Unix Underworld: Tales from the Dark Side of z/OS

When most security professionals think about Unix systems, they picture Linux servers or traditional Unix boxes like AIX, but mostly Linux. In fact, some readers have probably never interacted with a Unix system in their career. But there’s a Unix environment that’s been quietly running some of the world’s most critical infrastructure for decades, often overlooked by both IT security teams and mainframe operations: z/OS Unix.
Our research and war stories, presented at Black Hat USA 2025 and DEF CON 33, revealed a concerning reality: this “forgotten” Unix environment represents a significant attack surface that could lead to complete system compromise on platforms where downtime is measured in seconds and minutes.
z/OS Unix
z/OS Unix is a full-blown POSIX-compliant Unix environment that’s been evolving since 1991. Originally called OpenEdition, it’s gone through several iterations and is now fully integrated into z/OS, supporting modern tools, compilers, and scripting languages including Python and Rust.
The problem? At most organizations, z/OS Unix falls into a dangerous gap. Mainframe teams understand the traditional z/OS side but may not be Unix security experts, while IT security teams typically have Linux knowledge, which is not always applicable, and lack mainframe access or knowledge. This creates an area of limited visibility that attackers can exploit.
This blog is a summary of our Black Hat and DEF CON talks, centering on z/OS Unix attack paths from the perspective of an authenticated user, using various techniques to obtain APF authorized code execution or superuser (UID 0) authority, and how to detect and prevent these types of exploits.
4 Paths to Mainframe Compromise
When pentesting zSeries mainframes, there are typically four paths we use:
- Network attacks through TCP/IP and SNA protocols
- Filesystem vulnerabilities via improperly secured datasets
- External Security Manager (ESM) misconfigurations in RACF, ACF2, or TopSecret
- z/OS Unix exploitation: the focus of our research and this presentation
Companies running z/OS typically include major banks, insurance companies, government agencies, airlines, and retail giants. For these organizations, a mainframe compromise isn’t just a security incident, it’s a business-critical emergency.
The Enumeration Toolset
Over the years we have developed and open-sourced several tools specifically for z/OS Unix enumeration:
- ENUM: A REXX script that enumerates z/OS settings and security configurations
- OMVSEnum.sh: A shell script that checks file permissions, schedulers, and RACF settings
- FileTraversal: A Java program for finding accessible Unix files
- zOSHog: A regex-based secret scanner for Unix filesystems
- portscan: Network port mapping and service identification tools
These tools can be compiled and deployed through a single JCL job stream, making initial reconnaissance surprisingly straightforward for attackers who gain basic access.
Common Critical Findings
Throughout our mainframe penetration testing engagements, we’ve uncovered several categories of vulnerabilities that are particularly dangerous in z/OS Unix environments. Here’s what we covered in our presentation:
1. Stored Credentials
One of the most common findings is hardcoded credentials in user files. Our research discovered passwords stored in maintenance scripts with overly permissive file permissions. In one example, a Python script contained the following in /u/user1/cics_health.py which had the permissions -rwxrwxrwx:
username = "phil"
password = "3$vByHd%"
I developed zOSHog specifically to automate finding these types of secrets, and it makes discovering credentials across large Unix filesystems trivial. During our demo, it immediately flagged this exact type of exposure.
2. APF Authorization Privilege Escalation
This is where z/OS Unix gets particularly interesting from a security perspective. Unlike traditional Unix systems, z/OS has the concept of APF (Authorized Program Facility) libraries and programs that can run with elevated system privileges.
While traditional APF programs must reside in specially designated datasets, z/OS Unix allows programs to gain APF authorization through the extattr +a command on any mounted zFS file system, assuming the user has the required RACF/ACF2/TopSecret authorization.
The privilege escalation flow works like this:
- Gain access to an account with READ permission on the BPX.FILEATTR.APF resource
- Create a program that uses the MODESET macro with KEY=ZERO to bypass memory protection
- Mark it APF authorized with extattr +a
- Execute privilege escalation code that can impersonate any user
We demonstrated this with assembly code that manipulates the RACF Access Control Environment Element (ACEE) to switch user contexts without requiring passwords.
3. Mount Point Attack Vector
Another sophisticated attack vector involves users with the ability to mount file systems via the RACF profile SUPERUSER.FILESYS.MOUNT or SUPERUSER.FILESYS.USERMOUNT. We showed how attackers can:
- Create malicious zFS datasets on controlled systems
- Populate them with setuid and APF-authorized programs
- Package and transfer these datasets to target systems
- Mount them with preserved privileges using JCL
This technique bypasses many traditional security controls because the malicious programs aren’t created on the target system; they’re imported with their dangerous permissions intact. Since the security bits of the mounted filesystem are maintained, including APF authorization, we can then run any malicious code, becoming any user on the system.
4. Superuser – UID 0
Unlike Linux systems, where root access means complete administrative control, z/OS Unix operates differently. Having root access, more accurately called superuser or UID 0 on z/OS, provides complete z/OS Unix filesystem control, but doesn’t grant the same system-wide administrative capabilities. Your effective userid changes to zero, allowing you to create, edit, or delete any file or modify its permissions and owner, but you still can’t switch to other users without passwords or add new user accounts.
We demonstrated one technique for bypassing these restrictions, however many other techniques exist. With root-level Unix access (achievable through BPX.SUPERUSER permissions), attackers can establish persistent access by:
- Creating .ssh directories in administrator home folders
- Installing SSH public keys
- Setting appropriate ownership and permissions
This provides a backdoor that survives password changes and many traditional security responses. In addition, it also bypasses accounts that are PROTECTED in RACF!
Real-World Impact: Beyond Unix UID 0
While gaining root access on a Linux system is often considered “game over,” z/OS Unix requires further escalation to reach full system control. We demonstrated how Unix-level access can be leveraged to:
- Access MVS datasets through Unix commands (cp "//'DATASET.NAME'" /some/file)
- Execute traditional mainframe commands through the tsocmd utility
- Manipulate RACF user profiles and permissions
- Access and modify critical system configuration files
Other Tales from the Unix Underworld
While the APF privilege escalation and mount point attacks represent sophisticated techniques, over the years we’ve encountered numerous other vulnerabilities during assessments that demonstrate just how varied the attack surface can be in z/OS Unix.
The Simple Wins: Configuration Mishaps
Not every compromise requires advanced assembly programming or complex privilege escalation chains. We’ve found several “low-hanging fruit” vulnerabilities that provided immediate access:
Improperly managed ESM permissions: Organizations sometimes use their External Security Manager (RACF, ACF2, or TopSecret) to layer additional access controls on top of Unix file permissions. However, misconfigurations can make the system less secure than relying on standard Unix permissions alone. An example that we shared in our talk was when I encountered a system where the Unix file permissions were set up properly, but the ESM was being used to manage access rights and had inadvertently given all users read access to the entire z/OS Unix file system. This resulted in exposing items such as private SSH keys and customer data.
World-writable executables in critical paths: On a recent engagement, I discovered instances where files in /bin that were executed as part of /etc/profile had world-writable permissions. This meant any user could modify scripts that would be executed by other users during login: a classic privilege escalation opportunity.
Logging vulnerabilities: Before log data reached centralized systems like Splunk, temporary log files were stored with overly permissive permissions, potentially exposing sensitive operational data or credentials.
Web Application Crossover Attacks
The boundary between traditional mainframe applications and modern web interfaces creates unique attack opportunities. We’ve found instances of Local File Inclusion (LFI) vulnerabilities in web applications running on z/OS that could be leveraged to access Unix files that our compromised account could not, effectively bridging the gap between web application security and mainframe system security.
The Network Dimension
Beyond the Unix filesystem and permission issues, we’ve consistently identified that z/OS systems often had network configurations dating back decades. Many systems had network routes and firewall rules that predated modern security practices, creating unexpected egress opportunities for attackers.
Our “egress busting” technique is surprisingly effective: running a simple Java port scanner from the mainframe while monitoring for connections on cloud infrastructure. The success rate of finding open outbound paths was much higher than expected, often in environments where even desktop computers have very limited access to internet resources, allowing us to bypass network monitoring and security controls. In one case, we even found our client’s mainframe internet facing.
Detection and Prevention Strategies
Here are several recommendations for organizations running z/OS Unix:
Prevention Measures
- Review file permissions rigorously: Implement proper Unix permission schemes and avoid world-writable files
- Strictly control privileged ESM resources: BPX.SUPERUSER (grants superuser/UID 0 access), BPX.FILEATTR.APF (enables APF authorization), and SUPERUSER.FILESYS.MOUNT or SUPERUSER.FILESYS.USERMOUNT (controls filesystem mounting)
- Implement proper credential management: Never store passwords in scripts or configuration files
- Test permission implementations: Verify that z/OS Unix permission settings match security policies and that nothing is overriding file system permissions
Detection and Monitoring
- Monitor SMF records for usage of privileged RACF resources
- Watch for suspicious patterns: mass file access attempts, unusual network connections, multiple authentication failures
- Use the enumeration tools defensively to identify misconfigurations
Use the chaudit command and the extended file listing format (ls -lW) that shows audit flags, for example -rw-r--r-- fff---, where the audit flags can be user-controlled (fff) or admin-controlled (---).
This Unix filesystem auditing capability is unique to z/OS and provides granular control over what file access events get logged. The audit flags work as follows:
- First three positions (fff): User-controlled audit settings
- Last three positions (---): Administrator-controlled audit settings
- Each position represents: Read, Write, Execute operations
- Flag values: f = audit failures, s = audit successes, a = audit all, - = no auditing
We recommended identifying z/OS Unix files that require enhanced auditing and implementing those changes with the chaudit command.
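To make the review above repeatable, here is an added example (not part of the original talk or NetSPI's tools) that decodes the six-position audit field from ls -lW output and flags entries a reviewer would want to look at. It assumes the audit field directly follows the mode column, and the sample listing is constructed, not captured from a real system.

```python
import re
from typing import Dict, List

# Assumed layout of an "ls -lW" line: mode, then the six audit flags, then
# the usual link count, owner, group, size, date and path.
LS_W_LINE = re.compile(
    r"^(?P<mode>[-dlbcps][rwxsStT-]{9})\s+(?P<audit>[fsa-]{6})\s+(?P<rest>.+)$"
)
FLAG_MEANING = {"f": "failures", "s": "successes", "a": "all", "-": "none"}
OPS = ("read", "write", "execute")

def decode_audit(field: str) -> Dict[str, Dict[str, str]]:
    """Map the six audit positions to user/auditor x read/write/execute."""
    if len(field) != 6 or any(c not in FLAG_MEANING for c in field):
        raise ValueError(f"bad audit field: {field!r}")
    user = {op: FLAG_MEANING[c] for op, c in zip(OPS, field[:3])}
    auditor = {op: FLAG_MEANING[c] for op, c in zip(OPS, field[3:])}
    return {"user": user, "auditor": auditor}

def review_entry(line: str) -> dict:
    """Parse one ls -lW line and list the conditions a reviewer would flag."""
    m = LS_W_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ls -lW line: {line!r}")
    mode, audit = m.group("mode"), m.group("audit")
    name = m.group("rest").split()[-1]
    flags = decode_audit(audit)
    issues: List[str] = []
    if mode[8] == "w":                       # 'other' write bit
        issues.append("world-writable")
    # Only the admin-controlled half counts: a user can clear their own bits.
    if flags["auditor"]["write"] == "none":
        issues.append("no auditor write auditing")
    if mode[3] in "sS" and flags["auditor"]["execute"] == "none":
        issues.append("setuid without auditor execute auditing")
    return {"name": name, "mode": mode, "audit": flags, "issues": issues}

def review_listing(listing: str) -> Dict[str, List[str]]:
    """Return {path: issues} for every entry that has at least one issue."""
    report: Dict[str, List[str]] = {}
    for line in listing.splitlines():
        if line.strip():
            entry = review_entry(line)
            if entry["issues"]:
                report[entry["name"]] = entry["issues"]
    return report

# Constructed sample output, not captured from a real system.
SAMPLE_LS_W = """\
-rwxrwxrwx fff---   1 user1  users    512 Jun 10 10:00 /u/user1/cics_health.py
-rw-r--r-- ---fff   1 root   sys     2048 Jan 05 09:12 /etc/profile
-rwsr-xr-x ---aaa   1 root   sys     8192 Mar 03 14:30 /bin/health_check
"""

if __name__ == "__main__":
    for path, issues in review_listing(SAMPLE_LS_W).items():
        print(path, "->", ", ".join(issues))
```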
The Bigger Picture: Securing Hybrid Environments
Our research highlights a broader challenge in modern enterprise security: hybrid environments where different technologies intersect often create unexpected attack surfaces. z/OS Unix is a perfect example: it’s Unix, but it’s also mainframe, and securing it requires expertise in both domains.
Organizations running z/OS need to ensure their security teams understand both the traditional mainframe security model and Unix security principles. This might require:
- Cross-training security staff on both platforms
- Implementing security scanning tools that understand z/OS Unix
- Developing incident response procedures that account for Unix-to-mainframe escalation paths
- Regular security assessments that specifically target z/OS Unix components
Key Takeaways
Our “Unix Underworld” research reveals that z/OS Unix environments may be less secure than organizations realize. Key lessons include:
- Visibility matters: You can’t secure what you don’t see, and z/OS Unix is often invisible to security teams
- Traditional Unix security principles apply: File permissions, credential management, and access control are just as important in z/OS Unix
- Mainframe-specific escalation paths exist: APF authorization and dataset mounting create unique privilege escalation opportunities
- Defense requires hybrid expertise: Securing z/OS Unix requires understanding both Unix and mainframe security models
As organizations continue to rely on mainframe systems for their most critical operations, the security of every component, including often-overlooked z/OS Unix environments, becomes paramount. Our research demonstrates that these environments can’t be ignored or treated as secondary concerns.
The tools and techniques we’ve developed provide both a wake-up call and a path forward. Organizations can use these same enumeration tools defensively to identify their own vulnerabilities before attackers do. More importantly, this research provides a roadmap for implementing proper security controls in these hybrid environments.
For security professionals, this serves as a reminder that comprehensive security requires understanding all components of your infrastructure, even the ones that might seem peripheral or “legacy.” In the case of z/OS Unix, that peripheral component might just be the key to your kingdom.
For more information about NetSPI’s offerings in these areas visit our Mainframe Penetration Testing.

The enumeration tools discussed in this research are available on GitHub at: https://github.com/mainframed/Enumeration/tree/master/Unix
For more detailed information about mainframe security, buffer overflow research, and z/OS Unix exploitation techniques, check out the researchers’ additional work and presentations referenced in the original Black Hat talk.