Files compiled from the Logica breach investigation materials

Logica Investigation

Description: This repository collects the files that were outlined or documented in the various materials included with the alleged Logica breach. Most of the files are complete (typos notwithstanding); the incomplete ones contain only what was recorded in the investigation paperwork.

I decided to document these files here because of the historical nature of the breach. It is the first publicly documented IBM z/OS breach for which some of the code is actually available. It also serves as an educational resource for anyone who wants to get started with testing and auditing mainframes and mainframe security.

The Files

aptitup.jcl: A JCL file which executes the file /tmp/a.env in OMVS (aka UNIX) using BPXBATCH.

Enum.c: A C program to enumerate users using getpwuid.

go.rx: A REXX script used to escalate privileges to the UID/GID supplied to the script. It is assumed that this program runs with an appropriate setuid bit set.

Ha.C: A C program that takes two arguments, a UID and a GID, and executes /bin/sh as that user and group.

kuku.rx: A REXX script which exploits a previously unknown zero-day vulnerability in CNMEUNIX (a setuid program in OMVS). The script uses CNMEUNIX to locally escalate privileges to superuser (aka root) access in OMVS. This code is only a snippet, as that is all that is available.

nop.jcl: A JCL file which "does nothing" ;)

Tfy.source.backdoor: An ASM program which changes ACEE settings.

tsocmd.rx: A REXX script which executes TSO commands. It differs from the /bin/tso command in that it can execute authorized programs. This script is freely available from IBM but was found during the investigation.

A BASH script which, when run, sends commands to a remote listening web server.

vc242: Turns the JSCBAUTH bit on or off depending on the contents of Register 0. (thanks @BarrySchrager1)

DeFeNeStRaTe.C: z/OS OMVS local exploit for the APF-authorized load module IOELMD10.