scada strangelove - 29c3

Sergey Gordeychik Denis Baranov Gleb Gritsai

Upload: qqlan

Post on 08-May-2015


TRANSCRIPT

Page 1: Scada Strangelove - 29c3

Sergey Gordeychik, Denis Baranov, Gleb Gritsai

Page 2

Sergey Gordeychik: Positive Technologies CTO, Positive Hack Days Director and Scriptwriter, WASC board member. http://sgordey.blogspot.com, http://www.phdays.com

Gleb Gritsai: Principal Researcher, network security and forensic researcher, member of PHDays Challenges team. @repdet, http://repdet.blogspot.com

Denis Baranov: Head of AppSec group, researcher, member of PHDays CTF team

Page 3

Group of security researchers focused on ICS/SCADA, to save Humanity from industrial disaster and to keep Purity Of Essence.

Sergey Gordeychik, Gleb Gritsai, Denis Baranov, Roman Ilin, Ilya Karpov, Sergey Bobrov, Artem Chaykin, Yuriy Dyachenko, Sergey Drozdov, Dmitry Efanov, Yuri Goltsev, Vladimir Kochetkov, Andrey Medov, Sergey Scherbel, Timur Yunusov, Alexander Zaitsev, Dmitry Serebryannikov, Dmitry Nagibin, Dmitry Sklyarov, Alexander Timorin, Vyacheslav Egoshin, Ilya Smith, Alexander Tlyapov

Page 4

http://scadastrangelove.blogspot.com/2012/11/scada-safety-in-numbers.html

Page 5

Siemens ProductCERT: really professional team

• Quick responses

• Personal contacts

• Even patches

You guys rock!

Page 6

• Common target during pentests

• Most common platform (market, ShodanHQ)

• Largest number of published and fixed bugs

Page 7

• Invensys Wonderware

• Yokogawa

• ICONICS

• …

Stay tuned!

Page 8

Page 9 (layer diagram)

• DIRECT CONTROL: PLC/RTU

• SUPERVISOR CONTROL: SCADA

• OPERATION AND PRODUCTION SUPERVISION: MES

• BUSINESS LAYER: ERP

Page 10

Page 11

Page 12

• SCADA network is isolated and is not connected to other networks, let alone the Internet

• MES/SCADA/PLC are based on custom platforms, so attackers can’t hack them

• HMI has limited functionality and does not allow mounting an attack

Page 13

100% of tested SCADA networks are exposed to the Internet/corporate network

• Network equipment/firewall misconfiguration

• MES/OPC/ERP integration gateways

• HMI external devices (phones/modems/USB flash) abuse

• VPN/dial-up remote access

99.9(9)% of tested SCADA can be hacked with Metasploit

• Standard platforms (Windows, Linux, QNX, BusyBox, Solaris…)

• Standard protocols (RPC, CIFS/SMB, Telnet, HTTP…)

• Standard bugs (patch management, passwords, firewalling, application vulnerabilities)

Page 14

50% of HMI/engineering stations are also used as desktops

• Kiosk mode bypass

• (Secret) Internet access

• Games/“keygens”/trojans and other useful software

ICS security = Internet security in the early 2000s

Page 15

• NO magic on network
  • Standard network protocols/channel level

• NO magic on system level
  • Standard OS/DBMS/APPs
  • Windows/SQL for SCADA
  • Linux/QNX for PLC

• NO AppSec at all
  • ICS guys don’t care about IT/IS

• MES reality: connecting SCADA to other networks/systems (ERP etc.)

Page 16

Page 17

• Ethernet

• Cell (GSM, GPRS, …)

• RS-232/485

• Wi-Fi

• ZigBee

• Lots of other radio and wire

• All can be sniffed thanks to community

Page 18

• Modbus

• DNP3

• OPC

• S7

• EtherCAT

• FL-net

• Foundation Fieldbus

• And more and more …

Page 19

• Sniffing

• Spoofing/Injection

• Fingerprinting/Data collection

• Fuzzing

• Security?!

Page 20

• Wireshark supports most of it

• Third-party protocol dissectors for Wireshark

• Industry grade tools and their free functions
  • FTE NetDecoder

• No dissector/tool – No problem
  • Plaintext and easy to understand protocols

Page 21

• Widely available tools for Modbus packet crafting

• Other protocols only with general packet crafters (Scapy)

• More tools to come (from us ;))

• Most protocols can be attacked by simple packet replay

• Or you can write your own fuzZzer*…

*But don’t forget about Python compilation issues (sec-recon, hi there)

Page 22

• Well known ports

• Modbus
  • Product, Device, GW, Unit enumeration

• S7
  • Product, Device, Associated devices

• OPC
  • RPC/DCOM, but authentication

• Modern fingerprinting add-ons
  • snmp, http, management ports
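The plaintext protocols of pages 20 and 22 lend themselves to hand-rolled decoding. As an added example (not one of the authors' tools), a minimal Modbus/TCP dissector in Python that validates the MBAP header and labels each request for monitoring, flagging write function codes and Read Device Identification probes (FC 43 / MEI type 14) of the kind a fingerprinting tool sends; the captured frames below are constructed here.

```python
import struct
from collections import namedtuple

FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
                  4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
                  8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
                  43: "Encapsulated Interface Transport"}
WRITE_FCS = {5, 6, 15, 16, 22, 23}
ModbusRequest = namedtuple("ModbusRequest", "transaction_id unit_id function_code data")

def parse_modbus_tcp(frame):
    """Split MBAP header + PDU into a request; reject frames that are not Modbus/TCP."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:  # length counts unit id + PDU bytes
        raise ValueError(f"bad MBAP header: proto={proto} length={length}")
    return ModbusRequest(tid, unit, frame[7], frame[8:])

def classify(req):
    """Coarse category for monitoring: writes and identification probes matter most."""
    fc = req.function_code
    if fc in WRITE_FCS:
        return "write"
    if fc == 43 and req.data[:1] == b"\x0e":  # MEI type 14 = Read Device Identification
        return "device-identification"
    return "diagnostic" if fc == 8 else "read" if fc in {1, 2, 3, 4} else "other"

def describe(req):
    """One log line per request; decodes the address field of the common PDUs."""
    name = FUNCTION_NAMES.get(req.function_code, f"FC {req.function_code}")
    if req.function_code in {1, 2, 3, 4, 5, 6, 15, 16} and len(req.data) >= 4:
        addr, val = struct.unpack(">HH", req.data[:4])
        kind = "value" if req.function_code in {5, 6} else "count"
        return f"unit {req.unit_id}: {name} addr=0x{addr:04X} {kind}={val}"
    return f"unit {req.unit_id}: {name}"

def triage(frames):
    """Label each captured frame; malformed frames are reported, not silently dropped."""
    def label(frame):
        try:
            return classify(parse_modbus_tcp(frame))
        except ValueError:
            return "invalid"
    return [label(f) for f in frames]

# Constructed sample capture: register read, register write, FC 43/MEI 14 probe, non-zero protocol id, coil write.
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    "00010000000601030000000A", "000200000006010600101234", "000300000005012B0E0100",
    "00040001000601030000000A", "000500000008010F0000000801FF")]
```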

Page 23

Page 24

By Gleb Gritsai, Alexander Timorin, Yuri Goltsev, Roman Ilin

Google/Shodan dorks for: Siemens, Emerson, Allen-Bradley, Rockwell Automation, Schneider Electric, General Electric

Want to be a real SCADAHacker? Just click!

http://bit.ly/12RzuJC

Page 25

Page 26

Open source ICS device scan/fingerprint tool

• Supports Modbus, S7; more to come

• Software and hardware version

• Device name and manufacturer

• Other technical info

Thanks to Dmitry Efanov

Page 27

http://scadastrangelove.blogspot.ru/2012/11/plcscan.html

Page 28

Page 29

Page 30

Just a network device with its own:

• OS

• Network stack

• Applications

• …vulnerabilities

How to find vulnerabilities in a PLC? Nothing special:

• Fuzzing

• Code analysis

• Firmware reversing

Page 31

Firmware is in Intel HEX format

Several LZSS blobs and ARM code

Blobs contain file system for PLC

Web application source code (MSWL)

… And ...

Page 32

ASCII armored certificate!

For what?

For built-in Certification Authority

?!?!??!!!??!

Is there a private key?
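The Intel HEX container on the previous slide and the embedded certificate on this one, as an added example (not the authors' tooling): a small Python walker that checks every record's checksum, rebuilds the flat image, and reports any PEM-armored headers it contains. The sample image is constructed here; on real firmware the LZSS blobs would have to be unpacked first, since a certificate inside a compressed blob is invisible to this scan.

```python
"""Added example: parse Intel HEX, verify record checksums, find PEM headers in the image."""
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----")

def record(rtype, addr, data):
    """Encode one ':LLAAAATTdd..CC' record; used here only to build the sample image."""
    body = bytes([len(data)]) + addr.to_bytes(2, "big") + bytes([rtype]) + data
    return ":" + (body + bytes([(-sum(body)) & 0xFF])).hex().upper()

def parse_record(line):
    """Return (type, address, data) for one record; raise ValueError if it is malformed."""
    if not line.startswith(":"):
        raise ValueError(f"missing start code in {line!r}")
    raw = bytes.fromhex(line[1:])
    if len(raw) < 5 or len(raw) != raw[0] + 5:  # LL + AAAA + TT + data + CC
        raise ValueError(f"length field mismatch in {line!r}")
    if sum(raw) & 0xFF:  # all bytes, checksum included, must sum to 0 mod 256
        raise ValueError(f"bad checksum 0x{raw[-1]:02X} in {line!r}")
    return raw[3], int.from_bytes(raw[1:3], "big"), raw[4:-1]

def parse_ihex(text):
    """Decode an image into {absolute address: data chunk}, honouring base-address records."""
    chunks, base = {}, 0
    for line in filter(None, map(str.strip, text.splitlines())):
        rtype, addr, data = parse_record(line)
        if rtype == 0x00:
            chunks[base + addr] = data
        elif rtype == 0x01:  # end of file
            break
        elif rtype == 0x02:  # extended segment address (16-byte paragraphs)
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:  # extended linear address (upper 16 bits)
            base = int.from_bytes(data, "big") << 16
    return chunks

def flatten(chunks, fill=0xFF):
    """Lay the chunks out contiguously from the lowest address; gaps are filled with `fill`."""
    origin = min(chunks)
    image = bytearray([fill]) * (max(a + len(d) for a, d in chunks.items()) - origin)
    for addr, data in chunks.items():
        image[addr - origin:addr - origin + len(data)] = data
    return origin, bytes(image)

def pem_markers(text):
    """Absolute addresses and labels of PEM headers found anywhere in the image."""
    origin, image = flatten(parse_ihex(text))
    return [(origin + m.start(), m.group(1).decode()) for m in PEM_RE.finditer(image)]

# Constructed sample: a tiny image based at 0x08000000 with a PEM header embedded.
SAMPLE = "\n".join([record(0x04, 0, b"\x08\x00"), record(0x00, 0x0000, b"\xDE\xAD\xBE\xEF"),
                    record(0x00, 0x0100, b"-----BEGIN CERTIFICATE-----\n"), record(0x01, 0, b"")])
```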

Page 33

…responsible answer

Page 34

Hardcoded S7 PLC CA certificate (Dmitry Sklyarov)
http://scadastrangelove.blogspot.com/2012/09/all-your-plc-belong-to-us.html

Multiple vulnerabilities in S7 1200 PLC Web interface (Dmitriy Serebryannikov, Artem Chaikin, Yury Goltsev, Timur Yunusov)
http://www.siemens.com/corporatetechnology/pool/de/forschungsfelder/siemens_security_advisory_ssa-279823.pdf

Page 35

Page 36

• Network stack
  • Connects with PLCs, etc.

• OS

• Database

• Applications
  • HMI
  • Web
  • Tools

Page 37

Depends on OS/DBMS security

GUI restrictions/Kiosk mode for HMI

OS network stack and API heavily used

File shares

RPC/DCOM

Database replication

Password authentication, ACLs/RBAC

Something else?

Page 38

• Nothing special

• Windows/Linux

• No patches

• Weak or absent passwords

• Misconfiguration

• Insecure defaults

Page 39

• Insecure configuration

• Users/passwords

• Configuration

• ICS-related data

Page 40

• Hardcoded accounts (fixed)

• MS SQL listening on the network out of the box*

• Two-tier architecture with Windows integrated auth and direct data access
  • We don’t know how to make it secure

• Lots of “encrypted” stored procedures with exec

* “Security controller” restricts access to the subnet

Page 41

• First noticed in May 2005

• Published in April 2008

• Abused by StuxNet in 2010

• Fixed by Siemens in Nov 2010*

• Still works almost everywhere

*WinCC V7.0 SP2 Update 1

Page 42

Page 43

• {Hostname}_{Project}_TLG*
  • TAG data

• CC_{Project}_{Timestamp}*
  • Project data and configuration
  • Users, PLCs, Privileges

Page 44

• Managed by UM app

• Stored in dbo.PW_USER

Page 45

Page 46

• Administrator:ADMINISTRATOR

• Avgur2 > Avgur

Page 47

Page 48

Page 49

Page 50

Page 51

This is my encryptionkey

Page 52

Page 53

…responsible disclosure

Page 54

• WinCC Harvester msf module

• WinCC security hardening guide

• Exclusive cipher tool & msf module. We don’t have it yet…

http://scadastrangelove.blogspot.com/2012/11/wincc-harvester.html

http://scadastrangelove.blogspot.ru/2012/12/siemens-simatic-wincc-7x-security.html

Page 55

Page 56

Page 57

WebNavigator

• Web-based HMI

• IIS/ASP.NET

• ActiveX client-side

DiagAgent

• Diagnostic and remote management application

• Custom web server

Page 58

Page 59

• Not started by default and should never be launched

• No authentication at all

• XSSes

• Path traversal (arbitrary file reading)

• Buffer overflow

Page 60

Web-based HMI

XPath Injection (CVE-2012-2596)

Path Traversal (CVE-2012-2597)

XSS ~ 20 Instances (CVE-2012-2595)

Fixed in Update 2 for WinCC V7.0 SP3

http://support.automation.siemens.com/WW/view/en/60984587

Page 61

Can help to exploit server-side vulnerabilities*

Operator’s browser is a proxy to SCADAnet!

Anybody works with SCADA and the Internet using the same browser?

* http://www.slideshare.net/phdays/root-via-xss-10716726

Page 62

http://www.surfpatrol.ru/en/report

Page 63

A lot of “WinCCed” IE from countries/companies/industries

Special prize to guys from US for WinCC 6.X in 2012

Page 64

Page 65

• Lots of XSS and CSRF: CVE-2012-3031, CVE-2012-3028

• Lots of arbitrary file reading: CVE-2012-3030

• SQL injection over SOAP: CVE-2012-3032

• ActiveX abuse: CVE-2012-3034

http://bit.ly/WW0TL2

Page 66

Page 67

…responsible disclosure

Page 68

Page 69

Page 70

Page 71

Page 72

Page 73

Page 74

All pictures are taken from Dr StrangeLove movie