transaction system in the world with more than 20 billion transactions a day relying on its services. Indeed for every person that withdraws money, there is a good to fair chance that multiple CICS applications are involved somewhere in the chain of request. Same goes for banking operators when creating a new account, handling refunds, etc.
In this talk, I will present methods on pentesting mainframe applications, deploying shells and elevating privileges on the system, all starting with zero authentication. If you are interested in mainframes or merely curious to see a what a shell looks like on MVS, you’ll want to attend this session.