1Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
You to Boston Barcelona and me to California Texas (a play on “Tú a Boston y yo a California”, the Spanish title of The Parent Trap)
A patadas con mi SCADA! (Kicking my SCADA around!)
Juan Vazquez & Julian Vilas
Presentation
Juan Vazquez (@_juan_vazquez_), from Austin (USA) – Exploit developer at Metasploit (Rapid7)
Julian Vilas (@julianvilas), from Barcelona (Spain) – Security analyst & researcher at Scytl
Bloggers at a not-too-regularly-updated blog – testpurposes.net
Motivation
After working side by side for years, we decided to do something together! (Just when we’re 8,000 km apart)
What? Some SCADA research:
– No intro to SCADA.
– No compliance & regulation review.
– No paperwork research about its security in general.
– Just (in-depth) analysis of a big SCADA product.
Why?...
Index
Introduction
Organization
Platform Discovery
Vulnerabilities & Exploitation
Post Exploitation
Last topic
Conclusions
Introduction
Yokogawa CENTUM CS 3000 R3
“Yokogawa released CENTUM CS 3000 R3 in 1998 as the first Windows-based production control system under our brand. For over 10 years of continuous developments and enhancements, CENTUM CS 3000 R3 is equipped with functions to make it a matured system. With over 7600 systems sold worldwide, it is a field-proven system with 99.99999% of availability.”
Why did we select this product?
First version obtained
– R3.02 (September 2001)
Finally, thanks to Russian & Vietnamese forums (you rock, guys! ;P)
– R3.08.50 (October 2007)
From here on, strange things started to happen...
Introduction. Basic elements.
FCS (Field Control Station)
HIS (Human Interface Station)
Field elements
Introduction. Topology.
Doesn’t it look familiar?
Organization. Problems
Distance & Timezones (GMT +1 vs GMT - 6)
SCADA Software
– Closed Software
– Documentation and Training
– Deployment
– Development
Think: Mozilla Firefox vs Yokogawa Centum CS3000
Organization. Solutions
Communications:
– Google Hangout / Google Chat
– Adium + OTR (mode paranoia /on)
Work & Collaboration Environment:
– Upgrade ADSL line + VPN
– Google Drive + Google Docs
– Confluence + Team Calendars
– VirtualBox
– GIT
– CollabREate
Work methodology
– SCRUM based (just a little)
Organization. Our Environment
What exactly do we have?
Software with capabilities for:
– Operating & monitoring functions (HIS)
– Engineering
– FCS simulation & virtual testing
Tons of exe’s, dll’s, docs, installed on Windows XP SP2 (SP3 support was added in R3.08.70 (November 2008)) ← Yes, WTF!
Platform Discovery
Work with the product
Discover the components
Discover the Real Attack Surface!
– Windows Services
– Application Network Services
– Application Local Services
– Application client components (ActiveX).
Example: Initial Installation
Example: Basic Demo Project Running (I) / Processes
Example: Basic Demo Project Running (II) / Network
Vulnerabilities. Documentation.
First fails were discovered during the installation process
– User created: “CENTUM”
– Password: we’re sure you can guess it on your first try ;)
– Program installed under “C:\CS3000”
– Wait….
WTF?
Vulnerabilities. Design.
Problems in typical SCADA protocols (like MODBUS) have been widely discussed.
Things are not so different here: even at the application layer you can spot a set of protocols lacking authentication, integrity checks, etc.
Example: BKBCopyD.exe
– Brief description: allows file sharing, with similarities to FTP. No authentication.
(Figure: RETR command and STOR command)
Metasploit DEMO.
– Using auxiliary modules to download and upload files.
Vulnerabilities. Implementation...
5 Vulnerabilities Found
– Stack and Heap Based Buffer Overflows
– In different binaries (applications and protocols)
Disclosure
– Rapid7 Vulnerability Disclosure Policy
  • https://www.rapid7.com/disclosure.jsp
– Contact with Vendor (15 days)
– Disclosure with CERT (45 days) (CERT and JPCERT in our case)
– Public Disclosure (60 days)
Today we make public the details and exploits for three vulnerabilities.
One disclosure has been delayed at the vendor’s request.
The last one is still going through the disclosure process described above.
Summary
– Heap Buffer Overflow in
– Stack Buffer Overflow in
– It shouldn’t be readable
– Stack Buffer Overflow in
– It shouldn’t be readable
Heap overflow in
Buffer Overflow….
Buffer Overflow in….
How to find them? Semi-guided dumb fuzzing
1) Basic understanding of the protocol
– Network captures
– Reverse engineering
2) Fuzz
3) Profit
Exploitation
Supported Operating Systems
Lack of compile-time protections (stack cookies)
Lack of link-time protections (SafeSEH)
DEMO: Metasploit vs Yokogawa CENTUM CS3000
– Exploits already landed in Metasploit.
– Free shells! We love shells!
– Check your installations! (more about that later…)
Post Exploitation
We got shells… now what?
We should have access to systems with highly valuable data, get it!
Steal data in SCADA environments :?
– Meterpreter is a powerful payload!!
– OJ (TheColonial) is doing awesome work with it!
– You definitely should read:
  • http://buffered.io/posts/3-months-of-meterpreter/
OJ’s recent work includes window integration:
“The goal here was to make it possible to enumerate all the windows on the current desktop to give you a clearer view of what the user is running, and to perhaps allow for interaction with those Windows later via Railgun”
We have used it to enumerate interesting windows, maximize and screenshot them!
We should have access to systems with the power… to move things… move them!
Spent a few hours reading documentation
– Wasn’t fun :(
Found the utilities used to design the operation & monitoring graphics
Started playing with it
We realized we were totally lost
Who said 8 == D ?
OK, goto fail… mmm… no, go back to reading more docs, we mean ;)
Some hours later, we knew a few more things…
Process Variable (PV)
Set Point Variable (SV)
Manipulated Variable (MV)
It means:
– FCS gets PVs from I/O modules
– FCS knows the SV value, and therefore whether it should apply any correction (MV) to the I/O modules
From the point of view of operating & monitoring:
– HIS gets PVs from FCS
– HIS can set SVs on FCS
– HIS can get MVs from FCS
Our hello world: a loop between PV and MV
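As an added illustration (our own toy code, not part of the talk or of the Yokogawa product), the PV/SV/MV loop above in Python: a proportional FCS drives the PV toward the SV through the MV, an HIS commands the SV, and an HIS-side consistency check notices when the SV the FCS is actually holding is not the one the operator commanded, which is exactly what tampering with the HIS/FCS communication produces. The gain, the process model and the assumption that the HIS can read the SV back from the FCS are ours.

```python
# Toy model of the FCS control loop: the FCS reads a PV from its I/O, compares
# it with the SV the HIS configured, and writes an MV correction to the I/O.
class FCS:
    """Proportional loop: one scan = read PV, compute MV, apply MV to the I/O."""

    def __init__(self, sv, kp=0.5, pv=0.0):
        self.sv = sv     # Set Point Variable, written by the HIS
        self.kp = kp     # proportional gain (constructed value)
        self.pv = pv     # Process Variable, read from the I/O module
        self.mv = 0.0    # Manipulated Variable, written to the I/O module

    def scan(self):
        self.mv = self.kp * (self.sv - self.pv)
        self.pv += self.mv   # toy I/O model: the actuator moves PV by the MV
        return self.pv, self.mv


class HIS:
    """Operator station: sets the SV and reads PV, MV (and SV) back from the FCS."""

    def __init__(self, fcs, link=lambda sv: sv):
        self.fcs = fcs
        self.link = link           # HIS->FCS channel; identity unless tampered
        self.commanded_sv = None

    def set_sv(self, sv):
        self.commanded_sv = sv
        self.fcs.sv = self.link(sv)   # the SV as it actually arrives at the FCS

    def run(self, scans):
        return [self.fcs.scan() for _ in range(scans)]

    def check_consistency(self, tolerance=0.05):
        """Supervisory check (assumption: the HIS can read the SV back from
        the FCS): once the loop has settled, the FCS must hold the commanded SV
        and the PV must sit on it with no remaining correction."""
        sv_ok = abs(self.fcs.sv - self.commanded_sv) <= tolerance
        pv_ok = abs(self.fcs.pv - self.commanded_sv) <= tolerance
        return sv_ok and pv_ok and abs(self.fcs.mv) <= tolerance


def run_demo(tampered=False, target_sv=10.0, scans=25):
    """Return (final_pv, consistent). With tampered=True the HIS->FCS link
    rewrites the SV in transit, which is the effect on the process that the
    talk's code injection into the HIS/FCS communication aims for."""
    link = (lambda sv: sv * 3) if tampered else (lambda sv: sv)
    his = HIS(FCS(sv=0.0), link)
    his.set_sv(target_sv)
    his.run(scans)
    return round(his.fcs.pv, 3), his.check_consistency()
```

With an intact link the loop settles on the commanded SV and the check passes; with the link rewriting the SV, the process settles elsewhere and the check fails even though the HIS itself still "knows" the right SV.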
How does it look?
Code injection to allow tampering with communications between HIS and FCS
What to tamper?
– SV
Where?
– BKFSim_vhfd.exe
How?
– Uses ws2_32.dll and its API for TCP sockets.
How?
– File System: Just drop a trojanized DLL
– Memory:
  • IAT hijack?
  • Detours Hooks?
  …
Metasploit Friendly :?:?
Reflective DLL Injection!
– Stephen Fewer
Integrated into Metasploit / Meterpreter
– https://github.com/stephenfewer/ReflectiveDLLInjection
Metasploit & Reflective DLL Injection
– Meterpreter & Extensions Loading
– Payload stage
  • payload/windows/stage/dllinject
– Local Kernel Exploits
  • Example: CVE-2013-3660 (pprFlattenRec)
– Post Exploitation
  • post/windows/manage/reflective_dll_inject
DEMO
– Windows Screenshots with Metasploit
– Reflective DLL injection: tamper communications to manipulate the control processes!
Last topic
OK, the system is…
…but it isn’t so important, because these systems live in isolated environments, right?...
Shit! Let’s look at the Yokogawa docs again…
Let’s see if we can find something out there…

UDP Services                      TCP Services
BKESysView       1057/UDP         BKHOdeq          20109/TCP
BKERDBFlagSet    1059/UDP         BKFSim_vhfd.exe  20110/TCP
BKHBos           1062/UDP         BKBCopyD         20111/TCP
BKHOdeq          1064/UDP         BKBBDFH          20153/TCP
BKHMsMngr        1065/UDP         BKHOdeq          20171/TCP
BKHExtRecorder   1069/UDP         BKBBDFH          20174/TCP
BKHClose         1070/UDP         BKHlongTerm      20183/TCP
BKHlongTerm      1071/UDP
BKHSched         1072/UDP
BKBBDFH          1074/UDP
BKBRECP          1075/UDP
BKHOpmp          1076/UDP
BKHPanel         1077-1082/UDP
BKHSysMsgWnd     1083/UDP
BKETestFunc      1084/UDP
BKFOrca          1085/UDP
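Added example (our own code, not from the talk): a Python check for a CENTUM host that parses Windows `netstat -an` output and reports which of the services in the table above are bound on an address outside the plant network, the inventory a defender wants before deciding what a perimeter firewall has to block. The plant address prefix and the sample netstat lines are constructed.

```python
import re

# Port-to-service map transcribed from the table above; BKHPanel spans 1077-1082/UDP.
CENTUM_SERVICES = {
    ("udp", 1057): "BKESysView", ("udp", 1059): "BKERDBFlagSet", ("udp", 1062): "BKHBos",
    ("udp", 1064): "BKHOdeq", ("udp", 1065): "BKHMsMngr", ("udp", 1069): "BKHExtRecorder",
    ("udp", 1070): "BKHClose", ("udp", 1071): "BKHlongTerm", ("udp", 1072): "BKHSched",
    ("udp", 1074): "BKBBDFH", ("udp", 1075): "BKBRECP", ("udp", 1076): "BKHOpmp",
    ("udp", 1083): "BKHSysMsgWnd", ("udp", 1084): "BKETestFunc", ("udp", 1085): "BKFOrca",
    ("tcp", 20109): "BKHOdeq", ("tcp", 20110): "BKFSim_vhfd.exe", ("tcp", 20111): "BKBCopyD",
    ("tcp", 20153): "BKBBDFH", ("tcp", 20171): "BKHOdeq", ("tcp", 20174): "BKBBDFH",
    ("tcp", 20183): "BKHlongTerm",
}
CENTUM_SERVICES.update({("udp", p): "BKHPanel" for p in range(1077, 1083)})

# One `netstat -an` line: proto, local addr:port, foreign addr, state (TCP only).
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Yield (proto, local_ip, port) for TCP listeners and bound UDP sockets."""
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, ip, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue       # skip established/closing connections
        yield proto.lower(), ip, int(port)


def audit_exposure(netstat_text, plant_prefixes=("10.0.",)):
    """Return CENTUM services bound outside the plant network as
    (service, port/proto, local_ip). plant_prefixes is a constructed
    assumption; a 0.0.0.0 bind is reachable on every interface."""
    findings = []
    for proto, ip, port in parse_listeners(netstat_text):
        name = CENTUM_SERVICES.get((proto, port))
        if name and not ip.startswith(plant_prefixes):
            findings.append((name, f"{port}/{proto}", ip))
    return findings


# Constructed sample in the shape of `netstat -an` on an HIS; not real data.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:20111          0.0.0.0:0              LISTENING
  TCP    10.0.1.5:20110         0.0.0.0:0              LISTENING
  TCP    10.0.1.5:20110         10.0.1.9:1234          ESTABLISHED
  UDP    0.0.0.0:1079           *:*
  UDP    10.0.1.5:1057          *:*
"""
```

On the sample, the unauthenticated BKBCopyD file service on 20111/TCP and a BKHPanel socket are flagged because they listen on every interface, while the services bound to the plant address are not.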
In addition, we have a bunch of vulnerabilities worth detecting
– Metasploit isn’t a Vulnerability Scanner but...
...some probes/checks in exploits are really good. Writing good probes isn’t easy indeed!
With all this knowledge… wouldn’t it be awesome to know if all this research matters?
#ScanAllTheThings
#ScanAllTheThings
Rapid7 - Project Sonar
– ZMAP
– Metasploit
Thanks to Rapid7 for helping us to #ScanAllTheThings
– Especially to Tas Giakouminakis and Mark Schloesser
– Don’t lose the opportunity to attend BHUSA 2014!
Problems when you #ScanAllTheThings:
– Internet is huge!
– We’ve just scanned for two vulnerable TCP services
– False positives
– Laws / Attorneys
Methodology:
– TCP scan the Internet with ZMAP: 1,301,154 suspicious addresses
– Eliminate false positives (blacklists, plus tests to discover addresses answering open to all): 56,911 suspicious addresses
– Use metasploit-framework to scan with the safe probes
Results:
– 2 important universities around the world, conducting important research projects with Yokogawa, are exposing CENTUM CS 3000 projects to the world
Conclusions
Goals
Difficulties
Final conclusions
Top Related