The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Excellence


The talk will be about 0-day cyber weapons. We will cover hot topics about software vulnerabilities and vulnerability market.

Published in: Technology

Transcript of "The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Excellence"

  1. Vulnerability Market
     Celil ÜNÜVER
     SignalSEC Ltd.
     www.signalsec.com
  2. About me
     • Co-founder and Researcher @ SignalSEC Corp.
     • Vulnerability Research and Intelligence
     • Have discovered many vulnerabilities affecting Adobe, IBM, Microsoft, Facebook, SCADA, Novell etc.
     • Speaker at CONFidence, Hackfest, Swiss Cyber Storm, c0c0n etc.
     • Organizer of NOPcon Hacker Conference
  3. Briefly
     I’m interested in bug hunting
  4. Jargon / Terminology
     • Vulnerability: a software bug which causes a security issue.
     • 0-day: an unknown vulnerability in a computer application. No patch!
     • Exploit: software used to break software and take advantage :)
  5. SCADA (in)Security
  6. No more Stuxnet
  7. Exploit Market
     Underground:
  8. Exploit Market
     Legal Buyers: Governments, Brokers (iDefense, ZDI, Netragard, Exodus etc.)
  9. Price List
  10. Price List
  11. Price List
      • Price depends on where you live and who you are :) (800 USD for zero-day attacks)
  12. How do you serve it?
      PoC / Weaponized Exploit
  13. Price List
      • And price depends on how you serve it: Weaponized Exploit
  14. Fighting Crime with the help of cyber weapons
      Spy software and exploits were used in Mexico to arrest a drug lord and organized crime leader
  15. Bug Hunting Methods
      • Reversing
  16. Reversing
      There are 10 types of people in the world: Those who understand binary and those who don’t.
  17. Bug Hunter’s Toolbag
      1-) Debugger:
          - Debugger
      2-) Disassembler:
          - IDA Pro
  18. WinDBG
  19. IDA Disassembler
  20. SCADA Vulns
      Sometimes it’s really easy to find SCADA VULNS!!!
  21. Why is it easy?
      There was no real threat to SCADA software until 2010, so the developers were not aware of SECURE Development.
  22. Case-1: CoDeSys Vulnerability
      • CoDeSys PLC Visualization Software – WebVisu Vulnerability
      • WebVisu uses a web server which is usually open to the Internet for visualization of the PLC
      • Discovered by me
      • http://ics-cert.us-cert.gov/pdf/ICSA-12-006-01.pdf
  23. Case-1: CoDeSys Vulnerability
      • France, Poland, Deutsche Telekom use this software
      • Buffer overflow vulnerability when parsing long HTTP requests, due to an unsafe function
  24. Case-1: CoDeSys Vulnerability
      • Direct control of EIP
  25. Case-2: Schneider IGSS Vulnerability
      • Oslo Traffic Center, Czech Republic Gas Center, Kuala Lumpur Airport
  26. Case-2: Schneider IGSS Vulnerability
      • Discovered by SignalSEC
      • http://ics-cert.us-cert.gov/pdf/ICSA-11-355-01-7.pdf
      • IGSS listens on ports 12399 and 12397 at runtime
      • A simple bunch of code causes a buffer overflow:

          use IO::Socket;
          # IGSS runtime ports named on the slide
          $host = "localhost";
          $port = 12399;
          $port2 = 12397;
          # Leading bytes of the two messages
          $first = "\x01\x01\x00\x00";
          $second = "\x02\x01\x00\x00";
  27. Finding Targets
      • Banner Information: “SCXWebServer”

          HTTP/1.1 200 OK
          Content-Encoding: deflate
          Date: Tue, 14 Dec 2010 19:09:52 GMT
          Expires: Tue, 14 Dec 2010 19:09:52 GMT
          Cache-Control: no-cache
          Server: SCXWebServer/6.0
  28. Search on SHODAN
  29. CoDeSys ENI on SHODAN
      • Server’s Banner: “ENIServer”
      • Shodan Results: 195
  30. CoDeSys WebServer on SHODAN
      • Server’s Banner: “3S_WebServer”
      • Shodan Results: 151
  31. Reversing Tips
      • It’s hard to find bugs via static reversing
      • Use debugger + disassembler together and do dynamic reversing!
  32. Static Reversing
      • Bol
      • Good luck!
  33. Dynamic Reversing
      Set breakpoints on some “juicy” instructions and functions:
      REP MOVSD = memcpy (edi, esi, ecx)
      REP STOSD = memset (edi, eax, ecx)
      STRCPY
      RECV
      WSARecv
  34. Office Zero-day Exploit
      • Demo
  35. Thank you!
      • Contact:
      • cunuver@signalsec.com
      • www.signalsec.com
      • vis.signalsec.com
      • Twitter: @celilunuver
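
Slide 23 attributes the WebVisu overflow to an unsafe function used while parsing long HTTP requests. The C example below is added here for illustration and is not code from CoDeSys or from the talk; the function names, the 64-byte buffer and the sample request lines are hypothetical. It sets an unbounded copy beside a length-checked parser that rejects an oversized path before writing anything.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 64  /* assumed fixed buffer size, for illustration */

/* Unsafe pattern (hypothetical, shown for contrast and never called):
 * no length check, so a long request line writes past the stack buffer
 * and over the saved return address. */
int parse_path_unsafe(const char *req) {
    char path[PATH_BUF];
    const char *p = strchr(req, ' ');
    if (!p) return -1;
    strcpy(path, p + 1);                 /* BUG: unbounded copy */
    return (int)strlen(path);
}

/* Hardened form: measure the path first, reject what does not fit,
 * then copy exactly that many bytes.
 * Returns 0 ok, -1 malformed, -2 path too long (reply 414 and log it). */
int parse_path_safe(const char *req, size_t len, char *out, size_t out_sz) {
    const char *sp1 = memchr(req, ' ', len);
    if (!sp1) return -1;
    const char *start = sp1 + 1;
    const char *sp2 = memchr(start, ' ', len - (size_t)(start - req));
    if (!sp2 || sp2 == start) return -1;
    size_t n = (size_t)(sp2 - start);
    if (n >= out_sz) return -2;          /* bound check before any write */
    memcpy(out, start, n);
    out[n] = '\0';
    return 0;
}

/* Constructed input: "GET /AAAA... HTTP/1.1" with a path of path_len bytes. */
int try_request(size_t path_len) {
    static char req[8192];
    char out[PATH_BUF];
    if (path_len == 0 || path_len + 16 > sizeof req) return -3;
    memcpy(req, "GET /", 5);
    memset(req + 5, 'A', path_len - 1);
    memcpy(req + 4 + path_len, " HTTP/1.1", 10);
    return parse_path_safe(req, strlen(req), out, sizeof out);
}

int main(void) {
    printf("short path : %d\n", try_request(10));
    printf("63 bytes   : %d\n", try_request(63));
    printf("64 bytes   : %d\n", try_request(64));
    printf("4096 bytes : %d\n", try_request(4096));
    return 0;
}
```

A -2 result is also a useful detection signal: request paths far longer than anything a legitimate client sends are worth logging with the source address.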