SCADA Software or Swiss Cheese Software? by Celil UNUVER
SCADA Software or Swiss Cheese Software?
Code Blue 2014, Tokyo. Celil ÜNÜVER, SignalSEC Ltd.
Agenda
• About me
• How it started?
• Why are SCADA apps so BUGGY?
• Hunting SCADA vulnerabilities
• Analysis of the vulnerabilities
About me
• Co-founder and Researcher @ SignalSEC Ltd.
• Organizer of NOPcon Hacker Conference (Istanbul, Turkey)
• Interested in vulnerability research, reversing
• Hunted a lot of bugs affecting Adobe, IBM, Microsoft, Facebook, Novell, SCADA vendors etc.
• Has been a speaker at CONFidence, Swiss Cyber Storm, c0c0n etc.
How it started?
• SCADA systems have been part of our daily life for many years!
• There was not much interest in SCADA security
Milestone
• Stuxnet and Duqu attacks in 2010 – 2011
• SCADA systems got the attention of hackers and researchers after these attacks.
• Critical systems, fame, profit etc.
• They are all JUICY targets
• Lots of SCADA systems are open to the INTERNET
No more Stuxnet
• Sure, all of us know about Stuxnet!
SCADA Overview
ICS Vulnerabilities
• Hardware/Firmware Vulnerabilities: Vulns in PLC & RTU devices
• Software Vulnerabilities: Vulns in control system software (HMI) that also affect the PLC/RTU devices it controls
TWO DOZEN BUGS IN A FEW HOURS
Trust me, it's easy!
Actually, it's really easy to hunt SCADA BUGS!!!
Why is it easy?
There wasn't a real threat to SCADA software until 2010,
so the developers were not aware of SECURE Development.
Hunting Vulnerabilities
• Simple reversing rocks!
• 1) Analyze the target software (potential inputs: communication protocols, ActiveX etc.)
• 2) Discover & trace the input
• 3) Hunt the bugs.
Hunting Vulnerabilities
"You must understand that there is more than one path to the top of the mountain."
- Miyamoto Musashi -
Case-1: CoDeSys Gateway Vuln
• CoDeSys is a development environment for industrial control systems, used by lots of manufacturers.
• Aaron Portnoy from Exodus discovered these vulnerabilities.
• Status: Patched
Case-1: CoDeSys - RECON
• Listening PORT
Case-1: CoDeSys - Debug
• Breakpoint on recv()
• Send junk bytes
• Breakpoint on access to recv's 'buf' parameter
Case-1: CoDeSys - Debug
• Comparing
Case-1: CoDeSys – Switch Cases / Opcodes
• After we pass the comparison
Case-1: CoDeSys – Switch Cases
• Let's find the bugs
Case-1: CoDeSys – Delete File
• Opcode: 13
Case-1: CoDeSys – Upload File
• Opcode: 6
Case-1: Recommendation
• Actually, the file remove / upload "bugs" are features of this application ☺
• But there is no authentication for these operations. Somebody can reverse the packet structure and use these features for evil!
• To fix this kind of bug, developers should add an "authentication" step before executing opcodes.
• Patched in 2013
An Interesting Story: Progea MOVICON Vulnerability – still 0day
"When a patch doesn't patch anything!"
• 23 Nov 2013: I discovered some vulnerabilities in the latest version of the Progea MOVICON HMI software
• 24 Nov 2013: We published a short analysis on Pastebin
• 3 Dec 2013: ICS-CERT contacted us about the post on Pastebin. They asked for details, we sent information etc.
An Interesting Story: Progea MOVICON Vulnerability – 0day
• 5 Dec 2013:
• from ICS-CERT to me;
An Interesting Story: Progea MOVICON Vulnerability – 0day
• THEY SAY: The bugs you discovered are SIMILAR to a bunch of OLDER BUGS, PATCHED IN 2011.
• ICSA-11-056;
• My findings look exactly the same!!!! But I am able to reproduce them on the latest version!!
An Interesting Story: Progea MOVICON Vulnerability – 0day
• These bugs are similar to the bugs that we analyzed in Case-1: CoDeSys
• There is NO authentication to call some functions/operations in the software. Somebody can reverse the packet structure and use these features for evil!
• After a conversation with Code Blue staff, we have decided to mask some details of this zero-day vulnerability.
An InteresGng Story: Progea MOVICON Vulnerability – 0day
• Remote Information Disclosure: opcode [-censored-]
An Interesting Story: Progea MOVICON Vulnerability – 0day
• Opcode [-censored-] calls the GetVersionExA API and sends the output to the client
An Interesting Story: Progea MOVICON Vulnerability – 0day
• Here is a simple PoC for this bug:
An Interesting Story: Progea MOVICON Vulnerability – 0day
• When we run it and call opcode [-censored-]:
• The 6th byte of the printed data is "dwMajorVersion", a field of the OSVERSIONINFO structure filled in by GetVersionExA, which reveals the OS version.
• Status: PATCHED(!) in 2011, but we are able to exploit it in 2014!
An Interesting Story: Progea MOVICON Vulnerability – 0day
• So what is the problem? Why are old bugs still there!?
• After comparing the older version and the latest version, I understood that the vendor actually didn't patch anything.
• Instead of fixing the vulnerabilities, they just changed the "opcodes" of the functions in the new version!
• Older version: Opcode 7 causes the info disclosure vulnerability by calling the GetVersionEx API
• New version: They just changed opcode "7" to "X" for calling the GetVersionEx API
PROGEA, your fail is unbelievable!
Temporary solution
• Block remote connections to TCP:10651
• If you contact me personally, I can share vulnerability signatures that you can use in your IDS/IPS (Snort etc.)
Case-3: CoDeSys WebVisu
• CoDeSys WebVisu uses a web server, usually open to the Internet, for visualization of the PLC
• Discovered by me
• Status: Patched
Case-3: CoDeSys Vulnerability
• Buffer overflow vulnerability when parsing long HTTP requests, due to an unsafe function.
• It uses "vsprintf" to print which file is requested.
Case-4: Schneider IGSS Vulnerability
• Gas Distribution in Europe
• Airport in Asia
• Traffic Control Center in Europe
Case-4: Schneider IGSS Vulnerability
• Discovered by me
• Status: Patched
• IGSS listens on ports 12399 and 12397 at runtime
• A simple bunch of code causes a DoS:
use IO::Socket;
$host   = "localhost";
$port   = 12399;
$port2  = 12397;
$first  = "\x01\x01\x00\x00";
$second = "\x02\x01\x00\x00";
# The remainder of the PoC is not shown on the slide; delivering each
# payload to its port is the obvious completion of the fragment above.
$sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp")
    or die "connect to $host:$port failed: $!";
print $sock $first;
close($sock);
$sock2 = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port2, Proto => "tcp")
    or die "connect to $host:$port2 failed: $!";
print $sock2 $second;
close($sock2);
Case-‐5: Schneider Electric Accutech Heap Overflow Vulnerability
Buffer overflow vulnerability when parsing long HTTP requests, due to an unsafe function
Status: Patched
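Case-3 and Case-5 describe the same bug class: a fixed-size buffer filled by an unbounded printf-family call while an HTTP request is being handled. The block below is an added example, not CoDeSys or Schneider code, showing the vsprintf pattern the slides describe next to a bounded version that refuses over-long targets with HTTP 414. The function names, buffer sizes and request lines are all constructed for this example.

```c
/* Added example, not CoDeSys or Schneider code: the bug class behind Case-3 and
 * Case-5.  vlog_unsafe() is the pattern the slide describes, a fixed log buffer
 * filled by vsprintf() with the requested path, so a long request line writes past
 * the buffer.  The safe path bounds both the parse of the request line and the log
 * write, and answers "too long" with HTTP 414 instead of a memory write.  Buffer
 * sizes are kept small on purpose; the request lines are constructed samples. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TARGET_MAX 48   /* request target buffer */
#define LOG_BUF    56   /* log entry buffer: "request for " + target must fit */

/* VULNERABLE: vsprintf() is never told how large buf is, so a target longer than
 * the buffer overflows it.  Kept for illustration; only called with short input here. */
static void vlog_unsafe(char *buf, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsprintf(buf, fmt, ap);
    va_end(ap);
}

/* SAFE: vsnprintf() bounds the write and always NUL-terminates.
 * Returns 1 if the message did not fit (truncated), 0 otherwise. */
static int vlog_safe(char *buf, size_t cap, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, cap, fmt, ap);
    va_end(ap);
    return n < 0 || (size_t)n >= cap;
}

/* Extract the target from "METHOD SP target SP version".  Returns 0 on success,
 * 400 if malformed, 414 if the target would not fit in cap-1 bytes. */
int parse_request_target(const char *line, char *out, size_t cap) {
    const char *start = strchr(line, ' ');
    if (!start) return 400;
    start++;
    const char *end = strpbrk(start, " \r\n");
    if (!end || end == start) return 400;
    size_t n = (size_t)(end - start);
    if (n >= cap) return 414;           /* refuse instead of truncating or overflowing */
    memcpy(out, start, n);
    out[n] = '\0';
    return 0;
}

/* Parse the request line, then log it into a LOG_BUF-sized entry the safe way.
 * Returns the HTTP status to send: 200, 400 or 414.  A target that parsed but would
 * not fit the log entry is also rejected, so the bounded path stays observable. */
int handle_request_line(const char *line) {
    char target[TARGET_MAX], entry[LOG_BUF];
    int st = parse_request_target(line, target, sizeof target);
    if (st) return st;
    if (vlog_safe(entry, sizeof entry, "request for %s", target)) return 414;
    return 200;
}

/* Build "GET /" + n * 'A' + " HTTP/1.1" and handle it; returns the status. */
int handle_long_request(size_t n) {
    char *line = malloc(n + 32);
    if (!line) return 500;
    memcpy(line, "GET /", 5);
    memset(line + 5, 'A', n);
    memcpy(line + 5 + n, " HTTP/1.1\r\n", 12);   /* 11 chars plus the NUL */
    int st = handle_request_line(line);
    free(line);
    return st;
}

int main(void) {
    char small[LOG_BUF];
    vlog_unsafe(small, "request for %s", "/webvisu.htm");  /* short input fits; the bug needs a long one */
    printf("%s\n", small);
    printf("GET /webvisu.htm -> %d\n", handle_request_line("GET /webvisu.htm HTTP/1.1\r\n"));
    printf("/ + 42 x 'A'     -> %d\n", handle_long_request(42));
    printf("/ + 43 x 'A'     -> %d (log entry would truncate)\n", handle_long_request(43));
    printf("/ + 200 x 'A'    -> %d (target too long)\n", handle_long_request(200));
    return 0;
}
```

The two bounds are deliberately separate: the parser refuses a target that cannot fit its own buffer, and the logger refuses one that cannot fit the log entry, so neither stage relies on the other having checked the length.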
Case-6: Pwning the Operator
Case-6: Invensys Wonderware System Platform Vulnerability
• Discovered by me
• Status: Patched
• Killing five birds with one stone ☺
Case-6: Invensys Wonderware System Platform Vulnerability
• An ActiveX Buffer Overflow vulnerability
• Just found by ActiveX fuzzing...
• Send the exploit URL to the HMI Operator
• Click and pwn!
Case-7: InduSoft HMI Bugs
• This is really creepy!
• This software doesn't even check a "magic" value in incoming packets. There is no custom packet structure!
• Sending 1 byte to TCP:4322 is enough to reach a switch case
Case-7: InduSoft HMI Exploit ☺
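Case-1 (CoDeSys Gateway), the Progea MOVICON story and Case-7 (InduSoft) share one root cause: an opcode read straight out of the packet is dispatched with no header validation and no authentication, and renumbering the opcodes changes nothing. The block below is an added example, not code from the talk or from any vendor. It models such a service twice, as shipped and with the authentication step the Case-1 recommendation asks for, and sweeps all 256 opcodes to show that the renumbered table is just as exposed. The wire format, the opcode tables, the session struct and the DEMO_SECRET credential are hypothetical.

```c
/* Added example, not code from the talk or from any vendor: a toy opcode-driven
 * HMI/gateway service.  dispatch_open() is the pattern the slides describe: byte 0
 * selects a "feature" and runs it, with no header check and no authentication.
 * dispatch_hardened() validates a frame header and refuses every feature until the
 * session has logged in.  sweep_opcodes() shows why renumbering opcodes (the Movicon
 * "patch") is not a fix.  Wire format, opcode values and the credential are made up. */
#include <stdint.h>
#include <string.h>

#define MAX_FILES 4
#define NAME_LEN  32
#define MAGIC0    0x53   /* hypothetical frame header: magic(2) opcode(1) arglen(1) */
#define MAGIC1    0x43
#define HDR_LEN   4
enum { DISPATCH_UNKNOWN = -1, DISPATCH_REJECT = -2, DISPATCH_MALFORMED = -3 };
typedef struct {
    int  authenticated;               /* set only by a successful LOGIN */
    char files[MAX_FILES][NAME_LEN];  /* toy "project directory" */
} session_t;
/* Opcode tables.  V2 is what a renumber-only "patch" ships: same features, new numbers.
 * A delete-file opcode (13 on the slides) would sit behind the same gate as upload. */
typedef struct { uint8_t login, version, upload; } opmap_t;
static const opmap_t OPMAP_V1 = { 0x01, 0x07, 0x06 };  /* version 7 and upload 6 as on the slides */
static const opmap_t OPMAP_V2 = { 0x21, 0x4e, 0x33 };
static const char DEMO_SECRET[] = "operator";  /* placeholder for the product's real credential check */

static int op_version(uint8_t *out, size_t cap) {
    const uint32_t v[3] = { 6, 1, 7601 };  /* stand-in for GetVersionExA output (constructed values) */
    if (cap < sizeof v) return DISPATCH_MALFORMED;
    memcpy(out, v, sizeof v);
    return (int)sizeof v;
}
static int op_upload(session_t *s, const uint8_t *name, size_t n, uint8_t *out, size_t cap) {
    if (n == 0 || n >= NAME_LEN || cap < 1) return DISPATCH_MALFORMED;
    for (int i = 0; i < MAX_FILES; i++)
        if (s->files[i][0] == '\0') {
            memcpy(s->files[i], name, n); s->files[i][n] = '\0';
            out[0] = 0x00; return 1;                /* ack */
        }
    out[0] = 0xff; return 1;                        /* directory full */
}
static int run_feature(session_t *s, const opmap_t *m, uint8_t op,
                       const uint8_t *arg, size_t n, uint8_t *out, size_t cap) {
    if (op == m->version) return op_version(out, cap);
    if (op == m->upload)  return op_upload(s, arg, n, out, cap);
    return DISPATCH_UNKNOWN;
}

/* As shipped: byte 0 is the opcode and nothing else is checked, so one byte
 * reaches the switch (Case-7) and no login is ever asked for (Case-1). */
int dispatch_open(session_t *s, const opmap_t *m, const uint8_t *pkt, size_t len,
                  uint8_t *out, size_t cap) {
    if (len < 1) return DISPATCH_MALFORMED;
    return run_feature(s, m, pkt[0], pkt + 1, len - 1, out, cap);
}

/* Hardened: header and declared length validated, login required before any feature. */
int dispatch_hardened(session_t *s, const opmap_t *m, const uint8_t *pkt, size_t len,
                      uint8_t *out, size_t cap) {
    if (len < HDR_LEN || pkt[0] != MAGIC0 || pkt[1] != MAGIC1 || cap < 1) return DISPATCH_MALFORMED;
    uint8_t op = pkt[2], n = pkt[3];
    if ((size_t)n + HDR_LEN != len) return DISPATCH_MALFORMED;
    const uint8_t *arg = pkt + HDR_LEN;
    if (op == m->login) {
        if (n != sizeof DEMO_SECRET - 1 || memcmp(arg, DEMO_SECRET, n) != 0) return DISPATCH_REJECT;
        s->authenticated = 1; out[0] = 0x00; return 1;
    }
    if (!s->authenticated) return DISPATCH_REJECT;  /* every feature sits behind the gate */
    return run_feature(s, m, op, arg, n, out, cap);
}
typedef int (*dispatch_fn)(session_t *, const opmap_t *, const uint8_t *, size_t, uint8_t *, size_t);

/* Try all 256 opcodes from a fresh, unauthenticated session and count those that
 * answer with data.  'framed' selects the hardened wire format. */
int sweep_opcodes(dispatch_fn fn, const opmap_t *m, int framed) {
    int reachable = 0;
    for (int op = 0; op < 256; op++) {
        session_t s = {0};
        uint8_t out[64], raw[] = { (uint8_t)op, 'x' };
        uint8_t frame[] = { MAGIC0, MAGIC1, (uint8_t)op, 1, 'x' };
        int r = framed ? fn(&s, m, frame, sizeof frame, out, sizeof out)
                       : fn(&s, m, raw, sizeof raw, out, sizeof out);
        if (r > 0) reachable++;
    }
    return reachable;
}

/* Hardened exchange end to end: upload refused, login, same upload accepted.  Returns 1 if so. */
int demo_hardened_flow(void) {
    session_t s = {0};
    uint8_t out[64];
    const uint8_t upload[] = { MAGIC0, MAGIC1, 0x06, 10, 'a','l','a','r','m','s','.','c','f','g' };
    const uint8_t login[]  = { MAGIC0, MAGIC1, 0x01, 8, 'o','p','e','r','a','t','o','r' };
    if (dispatch_hardened(&s, &OPMAP_V1, upload, sizeof upload, out, sizeof out) != DISPATCH_REJECT) return 0;
    if (dispatch_hardened(&s, &OPMAP_V1, login, sizeof login, out, sizeof out) != 1) return 0;
    if (dispatch_hardened(&s, &OPMAP_V1, upload, sizeof upload, out, sizeof out) != 1 || out[0] != 0) return 0;
    return strcmp(s.files[0], "alarms.cfg") == 0;
}
```

Sweeping the open dispatcher finds the same two features whether the V1 or the renumbered V2 table is in use, which is exactly how the MOVICON "patch" was seen through; the hardened dispatcher answers every opcode with a rejection until a login frame has been accepted, and only then does the upload go through.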
Finding Targets
• Banner information: "3S_WebServer"
• Let's search for it on SHODAN! ☺
CoDeSys WebServer on SHODAN
Server banner: "3S_WebServer"; Shodan results: 151
Demo
Conclusion
• Critical Infrastructures are juicy targets!
• Hacktivists are interested in SCADA hacking too, not only government intelligence agencies.
• Applications are insecure!
Thank you!
• Contact: [email protected]
• Twitter: @celilunuver
• www.signalsec.com
• www.securityarchitect.org