scada software or swiss cheese software?　 by celil unuver

SCADA So'ware or Swiss Cheese So'ware?

Code Blue 2014 , Tokyo Celil ÜNÜVER, SignalSEC Ltd.

Agenda

•  About me •  How it started? •  Why are SCADA apps so BUGGY? •  HunGng SCADA vulnerabiliGes •  Analysis of the vulnerabiliGes

About me

•  Co-‐founder and Researcher @ SignalSEC Ltd.

•  Organizer of NOPcon Hacker Conference (Istanbul,Turkey)

•  Interested in vulnerability research , reversing •  Hunted a lot of bugs affect Adobe, IBM, Microso',

Facebook, Novell , SCADA vendors etc.

•  Has been a speaker at CONFidence, Swiss Cyber Storm, c0c0n etc.

How it started?

•  SCADA systems are in our daily life for long years!

•  There was not too much interest in SCADA Security

Milestone

•  Stuxnet and Duqu aâcks in 2010 – 2011

•  SCADA systems got aênGon of hackers and researchers a'er these aâcks.

•  CriGcal systems , fame, profit etc.. •  They are all JUICY target •  Lots of SCADA systems are open to INTERNET

No more stuxnet •  Sure , all of us know about stuxnet!

SCADA Overview

ICS VulnerabiliGes

•  Hardware/Firmware VulnerabiliGes: Vulns in PLC & RTU devices

•  So'ware VulnerabiliGes:

Vulns in Control System So'ware(HMI) but also affects PLC/RTU devices

TWO DOZEN BUGS IN A FEW HOURS

Trust me , it’s easy!

Actually, it’s really easy to hunt SCADA BUGS!!!

Why it’s easy?

There wasn’t a real threat for SCADA soEware unFll 2010

So the developers were not aware of SECURE

Development

HunGng VulnerabiliGes

•  Simple reversing rocks! •  1-‐) Analyze the target so'ware (PotentaGal

inputs; communicaGon protocols, acGvex etc.)

•  2-‐) Discover & trace the input

•  3-‐) Hunt the bugs.

HunGng VulnerabiliGes

“You must understand that there is more than one path to the top of the mountain.”

-‐ Miyamoto Musashi -‐

Case-‐1: CoDeSys Gateway Vuln

•  CoDeSys is development environment for industrial control systems used by lots of manufacturers.

•  Aaron Portnoy from Exodus discovered these vulnerabiliGes.

•  Status: Patched

Case-‐1 : CoDeSys -‐ RECON

•  Listening PORT

Case-‐1: CoDeSys -‐ Debug

•  Breakpoint on recv() •  Send junk bytes

•  Breapoint Access on recv’s ‘buf’ parameter

Case-‐1: CoDeSys -‐ Debug

•  Comparing

Case-‐1: CoDeSys – Switch Cases / Opcodes

•  A'er we pass the comparison

Case-‐1: CoDeSys – Switch Cases

•  Let’s find the bugs

Case-‐1: CoDeSys – Delete File •  Opcode : 13

Case-‐1: CoDeSys – Upload File •  Opcode: 6

Case-‐1: RecommendaGon

•  Actually, file remove / upload bugs are ‘feature’ of this applicaGon ☺

•  But there is no authenGcaGon for these operaGons. Somebody can reverse the packet structure and use these features for evil!

•  To solve this kind of bugs, developers should add an “authenGcaGon” step before execuGg opcodes.

•  Patched in 2013

An InteresGng Story: Progea MOVICON Vulnerability – sGll 0day

“When a patch doesn’t patch anything!”

•  23 Nov 2013: I’ve discovered some vulnerabiliGes on the latest version of Progea MOVICON HMI so'ware

•  24 Nov 2013: We’ve published a short analysis on Pastebin •  3 Dec 2013: ICS-‐CERT contacted us about the post on

Pastebin. They asked details , we sent informaGon etc.

An InteresGng Story: Progea MOVICON Vulnerability – 0day

•  5 Dec 2013:

•  from ICS-‐CERT to me;


•  THEY SAY : The bugs you discovered are SIMILAR to a bunch of OLDER BUGS and PATCHED IN 2011.

•  ICSA-‐11-‐056;

•  My findings looks exactly same!!!! But I am able to reproduce on the latest version!!


•  These bugs are similar to the bugs that we analyzed in Case-‐1:CoDeSys

•  There is NO authenGcaGon to call some funcGons , operaGons in the so'ware. Somebody can reverse the packet structure and use these features for evil!

•  A"er a conversa,on with Code Blue staff, we have decided to mask some details of this zero-‐day vulnerability.


•  Remote InformaGon Disclosure: opcode [-‐censored-‐]


•  Opcode [-‐censored-‐] calls GetVersionExA API and sends output to the client


•  Here is a simple PoC for this bug;


•  When we run it and call opcode [-‐censored-‐]:

•  6th byte in printed data is "dwMajorVersion" which is a return value of GetVersionExA and gives informaGon about the OS.

•  Status: PATCHED(!) in 2011 but we are able to exploit it in 2014!


•  So what is the problem? Why old bugs are sGll there !? •  A'er comparing the older version and the latest version ,

I understood that actually vendor didn’t patch anything. •  Instead of fixing vulnerabiliGes, they just changed

“opcodes” of the funcGons in new version! •  Older version: Opcode 7 causes info disclosure

vulnerability by calling GetVersionEx API •  New version: They just changed opcode “7” to “X” for

calling GetversionEx API

PROGEA, your fail is unbelievable!

Temporary soluGon

•  Block remote connecGons to TCP:10651

•  If you contact me in personal , I can share vulnerability signatures that you can use in your IDS/IPS (snort etc.)

Case-‐3: CoDeSys WebVisu

•  CodeSys WebVisu uses a webserver which is usually open to Internet for visualizaGon of PLC

•  Discovered by me •  Status: Patched

Case-‐3: CoDeSys Vulnerability

•  Buffer overflow vulnerability when parsing long h^p requests due to an unsafe funcGon.

•  It uses “vsprinv” to print which file is requested.

Case-‐4: Schneider IGSS Vulnerability •  Gas DistrubuFon in Europe

•  Airport in Asia •  Traffic Control Center in Europe

Case-‐4: Schneider IGSS Vulnerability •  Discovered by me •  Status: Patched •  IGSS listens 12399 and 12397 ports in runGme •  A simple bunch of code causes to DoS

use IO::Socket; $host = "localhost"; $port = 12399; $port2 = 12397; $first = "\x01\x01\x00\x00"; $second = "\x02\x01\x00\x00";

Case-‐5: Schneider Electric Accutech Heap Overflow Vulnerability

Buffer overflow vulnerability when parsing long h^p requests due to an unsafe funcGon

Status: Patched

Case-‐6: Pwning the Operator

Case-‐6: Invensys Wonderware System Plavorm Vulnerability

•  Discovered by me

•  Status: Patched •  Killing five birds with one stone ☺

Case-‐6: Invensys Wonderware System Plavorm Vulnerability

•  An AcGveX Buffer Overflow vulnerability

•  Just found by AcGveX fuzzing... •  Send the exploit URL to HMI Operator •  Click and pwn !

Case-‐7: InduSo' HMI Bugs

Case-‐7: InduSo' HMI Bugs

•  This is really creepy! •  This so'ware doesn’t check even any “magic”

value of incoming packets. There is no custom packet structure!

•  Sending 1 byte to TCP:4322 is enough to jump a switch case

Case-‐7: InduSo' HMI Exploit ☺

Finding Targets

•  Banner InformaGon: “3S_WebServer” •  Let’s search it on SHODAN! ☺

CoDeSys WebServer on SHODAN

Server’s Banner : “3S_WebServer” Shodan Results: 151

Demo

•  DEMO

Conclusion

•  CriGcal Infrastructures are juicy targets! •  HackGvists are interested in SCADA Hacking

too. Not only government intelligence agencies.

•  ApplicaFons are insecure!

D Thank you! •  Contact: •  [email protected]

•  Twicer: @celilunuver

•  www.signalsec.com

•  www.securityarchitect.org

scada software or swiss cheese software?　 by celil unuver

Technology

codesysdeletefile opcode

codesysuploadfile opcode

codesysrecon listeningport

agenda aboutme howitstarted

milestone stuxnetandduqua

prequests duetoan

swisscyber storm

tokyo celilnver

scada software or swiss cheese software? by celil unuver

scada software or swiss cheese software?　 by celil unuver