SCADA Software or Swiss Cheese Software? by Celil Unuver
DESCRIPTION
The talk is about SCADA vulnerabilities and their exploitation. We will answer some specific questions about SCADA software vulnerabilities with technical details. The questions are:
- Why are SCADA applications buggy?
- What is the status and impact of the threat?
- How do researchers or hackers discover these vulnerabilities?
In this talk we will also look at some SCADA vulnerabilities that affect well-known SCADA/HMI vendors, and will show how easy it is to hunt these vulnerabilities via reverse engineering, fuzzing, etc.

Celil UNUVER
Celil Unuver is co-founder and security researcher at SignalSEC Ltd. He is also the founder of the NOPcon Security Conference. His areas of expertise include vulnerability research and discovery, exploit development, penetration testing and reverse engineering. He has been a speaker at CONFidence, Swiss Cyber Storm, c0c0n, IstSec and the Kuwait Info Security Forum. He enjoys hunting bugs and has discovered critical vulnerabilities affecting well-known vendors such as Adobe, IBM, Microsoft and Novell.

TRANSCRIPT
SCADA Software or Swiss Cheese Software?
Code Blue 2014, Tokyo. Celil ÜNÜVER, SignalSEC Ltd.
Agenda
• About me
• How it started?
• Why are SCADA apps so BUGGY?
• Hunting SCADA vulnerabilities
• Analysis of the vulnerabilities
About me
• Co-founder and Researcher @ SignalSEC Ltd.
• Organizer of NOPcon Hacker Conference (Istanbul, Turkey)
• Interested in vulnerability research, reversing
• Hunted a lot of bugs affecting Adobe, IBM, Microsoft, Facebook, Novell, SCADA vendors etc.
• Has been a speaker at CONFidence, Swiss Cyber Storm, c0c0n etc.
How it started?
• SCADA systems have been part of our daily life for many years!
• There was not much interest in SCADA security
Milestone
• Stuxnet and Duqu attacks in 2010 – 2011
• SCADA systems got the attention of hackers and researchers after these attacks.
• Critical systems, fame, profit etc.
• They are all JUICY targets
• Lots of SCADA systems are open to the INTERNET
No more Stuxnet
• Sure, all of us know about Stuxnet!
SCADA Overview
ICS Vulnerabilities
• Hardware/Firmware Vulnerabilities: vulns in PLC & RTU devices
• Software Vulnerabilities: vulns in Control System Software (HMI), which also affect PLC/RTU devices
TWO DOZEN BUGS IN A FEW HOURS
Trust me, it’s easy!
Actually, it’s really easy to hunt SCADA BUGS!!!
Why is it easy?
There wasn’t a real threat to SCADA software until 2010, so the developers were not aware of SECURE Development.
Hunting Vulnerabilities
• Simple reversing rocks!
• 1) Analyze the target software (potential inputs: communication protocols, ActiveX etc.)
• 2) Discover & trace the input
• 3) Hunt the bugs.
Hunting Vulnerabilities
“You must understand that there is more than one path to the top of the mountain.”
- Miyamoto Musashi
Case-1: CoDeSys Gateway Vuln
• CoDeSys is a development environment for industrial control systems used by lots of manufacturers.
• Aaron Portnoy from Exodus discovered these vulnerabilities.
• Status: Patched
Case-1: CoDeSys - RECON
• Listening PORT
Case-1: CoDeSys - Debug
• Breakpoint on recv()
• Send junk bytes
• Breakpoint on access to recv’s ‘buf’ parameter
Case-1: CoDeSys - Debug
• Comparing
Case-1: CoDeSys – Switch Cases / Opcodes
• After we pass the comparison
Case-1: CoDeSys – Switch Cases
• Let’s find the bugs
Case-1: CoDeSys – Delete File
• Opcode: 13
Case-1: CoDeSys – Upload File
• Opcode: 6
Case-1: Recommendation
• Actually, the file remove / upload bugs are a ‘feature’ of this application ☺
• But there is no authentication for these operations. Somebody can reverse the packet structure and use these features for evil!
• To solve this kind of bug, developers should add an “authentication” step before executing opcodes.
• Patched in 2013
An Interesting Story: Progea MOVICON Vulnerability – still 0day
“When a patch doesn’t patch anything!”
• 23 Nov 2013: I’ve discovered some vulnerabilities in the latest version of Progea MOVICON HMI software
• 24 Nov 2013: We’ve published a short analysis on Pastebin
• 3 Dec 2013: ICS-CERT contacted us about the post on Pastebin. They asked for details, we sent information etc.
An Interesting Story: Progea MOVICON Vulnerability – 0day
• 5 Dec 2013:
• from ICS-CERT to me;
An Interesting Story: Progea MOVICON Vulnerability – 0day
• THEY SAY: The bugs you discovered are SIMILAR to a bunch of OLDER BUGS and were PATCHED IN 2011.
• ICSA-11-056;
• My findings look exactly the same!!!! But I am able to reproduce on the latest version!!
An Interesting Story: Progea MOVICON Vulnerability – 0day
• These bugs are similar to the bugs that we analyzed in Case-1: CoDeSys
• There is NO authentication to call some functions / operations in the software. Somebody can reverse the packet structure and use these features for evil!
• After a conversation with Code Blue staff, we have decided to mask some details of this zero-day vulnerability.
An Interesting Story: Progea MOVICON Vulnerability – 0day
• Remote Information Disclosure: opcode [-censored-]
An Interesting Story: Progea MOVICON Vulnerability – 0day
• Opcode [-censored-] calls the GetVersionExA API and sends the output to the client
An Interesting Story: Progea MOVICON Vulnerability – 0day
• Here is a simple PoC for this bug;
An Interesting Story: Progea MOVICON Vulnerability – 0day
• When we run it and call opcode [-censored-]:
• The 6th byte in the printed data is "dwMajorVersion", which is a return value of GetVersionExA and gives information about the OS.
• Status: PATCHED(!) in 2011, but we are able to exploit it in 2014!
An Interesting Story: Progea MOVICON Vulnerability – 0day
• So what is the problem? Why are the old bugs still there!?
• After comparing the older version and the latest version, I understood that actually the vendor didn’t patch anything.
• Instead of fixing vulnerabilities, they just changed the “opcodes” of the functions in the new version!
• Older version: Opcode 7 causes an info disclosure vulnerability by calling the GetVersionEx API
• New version: They just changed opcode “7” to “X” for calling the GetVersionEx API
PROGEA, your fail is unbelievable!
Temporary solution
• Block remote connections to TCP:10651
• If you contact me personally, I can share vulnerability signatures that you can use in your IDS/IPS (Snort etc.)
Case-3: CoDeSys WebVisu
• CoDeSys WebVisu uses a web server which is usually open to the Internet for visualization of the PLC
• Discovered by me
• Status: Patched
Case-3: CoDeSys Vulnerability
• Buffer overflow vulnerability when parsing long HTTP requests due to an unsafe function.
• It uses “vsprintf” to print which file is requested.
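The unsafe pattern described above, beside its bounded replacement, as an added illustration (this is not CoDeSys code; the buffer size, format string and function names are constructed for the example):

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example (not CoDeSys code): a fixed-size log buffer formatted with
 * vsprintf versus the bounded vsnprintf form. */
#define LOG_BUF 64

/* Vulnerable pattern: vsprintf never learns how large 'out' is, so a request
 * path longer than the buffer writes past its end. Shown for contrast only. */
void log_requested_file_unsafe(char *out, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(out, fmt, ap);               /* unbounded write */
    va_end(ap);
}

/* Hardened form: vsnprintf is given the buffer size and returns the length the
 * full string would have had, so truncation is detectable. Returns 1 if the
 * message fit, 0 if it was cut short (caller can reject the oversize request). */
int log_requested_file(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (outlen == 0) return 0;
    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);  /* writes at most outlen-1 chars + NUL */
    va_end(ap);
    if (n < 0) { out[0] = '\0'; return 0; }
    return (size_t)n < outlen;
}

/* The request-logging step of a small web server: 1 = path logged intact,
 * 0 = path too long for the buffer (treat as a malformed request). */
int handle_request_path(const char *path)
{
    char buf[LOG_BUF];
    return log_requested_file(buf, sizeof buf, "Requested file: %s", path);
}

int main(void)
{
    char longpath[300];
    memset(longpath, 'A', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';
    printf("short path fits: %d\n", handle_request_path("/index.htm")); /* 1 */
    printf("long path fits:  %d\n", handle_request_path(longpath));     /* 0 */
    return 0;
}
```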
Case-4: Schneider IGSS Vulnerability
• Gas Distribution in Europe
• Airport in Asia
• Traffic Control Center in Europe
Case-4: Schneider IGSS Vulnerability
• Discovered by me
• Status: Patched
• IGSS listens on ports 12399 and 12397 at runtime
• A simple bunch of code causes a DoS
use IO::Socket;
$host = "localhost";
$port = 12399;
$port2 = 12397;
$first = "\x01\x01\x00\x00";
$second = "\x02\x01\x00\x00";
Case-5: Schneider Electric Accutech Heap Overflow Vulnerability
Buffer overflow vulnerability when parsing long HTTP requests due to an unsafe function
Status: Patched
Case-5: Schneider Electric Accutech Heap Overflow Vulnerability
Case-6: Pwning the Operator
Case-6: Invensys Wonderware System Platform Vulnerability
• Discovered by me
• Status: Patched
• Killing five birds with one stone ☺
Case-6: Invensys Wonderware System Platform Vulnerability
• An ActiveX Buffer Overflow vulnerability
• Just found by ActiveX fuzzing...
• Send the exploit URL to the HMI Operator
• Click and pwn!
Case-7: InduSoft HMI Bugs
• This is really creepy!
• This software doesn’t even check any “magic” value of incoming packets. There is no custom packet structure!
• Sending 1 byte to TCP:4322 is enough to jump to a switch case
Case-7: InduSoft HMI Exploit ☺
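Both the Case-1 recommendation (authenticate before executing opcodes) and the InduSoft observation (no magic value, no packet structure) come down to what a dispatcher should check before it touches a handler. The following added example is constructed for this talk and is not any vendor's code: the packet layout (2-byte magic, opcode, payload length) and the session struct are assumptions; only the opcode numbers 6 and 13 are taken from the CoDeSys slides.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not vendor code. Dispatcher for a hypothetical control
 * protocol with the constructed layout: magic(2) | opcode(1) | plen(1) | payload.
 * It rejects malformed packets and refuses privileged opcodes on
 * unauthenticated sessions instead of jumping straight into the switch. */
#define PROTO_MAGIC0 0x53u   /* constructed magic bytes 'S','C' */
#define PROTO_MAGIC1 0x43u
#define HDR_LEN 4

/* Opcodes 6 and 13 match the upload/delete opcodes shown in Case-1. */
enum { OP_PING = 1, OP_UPLOAD_FILE = 6, OP_DELETE_FILE = 13 };

enum result { R_OK = 0, R_BAD_MAGIC, R_BAD_LENGTH, R_UNAUTHENTICATED, R_UNKNOWN_OPCODE };

struct session { int authenticated; };   /* assumed per-connection state */

static int opcode_needs_auth(uint8_t op)
{
    return op == OP_UPLOAD_FILE || op == OP_DELETE_FILE;
}

/* Validate header, length and session state before any handler runs. */
enum result dispatch(const struct session *s, const uint8_t *pkt, size_t len)
{
    uint8_t op, plen;
    /* 1. Anything shorter than a full header (e.g. a single byte) is rejected. */
    if (len < HDR_LEN) return R_BAD_LENGTH;
    /* 2. Check the protocol magic before interpreting any other field. */
    if (pkt[0] != PROTO_MAGIC0 || pkt[1] != PROTO_MAGIC1) return R_BAD_MAGIC;
    op = pkt[2];
    plen = pkt[3];
    /* 3. Declared payload length must match what was actually received. */
    if ((size_t)plen != len - HDR_LEN) return R_BAD_LENGTH;
    /* 4. File operations require an authenticated session (Case-1 fix). */
    if (opcode_needs_auth(op) && !s->authenticated) return R_UNAUTHENTICATED;
    switch (op) {
    case OP_PING:        return R_OK;
    case OP_UPLOAD_FILE: return R_OK;   /* handler would consume plen payload bytes */
    case OP_DELETE_FILE: return R_OK;   /* handler would act on the named file */
    default:             return R_UNKNOWN_OPCODE;
    }
}
```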
Finding Targets
• Banner Information: “3S_WebServer”
• Let’s search it on SHODAN! ☺
CoDeSys WebServer on SHODAN
Server’s Banner: “3S_WebServer”
Shodan Results: 151
Demo
• DEMO
Conclusion
• Critical Infrastructures are juicy targets!
• Hacktivists are interested in SCADA hacking too. Not only government intelligence agencies.
• Applications are insecure!
Thank you!
• Contact: [email protected]
• Twitter: @celilunuver
• www.signalsec.com
• www.securityarchitect.org