The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Excellence

The talk is about 0-day cyber weapons. It covers hot topics around software vulnerabilities and the vulnerability market.

Published in: Technology

  1. Vulnerability Market
     Celil ÜNÜVER, SignalSEC Ltd., www.signalsec.com
  2. About me
     • Co-founder and Researcher @ SignalSEC Corp.
     • Vulnerability Research and Intelligence
     • Have discovered lots of vulnerabilities affecting Adobe, IBM, Microsoft, Facebook, SCADA, Novell etc.
     • Speaker at CONFidence, Hackfest, Swiss Cyber Storm, c0c0n etc.
     • Organizer of NOPcon Hacker Conference
  3. Briefly: I’m interested in bug hunting
  4. Jargon / Terminology
     • Vulnerability: a software bug which causes a security issue.
     • 0-day: an unknown vulnerability in a computer application. No patch!
     • Exploit: software written to break other software and take advantage of the vulnerability.
  5. SCADA (in)Security
  6. No more Stuxnet
  7. Exploit Market: Underground
  8. Exploit Market: Legal buyers: Governments, Brokers (iDefense, ZDI, Netragard, Exodus etc.)
  9. Price List
  10. Price List
  11. Price List
     • Price depends on where you live and who you are (800 USD for zero-day attacks)
  12. How you serve it? PoC vs. Weaponized Exploit
  13. Price List
     • And price depends on how you serve it: Weaponized Exploit
  14. Fighting Crime with the help of cyber weapons
     Spy software and exploits were used in Mexico to arrest a drug lord and organized crime leader
  15. Bug Hunting Methods
     • Reversing
  16. Reversing
     There are 10 types of people in the world: those who understand binary and those who don’t.
  17. Bug Hunter’s Toolbag
     1) Debugger
     2) Disassembler: IDA Pro
  18. WinDBG
  19. IDA Disassembler
  20. SCADA Vulns
     Sometimes it’s really easy to find SCADA vulns!
  21. Why is it easy?
     There was no real threat to SCADA software until 2010, so the developers were not aware of secure development.
  22. Case-1: CoDeSys Vulnerability
     • CoDeSys PLC Visualization Software, WebVisu vulnerability
     • WebVisu uses a web server which is usually open to the Internet for visualization of the PLC
     • Discovered by me
     • http://ics-cert.us-cert.gov/pdf/ICSA-12-006-01.pdf
  23. Case-1: CoDeSys Vulnerability
     • France, Poland, Deutsche Telekom use this software
     • Buffer overflow vulnerability when parsing long HTTP requests due to an unsafe function
  24. Case-1: CoDeSys Vulnerability
     • Direct control on EIP
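Added illustration of the bug class on slides 22-24 (constructed for this page, not CoDeSys/3S code; the parser, PATH_BUF_LEN and the request lines are assumptions): the path of an HTTP request line copied into a fixed-size stack buffer with no length check, next to the bounded version that rejects over-long input before copying.

```c
/* Constructed example of a request parser with the slide's bug class:
 * "GET /path HTTP/1.1" -> path copied into a fixed stack buffer. */
#include <stddef.h>
#include <string.h>

#define PATH_BUF_LEN 64   /* hypothetical size of the path buffer */

/* Returns the start of the path token and writes its length to *len,
 * or NULL if the line is not "METHOD SP PATH SP ...". */
static const char *find_path(const char *line, size_t *len)
{
    const char *start = strchr(line, ' ');
    if (start == NULL) return NULL;
    start++;
    const char *end = strchr(start, ' ');
    if (end == NULL) return NULL;
    *len = (size_t)(end - start);
    return start;
}

/* Vulnerable form: the copy length comes straight from the request, so a
 * path longer than PATH_BUF_LEN overwrites what follows the buffer on the
 * stack, including the saved return address ("direct control on EIP").
 * Kept only for contrast; never call it with untrusted input. */
int handle_request_unsafe(const char *line)
{
    char path[PATH_BUF_LEN];
    size_t len;
    const char *p = find_path(line, &len);
    if (p == NULL) return -1;
    memcpy(path, p, len);          /* no bound check: the bug */
    path[len] = '\0';
    return (int)len;
}

/* Hardened form: refuse the request before copying if the path cannot fit
 * together with its terminator. Returns the path length on success,
 * -1 for a malformed line and -2 for an over-long path. */
int handle_request_safe(const char *line)
{
    char path[PATH_BUF_LEN];
    size_t len;
    const char *p = find_path(line, &len);
    if (p == NULL) return -1;
    if (len >= sizeof path) return -2;   /* the missing check */
    memcpy(path, p, len);
    path[len] = '\0';
    return (int)len;
}
```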
  25. Case-2: Schneider IGSS Vulnerability
     • Oslo Traffic Center, Czech Republic Gas Center, Kuala Lumpur Airport
  26. Case-2: Schneider IGSS Vulnerability
     • Discovered by SignalSEC
     • http://ics-cert.us-cert.gov/pdf/ICSA-11-355-01-7.pdf
     • IGSS listens on ports 12399 and 12397 at runtime
     • A simple bunch of code causes a buffer overflow:
          use IO::Socket;
          $host = "localhost";
          $port = 12399;
          $port2 = 12397;
          $first = "\x01\x01\x00\x00";
          $second = "\x02\x01\x00\x00";
  27. Finding Targets
     • Banner information: “SCXWebServer”
          HTTP/1.1 200 OK
          Content-Encoding: deflate
          Date: Tue, 14 Dec 2010 19:09:52 GMT
          Expires: Tue, 14 Dec 2010 19:09:52 GMT
          Cache-Control: no-cache
          Server: SCXWebServer/6.0
  28. Search on SHODAN
  29. CoDeSys ENI on SHODAN
     • Server’s banner: “ENIServer”
     • Shodan results: 195
  30. CoDeSys WebServer on SHODAN
     • Server’s banner: “3S_WebServer”
     • Shodan results: 151
  31. Reversing Tips
     • It’s hard to find bugs via static reversing
     • Use debugger + disassembler together and do dynamic reversing!
  32. Static Reversing
     • Bol
     • Good luck!
  33. Dynamic Reversing
     Breakpoint on some “juicy” instructions and functions:
     • REP MOVSD = memcpy(edi, esi, ecx)
     • REP STOSD = memset(edi, eax, ecx)
     • strcpy
     • recv
     • WSARecv
  34. Office Zero-day Exploit
     • Demo
  35. Thank you!
     • Contact: cunuver@signalsec.com
     • www.signalsec.com
     • vis.signalsec.com
     • Twitter: @celilunuver
