Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi SCADA! [Rooted CON...

1Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

Tú a Boston Barcelona y yo a California Tejas

A patadas con mi SCADA!

Juan Vazquez & Julian Vilas


Presentation

Juan Vazquez (@_juan_vazquez_) from Austin (USA)– Exploit developer at Metasploit (Rapid7)

Julian Vilas (@julianvilas) from Barcelona (Spain)– Security analyst & researcher at Scytl

Bloggers of a non-too-much-regularly-updated blog – testpurposes.net


Motivation

After being working side by side during years, we decided to do something together! (Just when we’re 8.000 Km far)

What? Some SCADA research:– No intro to SCADA.– No compliance & regulation review.– No paperwork research about its security in

general.– Just (in-depth) analysis of a big SCADA product.

Why?...


Index

Introduction

Organization

Platform Discovery

Vulnerabilities & Exploitation

Post Exploitation

Last topic

Conclusions


Introduction

Yokogawa CENTUM CS 3000 R3“Yokogawa released CENTUM CS 3000 R3 in 1998 as the first Windows-based production control system under our brand. For over 10 years of continuous developments and enhancements, CENTUM CS 3000 R3 is equipped with functions to make it a matured system. With over 7600 systems sold worldwide, it is a field-proven system with 99.99999% of availability.”


Introduction

Why we selected this product?

First version achieved– R3.02 (September 2001)

Finally, thanks to Russian & Vietnamese forums (you rocks guys! ;P)– R3.08.50 (October 2007)


Introduction

Since here, strange things started to happen...


Introduction. Basic elements.

FCS

HIS

Field elements


Introduction. Topology.


Introduction

Doesn’t look familiar?


Organization. Problems

Distance & Timezones (GMT +1 vs GMT - 6)


Organization. Problems

SCADA Software– Closed Software– Documentation and Training– Deployment– Development

Think: Mozilla Firefox vs Yokogawa Centum CS3000


Organization. Solutions

Communications:– Google Hangout / Google Chat– Adium + OTR (mode paranoia /on)

Work & Collaboration Environment:– Upgrade ADSL line + VPN– Google Drive + Google Docs– Confluence + Team Calendars– VirtualBox– GIT– CollabREate


Organization. Solutions

Work methodology– SCRUM based (just a little)


Organization. Our Environment

What exactly do we have?

Software with capabilities for:– Operating & monitoring functions (HIS)– Engineering– FCS simulation & virtual testing

Tons of exe’s, dll’s, docs, installed on Windows XP SP2 (SP3 support was added on R3.08.70 (November 2008)) ← Yes, WTF!


Platform Discovery

Work with the product

Discover the components

Discover the Real Attack Surface!– Windows Services– Application Network Services– Application Local Services– Application client components (ActvX).


Platform Discovery

Example: Initial Installation


Platform Discovery

Example: Basic Demo Project Running (I) / Processes


Platform Discovery

Example: Basic Demo Project Running (II) / Network


Vulnerabilities. Documentation.

First fails were discovered during installation process– User created: “CENTUM”– Password: we’re sure you can guess it in your

first try ;)



– Program installed under “C:\CS3000”– Wait….



WTF?



WTF?



WTF?



WTF?


Vulnerabilities. Design.

Problems in typical SCADA protocols (like MODBUS) have been widely discussed

Things are not so different here, even in the application layers you can spot a set of protocols with a lack of authentication, integrity checks, etc.



Example: BKBCopyD.exe– Brief Description: Allows File Sharing,

similarities with FTP. No authentication


RETR command STOR command




Metasploit DEMO.– Using Auxiliary modules to download and

upload files.


Vulnerabilities. Implementation...

5 Vulnerabilities Found– Stack and Heap Based Buffer Overflows– In different binaries (applications and

protocols)

Disclosure– Rapid7 Vulnerability Disclosure Policy

• https://www.rapid7.com/disclosure.jsp

– Contact with Vendor (15 days)– Disclosure with CERT (45 days) (CERT and

JPCERT in our case)– Public Disclosure (60 days)

https://www.rapid7.com/disclosure.jsp

https://www.rapid7.com/disclosure.jsp


Vulnerabilities. Implementation.

Today we make public details and exploits for three vulnerabilities.

One disclosure has been delayed because the vendor asked.

Last one is still in the disclosure process explained.



Summary– Heap Buffer Overflow in

– Stack Buffer Overflow in

– It shouldn’t be readable

– Stack Buffer Overflow in

– It shouldn’t be readable



Heap overflow in



Buffer Overflow….



Buffer Overflow in….



How to find them? Semi Guided Dumb Fuzzing

1) Basic understanding of the Protocol– Network Captures– Reverse Engineering

2) Fuzz

3) Profit


Exploitation

Supported Operating Systems


Exploitation

Lack of Compilation Time Protections (stack cookies)

Lack of Linking Time Protections (SAFESeh)


Exploitation

DEMO: Metasploit vs Yokogawa CENTUM CS3000– Exploits already landed in Metasploit.– Free shells! we love shells! – Check your installations! (more about that

later…)


Post Exploitation

We got shells… now what?


Post Exploitation

We should have access to systems with highly valuable data, get it!

Steal data in SCADA environments :?– Meterpreter is a powerful payload!!– OJ (TheColonial) is doing an awesome work

with it!– You definitely should read:

• http://buffered.io/posts/3-months-of-meterpreter/

http://buffered.io/posts/3-months-of-meterpreter/


Post Exploitation

The recent OJ’s work includes Window Integration:

“The goal here was to make it possible to enumerate all the windows on the current desktop to give you a clearer view of what the user is running, and to perhaps allow for interaction with those Windows later via Railgun”

We have used it to enumerate interesting windows, maximize and screenshot them!


Post Exploitation

We should have access to systems with the power… to move things… move them!

Spend few hours reading documentation– Wasn’t funny :(

Found utilities where design the operation & monitoring graphics


Post Exploitation


Post Exploitation

Started playing with it


Post Exploitation

We realized we were totally lost

Who said 8 == D ?


Post Exploitation

OK, goto fail… mmm… no, go back to read more doc we mean ;)

Some hours later, we knew a few more things…


Post Exploitation

Process Variable (PV)

Set Point Variable (SV)

Manipulated Variable (MV)


Post Exploitation


Post Exploitation

It means:– FCS gets PVs from I/O modules– FCS knows the SV value, and therefore if it

should do any correction operation (MV) to I/O modules

From the point of view of operating & monitoring– HIS gets PVs from FCS– HIS can set SVs to FCS– HIS can get MVs from FCS


Post Exploitation

Our hello world: a loop between PV and MV


Post Exploitation

How does it look?


Post Exploitation

Code Injection to allow tampering of communications between HIS and FCS

What to tamper?– SV

Where?– BKFSim_vhfd.exe

How?– Uses ws2_32.dll and its API for TCP sockets.


Post Exploitation

How?– File System: Just drop a trojanized DLL– Memory:

• IAT hijack?• Detours Hooks?

…

Metasploit Friendly :?:?


Post Exploitation

Reflective DLL Injection!– Stephen Fewer

Integrated Into Metasploit / Meterpreter– https://github.com/stephenfewer/ReflectiveDLLI

njection

https://github.com/stephenfewer/ReflectiveDLLInjection

https://github.com/stephenfewer/ReflectiveDLLInjection


Post Exploitation

Metasploit & Reflective DLL Injection– Meterpreter & Extensions Loading

– Payload stage• payload/windows/stage/dllinject

– Local Kernel Exploits• Example: CVE-2013-3660 (pprFlattenRec)

– Post Exploitation• post/windows/manage/reflective_dll_inject


Post Exploitation

DEMO– Windows Screenshots with Metasploit– Reflective DLL injection: Tamper

communications for manipulating the control processes!


Last topic

OK, the system is…

…but, it isn’t so important because these systems live in isolated environments, right?...


Last topic

Shit! Let’s see again Yokogawa docs…


Last topic


Last topic

Let’s see if we can find something out there…UDP Services TCP Services

BKESysView 1057/UDPBKERDBFlagSet 1059/UDPBKHBos 1062/UDPBKHOdeq 1064/UDPBKHMsMngr 1065/UDPBKHExtRecorder 1069/UDPBKHClose 1070/UDPBKHlongTerm 1071/UDPBKHSched 1072/UDPBKBBDFH 1074/UDPBKBRECP 1075/UDPBKHOpmp 1076/UDPBKHPanel 1077-1082/UDPBKHSysMsgWnd 1083/UDPBKETestFunc 1084/UDPBKFOrca 1085/UDP

BKHOdeq 20109/TCPBKFSim_vhfd.exe 20110/TCPBKBCopyD 20111/TCPBKBBDFH 20153/TCPBKHOdeq 20171/TCPBKBBDFH 20174/TCPBKHlongTerm 20183/TCP


Last topic

In addition we’ve a bunch of vulnerabilities which worths to detect– Metasploit isn’t a Vulnerability Scanner but...

...because some probes/checks in exploits are really good.Writing good probes isn’t easy indeed!


Last topic

With all this knowledge… wouldn’t be awesome to know if all this research matters?

#ScanAllTheThings


#ScanAllTheThings

Rapid7 - Project Sonar– ZMAP– Metasploit

Thanks to Rapid7 for helping us to #ScanAllTheThings– Specially to Tas Giakouminakis and Mark

Schloesser– Don’t lose the opportunity to attend BHUSA

2014!


#ScanAllTheThings

Problems when #ScanAllTheThings:– Internet is huge!

– We’ve just scanned for two vulnerable TCP services

– False positives

– Laws / Attorneys


#ScanAllTheThings

Methodology:– TCP Scan the Internet with ZMAP: 1,301,154

suspicious addresses

– Eliminate false positives (blacklists, plus tests to discover addresses answering open to all): 56,911 suspicious addresses

– Use metasploit-framework to scan with the safe probes


#ScanAllTheThings

Results:– 2 important universities around the world, conducting

important research projects with Yokogawa, are exposing CENTUM CS 3000 projects to the world


Conclusions

Goals

Difficulties

Final conclusions

Date post:	18-Nov-2014
Category:	Technology
Upload:	rootedcon
View:	638 times
Download:	4 times

Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi SCADA! [Rooted CON...

Technology