Penetration Testing mailing list archives

Re: Default passwords for TSO and CICS ?


From: Brian O'Berry <brian () zen-data com>
Date: Sun, 07 Jul 2002 08:20:26 -0400

I consulted a mainframe buddy of mine, who sent the info below. If the shop is running RACF as its security manager, you can try logging into TSO with userid IBMUSER password SYS1.

Hope this helps,

Brian

The primer userid that IBM supplies is IBMUSER, and in fact it is hard coded into RACF. If you delete it, RACF will add it back at the next IPL. IBMUSER comes out of the factory with RACF SYSTEM SPECIAL, ready to be used to configure your system. Most sites pull the teeth of IBMUSER by removing any authority after they bootstrap RACF and REVOKEing it, but it may remain enabled with the default password if someone forgot AUDITing 101. It certainly is a default account. At least in old school shops it's unlikely this would ever be left open as an exploit. In new age shops that might be deploying z/OS.e just to support the new workloads like WebSphere, and where a mainframe audit is not (yet) an annual event, it might just be left open if they did not get a good consultant.

You can find the current z/OS Security Server nee RACF book shelf here

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/Shelves/ICHZBK21

Here is where you can find specific documentation that points to IBMUSER and its default password (SYS1) in the System Administrator's Guide.

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ICHZA720/8.2?SHELF=ICHZBK21&DT=20020109124747

CICS at the current level is another story. Since CICS no longer supports internal security, it requires an external security manager (IBM RACF, CA-Top-Secret, CA-ACF2). CICS itself does not have any default users. Many shops do wind up using the IBM samples, and seeing an id called CICSUSER is not uncommon. CICSTEST, CICSPROD are also likely to be present in more than a few shops, just by the way people seem to think.
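
An audit-side check for the accounts discussed in this post, as an added example that is not part of the original message: it parses RACF LISTUSER-style output and reports whether IBMUSER is still unrevoked or privileged, and whether the CICS ids named above are active. The sample listing is constructed and its layout is an assumption modelled on LISTUSER output; checking OPERATIONS and AUDITOR goes beyond the SPECIAL attribute the post mentions.

```python
import re

WELL_KNOWN = {"CICSUSER", "CICSTEST", "CICSPROD"}  # ids named in the post
PRIVILEGED = {"SPECIAL", "OPERATIONS", "AUDITOR"}  # system-level attributes (assumed scope)

# Constructed sample; layout modelled on LISTUSER output (assumption).
SAMPLE_LISTUSER = """\
USER=IBMUSER  NAME=UNKNOWN  OWNER=IBMUSER  CREATED=02.001
 DEFAULT-GROUP=SYS1  PASSDATE=00.000  PASS-INTERVAL=N/A
 ATTRIBUTES=SPECIAL OPERATIONS
 REVOKE DATE=NONE  RESUME DATE=NONE
USER=CICSUSER  NAME=CICS DEFAULT  OWNER=SYSADM  CREATED=02.150
 DEFAULT-GROUP=CICSGRP  PASSDATE=02.150  PASS-INTERVAL= 30
 ATTRIBUTES=NONE
USER=JSMITH  NAME=J SMITH  OWNER=SYSADM  CREATED=01.200
 DEFAULT-GROUP=DEV  PASSDATE=02.180  PASS-INTERVAL= 30
 ATTRIBUTES=NONE
"""

def parse_listuser(text):
    """Return {userid: set(attributes)} from LISTUSER-style text."""
    users, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*USER=(\S+)", line)
        if m:  # start of a new user entry
            current = users.setdefault(m.group(1).upper(), set())
            continue
        m = re.match(r"\s*ATTRIBUTES=(.*)", line)
        if m and current is not None:  # a user can have several ATTRIBUTES lines
            current.update(a for a in m.group(1).split() if a != "NONE")
    return users

def audit(text):
    """Return (userid, finding) pairs for default and well-known ids."""
    findings = []
    for userid, attrs in parse_listuser(text).items():
        revoked = "REVOKED" in attrs
        if userid == "IBMUSER":
            if not revoked:
                findings.append((userid, "not revoked"))
            for attr in sorted(attrs & PRIVILEGED):
                findings.append((userid, f"still holds {attr}"))
        elif userid in WELL_KNOWN and not revoked:
            findings.append((userid, "well-known id is active, review it"))
    return findings

if __name__ == "__main__":
    for userid, finding in audit(SAMPLE_LISTUSER):
        print(f"{userid}: {finding}")
```
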



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

