Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi SCADA! [Rooted CON 2014]



  1. Rooted CON 2014, 6-7-8 Marzo // 6-7-8 March. Tú a Boston Barcelona y yo a California Tejas. A patadas con mi SCADA! Juan Vazquez & Julian Vilas
  2. Presentation
     – Juan Vazquez (@_juan_vazquez_), from Austin (USA): exploit developer at Metasploit (Rapid7)
     – Julian Vilas (@julianvilas), from Barcelona (Spain): security analyst & researcher at Scytl
     – Bloggers of a not-too-regularly-updated blog: testpurposes.net
  3. Motivation. After working side by side for years, we decided to do something together! (Just when we're 8,000 km apart.) What? Some SCADA research:
     – No intro to SCADA.
     – No compliance & regulation review.
     – No paperwork research about its security in general.
     – Just (in-depth) analysis of a big SCADA product.
     Why?...
  4. Index: Introduction; Organization; Platform Discovery; Vulnerabilities & Exploitation; Post Exploitation; Last topic; Conclusions
  5. Introduction. Yokogawa CENTUM CS 3000 R3. “Yokogawa released CENTUM CS 3000 R3 in 1998 as the first Windows-based production control system under our brand. For over 10 years of continuous developments and enhancements, CENTUM CS 3000 R3 is equipped with functions to make it a matured system. With over 7600 systems sold worldwide, it is a field-proven system with 99.99999% of availability.”
  6. Introduction. Why did we select this product?
     – First version obtained: R3.02 (September 2001)
     – Finally, thanks to Russian & Vietnamese forums (you rock, guys! ;P): R3.08.50 (October 2007)
  7. Introduction. From here on, strange things started to happen...
  8. Introduction. Basic elements: FCS, HIS, field elements.
  9. Introduction. Topology.
  10. Introduction. Doesn't it look familiar?
  11. Organization. Problems: distance & time zones (GMT+1 vs GMT-6).
  12. Organization. Problems: SCADA software
     – Closed software
     – Documentation and training
     – Deployment
     – Development
     Think: Mozilla Firefox vs Yokogawa CENTUM CS3000.
  13. Organization. Solutions. Communications:
     – Google Hangout / Google Chat
     – Adium + OTR (paranoia mode /on)
     Work & collaboration environment:
     – Upgrade ADSL line + VPN
     – Google Drive + Google Docs
     – Confluence + Team Calendars
     – VirtualBox
     – Git
     – CollabREate
  14. Organization. Solutions. Work methodology: SCRUM based (just a little).
  15. Organization. Our environment. What exactly do we have? Software with capabilities for:
     – Operating & monitoring functions (HIS)
     – Engineering
     – FCS simulation & virtual testing
     Tons of exes, DLLs and docs, installed on Windows XP SP2 (SP3 support was added in R3.08.70 (November 2008)) ← Yes, WTF!
  16. Platform discovery. Work with the product; discover the components; discover the real attack surface!
     – Windows services
     – Application network services
     – Application local services
     – Application client components (ActiveX)
  17. Platform discovery. Example: initial installation.
  18. Platform discovery. Example: basic demo project running (I) / processes.
  19. Platform discovery. Example: basic demo project running (II) / network.
  20. Vulnerabilities. Documentation. The first failures were discovered during the installation process:
     – User created: “CENTUM”
     – Password: we're sure you can guess it on your first try ;)
  21. Vulnerabilities. Documentation.
     – Program installed under “C:\CS3000”
     – Wait….
  22. Vulnerabilities. Documentation. WTF?
  23. Vulnerabilities. Documentation. WTF?
  24. Vulnerabilities. Documentation. WTF?
  25. Vulnerabilities. Documentation. WTF?
  26. Vulnerabilities. Design. Problems in typical SCADA protocols (like Modbus) have been widely discussed. Things are not so different here: even in the application layers you can spot a set of protocols with no authentication, no integrity checks, etc.
  27. Vulnerabilities. Design. Example: BKBCopyD.exe
     – Brief description: allows file sharing, with similarities to FTP. No authentication.
  28. Vulnerabilities. Design. RETR command. STOR command.
  29. Vulnerabilities. Design. Metasploit DEMO.
     – Using auxiliary modules to download and upload files.
  30. Vulnerabilities. Implementation... 5 vulnerabilities found
     – Stack- and heap-based buffer overflows
     – In different binaries (applications and protocols)
     Disclosure
     – Rapid7 Vulnerability Disclosure Policy: https://www.rapid7.com/disclosure.jsp
     – Contact with vendor (15 days)
     – Disclosure with CERT (45 days) (CERT and JPCERT in our case)
     – Public disclosure (60 days)
  31. Vulnerabilities. Implementation. Today we make public the details and exploits for three vulnerabilities. One disclosure has been delayed at the vendor's request. The last one is still going through the disclosure process described above.
  32. Vulnerabilities. Implementation. Summary
     – Heap buffer overflow in
     – Stack buffer overflow in
     – It shouldn't be readable
     – Stack buffer overflow in
     – It shouldn't be readable
  33. Vulnerabilities. Implementation. Heap overflow in
  34. Vulnerabilities. Implementation. Buffer overflow….
  35. Vulnerabilities. Implementation. Buffer overflow in….
  36. Vulnerabilities. Implementation. How to find them? Semi-guided dumb fuzzing:
     1) Basic understanding of the protocol
        – Network captures
        – Reverse engineering
     2) Fuzz
     3) Profit
  37. Exploitation. Supported operating systems.
  38. Exploitation. Lack of compile-time protections (stack cookies). Lack of link-time protections (SafeSEH).
  39. Exploitation. DEMO: Metasploit vs Yokogawa CENTUM CS3000
     – Exploits already landed in Metasploit.
     – Free shells! We love shells!
     – Check your installations! (more about that later…)
  40. Post exploitation. We got shells… now what?
  41. Post exploitation. We should have access to systems with highly valuable data: get it! Stealing data in SCADA environments :?
     – Meterpreter is a powerful payload!!
     – OJ (TheColonial) is doing awesome work with it!
     – You definitely should read: http://buffered.io/posts/3-months-of-meterpreter/
  42. Post exploitation. OJ's recent work includes window integration: “The goal here was to make it possible to enumerate all the windows on the current desktop to give you a clearer view of what the user is running, and to perhaps allow for interaction with those Windows later via Railgun.” We have used it to enumerate interesting windows, maximize them and screenshot them!
  43. Post exploitation. We should have access to systems with the power… to move things… move them! We spent a few hours reading documentation – it wasn't fun :( Found the utilities used to design the operation & monitoring graphics.
  44. Post exploitation.
  45. Post exploitation. Started playing with it.
  46. Post exploitation. We realized we were totally lost. Who said 8 == D ?
  47. Post exploitation. OK, goto fail… mmm… no, go back and read more docs, we mean ;) Some hours later, we knew a few more things…
  48. Post exploitation. Process Variable (PV). Set Point Variable (SV). Manipulated Variable (MV).
  49. Post exploitation.
  50. Post exploitation. It means:
     – FCS gets PVs from the I/O modules
     – FCS knows the SV value, and therefore whether it should apply any correction (MV) to the I/O modules
     From the point of view of operating & monitoring:
     – HIS gets PVs from FCS
     – HIS can set SVs on FCS
     – HIS can get MVs from FCS
  51. Post exploitation. Our hello world: a loop between PV and MV.
  52. Post exploitation. How does it look?
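The PV/SV/MV relationship in slides 48-52 is easier to see in a running loop. The toy below is an added example, not code from the talk and not Yokogawa's implementation: the FCS is modelled as a proportional controller that turns the SV-PV difference into an MV, the plant simply moves PV by MV each cycle, and the HIS side gets a deviation monitor. It also shows the defender's counterpart to what the talk tampers with later: an SV write from the HIS is accepted only if it is inside an assumed engineering range and rate limit, so a tampered set point cannot drive the process anywhere it likes. The gain, the ranges and the sample values are all constructed.

```python
"""Toy PV/SV/MV control loop with an SV plausibility check on the FCS side.

Constructed example: the FCS model, gain, ranges and sample values are
assumptions made for illustration, not Yokogawa's implementation.
"""
from dataclasses import dataclass, field


@dataclass
class Fcs:
    """Stand-in for the FCS: holds the set point (SV) and computes MV from PV."""
    sv: float                 # current set point
    sv_low: float             # engineering range accepted for SV writes (assumed)
    sv_high: float
    max_sv_step: float        # largest change accepted in one SV write (assumed)
    gain: float = 0.5         # proportional gain of the toy controller
    rejected: list = field(default_factory=list)

    def set_sv(self, requested: float, source: str = "HIS") -> bool:
        """Accept an SV write from the HIS only if it passes the plausibility checks.

        A set point arriving out of range, or jumping further than the rate limit
        allows, is rejected and recorded; this bounds what a tampered HIS->FCS
        message can do to the process.
        """
        if not (self.sv_low <= requested <= self.sv_high):
            self.rejected.append((source, requested, "out of engineering range"))
            return False
        if abs(requested - self.sv) > self.max_sv_step:
            self.rejected.append((source, requested, "step exceeds rate limit"))
            return False
        self.sv = requested
        return True

    def control(self, pv: float) -> float:
        """Proportional correction: MV is the output that pushes PV toward SV."""
        return self.gain * (self.sv - pv)


def run_loop(fcs: Fcs, pv: float, cycles: int) -> list:
    """Run the PV -> MV -> PV loop; the plant is modelled as PV moving by MV each cycle."""
    history = []
    for _ in range(cycles):
        mv = fcs.control(pv)       # FCS: compare PV with SV, decide the correction
        pv = pv + mv               # I/O modules apply MV; the next PV reflects it
        history.append((round(pv, 4), fcs.sv, round(mv, 4)))
    return history


def deviation_alarms(history: list, limit: float) -> list:
    """HIS-side monitoring: cycles in which |PV - SV| exceeded the allowed deviation."""
    return [i for i, (pv, sv, _) in enumerate(history) if abs(pv - sv) > limit]


if __name__ == "__main__":
    fcs = Fcs(sv=50.0, sv_low=0.0, sv_high=100.0, max_sv_step=10.0)
    for pv, sv, mv in run_loop(fcs, pv=20.0, cycles=6):
        print(f"PV={pv:7.3f}  SV={sv:5.1f}  MV={mv:7.3f}")
    print("legitimate SV write accepted:", fcs.set_sv(55.0))
    print("out-of-range SV write accepted:", fcs.set_sv(500.0, source="tampered"))
    print("rejected writes:", fcs.rejected)
```

Running it prints PV converging on SV over the first few cycles, then shows the 55.0 write being accepted and the 500.0 write being refused. The range and rate checks belong on the FCS side precisely because, as the next slides show, the HIS-to-FCS channel is what gets tampered with.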
  53. Post exploitation. Code injection to allow tampering of communications between HIS and FCS. What to tamper? – SV. Where? – BKFSim_vhfd.exe. How? – It uses ws2_32.dll and its API for TCP sockets.
  54. Post exploitation. How?
     – File system: just drop a trojanized DLL
     – Memory: IAT hijack? Detours hooks? …
     Metasploit friendly :?:?
  55. Post exploitation. Reflective DLL injection!
     – Stephen Fewer
     – Integrated into Metasploit / Meterpreter
     – https://github.com/stephenfewer/ReflectiveDLLInjection
  56. Post exploitation. Metasploit & reflective DLL injection
     – Meterpreter & extensions loading
     – Payload stage: payload/windows/stage/dllinject
     – Local kernel exploits, e.g. CVE-2013-3660 (pprFlattenRec)
     – Post exploitation: post/windows/manage/reflective_dll_inject
  57. Post exploitation. DEMO
     – Windows screenshots with Metasploit
     – Reflective DLL injection: tamper communications to manipulate the control processes!
  58. Last topic. OK, the system is… …but it isn't so important, because these systems live in isolated environments, right?...
  59. Last topic. Shit! Let's look at the Yokogawa docs again…
  60. Last topic.
  61. Last topic. Let's see if we can find something out there…
     UDP services:
     – BKESysView 1057/UDP
     – BKERDBFlagSet 1059/UDP
     – BKHBos 1062/UDP
     – BKHOdeq 1064/UDP
     – BKHMsMngr 1065/UDP
     – BKHExtRecorder 1069/UDP
     – BKHClose 1070/UDP
     – BKHlongTerm 1071/UDP
     – BKHSched 1072/UDP
     – BKBBDFH 1074/UDP
     – BKBRECP 1075/UDP
     – BKHOpmp 1076/UDP
     – BKHPanel 1077-1082/UDP
     – BKHSysMsgWnd 1083/UDP
     – BKETestFunc 1084/UDP
     – BKFOrca 1085/UDP
     TCP services:
     – BKHOdeq 20109/TCP
     – BKFSim_vhfd.exe 20110/TCP
     – BKBCopyD 20111/TCP
     – BKBBDFH 20153/TCP
     – BKHOdeq 20171/TCP
     – BKBBDFH 20174/TCP
     – BKHlongTerm 20183/TCP
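The service list above is also the data a defender needs to act on the talk's own advice ("Check your installations!"). The script below is an added example, not the authors' or Rapid7's code: it reads "netstat -an"-style output from a HIS or engineering station, matches listening sockets against the CENTUM CS 3000 port map from the slide, and flags any of those services bound to every interface or to an address outside the control network. The netstat sample and the 192.168.10.0/24 control-network range are constructed for the example; the port-to-service map is taken from the slide.

```python
"""Exposure check for CENTUM CS 3000 service ports on a HIS/engineering station.

Constructed example: the port-to-service map is the one listed on the slide;
the netstat sample and the control-network range are made up for illustration.
"""
import ipaddress
import re

# Service ports from the slide (UDP 1057-1085, TCP 20109-20183).
CENTUM_PORTS = {
    ("udp", 1057): "BKESysView",   ("udp", 1059): "BKERDBFlagSet",
    ("udp", 1062): "BKHBos",       ("udp", 1064): "BKHOdeq",
    ("udp", 1065): "BKHMsMngr",    ("udp", 1069): "BKHExtRecorder",
    ("udp", 1070): "BKHClose",     ("udp", 1071): "BKHlongTerm",
    ("udp", 1072): "BKHSched",     ("udp", 1074): "BKBBDFH",
    ("udp", 1075): "BKBRECP",      ("udp", 1076): "BKHOpmp",
    ("udp", 1083): "BKHSysMsgWnd", ("udp", 1084): "BKETestFunc",
    ("udp", 1085): "BKFOrca",
    ("tcp", 20109): "BKHOdeq",     ("tcp", 20110): "BKFSim_vhfd.exe",
    ("tcp", 20111): "BKBCopyD",    ("tcp", 20153): "BKBBDFH",
    ("tcp", 20171): "BKHOdeq",     ("tcp", 20174): "BKBBDFH",
    ("tcp", 20183): "BKHlongTerm",
}
for _port in range(1077, 1083):          # BKHPanel uses 1077-1082/UDP
    CENTUM_PORTS[("udp", _port)] = "BKHPanel"

WILDCARDS = {"0.0.0.0", "::"}            # socket bound on every interface
# Windows "netstat -an" rows: proto, local addr:port, foreign addr, optional state
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

# Constructed sample output, not a capture from a real station.
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:20111          0.0.0.0:0              LISTENING
  TCP    192.168.10.5:20110     0.0.0.0:0              LISTENING
  TCP    203.0.113.7:20109      0.0.0.0:0              LISTENING
  TCP    192.168.10.5:20111     203.0.113.9:41234      ESTABLISHED
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1057           *:*
  UDP    192.168.10.5:1080      *:*
"""


def parse_listeners(netstat_text: str) -> list:
    """Return (proto, local_addr, port) for each listening TCP socket and each UDP socket."""
    listeners = []
    for line in netstat_text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                       # established connections are not services
        listeners.append((proto.lower(), addr.strip("[]"), int(port)))
    return listeners


def audit_exposure(netstat_text: str, control_net: str) -> list:
    """Flag CENTUM services bound to all interfaces or to an address outside the control network."""
    net = ipaddress.ip_network(control_net)
    findings = []
    for proto, addr, port in parse_listeners(netstat_text):
        service = CENTUM_PORTS.get((proto, port))
        if service is None:
            continue                       # not one of the CENTUM ports
        exposed = addr in WILDCARDS or ipaddress.ip_address(addr) not in net
        if exposed:
            findings.append((service, f"{port}/{proto}", addr))
    return findings


if __name__ == "__main__":
    for service, port, addr in audit_exposure(SAMPLE_NETSTAT, "192.168.10.0/24"):
        print(f"exposed: {service:16} {port:10} bound to {addr}")
```

On the sample input the BKBCopyD (20111/TCP) and BKESysView (1057/UDP) sockets are flagged because they listen on 0.0.0.0, and BKHOdeq (20109/TCP) because it is bound to a public address; the services bound to the control-network address pass. The same port map drives a firewall or IDS rule just as well: anything reaching these ports from outside the control network is worth an alert, especially for BKBCopyD, which the talk shows has no authentication at all.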
  62. Last topic. In addition we have a bunch of vulnerabilities worth detecting.
     – Metasploit isn't a vulnerability scanner, but... some of the probes/checks in its exploits are really good. Writing good probes isn't easy!
  63. Last topic. With all this knowledge… wouldn't it be awesome to know whether all this research matters? #ScanAllTheThings
  64. #ScanAllTheThings. Rapid7 – Project Sonar – ZMap – Metasploit. Thanks to Rapid7 for helping us to #ScanAllTheThings
     – Especially to Tas Giakouminakis and Mark Schloesser
     – Don't miss the opportunity to attend BHUSA 2014!
  65. #ScanAllTheThings. Problems when you #ScanAllTheThings:
     – The Internet is huge!
     – We've only scanned for two vulnerable TCP services
     – False positives
     – Laws / attorneys
  66. #ScanAllTheThings. Methodology:
     – TCP scan the Internet with ZMap: 1,301,154 suspicious addresses
     – Eliminate false positives (blacklists, plus tests to discover addresses that answer open on every port): 56,911 suspicious addresses
     – Use metasploit-framework to scan with the safe probes
  67. #ScanAllTheThings. Results:
     – 2 important universities around the world, conducting important research projects with Yokogawa, are exposing CENTUM CS 3000 projects to the world
  68. Conclusions: goals, difficulties, final conclusions.
