The document discusses vulnerabilities in SCADA (Supervisory Control and Data Acquisition) systems, highlighting various security flaws discovered by the author and others over the years. It emphasizes that SCADA applications are often insecure and lack proper authentication mechanisms, making them attractive targets for hackers. The document provides several case studies of vulnerabilities, their exploitations, and lessons learned regarding the security of critical infrastructure systems.

1. SCADA
So'ware
or
Swiss
Cheese
So'ware?
Code
Blue
2014
,
Tokyo
Celil
ÜNÜVER,
SignalSEC
Ltd.

2. Agenda
• About
me
• How
it
started?
• Why
are
SCADA
apps
so
BUGGY?
• HunGng
SCADA
vulnerabiliGes
• Analysis
of
the
vulnerabiliGes

3. About
me
• Co-­‐founder
and
Researcher
@
SignalSEC
Ltd.
• Organizer
of
NOPcon
Hacker
Conference
(Istanbul,Turkey)
• Interested
in
vulnerability
research
,
reversing
• Hunted
a
lot
of
bugs
affect
Adobe,
IBM,
Microso',
Facebook,
Novell
,
SCADA
vendors
etc.
• Has
been
a
speaker
at
CONFidence,
Swiss
Cyber
Storm,
c0c0n
etc.

4. How
it
started?
• SCADA
systems
are
in
our
daily
life
for
long
years!
• There
was
not
too
much
interest
in
SCADA
Security

5. Milestone
• Stuxnet
and
Duqu
a^acks
in
2010
–
2011
• SCADA
systems
got
a^enGon
of
hackers
and
researchers
a'er
these
a^acks.
• CriGcal
systems
,
fame,
profit
etc..
• They
are
all
JUICY
target
• Lots
of
SCADA
systems
are
open
to
INTERNET

6. No
more
stuxnet
• Sure
,
all
of
us
know
about
stuxnet!

7. SCADA
Overview

8. ICS
VulnerabiliGes
• Hardware/Firmware
VulnerabiliGes:
Vulns
in
PLC
&
RTU
devices
• So'ware
VulnerabiliGes:
Vulns
in
Control
System
So'ware(HMI)
but
also
affects
PLC/RTU
devices

9.
TWO
DOZEN
BUGS
IN
A
FEW
HOURS

10.
Trust
me
,
it’s
easy!
Actually,
it’s
really
easy
to
hunt
SCADA
BUGS!!!

11. Why
it’s
easy?
There
wasn’t
a
real
threat
for
SCADA
soEware
unFll
2010
So
the
developers
were
not
aware
of
SECURE
Development

12. HunGng
VulnerabiliGes
• Simple
reversing
rocks!
• 1-­‐)
Analyze
the
target
so'ware
(PotentaGal
inputs;
communicaGon
protocols,
acGvex
etc.)
• 2-­‐)
Discover
&
trace
the
input
• 3-­‐)
Hunt
the
bugs.

13. HunGng
VulnerabiliGes
“You
must
understand
that
there
is
more
than
one
path
to
the
top
of
the
mountain.”
-­‐
Miyamoto
Musashi
-­‐

14. Case-­‐1:
CoDeSys
Gateway
Vuln
•
CoDeSys
is
development
environment
for
industrial
control
systems
used
by
lots
of
manufacturers.
• Aaron
Portnoy
from
Exodus
discovered
these
vulnerabiliGes.
• Status:
Patched

15. Case-­‐1
:
CoDeSys
-­‐
RECON
• Listening
PORT

16. Case-­‐1:
CoDeSys
-­‐
Debug
• Breakpoint
on
recv()
• Send
junk
bytes
• Breapoint
Access
on
recv’s
‘buf’
parameter

17. Case-­‐1:
CoDeSys
-­‐
Debug
• Comparing

18. Case-­‐1:
CoDeSys
–
Switch
Cases
/
Opcodes
• A'er
we
pass
the
comparison

19. Case-­‐1:
CoDeSys
–
Switch
Cases
• Let’s
find
the
bugs

20. Case-­‐1:
CoDeSys
–
Delete
File
• Opcode
:
13

21. Case-­‐1:
CoDeSys
–
Upload
File
• Opcode:
6

22. Case-­‐1:
RecommendaGon
• Actually,
file
remove
/
upload
bugs
are
‘feature’
of
this
applicaGon
☺
• But
there
is
no
authenGcaGon
for
these
operaGons.
Somebody
can
reverse
the
packet
structure
and
use
these
features
for
evil!
• To
solve
this
kind
of
bugs,
developers
should
add
an
“authenGcaGon”
step
before
execuGg
opcodes.
• Patched
in
2013

23. An
InteresGng
Story:
Progea
MOVICON
Vulnerability
–
sGll
0day
“When
a
patch
doesn’t
patch
anything!”
• 23
Nov
2013:
I’ve
discovered
some
vulnerabiliGes
on
the
latest
version
of
Progea
MOVICON
HMI
so'ware
• 24
Nov
2013:
We’ve
published
a
short
analysis
on
Pastebin
• 3
Dec
2013:
ICS-­‐CERT
contacted
us
about
the
post
on
Pastebin.
They
asked
details
,
we
sent
informaGon
etc.

24. An
InteresGng
Story:
Progea
MOVICON
Vulnerability
–
0day
• 5
Dec
2013:
• from
ICS-­‐CERT
to
me;

25. An
InteresGng
Story:
Progea
MOVICON
Vulnerability
–
0day
• THEY
SAY
:
The
bugs
you
discovered
are
SIMILAR
to
a
bunch
of
OLDER
BUGS
and
PATCHED
IN
2011.
• ICSA-­‐11-­‐056;
• My
findings
looks
exactly
same!!!!
But
I
am
able
to
reproduce
on
the
latest
version!!

26. An
InteresGng
Story:
Progea
MOVICON
Vulnerability
–
0day
• These
bugs
are
similar
to
the
bugs
that
we
analyzed
in
Case-­‐1:CoDeSys
• There
is
NO
authenGcaGon
to
call
some
funcGons
,
operaGons
in
the
so'ware.
Somebody
can
reverse
the
packet
structure
and
use
these
features
for
evil!
• A"er
a
conversa,on
with
Code
Blue
staff,
we
have
decided
to
mask
some
details
of
this
zero-­‐day
vulnerability.

27. An
InteresGng
Story:
Progea
MOVICON
Vulnerability
–
0day

28. An
InteresGng
Story:
Progea
MOVICON
Vulnerability
–
0day
• Remote
InformaGon
Disclosure:
opcode
[-­‐censored-­‐]

29. An
InteresGng
Story:
Progea
MOVICON
Vulnerability
–
0day
• Opcode
[-­‐censored-­‐]
calls
GetVersionExA
API
and
sends
output
to
the
client

30. An
InteresGng
Story:
Progea
MOVICON
Vulnerability
–
0day
• Here
is
a
simple
PoC
for
this
bug;

31. An
InteresGng
Story:
Progea
MOVICON
Vulnerability
–
0day
• When
we
run
it
and
call
opcode
[-­‐censored-­‐]:
• 6th
byte
in
printed
data
is
"dwMajorVersion"
which
is
a
return
value
of
GetVersionExA
and
gives
informaGon
about
the
OS.
• Status:
PATCHED(!)
in
2011
but
we
are
able
to
exploit
it
in
2014!

32. An
InteresGng
Story:
Progea
MOVICON
Vulnerability
–
0day
• So
what
is
the
problem?
Why
old
bugs
are
sGll
there
!?
• A'er
comparing
the
older
version
and
the
latest
version
,
I
understood
that
actually
vendor
didn’t
patch
anything.
• Instead
of
fixing
vulnerabiliGes,
they
just
changed
“opcodes”
of
the
funcGons
in
new
version!
• Older
version:
Opcode
7
causes
info
disclosure
vulnerability
by
calling
GetVersionEx
API
•
New
version:
They
just
changed
opcode
“7”
to
“X”
for
calling
GetversionEx
API

33. PROGEA,
your
fail
is
unbelievable!

34. Temporary
soluGon
• Block
remote
connecGons
to
TCP:10651
• If
you
contact
me
in
personal
,
I
can
share
vulnerability
signatures
that
you
can
use
in
your
IDS/IPS
(snort
etc.)

35. Case-­‐3:
CoDeSys
WebVisu
• CodeSys
WebVisu
uses
a
webserver
which
is
usually
open
to
Internet
for
visualizaGon
of
PLC
• Discovered
by
me
• Status:
Patched

36. Case-­‐3:
CoDeSys
Vulnerability
• Buffer
overflow
vulnerability
when
parsing
long
h^p
requests
due
to
an
unsafe
funcGon.
• It
uses
“vsprinv”
to
print
which
file
is
requested.

37. Case-­‐4:
Schneider
IGSS
Vulnerability
• Gas
DistrubuFon
in
Europe
• Airport
in
Asia
• Traffic
Control
Center
in
Europe

38. Case-­‐4:
Schneider
IGSS
Vulnerability
• Discovered
by
me
• Status:
Patched
• IGSS
listens
12399
and
12397
ports
in
runGme
• A
simple
bunch
of
code
causes
to
DoS
use
IO::Socket;
$host
=
"localhost";
$port
=
12399;
$port2
=
12397;
$first
=
"x01x01x00x00";
$second
=
"x02x01x00x00";

39. Case-­‐5:
Schneider
Electric
Accutech
Heap
Overflow
Vulnerability
Buffer
overflow
vulnerability
when
parsing
long
h^p
requests
due
to
an
unsafe
funcGon
Status:
Patched

40. Case-­‐5:
Schneider
Electric
Accutech
Heap
Overflow
Vulnerability

41. Case-­‐3:
Schneider
Electric
Accutech
Heap
Overflow
Vulnerability

42. Case-­‐6:
Pwning
the
Operator

43. Case-­‐6:
Invensys
Wonderware
System
Plavorm
Vulnerability
• Discovered
by
me
• Status:
Patched
• Killing
five
birds
with
one
stone
☺

44. Case-­‐6:
Invensys
Wonderware
System
Plavorm
Vulnerability
• An
AcGveX
Buffer
Overflow
vulnerability
• Just
found
by
AcGveX
fuzzing...
• Send
the
exploit
URL
to
HMI
Operator
• Click
and
pwn
!

45. Case-­‐7:
InduSo'
HMI
Bugs

46. Case-­‐7:
InduSo'
HMI
Bugs
• This
is
really
creepy!
• This
so'ware
doesn’t
check
even
any
“magic”
value
of
incoming
packets.
There
is
no
custom
packet
structure!
• Sending
1
byte
to
TCP:4322
is
enough
to
jump
a
switch
case

47. Case-­‐7:
InduSo'
HMI
Exploit
☺

48. Finding
Targets
• Banner
InformaGon:
“3S_WebServer”
• Let’s
search
it
on
SHODAN!
☺

49. CoDeSys
WebServer
on
SHODAN
Server’s
Banner
:
“3S_WebServer”
Shodan
Results:
151

50. Demo
• DEMO

51.
Conclusion
• CriGcal
Infrastructures
are
juicy
targets!
• HackGvists
are
interested
in
SCADA
Hacking
too.
Not
only
government
intelligence
agencies.
• ApplicaFons
are
insecure!

52. D
Thank
you!
• Contact:
• cunuver@signalsec.com
• Twicer:
@celilunuver
• www.signalsec.com
• www.securityarchitect.org