Tom,

This is an old trick that allows a program to call an SVC to switch to supervisor mode and key zero. Once you are there, you can do almost everything. For example, log in to another user without specifying a password, use the bypass userid, and so on.
However, David only mentions a facility that is quite common, but hasn't proved it was used in an illegal operation.

Best,
ITschak

Itschak Mugzach | Director | SecuriTeam Software | IronSphere Platform | Information Security Continuous Monitoring for Z/OS, zLinux and IBM I
Email: i_mugz...@securiteam.co.il | Mob: +972 522 986404 | Skype: ItschakMugzach | Web: www.Securiteam.co.il

On Sun, Jan 30, 2022 at 9:57 AM Tom Brennan <t...@tombrennansoftware.com> wrote:

> The badcyber.com page points to a program calling a magic SVC. Maybe
> that's what David is referring to? But I didn't read/understand enough
> to see if they used UID=0 somehow to implement that SVC, or if they had
> to rely on it already being in place, or if this program was used at all.
>
> https://github.com/mainframed/logica/blob/master/Tfy.source.backdoor
>
> On 1/29/2022 10:27 PM, Itschak Mugzach wrote:
> > David,
> >
> > I have been a developer in assembler for 40+ years. I believe I wrote and used SVCs
> > before you. If you read my previous emails you would see that modernisation
> > is a must. However, you haven't given any sample of a breach caused by
> > standard MVS code, while I gave two.
> >
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN