SCADA Strangelove - 29C3
TRANSCRIPT
Speakers: Sergey Gordeychik, Denis Baranov, Gleb Gritsai
Sergey Gordeychik: Positive Technologies CTO, Positive Hack Days Director and Scriptwriter, WASC board member
http://sgordey.blogspot.com, http://www.phdays.com
Gleb Gritsai: Principal Researcher, network security and forensics researcher, member of PHDays Challenges team
@repdet, http://repdet.blogspot.com
Denis Baranov: Head of AppSec group, researcher, member of PHDays CTF team
Group of security researchers focused on ICS/SCADA, to save Humanity from industrial disaster and to keep Purity Of Essence.
Team: Sergey Gordeychik, Gleb Gritsai, Denis Baranov, Roman Ilin, Ilya Karpov, Sergey Bobrov, Artem Chaykin, Yuriy Dyachenko, Sergey Drozdov, Dmitry Efanov, Yuri Goltsev, Vladimir Kochetkov, Andrey Medov, Sergey Scherbel, Timur Yunusov, Alexander Zaitsev, Dmitry Serebryannikov, Dmitry Nagibin, Dmitry Sklyarov, Alexander Timorin, Vyacheslav Egoshin, Ilya Smith, Alexander Tlyapov
http://scadastrangelove.blogspot.com/2012/11/scada-safety-in-numbers.html
Siemens ProductCERT Really professional team
Quick responses
Personal contacts
Even Patches
You guys rock!
Common target during pentests
Most common platform (market, ShodanHQ)
Largest number of published and fixed bugs
Invensys Wonderware
Yokogawa
ICONICS
…
Stay tuned!
[Diagram: ICS layers, bottom to top: DIRECT CONTROL (PLC/RTU), SUPERVISOR CONTROL (SCADA), OPERATION AND PRODUCTION SUPERVISION (MES), BUSINESS LAYER (ERP)]
The SCADA network is isolated and is not connected to other networks, let alone to the Internet
MES/SCADA/PLC are based on custom platforms, and attackers can’t hack them
The HMI has limited functionality and does not allow mounting an attack
…
100% of tested SCADA networks are exposed to Internet/Corporate network
Network equipment/firewalls misconfiguration
MES/OPC/ERP integration gateways
HMI external devices (Phones/Modems/USB Flash) abuse
VPN/Dialup remote access
99.9(9)% of tested SCADA can be hacked with Metasploit
Standard platforms (Windows, Linux, QNX, BusyBox, Solaris…)
Standard protocols (RPC, CIFS/SMB, Telnet, HTTP…)
Standard bugs (patch management, passwords, firewalling, application vulnerabilities)
50% of HMI/Engineering stations are also used as desktops
Kiosk mode bypass
(Secret) Internet access
games/“keygens”/trojans and other useful software
ICS security = Internet security in the early 2000s
VS
• NO magic on network
• Standard network protocols/channel level
• NO magic on system level
• Standard OS/DBMS/APPs
• Windows/SQL for SCADA
• Linux/QNX for PLC
• NO AppSec at all
• ICS guys don’t care about IT/IS
• MES reality - connecting SCADA to other networks/systems (ERP etc.)
• Ethernet
• Cell (GSM, GPRS, …)
• RS-232/485
• Wi-Fi
• ZigBee
• Lots of other radio and wired links
• All can be sniffed thanks to community
• Modbus
• DNP3
• OPC
• S7
• And more and more …
• EtherCAT
• FL-net
• Foundation Fieldbus
• Sniffing
• Spoofing/Injection
• Fingerprinting/Data collection
• Fuzzing
• Security?!
Wireshark supports most of it
Third-party protocol dissectors for Wireshark
Industry grade tools and their free functions
FTE NetDecoder
No dissector/tool – No problem
Plaintext and easy to understand protocols
Widely available tools for Modbus packet crafting
Other protocols only with general packet crafters (Scapy)
More tools to come (from us ;))
Most of protocols can be attacked by simple packet replay
Or you can write your own fuzZzer*…
*But don’t forget about Python compilation issues (sec-recon, hi there)
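The “plaintext, easy to understand, replayable” point above, as an added example that is not from the talk: a small Modbus/TCP parser that shows there is no authentication or integrity field in the frame, plus detection logic that flags write requests coming from hosts outside an allow-list. The allow-listed IP and the sample frames are constructed for the example.

```python
import struct

# Function codes that change process state (writes); 1-4 are reads.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}
# Constructed allow-list: only the HMI/SCADA server may issue writes.
ALLOWED_WRITERS = {"10.0.1.10"}

def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse one Modbus/TCP request: MBAP header (transaction id, protocol id,
    length, unit id) followed by the PDU (function code + data). No auth, no
    integrity field: whatever arrives is trusted. Raises ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        raise ValueError("bad protocol id or MBAP length")
    fc, data = payload[7], payload[8:]
    rec = {"tid": tid, "unit": unit, "fc": fc, "write": fc in WRITE_FUNCTION_CODES}
    if fc in (3, 4, 6) and len(data) >= 4:       # read regs / write single reg
        rec["addr"], rec["value_or_qty"] = struct.unpack(">HH", data[:4])
    elif fc == 16 and len(data) >= 5:            # write multiple registers
        rec["addr"], rec["qty"], rec["byte_count"] = struct.unpack(">HHB", data[:5])
    return rec

def flag_unexpected_writes(frames):
    """Return (src_ip, parsed_request) for writes from non-allow-listed hosts.
    A replayed write is byte-identical to a legitimate one, so the only
    distinguishing signal is the source, not the frame itself."""
    alerts = []
    for src, payload in frames:
        try:
            rec = parse_modbus_tcp(payload)
        except ValueError:
            continue
        if rec["write"] and src not in ALLOWED_WRITERS:
            alerts.append((src, rec))
    return alerts

# Constructed sample traffic (source IP, raw frame): a read and a write from
# the HMI, then the same write replayed from an unknown host.
SAMPLE_FRAMES = [
    ("10.0.1.10", bytes.fromhex("0001000000060103000a0002")),  # FC3 read 2 regs at 10
    ("10.0.1.10", bytes.fromhex("00020000000601060001012c")),  # FC6 write 300 to reg 1
    ("10.0.1.77", bytes.fromhex("00020000000601060001012c")),  # same bytes, replayed
]

if __name__ == "__main__":
    for src, rec in flag_unexpected_writes(SAMPLE_FRAMES):
        print(f"ALERT: Modbus write from {src}: fc={rec['fc']} addr={rec['addr']}")
```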
Well known ports
Modbus
Product, Device, GW, Unit enumeration
S7
Product, Device, Associated devices
OPC
RPC/DCOM, but authentication is required
Modern fingerprinting add-ons
snmp, http, management ports
By Gleb Gritsai, Alexander Timorin, Yuri Goltsev, Roman Ilin
Google/Shodan dorks for:
Siemens
Emerson
Allen-Bradley
Rockwell Automation
Schneider Electric
General Electric
Want to be real SCADAHacker? Just click!
http://bit.ly/12RzuJC
Open Source ICS devices scan/fingerprint tool
Support modbus, S7, more to come
Software and hardware version
Device name and manufacturer
Other technical info
Thanks to Dmitry Efanov
http://scadastrangelove.blogspot.ru/2012/11/plcscan.html
PLC: just a network device with its own OS, network stack, applications … and vulnerabilities
How to find vulnerabilities in a PLC: nothing special
Fuzzing
Code analysis
Firmware reversing
Firmware is in Intel HEX format
Several LZSS blobs and ARM code
Blobs contain file system for PLC
Web application source code (MSWL)
… And ...
ASCII armored certificate!
For what?
For built-in Certification Authority
?!?!??!!!??!
Is there a private key?
…responsible answer
Hardcoded S7 PLC CA certificate (Dmitry Sklarov): http://scadastrangelove.blogspot.com/2012/09/all-your-plc-belong-to-us.html
Multiple vulnerabilities in S7 1200 PLC Web interface (Dmitriy Serebryannikov, Artem Chaikin, Yury Goltsev, Timur Yunusov): http://www.siemens.com/corporatetechnology/pool/de/forschungsfelder/siemens_security_advisory_ssa-279823.pdf
• Network stack (connects with PLCs, etc.)
• OS
• Database
• Applications: HMI, Web, Tools
Depends on OS/DBMS security
GUI restrictions/Kiosk mode for HMI
OS network stack and API heavily used
File shares
RPC/DCOM
Database replication
Password authentication, ACLs/RBAC
Something else?
• Nothing special
• Windows/Linux
• No Patches
• Weak/Absence-of Passwords
• Misconfiguration
• Insecure defaults
• Insecure configuration
• Users/password
• Configuration
• ICS-related data
• Hardcoded accounts (fixed)
• MS SQL listening on the network out of the box*
• “Security controller” restricts access to the subnet
• Two-tier architecture with Windows integrated auth and direct data access
• We don’t know how to make it secure
• Lots of “encrypted” stored procedures with exec
• First noticed in May 2005
• Published in April 2008
• Abused by StuxNet in 2010
• Fixed by Siemens in Nov 2010*
• Still works almost everywhere
*WinCC V7.0 SP2 Update 1
• {Hostname}_{Project}_TLG*
• TAG data
• CC_{Project}_{Timestamp}*
• Project data and configuration
• Users, PLCs, Privileges
• Managed by UM app
• Stored in dbo.PW_USER
• Administrator:ADMINISTRATOR
• Avgur2 > Avgur
This is my encryptionkey
…responsible disclosure
WinCC Harvester msf module
WinCC security hardening guide
Exclusive cipher tool & msf module. We don’t have it yet…
http://scadastrangelove.blogspot.com/2012/11/wincc-harvester.html
http://scadastrangelove.blogspot.ru/2012/12/siemens-simatic-wincc-7x-security.html
WebNavigator
Web-based HMI
IIS/ASP.NET
ActiveX client-side
DiagAgent
Diagnostic and remote management application
Custom web-server
…
Not started by default and should never be launched
No authentication at all
XSSes
Path Traversal (arbitrary file reading)
Buffer overflow
Web-based HMI
XPath Injection (CVE-2012-2596)
Path Traversal (CVE-2012-2597)
XSS ~ 20 Instances (CVE-2012-2595)
Fixed in Update 2 for WinCC V7.0 SP3
http://support.automation.siemens.com/WW/view/en/60984587
Can help to exploit server-side vulnerabilities*
Operator’s browser is a proxy to the SCADA net!
Anybody work with SCADA and the Internet using the same browser?
* http://www.slideshare.net/phdays/root-via-xss-10716726
http://www.surfpatrol.ru/en/report
A lot of “WinCCed” IE from countries/companies/industries
Special prize to guys from US for WinCC 6.X at 2012
Lot of XSS and CSRF CVE-2012-3031 CVE-2012-3028
Lot of arbitrary file reading CVE-2012-3030
SQL injection over SOAP CVE-2012-3032
ActiveX abuse CVE-2012-3034
http://bit.ly/WW0TL2
…responsible disclosure
All pictures are taken from Dr StrangeLove movie