SCADA Software or Swiss Cheese Software? by Celil ÜNÜVER (SignalSEC Ltd.), Code Blue 2014, Tokyo


DESCRIPTION

The talk is about SCADA vulnerabilities and their exploitation. We will answer some specific questions about SCADA software vulnerabilities with technical details. The questions are:
- Why are SCADA applications buggy?
- What is the status and impact of the threat?
- How do researchers or hackers discover these vulnerabilities?
In this talk we will also look at some SCADA vulnerabilities that affect well-known SCADA/HMI vendors, and will show how easy it is to hunt these vulnerabilities via reverse engineering, fuzzing etc.

Celil UNUVER: Celil Unuver is co-founder & security researcher of SignalSEC Ltd. He is also founder of the NOPcon Security Conference. His areas of expertise include Vulnerability Research & Discovery, Exploit Development, Penetration Testing and Reverse Engineering. He has been a speaker at CONFidence, Swiss Cyber Storm, c0c0n, IstSec and the Kuwait Info Security Forum. He enjoys hunting bugs and has discovered critical vulnerabilities affecting well-known vendors such as Adobe, IBM, Microsoft, Novell etc.


Page 1: SCADA Software or Swiss Cheese Software?  by Celil UNUVER

SCADA Software or Swiss Cheese Software?

Code Blue 2014, Tokyo. Celil ÜNÜVER, SignalSEC Ltd.

Page 2: Agenda

• About me
• How it started?
• Why are SCADA apps so BUGGY?
• Hunting SCADA vulnerabilities
• Analysis of the vulnerabilities

Page 3: About me

• Co-founder and Researcher @ SignalSEC Ltd.
• Organizer of NOPcon Hacker Conference (Istanbul, Turkey)
• Interested in vulnerability research, reversing
• Hunted a lot of bugs affecting Adobe, IBM, Microsoft, Facebook, Novell, SCADA vendors etc.
• Has been a speaker at CONFidence, Swiss Cyber Storm, c0c0n etc.

Page 4: How it started?

• SCADA systems have been in our daily life for many years!
• There was not much interest in SCADA security

Page 5: Milestone

• Stuxnet and Duqu attacks in 2010 – 2011
• SCADA systems got the attention of hackers and researchers after these attacks.
• Critical systems, fame, profit etc.
• They are all JUICY targets
• Lots of SCADA systems are open to the INTERNET

Page 6: No more Stuxnet

• Sure, all of us know about Stuxnet!

Page 7: SCADA Overview

Page 8: ICS Vulnerabilities

• Hardware/Firmware vulnerabilities: vulns in PLC & RTU devices
• Software vulnerabilities: vulns in control system software (HMI), which also affect PLC/RTU devices

Page 9: TWO DOZEN BUGS IN A FEW HOURS

Page 10: Trust me, it's easy!

Actually, it's really easy to hunt SCADA BUGS!!!

Page 11: Why is it easy?

There wasn't a real threat to SCADA software until 2010, so the developers were not aware of SECURE Development.

Page 12: Hunting Vulnerabilities

• Simple reversing rocks!
• 1) Analyze the target software (potential inputs: communication protocols, ActiveX etc.)
• 2) Discover & trace the input
• 3) Hunt the bugs.

Page 13: Hunting Vulnerabilities

"You must understand that there is more than one path to the top of the mountain."

- Miyamoto Musashi -

Page 14: Case-1: CoDeSys Gateway Vuln

• CoDeSys is a development environment for industrial control systems used by lots of manufacturers.
• Aaron Portnoy from Exodus discovered these vulnerabilities.
• Status: Patched

Page 15: Case-1: CoDeSys - RECON

• Listening PORT

Page 16: Case-1: CoDeSys - Debug

• Breakpoint on recv()
• Send junk bytes
• Breakpoint (access) on recv's 'buf' parameter

Page 17: Case-1: CoDeSys - Debug

• Comparing

Page 18: Case-1: CoDeSys – Switch Cases / Opcodes

• After we pass the comparison

Page 19: Case-1: CoDeSys – Switch Cases

• Let's find the bugs

Page 20: Case-1: CoDeSys – Delete File

• Opcode: 13

Page 21: Case-1: CoDeSys – Upload File

• Opcode: 6

Page 22: Case-1: Recommendation

• Actually, the file remove / upload "bugs" are a "feature" of this application ☺
• But there is no authentication for these operations. Somebody can reverse the packet structure and use these features for evil!
• To solve this kind of bug, developers should add an "authentication" step before executing opcodes.
• Patched in 2013
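One way to put that authentication step in front of the opcode switch, shown here as an added example that is neither the slides' code nor any vendor's: the opcode numbers 6 (upload file) and 13 (delete file) come from the slides, while the one-byte opcode framing, the login opcode 1, the token string and the session struct are constructed for the example. handle_packet_unchecked() has the shape the slides describe (bytes from recv() straight into the switch); handle_packet() gates every privileged opcode on session state, keyed on what the opcode does rather than on its number.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Opcodes: 6 and 13 are the CoDeSys Gateway values from the slides;
 * OP_LOGIN = 1 is an assumption made for this example. */
enum { OP_LOGIN = 1, OP_UPLOAD_FILE = 6, OP_DELETE_FILE = 13 };
enum { RC_OK = 0, RC_NEED_AUTH = -1, RC_BAD_OPCODE = -2, RC_SHORT = -3 };

/* Per-connection state. The counters stand in for the real file side effects. */
typedef struct {
    int authenticated;
    int uploads;
    int deletes;
} session_t;

/* Constructed credential; a real gateway would check against a credential store. */
static const char EXPECTED_TOKEN[] = "correct-horse";

/* Length-independent comparison so a wrong token does not leak its prefix via timing. */
static int token_matches(const uint8_t *tok, size_t len) {
    size_t want = strlen(EXPECTED_TOKEN);
    if (len != want) return 0;
    unsigned diff = 0;
    for (size_t i = 0; i < want; i++) diff |= tok[i] ^ (uint8_t)EXPECTED_TOKEN[i];
    return diff == 0;
}

/* Which opcodes may run before login? Default deny: only OP_LOGIN itself. */
static int opcode_requires_auth(uint8_t op) { return op != OP_LOGIN; }

/* The opcode switch. Packet layout (constructed): pkt[0] = opcode, pkt[1..] = body. */
static int execute_opcode(session_t *s, const uint8_t *pkt, size_t len) {
    switch (pkt[0]) {
    case OP_LOGIN:
        if (!token_matches(pkt + 1, len - 1)) return RC_NEED_AUTH;
        s->authenticated = 1;
        return RC_OK;
    case OP_UPLOAD_FILE: s->uploads++; return RC_OK;   /* would write a file here */
    case OP_DELETE_FILE: s->deletes++; return RC_OK;   /* would unlink a file here */
    default: return RC_BAD_OPCODE;
    }
}

/* Vulnerable shape from the slides: bytes from recv() go straight to the switch,
 * so any peer that knows the opcode can delete or upload files. */
int handle_packet_unchecked(session_t *s, const uint8_t *pkt, size_t len) {
    if (len < 1) return RC_SHORT;
    return execute_opcode(s, pkt, len);
}

/* Hardened shape: one gate before the switch. Because the gate asks "does this
 * opcode need a session?" rather than "is this opcode 13?", renumbering the
 * opcodes in a later release neither helps nor hurts. */
int handle_packet(session_t *s, const uint8_t *pkt, size_t len) {
    if (len < 1) return RC_SHORT;
    if (opcode_requires_auth(pkt[0]) && !s->authenticated) return RC_NEED_AUTH;
    return execute_opcode(s, pkt, len);
}

int main(void) {
    const uint8_t delete_req[] = { OP_DELETE_FILE };   /* constructed packet */
    session_t a = {0, 0, 0}, b = {0, 0, 0};
    int rc_a = handle_packet_unchecked(&a, delete_req, sizeof delete_req);
    printf("unchecked: rc=%d deletes=%d\n", rc_a, a.deletes);
    int rc_b = handle_packet(&b, delete_req, sizeof delete_req);
    printf("gated:     rc=%d deletes=%d\n", rc_b, b.deletes);
    return 0;
}
```

The point of opcode_requires_auth() is that the privilege decision lives in one place and defaults to deny; adding a new privileged opcode later cannot accidentally bypass the gate.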

Page 23: An Interesting Story: Progea MOVICON Vulnerability – still 0day

"When a patch doesn't patch anything!"

• 23 Nov 2013: I discovered some vulnerabilities in the latest version of Progea MOVICON HMI software
• 24 Nov 2013: We published a short analysis on Pastebin
• 3 Dec 2013: ICS-CERT contacted us about the post on Pastebin. They asked for details, we sent information etc.

Page 24: An Interesting Story: Progea MOVICON Vulnerability – 0day

• 5 Dec 2013:
• from ICS-CERT to me;

Page 25: An Interesting Story: Progea MOVICON Vulnerability – 0day

• THEY SAY: The bugs you discovered are SIMILAR to a bunch of OLDER BUGS, PATCHED IN 2011.
• ICSA-11-056;
• My findings look exactly the same!!!! But I am able to reproduce them on the latest version!!

Page 26: An Interesting Story: Progea MOVICON Vulnerability – 0day

• These bugs are similar to the bugs that we analyzed in Case-1: CoDeSys
• There is NO authentication to call some functions/operations in the software. Somebody can reverse the packet structure and use these features for evil!
• After a conversation with Code Blue staff, we have decided to mask some details of this zero-day vulnerability.

Page 27: An Interesting Story: Progea MOVICON Vulnerability – 0day

Page 28: An Interesting Story: Progea MOVICON Vulnerability – 0day

• Remote Information Disclosure: opcode [-censored-]

Page 29: An Interesting Story: Progea MOVICON Vulnerability – 0day

• Opcode [-censored-] calls the GetVersionExA API and sends the output to the client

Page 30: An Interesting Story: Progea MOVICON Vulnerability – 0day

• Here is a simple PoC for this bug;

Page 31: An Interesting Story: Progea MOVICON Vulnerability – 0day

• When we run it and call opcode [-censored-]:
• The 6th byte in the printed data is "dwMajorVersion", which is a return value of GetVersionExA and gives information about the OS.
• Status: PATCHED(!) in 2011, but we are able to exploit it in 2014!

Page 32: An Interesting Story: Progea MOVICON Vulnerability – 0day

• So what is the problem? Why are old bugs still there!?
• After comparing the older version and the latest version, I understood that actually the vendor didn't patch anything.
• Instead of fixing vulnerabilities, they just changed the "opcodes" of the functions in the new version!
• Older version: Opcode 7 causes an info disclosure vulnerability by calling the GetVersionEx API
• New version: They just changed opcode "7" to "X" for calling the GetVersionEx API

Page 33: PROGEA, your fail is unbelievable!

Page 34: Temporary solution

• Block remote connections to TCP:10651
• If you contact me personally, I can share vulnerability signatures that you can use in your IDS/IPS (Snort etc.)

Page 35: Case-3: CoDeSys WebVisu

• CoDeSys WebVisu uses a webserver which is usually open to the Internet for visualization of the PLC
• Discovered by me
• Status: Patched

Page 36: Case-3: CoDeSys Vulnerability

• Buffer overflow vulnerability when parsing long HTTP requests due to an unsafe function.
• It uses "vsprintf" to print which file is requested.
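The unsafe-function pattern the slide names, shown as an added example (not CoDeSys code): a fixed-size log line is formatted with vsprintf, which has no idea how large the destination is, next to the bounded vsnprintf form that reports truncation instead of overrunning the buffer. The 64-byte buffer, the "GET %s" format and the request paths are constructed for the example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 64   /* constructed buffer size for the example */

/* Vulnerable shape described on the slide: vsprintf writes as many bytes as
 * the format produces. A request path longer than the destination overruns
 * it (stack or heap, depending on where buf lives). It is here to show the
 * shape; only ever call it with input already known to fit. */
void format_request_unsafe(char *buf, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsprintf(buf, fmt, ap);            /* no bound on the destination */
    va_end(ap);
}

/* Hardened shape: vsnprintf never writes more than bufsz bytes (including the
 * terminating NUL) and returns how many it wanted to write, so truncation is
 * detectable. Returns 0 when the line fit, -1 when it was truncated or on error. */
int format_request_safe(char *buf, size_t bufsz, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int wanted = vsnprintf(buf, bufsz, fmt, ap);
    va_end(ap);
    if (wanted < 0) {                  /* encoding error: leave a sane empty string */
        if (bufsz) buf[0] = '\0';
        return -1;
    }
    return (size_t)wanted < bufsz ? 0 : -1;
}

/* Policy helper: does the requested path fit the log line intact? A server
 * would reject the request (HTTP 414 or close) rather than log a truncated path. */
int request_path_fits(const char *path) {
    char line[LOG_LINE_MAX];
    return format_request_safe(line, sizeof line, "GET %s", path) == 0;
}

int main(void) {
    char line[LOG_LINE_MAX];
    char longpath[200];
    memset(longpath, 'A', sizeof longpath - 1);   /* constructed over-long request path */
    longpath[sizeof longpath - 1] = '\0';

    format_request_unsafe(line, "GET %s", "/index.htm");   /* short input: fits */
    printf("%s\n", line);
    /* format_request_unsafe(line, "GET %s", longpath) would overrun `line`. */
    int rc = format_request_safe(line, sizeof line, "GET %s", longpath);
    printf("bounded: rc=%d, stored %zu of %zu bytes\n",
           rc, strlen(line), strlen(longpath) + 4);
    return 0;
}
```

The return-value check matters as much as the bounded call: a silently truncated path is still a bug (log forgery, wrong file served), so the safe variant turns truncation into an explicit error the caller has to handle.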

Page 37: Case-4: Schneider IGSS Vulnerability

• Gas Distribution in Europe
• Airport in Asia
• Traffic Control Center in Europe

Page 38: Case-4: Schneider IGSS Vulnerability

• Discovered by me
• Status: Patched
• IGSS listens on ports 12399 and 12397 at runtime
• A simple bunch of code causes a DoS

```perl
use IO::Socket;

# the two IGSS runtime ports
$host  = "localhost";
$port  = 12399;
$port2 = 12397;

# payloads sent to each port
$first  = "\x01\x01\x00\x00";
$second = "\x02\x01\x00\x00";
```

Page 39: Case-5: Schneider Electric Accutech Heap Overflow Vulnerability

Buffer overflow vulnerability when parsing long HTTP requests due to an unsafe function

Status: Patched

Page 40: Case-5: Schneider Electric Accutech Heap Overflow Vulnerability

Page 41: Case-5: Schneider Electric Accutech Heap Overflow Vulnerability

Page 42: Case-6: Pwning the Operator

Page 43: Case-6: Invensys Wonderware System Platform Vulnerability

• Discovered by me
• Status: Patched
• Killing five birds with one stone ☺

Page 44: Case-6: Invensys Wonderware System Platform Vulnerability

• An ActiveX Buffer Overflow vulnerability
• Just found by ActiveX fuzzing...
• Send the exploit URL to the HMI Operator
• Click and pwn!

Page 45: Case-7: InduSoft HMI Bugs

Page 46: Case-7: InduSoft HMI Bugs

• This is really creepy!
• This software doesn't even check any "magic" value of incoming packets. There is no custom packet structure!
• Sending 1 byte to TCP:4322 is enough to jump to a switch case
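As an added example (not InduSoft's code) of the check the slide says is missing: a receive path that refuses to reach the switch statement until the frame carries an expected magic value, a length field that agrees with what actually arrived, and a known opcode. The header layout (2-byte magic, 2-byte big-endian body length, 1-byte opcode), the magic bytes and the opcode count are all constructed for this example; the lone byte that the slide says reaches a switch case is the first thing this parser rejects.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed wire format: magic "SC" | body_len (2 bytes, big endian) | opcode | body */
#define FRAME_MAGIC_0  0x53   /* 'S' */
#define FRAME_MAGIC_1  0x43   /* 'C' */
#define FRAME_HDR_LEN  5
#define FRAME_BODY_MAX 1024   /* upper bound independent of what the peer claims */
#define OPCODE_COUNT   4      /* only opcodes 0..3 exist in this example */

enum {
    FRAME_OK = 0,
    FRAME_TOO_SHORT = -1,    /* the slide's single stray byte lands here */
    FRAME_BAD_MAGIC = -2,
    FRAME_BAD_LENGTH = -3,   /* declared length disagrees with bytes received */
    FRAME_BAD_OPCODE = -4
};

typedef struct {
    uint8_t opcode;
    const uint8_t *body;     /* points into the caller's buffer */
    size_t body_len;
} frame_t;

/* Validate one received buffer as a complete frame. Nothing is dispatched
 * until every check passes; on failure *out is untouched and the caller
 * should drop the connection rather than guess. */
int parse_frame(const uint8_t *buf, size_t len, frame_t *out) {
    if (len < FRAME_HDR_LEN) return FRAME_TOO_SHORT;
    if (buf[0] != FRAME_MAGIC_0 || buf[1] != FRAME_MAGIC_1) return FRAME_BAD_MAGIC;
    size_t declared = ((size_t)buf[2] << 8) | buf[3];
    if (declared > FRAME_BODY_MAX) return FRAME_BAD_LENGTH;
    if (declared != len - FRAME_HDR_LEN) return FRAME_BAD_LENGTH;
    if (buf[4] >= OPCODE_COUNT) return FRAME_BAD_OPCODE;
    out->opcode = buf[4];
    out->body = buf + FRAME_HDR_LEN;
    out->body_len = declared;
    return FRAME_OK;
}

/* Convenience wrapper: classify a buffer without needing a frame_t. */
int frame_status(const uint8_t *buf, size_t len) {
    frame_t f;
    return parse_frame(buf, len, &f);
}

int main(void) {
    /* Constructed inputs: one stray byte, a well-formed frame, and a frame
     * whose length field overstates the body (a classic over-read trigger). */
    const uint8_t stray[] = { 0x01 };
    const uint8_t good[]  = { 'S', 'C', 0x00, 0x03, 0x02, 'a', 'b', 'c' };
    const uint8_t lying[] = { 'S', 'C', 0x10, 0x00, 0x02, 'a' };
    printf("stray byte: %d\n", frame_status(stray, sizeof stray));
    printf("good frame: %d\n", frame_status(good, sizeof good));
    printf("bad length: %d\n", frame_status(lying, sizeof lying));
    return 0;
}
```

Checking the declared length against the bytes actually received (not just against an upper bound) is what stops a short packet from steering the switch, and the opcode range check keeps a jump table from being indexed out of bounds.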

Page 47: Case-7: InduSoft HMI Exploit ☺

Page 48: Finding Targets

• Banner Information: "3S_WebServer"
• Let's search it on SHODAN! ☺

Page 49: CoDeSys WebServer on SHODAN

Server's Banner: "3S_WebServer"
Shodan Results: 151

Page 50: Demo

• DEMO

Page 51: Conclusion

• Critical Infrastructures are juicy targets!
• Hacktivists are interested in SCADA hacking too, not only government intelligence agencies.
• Applications are insecure!

Page 52: Thank you!

• Contact: [email protected]
• Twitter: @celilunuver
• www.signalsec.com
• www.securityarchitect.org