The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Excellence

Post on 19-Oct-2014

The talk will be about 0-day cyber weapons. We will cover hot topics about software vulnerabilities and the vulnerability market.

Vulnerability Market

Celil ÜNÜVER, SignalSEC Ltd., www.signalsec.com

About me

• Co-founder and Researcher @ SignalSEC Corp.

• Vulnerability Research and Intelligence

• Have discovered many vulnerabilities affecting Adobe, IBM, Microsoft, Facebook, SCADA, Novell etc.

• Speaker at CONFidence, Hackfest, Swiss Cyber Storm, c0c0n etc.

• Organizer of NOPcon Hacker Conference

Briefly

I’m interested in bug hunting

Jargon / Terminology

• Vulnerability: software bug which causes a security issue.

• 0-day: Unknown vulnerability in a computer application. No patch!

• Exploit: Software that breaks other software and takes advantage of it

SCADA (in)Security

No more stuxnet

Exploit Market

Underground:

Legal Buyers: Governments, Brokers (iDefense, ZDI, Netragard, Exodus etc.)

Price List

• Price depends on where you live and who you are (800 USD for zero-day attacks)

How do you serve it?

• PoC

• Weaponized Exploit

Price List

• And the price depends on how you serve it: Weaponized Exploit

Fighting Crime with the help of cyber weapons

Spy software and exploits were used in Mexico to arrest a drug lord and organized crime leader

Bug Hunting Methods

• Reversing

Reversing

There are 10 types of people in the world: those who understand binary and those who don’t.

Bug Hunter’s Toolbag

1-) Debugger:

- WinDBG

2-) Disassembler:

- IDA Pro

SCADA Vulns

Sometimes it’s really easy to find SCADA VULNS!!!

Why is it easy?

There was no real threat to SCADA software until 2010

So the developers were not aware of SECURE Development

Case-1: CoDeSys Vulnerability

• France, Poland, Deutsche Telekom use this software

• Buffer overflow vulnerability when parsing long HTTP requests due to an unsafe function

• Direct control of EIP
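The unsafe-copy pattern behind Case-1, as an added example that is not from the talk and not CoDeSys code: a constructed HTTP request-line parser that reports how far an unchecked strcpy-style copy of a long target would overrun a fixed buffer, next to a bounded version that rejects anything that does not fit. The buffer size URI_BUF and the request lines are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define URI_BUF 32   /* constructed size; the slide gives no real figure */

/* Locates the request target in "GET /path HTTP/1.1"; returns its length,
 * or -1 when there is no space after the method. */
static long find_uri(const char *line, const char **start) {
    const char *sp = strchr(line, ' ');
    if (sp == NULL) return -1;
    *start = sp + 1;
    const char *end = strchr(*start, ' ');
    if (end == NULL) end = *start + strlen(*start);
    return (long)(end - *start);
}

/* The pattern behind the slide's overflow: the target goes into a fixed
 * buffer with strcpy semantics and no length check. This only computes how
 * many bytes would spill past the buffer; it never performs the copy. */
long unsafe_overflow_bytes(const char *line) {
    const char *uri;
    long n = find_uri(line, &uri);
    if (n < 0) return -1;
    long written = n + 1;                 /* strcpy also writes the NUL */
    return written > URI_BUF ? written - URI_BUF : 0;
}

/* Hardened form: check the length against the buffer, then bounded copy.
 * Returns false and an empty buffer when the target does not fit. */
bool parse_uri_safe(const char *line, char out[URI_BUF]) {
    const char *uri;
    long n = find_uri(line, &uri);
    if (n < 0 || n >= URI_BUF) { out[0] = '\0'; return false; } /* room for NUL */
    memcpy(out, uri, (size_t)n);
    out[n] = '\0';
    return true;
}

int main(void) {
    char out[URI_BUF];
    /* Constructed request lines, not captured traffic. */
    const char *ok  = "GET /index.htm HTTP/1.1";
    const char *bad = "GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1";
    printf("%s -> %s\n", ok, parse_uri_safe(ok, out) ? out : "rejected");
    printf("%s -> %s (unchecked copy would spill %ld bytes)\n", bad,
           parse_uri_safe(bad, out) ? out : "rejected", unsafe_overflow_bytes(bad));
    return 0;
}
```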

Case-2: Schneider IGSS Vulnerability

• Oslo Traffic Center, Czech Republic Gas Center, Kuala Lumpur Airport

Finding Targets

• Banner Information: “SCXWebServer”

HTTP/1.1 200 OK
Content-Encoding: deflate
Date: Tue, 14 Dec 2010 19:09:52 GMT
Expires: Tue, 14 Dec 2010 19:09:52 GMT
Cache-Control: no-cache
Server: SCXWebServer/6.0

Search on SHODAN

CoDeSys ENI on SHODAN

• Server’s Banner: “ENIServer”

• Shodan Results: 195

CoDeSys WebServer on SHODAN

• Server’s Banner: “3S_WebServer”

• Shodan Results: 151

Reversing Tips

• It’s hard to find bugs via static reversing

• Use debugger + disassembler together and do dynamic reversing!

Static Reversing

• Bol

• Good luck!

Dynamic Reversing

Breakpoint on some “juicy” instructions and functions:

- REP MOVSD = memcpy(edi, esi, ecx)

- REP STOSD = memset(edi, eax, ecx)

- STRCPY

- RECV

- WSARecv

Office Zero-day Exploit

• Demo

Thank you!

• Contact:

• cunuver@signalsec.com

• www.signalsec.com

• vis.signalsec.com

• Twitter: @celilunuver