SCADA Software or Swiss Cheese Software?  by Celil UNUVER


The talk is about SCADA vulnerabilities and their exploitation. We will answer some specific questions about SCADA software vulnerabilities with technical details.

The questions are:
- Why are SCADA applications buggy?
- What is the status and impact of the threat?
- How do researchers or hackers discover these vulnerabilities?

In this talk we will also look at some SCADA vulnerabilities that affect well-known SCADA/HMI vendors, and will show how easy it is to hunt these vulnerabilities via reverse engineering, fuzzing etc.


Celil Unuver is co-founder & security researcher of SignalSEC Ltd. He is also founder of the NOPcon Security Conference. His areas of expertise include Vulnerability Research & Discovery, Exploit Development, Penetration Testing and Reverse Engineering. He has been a speaker at CONFidence, Swiss Cyber Storm, c0c0n, IstSec and Kuwait Info Security Forum. He enjoys hunting bugs and has discovered critical vulnerabilities affecting well-known vendors such as Adobe, IBM, Microsoft, Novell etc.

Slide 1: SCADA Software or Swiss Cheese Software?
Code Blue 2014, Tokyo
Celil ÜNÜVER, SignalSEC Ltd.

Slide 2: Agenda
- About me
- How it started?
- Why are SCADA apps so BUGGY?
- Hunting SCADA vulnerabilities
- Analysis of the vulnerabilities

Slide 3: About me
- Co-founder and Researcher @ SignalSEC Ltd.
- Organizer of NOPcon Hacker Conference (Istanbul, Turkey)
- Interested in vulnerability research, reversing
- Hunted a lot of bugs affecting Adobe, IBM, Microsoft, Facebook, Novell, SCADA vendors etc.
- Has been a speaker at CONFidence, Swiss Cyber Storm, c0c0n etc.

Slide 4: How it started?
- SCADA systems have been part of our daily life for many years!
- There was not too much interest in SCADA Security

Slide 5: Milestone
- Stuxnet and Duqu attacks in 2010 - 2011
- SCADA systems got the attention of hackers and researchers after these attacks.
- Critical systems, fame, profit etc.
- They are all JUICY targets
- Lots of SCADA systems are open to the INTERNET

Slide 6: No more Stuxnet
- Sure, all of us know about Stuxnet!

Slide 7: SCADA Overview

Slide 8: ICS Vulnerabilities
- Hardware/Firmware Vulnerabilities: vulns in PLC & RTU devices
- Software Vulnerabilities: vulns in Control System Software (HMI), which also affect PLC/RTU devices

Slide 9: TWO DOZEN BUGS IN A FEW HOURS

Slide 10: Trust me, it's easy!
Actually, it's really easy to hunt SCADA BUGS!!!

Slide 11: Why it's easy?
There wasn't a real threat for SCADA software until 2010, so the developers were not aware of SECURE Development.

Slide 12: Hunting Vulnerabilities
- Simple reversing rocks!
- 1) Analyze the target software (potential inputs: communication protocols, ActiveX etc.)
- 2) Discover & trace the input
- 3) Hunt the bugs.

Slide 13: Hunting Vulnerabilities
"You must understand that there is more than one path to the top of the mountain."
- Miyamoto Musashi -

Slide 14: Case-1: CoDeSys Gateway Vuln
- CoDeSys is a development environment for industrial control systems used by lots of manufacturers.
- Aaron Portnoy from Exodus discovered these vulnerabilities.
- Status: Patched

Slide 15: Case-1: CoDeSys - RECON
- Listening PORT

Slide 16: Case-1: CoDeSys - Debug
- Breakpoint on recv()
- Send junk bytes
- Breakpoint on access to recv's 'buf' parameter

Slide 17: Case-1: CoDeSys - Debug
- Comparing

Slide 18: Case-1: CoDeSys - Switch Cases / Opcodes
- After we pass the comparison

Slide 19: Case-1: CoDeSys - Switch Cases
- Let's find the bugs

Slide 20: Case-1: CoDeSys - Delete File
- Opcode: 13

Slide 21: Case-1: CoDeSys - Upload File
- Opcode: 6

Slide 22: Case-1: Recommendation
- Actually, file remove / upload bugs are a 'feature' of this application ☺
- But there is no authentication for these operations. Somebody can reverse the packet structure and use these features for evil!
- To solve this kind of bug, developers should add an "authentication" step before executing opcodes.
- Patched in 2013

Slide 23: An Interesting Story: Progea MOVICON Vulnerability - still 0day
"When a patch doesn't patch anything!"
- 23 Nov 2013: I've discovered some vulnerabilities in the latest version of Progea MOVICON HMI software
- 24 Nov 2013: We've published a short analysis on Pastebin
- 3 Dec 2013: ICS-CERT contacted us about the post on Pastebin. They asked for details, we sent information etc.

Slide 24: An Interesting Story: Progea MOVICON Vulnerability - 0day
- 5 Dec 2013: from ICS-CERT to me;

Slide 25: An Interesting Story: Progea MOVICON Vulnerability - 0day
- THEY SAY: The bugs you discovered are SIMILAR to a bunch of OLDER BUGS and PATCHED IN 2011.
- ICSA-11-056
- My findings look exactly the same!!!! But I am able to reproduce them on the latest version!!

Slide 26: An Interesting Story: Progea MOVICON Vulnerability - 0day
- These bugs are similar to the bugs that we analyzed in Case-1: CoDeSys
- There is NO authentication to call some functions / operations in the software. Somebody can reverse the packet structure and use these features for evil!
- After a conversation with Code Blue staff, we have decided to mask some details of this zero-day vulnerability.

Slide 27: An Interesting Story: Progea MOVICON Vulnerability - 0day

Slide 28: An Interesting Story: Progea MOVICON Vulnerability - 0day
- Remote Information Disclosure: opcode [-censored-]

Slide 29: An Interesting Story: Progea MOVICON Vulnerability - 0day
- Opcode [-censored-] calls the GetVersionExA API and sends the output to the client

Slide 30: An Interesting Story: Progea MOVICON Vulnerability - 0day
- Here is a simple PoC for this bug;

Slide 31: An Interesting Story: Progea MOVICON Vulnerability - 0day
- When we run it and call opcode [-censored-]:
- The 6th byte in the printed data is "dwMajorVersion", which is a return value of GetVersionExA and gives information about the OS.
- Status: PATCHED(!) in 2011, but we are able to exploit it in 2014!

Slide 32: An Interesting Story: Progea MOVICON Vulnerability - 0day
- So what is the problem? Why are old bugs still there!?
- After comparing the older version and the latest version, I understood that actually the vendor didn't patch anything.
- Instead of fixing vulnerabilities, they just changed the "opcodes" of the functions in the new version!
- Older version: Opcode 7 causes an info disclosure vulnerability by calling the GetVersionEx API
- New version: They just changed opcode "7" to "X" for calling the GetVersionEx API

Slide 33: PROGEA, your fail is unbelievable!

Slide 34: Temporary solution
- Block remote connections to TCP:10651
- If you contact me personally, I can share vulnerability signatures that you can use in your IDS/IPS (Snort etc.)

Slide 35: Case-3: CoDeSys WebVisu
- CoDeSys WebVisu uses a webserver which is usually open to the Internet for visualization of the PLC
- Discovered by me
- Status: Patched

Slide 36: Case-3: CoDeSys Vulnerability
- Buffer overflow vulnerability when parsing long HTTP requests due to an unsafe function.
- It uses "vsprintf" to print which file is requested.

Slide 37: Case-4: Schneider IGSS Vulnerability
- Gas Distribution in Europe
- Airport in Asia
- Traffic Control Center in Europe

Slide 38: Case-4: Schneider IGSS Vulnerability
- Discovered by me
- Status: Patched
- IGSS listens on ports 12399 and 12397 at runtime
- A simple bunch of code causes a DoS (the fragment shown on the slide, with the backslashes of the escape sequences restored):

    use IO::Socket;

    # Host and the two ports IGSS listens on at runtime
    $host  = "localhost";
    $port  = 12399;
    $port2 = 12397;

    # The two four-byte payloads shown on the slide
    $first  = "\x01\x01\x00\x00";
    $second = "\x02\x01\x00\x00";

Slide 39: Case-5: Schneider Electric Accutech Heap Overflow Vulnerability
- Buffer overflow vulnerability when parsing long HTTP requests due to an unsafe function
- Status: Patched

Slide 40: Case-5: Schneider Electric Accutech Heap Overflow Vulnerability

Slide 41: Case-5: Schneider Electric Accutech Heap Overflow Vulnerability
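Case-3 (CoDeSys WebVisu) and Case-5 (Accutech) are the same defect: a formatting call with no idea of its destination buffer's size, fed by a client-controlled HTTP request path. The following is an added example, not code from either vendor or from the talk; function names, buffer sizes and the path limit are constructed, and it shows the bounded form a server-side request logger needs.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF_LEN   64   /* constructed: size of the fixed log-line buffer */
#define MAX_PATH_LEN 40   /* constructed: longest request path the logger accepts */

/* The vulnerable shape the slides describe looks like this and is deliberately
 * NOT defined here: vsprintf() never learns how large logbuf is, so a request
 * path longer than the buffer writes past its end.
 *
 *   static void log_request_unsafe(char *logbuf, const char *fmt, ...) {
 *       va_list ap; va_start(ap, fmt);
 *       vsprintf(logbuf, fmt, ap);      <-- unbounded write
 *       va_end(ap);
 *   }
 */

/* Bounded replacement: the buffer length travels with the buffer and the
 * result is checked, so a line that does not fit is dropped rather than
 * silently truncated. Returns bytes written, or -1 on overflow/error. */
static int log_request_safe(char *logbuf, size_t loglen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(logbuf, loglen, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= loglen) {
        logbuf[0] = '\0';          /* would not fit: emit nothing */
        return -1;
    }
    return n;
}

/* Entry point for a client-supplied path: reject overlong input before any
 * formatting happens, then log through the bounded function. */
static int log_requested_file(char *logbuf, size_t loglen, const char *path)
{
    if (strlen(path) > MAX_PATH_LEN)
        return -1;                 /* overlong request path refused */
    return log_request_safe(logbuf, loglen, "Requested file: %s", path);
}
```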
Slide 42: Case-6: Pwning the Operator

Slide 43: Case-6: Invensys Wonderware System Platform Vulnerability
- Discovered by me
- Status: Patched
- Killing five birds with one stone ☺

Slide 44: Case-6: Invensys Wonderware System Platform Vulnerability
- An ActiveX Buffer Overflow vulnerability
- Just found by ActiveX fuzzing...
- Send the exploit URL to the HMI Operator
- Click and pwn!

Slide 45: Case-7: InduSoft HMI Bugs

Slide 46: Case-7: InduSoft HMI Bugs
- This is really creepy!
- This software doesn't even check a "magic" value in incoming packets. There is no custom packet structure!
- Sending 1 byte to TCP:4322 is enough to jump to a switch case
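Case-1 (CoDeSys Gateway), the MOVICON story and Case-7 (InduSoft) share one design flaw: a switch on an opcode that runs before any packet validation or authentication, and renumbering opcodes does not remove it. The dispatcher below is an added example, not vendor code and not from the talk; the wire format, credential string and result codes are constructed, and opcodes 6 and 13 are borrowed from the CoDeSys slides purely as labels. It shows where the structure check and the authentication step belong relative to the switch.

```c
#include <stdint.h>
#include <string.h>

/* Constructed wire format: [0..3] magic "HMI1", [4] opcode, [5] payload
 * length, [6..] payload. Opcodes 6 and 13 are borrowed from the CoDeSys
 * slides purely as labels; the credential string is made up. */
#define MAGIC   "HMI1"
#define HDR_LEN 6
enum { OP_PING = 1, OP_LOGIN = 2, OP_UPLOAD_FILE = 6, OP_DELETE_FILE = 13 };
enum { R_OK = 0, R_BAD_HEADER = -1, R_AUTH_REQUIRED = -2,
       R_BAD_LOGIN = -3, R_UNKNOWN_OP = -4 };
struct session { int authenticated; int files_uploaded; int files_deleted; };

/* Stand-in credential check; a real server verifies against its user store. */
static int check_credentials(const uint8_t *p, size_t n)
{
    static const char secret[] = "operator:s3cret";   /* constructed */
    return n == sizeof(secret) - 1 && memcmp(p, secret, n) == 0;
}

/* Privilege is a property of the action, not of the opcode number, so
 * renumbering an opcode (the MOVICON "fix") changes nothing here. */
static int is_privileged(uint8_t op) { return op == OP_UPLOAD_FILE || op == OP_DELETE_FILE; }

static int handle_packet(struct session *s, const uint8_t *pkt, size_t len)
{
    /* 1. Structure first: a stray single byte never reaches the switch. */
    if (len < HDR_LEN || memcmp(pkt, MAGIC, 4) != 0)
        return R_BAD_HEADER;
    uint8_t op = pkt[4], plen = pkt[5];
    if (len != HDR_LEN + (size_t)plen)        /* length field must match */
        return R_BAD_HEADER;
    const uint8_t *payload = pkt + HDR_LEN;
    /* 2. Authentication before any privileged opcode is dispatched. */
    if (is_privileged(op) && !s->authenticated)
        return R_AUTH_REQUIRED;
    /* 3. Only now dispatch on the opcode. */
    switch (op) {
    case OP_PING:        return R_OK;
    case OP_LOGIN:
        if (!check_credentials(payload, plen)) return R_BAD_LOGIN;
        s->authenticated = 1; return R_OK;
    case OP_UPLOAD_FILE: s->files_uploaded++; return R_OK; /* real action elided */
    case OP_DELETE_FILE: s->files_deleted++;  return R_OK;
    default:             return R_UNKNOWN_OP;
    }
}
```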
Slide 47: Case-7: InduSoft HMI Exploit ☺

Slide 48: Finding Targets
- Banner Information: "3S_WebServer"
- Let's search it on SHODAN! ☺

Slide 49: CoDeSys WebServer on SHODAN
Server's Banner: "3S_WebServer"
Shodan Results: 151

Slide 50: Demo
- DEMO

Slide 51: Conclusion
- Critical Infrastructures are juicy targets!
- Hacktivists are interested in SCADA hacking too, not only government intelligence agencies.
- Applications are insecure!

Slide 52: Thank you!
- Contact:
- Twitter: @celilunuver