RootedCON 2014 - Kicking around SCADA!


Slides of the SCADA security talk presented at RootedCON 2014 by Juan Vazquez (Rapid7) and Julian Vilas (independent security researcher): "Kicking around SCADA"


  1. Rooted CON 2014, 6-7-8 March. "You to Boston Barcelona and I to California Texas". Kicking around my SCADA! ("A patadas con mi SCADA!"). Juan Vazquez & Julian Vilas
  2. Presentation
     • Juan Vazquez (@_juan_vazquez_) from Austin (USA)
       – Exploit developer at Metasploit (Rapid7)
     • Julian Vilas (@julianvilas) (Redsadic) from Barcelona (Spain)
       – Security analyst & researcher at Scytl
     • Bloggers of a not-too-regularly-updated blog :)
       – testpurposes.net
  3. Motivation
     • After working side by side for years, we decided to do something together! (Just when we are 8,000 km apart)
       – Handicap: distance & time zones (GMT+1 vs GMT-6)
  4. Motivation
     • What? Some SCADA research:
       – No intro to SCADA
       – No compliance & regulation review
       – No paperwork research about its security in general
       – Just (in-depth) analysis of a big SCADA product
     • Why?...
  5. Index
     • Introduction
     • Platform Discovery
     • Vulnerabilities & Exploitation
     • Post Exploitation
     • Last topic
     • Conclusions
  6. Introduction
     • Yokogawa CENTUM CS 3000 R3
       "Yokogawa released CENTUM CS 3000 R3 in 1998 as the first Windows-based production control system under our brand. For over 10 years of continuous developments and enhancements, CENTUM CS 3000 R3 is equipped with functions to make it a matured system. With over 7600 systems sold worldwide, it is a field-proven system with 99.99999% of availability."
  7. Introduction
     • Present in oil & gas, refining, chemical, power, ...
       – Customers (all over the world) like: BP, Total, Chevron, Shell, Tamoil, Samsung, Bridgestone, Mitsubishi, PPT, ...
  8. Introduction
     • Why did we select this product?
       – Handicap: closed software, difficult to get access to
     • First version obtained
       – R3.02 (September 2001)
     • Finally, digging deeper into the Wild Wild Web, we found a more recent version
       – R3.08.50 (October 2007)
  9. Introduction. Basic elements.
     • FCS (controller)
     • HIS (operation & monitoring station)
     • Field elements
  10. Introduction. Topology.
  11. Introduction. Our Environment
     • What exactly do we have?
     • Tons of exe's, dll's and docs, installed on Windows XP SP2 (SP3 support was added in R3.08.70 (November 2008)) ← Yes, WTF!
     • Software with capabilities for:
       – Operating & monitoring functions (HIS)
       – Engineering
       – FCS simulation & virtual testing
  12. Introduction. Our Environment
     • Spent a lot of hours reading documentation
       – Wasn't fun :(
     • Found utilities for designing the operation & monitoring graphics
       – FYI, the graphics can be viewed like logic circuits, interpreted by the controller
  13. Introduction. Our Environment
     • Started playing with it but soon realized we were totally lost. Who said 8 == D?
  14. Introduction. Our Environment
     • Process Variable (PV)
     • Set Point Variable (SV)
     • Manipulated Variable (MV)
  15. Introduction. Our Environment
  16. Introduction. Our Environment
     • It means:
       – FCS gets PVs from the I/O modules
       – FCS knows the SV value, and therefore whether it should apply any correction (MV) to the I/O modules
  17. Introduction. Our Environment
     • From the point of view of operating & monitoring:
       – HIS gets PVs from FCS
       – HIS can set SVs on FCS
       – HIS can get MVs from FCS
  18. Introduction
     • Doesn't it look familiar?
  19. Platform Discovery
     • Work with the product
     • Discover the components
     • Discover the real attack surface!
       – Windows services
       – Application network services
       – Application local services
       – Application client components (ActiveX)
  20. Platform Discovery
     • Example: Initial installation
  21. Platform Discovery
     • Example: Basic demo project running (I) / Processes
  22. Platform Discovery
     • Example: Basic demo project running (II) / Network
  23. Vulnerabilities. Documentation.
     • The first failures were discovered during the installation process
       – Windows user created: "CENTUM"
       – Password: we're sure you can guess it on your first try ;)
  24. Vulnerabilities. Documentation.
       – Program installed under "C:\CS3000"
       – Wait....
  25. Vulnerabilities. Documentation.
     • WTF?
  26. Vulnerabilities. Documentation.
     • WTF?
  27. Vulnerabilities. Documentation.
     • WTF?
  28. Vulnerabilities. Documentation.
     • WTF?
  29. Vulnerabilities. Design.
     • Problems in typical SCADA protocols (like Modbus) have been widely discussed
     • Things are not so different here: even in the application layers you can spot a set of protocols lacking authentication, integrity checks, etc.
  30. Vulnerabilities. Design.
     • Example: file sharing protocol, similar to FTP. No authentication
  31. Vulnerabilities. Design.
     • RETR command
     • STOR command
  32. Vulnerabilities. Design.
     • Metasploit DEMO
       – Using auxiliary modules to download and upload files.
  33. Vulnerabilities. Implementation...
     • 5 vulnerabilities found
       – Stack- and heap-based buffer overflows
       – In different binaries (applications and protocols)
     • Disclosure
       – Rapid7 Vulnerability Disclosure Policy
         • https://www.rapid7.com/disclosure.jsp
       – Contact with vendor (15 days)
       – Disclosure with CERT (45 days) (CERT and JPCERT in our case)
       – Public disclosure (60 days)
  34. Vulnerabilities. Implementation.
     • Summary
       – Heap buffer overflow in BKCLogSvr.exe
       – It shouldn't be readable
       – Stack buffer overflow in BKHOdeq.exe
       – Stack buffer overflow in BKBCopyD.exe
       – It shouldn't be readable
  35. Vulnerabilities. Implementation.
     • How to find them? Semi-guided dumb fuzzing
       1) Basic understanding of the protocol
          – Network captures
          – Reverse engineering
       2) Fuzz
       3) Profit
  36. Vulnerabilities. Implementation.
     • Heap overflow in BKCLogSvr.exe
       – Uninitialized stack data + memcpy
  37. Vulnerabilities. Implementation.
     • Buffer overflow in BKHOdeq.exe
       – Extracting lines from user data
  38. Vulnerabilities. Implementation.
     • Buffer overflow in BKBCopyD.exe
       – Use of the dangerous functions vsprintf and strcpy in the same function.
       – Used to parse commands and arguments... oops!
  39. Exploitation
     • Supported operating systems
  40. Exploitation
     • Lack of compile-time protections (stack cookies)
     • Lack of link-time protections (SafeSEH)
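Slides 36 and 38 describe the two bug patterns (a length taken from uninitialized stack data and handed to memcpy; strcpy and vsprintf used together while parsing a command and its argument), and slide 40 notes that the binaries were built without stack cookies or SafeSEH. The C below is an added example constructed for this page, not code from BKCLogSvr.exe, BKBCopyD.exe or any other Yokogawa binary: each pattern is written in its vulnerable shape next to a hardened version that bounds every copy and rejects over-long or truncated input instead of trusting it. Command names, the datagram header layout, buffer sizes and all function names are invented.

```c
/* Added example for this page: two constructed bug patterns of the kind the
 * talk describes, each beside a hardened version. Not code from BKCLogSvr.exe,
 * BKBCopyD.exe or any Yokogawa binary; all names and sizes are invented. */
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMD_LEN 16   /* hypothetical command buffer size */
#define ARG_LEN 64   /* hypothetical argument buffer size */
#define HDR_LEN 4    /* hypothetical datagram header: u16 type, u16 length (LE) */

/* ---- Pattern 1: strcpy + vsprintf while splitting "CMD argument" ---- */

/* Vulnerable: vsprintf has no destination size. */
static void reply_vuln(char *out, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(out, fmt, ap);
    va_end(ap);
}

/* Vulnerable: neither copy is bounded by its destination, so a command longer
 * than CMD_LEN or an argument longer than ARG_LEN overruns the stack frame.
 * Kept only for comparison; never feed it long input. */
int parse_command_vuln(const char *line, char *reply)
{
    char cmd[CMD_LEN], arg[ARG_LEN];
    const char *sp = strchr(line, ' ');
    if (!sp) return -1;
    memcpy(cmd, line, (size_t)(sp - line));
    cmd[sp - line] = '\0';
    strcpy(arg, sp + 1);
    reply_vuln(reply, "200 %s %s", cmd, arg);
    return 0;
}

/* Hardened: vsnprintf, and a reply that would not fit is an error rather
 * than a silently truncated string. */
static int reply_safe(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened: both lengths are checked against their buffers before any copy. */
int parse_command_safe(const char *line, char *reply, size_t replylen)
{
    char cmd[CMD_LEN], arg[ARG_LEN];
    const char *sp = strchr(line, ' ');
    if (!sp) return -1;
    size_t clen = (size_t)(sp - line), alen = strlen(sp + 1);
    if (clen == 0 || clen >= CMD_LEN || alen >= ARG_LEN) return -1;
    memcpy(cmd, line, clen); cmd[clen] = '\0';
    memcpy(arg, sp + 1, alen); arg[alen] = '\0';
    return reply_safe(reply, replylen, "200 %s %s", cmd, arg);
}

/* ---- Pattern 2: length from an uninitialized local, then memcpy ---- */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable shape: the length field is read only when the datagram carries a
 * full header, but 'len' is used either way. A short datagram leaves 'len'
 * holding whatever the previous call left on the stack, and memcpy trusts it;
 * a header that lies about its length also makes the copy read past 'pkt'. */
int copy_payload_vuln(const uint8_t *pkt, size_t pktlen, uint8_t *dst, size_t dstlen)
{
    uint16_t len;                          /* uninitialized on the short path */
    if (pktlen >= HDR_LEN)
        len = le16(pkt + 2);
    if (len > dstlen) len = (uint16_t)dstlen;
    memcpy(dst, pkt + HDR_LEN, len);
    return len;
}

/* Hardened: refuse a truncated header, then bound the copy by what was
 * actually received and by the destination size. */
int copy_payload_safe(const uint8_t *pkt, size_t pktlen, uint8_t *dst, size_t dstlen)
{
    if (pktlen < HDR_LEN) return -1;
    uint16_t len = le16(pkt + 2);
    if (len > pktlen - HDR_LEN || len > dstlen) return -1;
    memcpy(dst, pkt + HDR_LEN, len);
    return len;
}

int main(void)
{
    char reply[128];
    uint8_t pkt[] = { 0x01, 0x00, 0x03, 0x00, 'a', 'b', 'c' };  /* constructed datagram */
    uint8_t out[16];
    printf("safe parse:   %d\n", parse_command_safe("RETR demo.txt", reply, sizeof reply));
    printf("safe payload: %d\n", copy_payload_safe(pkt, sizeof pkt, out, sizeof out));
    printf("short header: %d\n", copy_payload_safe(pkt, 3, out, sizeof out));
    return 0;
}
```

The hardened variants return -1 for anything that does not fit, so the caller can drop the request and log it instead of continuing with a truncated or garbage value. On MSVC, /GS (stack cookies) and the linker's /SAFESEH are the build options whose absence slide 40 reports; they raise the cost of exploiting these bugs but fix none of them, so the bounds checks are the actual remedy.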
  41. Exploitation
     • DEMO: Metasploit vs Yokogawa CENTUM CS3000
       – Exploits will be landed in Metasploit.
       – Free shells! We love shells! :)
       – Check your installations! (more about that later...)
  42. Post Exploitation
     • We got shells... now what?
  43. Post Exploitation
     • We should have access to systems with highly valuable data: get it!
     • Steal data in SCADA environments :?
       – Meterpreter is a powerful payload!!
       – OJ (TheColonial) is doing awesome work with it!
       – You definitely should read:
         • http://buffered.io/posts/3-months-of-meterpreter/
  44. Post Exploitation
     • OJ's recent work includes window integration: "The goal here was to make it possible to enumerate all the windows on the current desktop to give you a clearer view of what the user is running, and to perhaps allow for interaction with those Windows later via Railgun"
     • We have used it to enumerate interesting windows, maximize them and take screenshots!
  45. Post Exploitation
     • We should have access to systems with the power... to move things: move them!
     • Code injection to allow tampering with the communications between HIS and FCS
     • What to tamper?
       – SV
     • Where?
       – BKFSim_vhfd.exe
     • How?
       – It uses ws2_32.dll and its API for TCP sockets.
  46. Post Exploitation
     • How to hijack?
       – File system: just drop a trojanized DLL
       – Memory:
         • IAT hijack?
         • Detours hooks?
     • ...
     • Metasploit friendly :?:?
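Slides 14 to 17 describe the PV/SV/MV loop between HIS and FCS, and slides 45 and 46 propose hooking the socket sends of the HIS-side process (IAT hijack or Detours hooks) so that the SV is rewritten in transit. The C program below is an added example, not code from the talk or from any Yokogawa component: it simulates one control loop with a proportional controller and a one-slot "import table" standing in for the IAT of the sending process, then swaps the send pointer for a hook that changes the SV before forwarding it. The message layout, loop constants, gain and all function names are invented, and nothing here touches ws2_32.dll or a real PE import table; the point is the mechanism (a call through a writable pointer slot) and its effect on the loop.

```c
/* Added example (not from the talk or from Yokogawa): a toy HIS -> FCS set-point
 * path with a proportional controller, plus an IAT-style hook that rewrites the
 * SV in transit. Names, message layout and constants are invented. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire message the HIS sends to the FCS. */
struct sv_msg {
    uint16_t tag;   /* loop identifier (hypothetical) */
    float    sv;    /* set point requested by the operator */
};

/* Simulated FCS state for one loop. */
struct fcs_loop {
    float pv;   /* process variable measured from I/O */
    float sv;   /* set point currently in force */
    float mv;   /* manipulated variable written to I/O */
    float kp;   /* proportional gain */
};

/* One FCS scan: MV = Kp * (SV - PV); the toy plant moves PV by half the MV. */
static void fcs_scan(struct fcs_loop *l)
{
    l->mv = l->kp * (l->sv - l->pv);
    l->pv += 0.5f * l->mv;
}

/* The genuine transmit routine, standing in for ws2_32!send(); here the
 * "network" is a direct write into the FCS state. */
static int real_send(struct fcs_loop *fcs, const void *buf, size_t len)
{
    struct sv_msg m;
    if (len != sizeof m) return -1;
    memcpy(&m, buf, sizeof m);
    fcs->sv = m.sv;
    return (int)len;
}

typedef int (*send_fn)(struct fcs_loop *, const void *, size_t);

/* Stand-in for the sending process's import address table: one slot. */
struct import_table { send_fn send; };
static struct import_table g_iat = { real_send };

static send_fn g_orig_send;     /* saved original, like a Detours trampoline target */
static float   g_attacker_sv;   /* value the hook substitutes */

/* Hook: rewrite the SV, then forward to the original. The HIS still believes
 * it sent the operator's value. */
static int hooked_send(struct fcs_loop *fcs, const void *buf, size_t len)
{
    struct sv_msg m;
    if (len != sizeof m) return g_orig_send(fcs, buf, len);
    memcpy(&m, buf, sizeof m);
    m.sv = g_attacker_sv;
    return g_orig_send(fcs, &m, sizeof m);
}

/* "IAT hijack": overwrite the slot the caller goes through. */
static void install_hook(float attacker_sv)
{
    g_orig_send   = g_iat.send;
    g_attacker_sv = attacker_sv;
    g_iat.send    = hooked_send;
}

/* Operator action on the HIS: change the set point via the import slot. */
static int his_set_sv(struct fcs_loop *fcs, uint16_t tag, float sv)
{
    struct sv_msg m = { tag, sv };
    return g_iat.send(fcs, &m, sizeof m);
}

/* Run one scenario and return the final FCS state. */
struct fcs_loop run_scenario(int hooked, float operator_sv, float attacker_sv, int scans)
{
    struct fcs_loop fcs = { 20.0f, 20.0f, 0.0f, 0.8f };
    g_iat.send = real_send;             /* fresh, unhooked table per run */
    if (hooked) install_hook(attacker_sv);
    his_set_sv(&fcs, 0x0101, operator_sv);
    for (int i = 0; i < scans; i++) fcs_scan(&fcs);
    printf("%-6s operator SV=%.1f  FCS SV=%.1f  PV=%.2f  MV=%.3f\n",
           hooked ? "hooked" : "clean", operator_sv, fcs.sv, fcs.pv, fcs.mv);
    return fcs;
}

int main(void)
{
    run_scenario(0, 50.0f, 0.0f, 20);
    run_scenario(1, 50.0f, 95.0f, 20);
    return 0;
}
```

The clean run drives PV to the operator's 50.0; the hooked run drives it to 95.0 while the value the operator typed on the HIS is unchanged, which is exactly why the HIS display is not a reliable witness once the process is compromised. On Windows the same effect is obtained by overwriting the ws2_32!send entry in the process IAT, or with a Detours-style inline hook, from a DLL loaded the way slides 47 and 48 describe.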
  47. Post Exploitation
     • Reflective DLL Injection!
       – Stephen Fewer
     • Integrated into Metasploit / Meterpreter
       – https://github.com/stephenfewer/ReflectiveDLLInjection
  48. Post Exploitation
     • Metasploit & Reflective DLL Injection
       – Meterpreter & extensions loading
       – Payload stage
         • payload/windows/stage/dllinject
       – Local kernel exploits
         • Example: CVE-2013-3660 (pprFlattenRec)
       – Post exploitation
         • post/windows/manage/reflective_dll_inject
  49. Post Exploitation
     • DEMO
       – Windows screenshots with Metasploit
       – Reflective DLL injection: trojanizing comms to manipulate the control processes!
  50. Last topic
     • OK, it looks like the system is...
     • ...but it isn't so important, because these systems live in isolated environments, right?...
  51. Last topic
     • Shit! Let's look at the Yokogawa docs again...
  52. Last topic. #ScanAllTheThings
     • With all this knowledge... wouldn't it be awesome to know whether all this research matters?
     • Rapid7 - Project Sonar
       – ZMap
       – Metasploit
     • Thanks to Rapid7 for helping us to #ScanAllTheThings
       – Especially to Tas Giakouminakis and Mark Schloesser
       – Don't miss the opportunity to attend BH ASIA 2014!
  53. Last topic. #ScanAllTheThings
     • Let's see if we can find something out there...

     UDP services
       BKESysView        1057/UDP
       BKERDBFlagSet     1059/UDP
       BKHBos            1062/UDP
       BKHOdeq           1064/UDP
       BKHMsMngr         1065/UDP
       BKHExtRecorder    1069/UDP
       BKHClose          1070/UDP
       BKHlongTerm       1071/UDP
       BKHSched          1072/UDP
       BKBBDFH           1074/UDP
       BKBRECP           1075/UDP
       BKHOpmp           1076/UDP
       BKHPanel          1077-1082/UDP
       BKHSysMsgWnd      1083/UDP
       BKETestFunc       1084/UDP
       BKFOrca           1085/UDP

     TCP services
       BKHOdeq           20109/TCP
       BKFSim_vhfd.exe   20110/TCP
       BKBCopyD          20111/TCP
       BKBBDFH           20153/TCP
       BKHOdeq           20171/TCP
       BKBBDFH           20174/TCP
       BKHlongTerm       20183/TCP
  54. Last topic. #ScanAllTheThings
     • Methodology:
       – TCP scan the Internet with ZMap: 1,301,154 suspicious addresses
       – Eliminate false positives (blacklists, plus tests to discover addresses that answer "open" to everything): 56,911 suspicious addresses
       – Use metasploit-framework to scan with the safe probes
  55. Last topic
     • In addition, we have a bunch of vulnerabilities worth detecting
       – Metasploit isn't a vulnerability scanner, but... some probes/checks in exploits are really good. Writing good probes isn't easy indeed!
  56. Last topic
     • Results:
       – 2 important environments around the world, conducting important research projects with Yokogawa, are exposing CENTUM CS 3000 projects to the world
  57. Conclusions
     • Goals
       – Understand the product and deploy a minimal setup of it
       – Dissect and pwn it
       – Discover how it affects the world
     • Problems
       – Distance
       – Resources
       – Attorneys
     • Final conclusions
       – Severity
       – White hat vs black hat
  58. Questions?
     • More info at
       – Twitter
         • @_juan_vazquez_
         • @julianvilas
       – testpurposes.net
       – Rapid7 blog
     • Released exploits at Metasploit
     THANKS!
