Unix Underworld: Tales from the Dark Side of z/OS
Black Hat USA 2025 · Day 1 · Briefings
Mainframes running IBM z/OS expose a Unix System Services (USS) subsystem that security teams already know how to attack: the same enumeration scripts, privilege escalation patterns, and credential harvesting techniques that work on Linux work there too. Chad Rickensrud and Phil Young demonstrate a full attack path from low-privileged SSH access to the RACF SPECIAL and OPERATIONS attributes, using open-source tools written in REXX and shell.
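The chain the abstract describes (and the review below summarises as "extattr +a, ACEE swap") hinges on one precondition a defender can scan for: an APF-authorized USS executable that a non-privileged user can overwrite. The following portable shell check is an added example, not code from the talk or from the presenters' tools. It parses constructed `ls -E` output so it runs offline; on a live system you would feed it real `ls -E` output instead. The column layout assumed for `ls -E` (mode, extended-attribute flags, links, owner, group, size, date, path), the sample paths and owners, and the `find_writable_apf` function name are all assumptions for illustration.

```shell
#!/bin/sh
# Hunt for APF-authorized USS executables that a non-privileged user could
# overwrite. On a real z/OS system feed it live output, for example:
#   find / -type f 2>/dev/null | xargs ls -E | find_writable_apf
# Here the input is CONSTRUCTED sample `ls -E` output so the script runs offline.
#
# Assumed `ls -E` layout (verify against your own system before trusting it):
#   mode  extattr  links  owner  group  size  month day year/time  path
# where extattr is a four-character field: a = APF-authorized,
# p = program-controlled, s = shared address space, l = shared library,
# and '-' means the flag is not set.

# Constructed sample: two of these files are APF-authorized AND writable by
# group or other; the rest are either not APF-authorized or only owner-writable.
SAMPLE='-rwxr-xr-x  a--l    1 OMVSKERN SYS1      12288 Jan 10  2020 /usr/lib/nls/msg/C/fsumucat.cat
-rwxrwxr-x  a---    1 PROD     DEVELOP   40960 Mar  3  2023 /usr/local/bin/zsuid
-rwxr-xrwx  ap--    1 OMVSKERN SYS1      73728 Aug 19  2022 /usr/local/sbin/legacy_authsvc
-rwxrwxrwx  ----    1 USER1    USERS      2048 May  5  2024 /u/user1/tmp/scratch
-rwxr-xr-x  ----    1 OMVSKERN SYS1       8192 Feb  2  2021 /bin/ls'

# Reads `ls -E` lines on stdin. Prints one line per APF-authorized regular file
# whose mode grants write to group or other. Exit status is 1 if any were
# found, 0 otherwise, so it can gate a baseline or CI check.
find_writable_apf() {
    awk '
        # only regular files: directories, symlinks, FIFOs etc. cannot be APF programs
        substr($1, 1, 1) != "-" { next }
        # extattr is field 2; the APF flag is its first character
        substr($2, 1, 1) != "a" { next }
        {
            gw = (substr($1, 6, 1) == "w")   # group write bit
            ow = (substr($1, 9, 1) == "w")   # other write bit
            if (gw || ow) {
                reason = (gw ? "group" : "") ((gw && ow) ? "+" : "") (ow ? "other" : "")
                # path is the last field; owner and group are fields 4 and 5
                # (paths containing spaces would need a different parser)
                printf "%s writable-by=%s owner=%s:%s\n", $NF, reason, $4, $5
                found++
            }
        }
        END { exit (found > 0) ? 1 : 0 }
    '
}

# Offline demo on the constructed sample.
if printf '%s\n' "$SAMPLE" | find_writable_apf; then
    echo "OK: no APF-authorized file is group/other-writable"
else
    echo "ACTION: each file above is a direct route to APF authorization for whoever can write it"
fi
```

Two caveats a practitioner would want. This only catches the file-replacement variant of the chain; a user who holds READ on the BPX.FILEATTR.APF FACILITY profile can set the attribute on their own binary, and that needs a RACF query rather than a file scan. It also does not check the parent directory: a world-writable directory containing an APF-authorized program is just as dangerous, since the file can be renamed away and replaced.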
AI review
Rickensrud and Young have spent a decade doing the work nobody else would touch, and they've made mainframe hacking look embarrassingly approachable. The APF authorization attack chain — REXX enum script, extattr +a, ACEE swap, SSH back as admin — is a complete kill chain on a platform managing trillions of dollars in daily transactions. Real tools, real engagement data, real CVEs on the board.