Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi SCADA! (You to Barcelona and me to Texas, kicking my SCADA around!) [Rooted CON 2014]
Slide 1
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Tú a Barcelona y yo a Tejas (You to Barcelona and me to Texas; on the slide "Boston" and "California" are struck through and replaced, the original phrase "Tú a Boston y yo a California" being the Spanish title of The Parent Trap)
A patadas con mi SCADA! (Kicking my SCADA around!)
Juan Vazquez & Julian Vilas
Slide 2
Presentation
Juan Vazquez (@_juan_vazquez_) from Austin (USA)
– Exploit developer at Metasploit (Rapid7)
Julian Vilas (@julianvilas) from Barcelona (Spain)
– Security analyst & researcher at Scytl
Bloggers at a not-too-regularly-updated blog
– testpurposes.net
Slide 3
Motivation
After years of working side by side, we decided to do something together! (Just when we're 8,000 km apart)
What? Some SCADA research:
– No intro to SCADA.
– No compliance & regulation review.
– No desk research on its security in general.
– Just (in-depth) analysis of a big SCADA product.
Why?...
Slide 4
Index
Introduction
Organization
Platform Discovery
Vulnerabilities & Exploitation
Post Exploitation
Last topic
Conclusions
Slide 5
Introduction
Yokogawa CENTUM CS 3000 R3
“Yokogawa released CENTUM CS 3000 R3 in 1998 as the first Windows-based
production control system under our brand. For over 10 years of continuous
developments and enhancements, CENTUM CS 3000 R3 is equipped with functions
to make it a matured system. With over 7600 systems sold worldwide, it is a
field-proven system with 99.99999% of availability.”
Slide 6
Introduction
Why did we select this product?
First version obtained
– R3.02 (September 2001)
Finally, thanks to Russian & Vietnamese forums (you rock, guys! ;P)
– R3.08.50 (October 2007)
Slide 7
Introduction
From here on, strange things started to happen...
Slide 8
Introduction. Basic elements.
FCS (Field Control Station)
HIS (Human Interface Station)
Field elements
Slide 10
Introduction
Doesn't it look familiar?
Slide 11
Organization. Problems
Distance & time zones (GMT+1 vs GMT-6)
Slide 12
Organization. Problems
SCADA software
– Closed software
– Documentation and training
– Deployment
– Development
Think: Mozilla Firefox vs Yokogawa CENTUM CS3000
Slide 13
Organization. Solutions
Communications:
– Google Hangout / Google Chat
– Adium + OTR (paranoia mode /on)
Work & collaboration environment:
– Upgrade ADSL line + VPN
– Google Drive + Google Docs
– Confluence + Team Calendars
– VirtualBox
– Git
– CollabREate
Slide 14
Organization. Solutions
Work methodology
– Scrum-based (just a little)
Slide 15
Organization. Our Environment
What exactly do we have?
Software with capabilities for:
– Operating & monitoring functions (HIS)
– Engineering
– FCS simulation & virtual testing
Tons of EXEs, DLLs and docs, installed on Windows XP SP2 (SP3 support was added in R3.08.70 (November 2008)) ← Yes, WTF!
Slide 16
Platform Discovery
Work with the product
Discover the components
Discover the real attack surface!
– Windows services
– Application network services
– Application local services
– Application client components (ActiveX).
Slide 17
Platform Discovery
Example: Initial Installation
Slide 18
Platform Discovery
Example: Basic Demo Project Running (I) / Processes
Slide 19
Platform Discovery
Example: Basic Demo Project Running (II) / Network
Slide 20
Vulnerabilities. Documentation.
The first failures were discovered during the installation process
– User created: “CENTUM”
– Password: we're sure you can guess it on your first try ;)
Slide 21
Vulnerabilities. Documentation.
– Program installed under “C:\CS3000”
– Wait….
Slide 22
Vulnerabilities. Documentation.
WTF?
Slide 23
Vulnerabilities. Documentation.
WTF?
Slide 24
Vulnerabilities. Documentation.
WTF?
Slide 25
Vulnerabilities. Documentation.
WTF?
Slide 26
Vulnerabilities. Design.
Problems in typical SCADA protocols (like Modbus) have been widely discussed.
Things are not so different here: even in the application layers you can spot a set of protocols lacking authentication, integrity checks, etc.
Slide 27
Vulnerabilities. Design.
Example: BKBCopyD.exe
– Brief description: allows file sharing, with similarities to FTP. No authentication.
Slide 28
Vulnerabilities. Design.
RETR command / STOR command
Slide 29
Vulnerabilities. Design.
Metasploit DEMO.
– Using auxiliary modules to download and upload files.
Slide 30
Vulnerabilities. Implementation...
5 vulnerabilities found
– Stack- and heap-based buffer overflows
– In different binaries (applications and protocols)
Disclosure
– Rapid7 Vulnerability Disclosure Policy
• https://www.rapid7.com/disclosure.jsp
– Contact with vendor (15 days)
– Disclosure with CERT (45 days) (CERT and JPCERT in our case)
– Public disclosure (60 days)
Slide 31
Vulnerabilities. Implementation.
Today we make public details and exploits for three vulnerabilities.
One disclosure has been delayed at the vendor's request.
The last one is still in the disclosure process described above.
Slide 32
Vulnerabilities. Implementation.
Summary
– Heap Buffer Overflow in
– Stack Buffer Overflow in
– It shouldn’t be readable
– Stack Buffer Overflow in
– It shouldn’t be readable
Slide 33
Vulnerabilities. Implementation.
Heap overflow in
Slide 34
Vulnerabilities. Implementation.
Buffer Overflow….
Slide 35
Vulnerabilities. Implementation.
Buffer Overflow in….
Slide 36
Vulnerabilities. Implementation.
How to find them? Semi-guided dumb fuzzing
1) Basic understanding of the protocol
– Network captures
– Reverse engineering
2) Fuzz
3) Profit
Slide 37
Exploitation
Supported Operating Systems
Slide 38
Exploitation
Lack of compile-time protections (stack cookies)
Lack of link-time protections (SafeSEH)
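Both missing protections named on this slide can be checked from a binary's PE headers before anyone has to write an exploit: the Load Config directory carries the /GS SecurityCookie pointer and the SafeSEH handler table, and DllCharacteristics carries the DEP and ASLR flags. The Ruby checker below is an added example written for this page, not code from the talk, from Metasploit or from Yokogawa. It follows the published PE32 header layout; the build_synthetic_pe helper constructs a minimal fake image purely so the checker can run offline, and a real audit would instead pass it the bytes of an installed CENTUM EXE or DLL.

```ruby
# Added example: header-only audit of a PE32 image for the mitigations the
# slide says are missing (stack cookies, SafeSEH), plus DEP/ASLR flags.
#   * /GS cookies: Load Config directory, SecurityCookie field non-zero
#   * SafeSEH:     Load Config directory, SEHandlerTable set and SEHandlerCount > 0,
#                  or the image flagged IMAGE_DLLCHARACTERISTICS_NO_SEH
# PE32 (32-bit) only, which is what Windows XP era binaries are.

NX_COMPAT    = 0x0100   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP)
DYNAMIC_BASE = 0x0040   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR)
NO_SEH       = 0x0400   # IMAGE_DLLCHARACTERISTICS_NO_SEH

def parse_sections(data, table_off, count)
  Array.new(count) do |i|
    h = data[table_off + i * 40, 40]
    vsize, va, rawsize, raw = h[8, 16].unpack("V4")
    { va: va, vsize: vsize, rawsize: rawsize, raw: raw }
  end
end

def rva_to_offset(sections, rva)
  s = sections.find { |h| rva >= h[:va] && rva < h[:va] + [h[:vsize], h[:rawsize]].max }
  s && (rva - s[:va] + s[:raw])
end

def check_pe_protections(data)
  data = data.b
  raise ArgumentError, "not an MZ image" unless data[0, 2] == "MZ"
  pe = data[0x3c, 4].unpack1("V")
  raise ArgumentError, "bad PE signature" unless data[pe, 4] == "PE\0\0"
  nsect    = data[pe + 6, 2].unpack1("v")
  opt_size = data[pe + 20, 2].unpack1("v")
  opt      = pe + 24                              # optional header follows the 20-byte COFF header
  raise ArgumentError, "PE32 images only" unless data[opt, 2].unpack1("v") == 0x10b
  dll_chars = data[opt + 70, 2].unpack1("v")
  ndirs     = data[opt + 92, 4].unpack1("V")
  lc_rva, lc_size = ndirs > 10 ? data[opt + 96 + 10 * 8, 8].unpack("V2") : [0, 0]
  sections  = parse_sections(data, opt + opt_size, nsect)

  result = {
    stack_cookie: false,
    safeseh:      (dll_chars & NO_SEH) != 0,
    nx_compat:    (dll_chars & NX_COMPAT) != 0,
    aslr:         (dll_chars & DYNAMIC_BASE) != 0,
  }
  if lc_rva != 0 && lc_size >= 72 && (off = rva_to_offset(sections, lc_rva))
    cookie, seh_table, seh_count = data[off + 60, 12].unpack("V3")   # SecurityCookie, SEHandlerTable, SEHandlerCount
    result[:stack_cookie] = cookie != 0
    result[:safeseh] ||= seh_table != 0 && seh_count > 0
  end
  result
end

# Constructed input: a minimal synthetic PE32 (not a runnable executable) whose
# single section holds a Load Config directory with the requested field values.
def build_synthetic_pe(security_cookie:, seh_table:, seh_count:, dll_chars: 0)
  dos  = "MZ".b + ("\0" * 58).b + [64].pack("V")             # e_lfanew = 64
  coff = [0x14c, 1, 0, 0, 0, 224, 0x0102].pack("vvVVVvv")     # i386, 1 section, PE32 optional header size
  opt  = ("\0" * 224).b
  opt[0, 2]   = [0x10b].pack("v")                              # PE32 magic
  opt[70, 2]  = [dll_chars].pack("v")
  opt[92, 4]  = [16].pack("V")                                 # NumberOfRvaAndSizes
  opt[176, 8] = [0x1000, 72].pack("V2")                        # Load Config data directory (index 10)
  sect = ".rdata".ljust(8, "\0").b + [72, 0x1000, 0x200, 0x200].pack("V4") + ("\0" * 24).b
  load_config = ([72, 0, 0, 0] + [0] * 10 + [0, 0, 0, security_cookie, seh_table, seh_count]).pack("V2v2V10v2V4")
  (dos + "PE\0\0".b + coff + opt + sect).ljust(0x200, "\0") + load_config.ljust(0x200, "\0")
end

if __FILE__ == $0
  legacy   = build_synthetic_pe(security_cookie: 0, seh_table: 0, seh_count: 0)
  hardened = build_synthetic_pe(security_cookie: 0x00402000, seh_table: 0x00403000, seh_count: 3,
                                dll_chars: NX_COMPAT | DYNAMIC_BASE)
  p check_pe_protections(legacy)     # every flag false, like the binaries on this slide
  p check_pe_protections(hardened)
end
```

Run it over every EXE and DLL under the install directory (`check_pe_protections(File.binread(path))`) and treat any `stack_cookie: false` or `safeseh: false` as a binary where a stack overflow needs no mitigation bypass at all. The check is header-only: an image built with /GS but lacking a Load Config entry is reported as unprotected, which is the conservative answer.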
Slide 39
Exploitation
DEMO: Metasploit vs Yokogawa CENTUM CS3000
– Exploits already landed in Metasploit.
– Free shells! We love shells!
– Check your installations! (more about that later…)
Slide 40
Post Exploitation
We got shells… now what?
Slide 41
Post Exploitation
We should have access to systems with highly valuable data, so get it!
Stealing data in SCADA environments :?
– Meterpreter is a powerful payload!!
– OJ (TheColonial) is doing awesome work with it!
– You definitely should read:
• http://buffered.io/posts/3-months-of-meterpreter/
Slide 42
Post Exploitation
OJ's recent work includes Windows integration:
“The goal here was to make it possible to enumerate all the windows on the current
desktop to give you a clearer view of what the user is running, and to perhaps allow
for interaction with those Windows later via Railgun”
We have used it to enumerate interesting windows, maximize and screenshot them!
Slide 43
Post Exploitation
We should have access to systems with the power… to move things… so move them!
Spent a few hours reading documentation
– Wasn't fun :(
Found the utilities used to design the operation & monitoring graphics
Slide 45
Post Exploitation
Started playing with it
Slide 46
Post Exploitation
We realized we were totally lost
Who said 8 == D ?
Slide 47
Post Exploitation
OK, goto fail… mmm… no, go back and read more docs, we mean ;)
Some hours later, we knew a few more things…
Slide 48
Post Exploitation
Process Variable (PV)
Set Point Variable (SV)
Manipulated Variable (MV)
Slide 50
Post Exploitation
It means:
– FCS gets PVs from I/O modules
– FCS knows the SV value, and therefore whether it should apply any correcting action (MV) to the I/O modules
From the point of view of operating & monitoring:
– HIS gets PVs from FCS
– HIS can set SVs on FCS
– HIS can get MVs from FCS
Slide 51
Post Exploitation
Our hello world: a loop between PV and MV
Slide 52
Post Exploitation
How does it look?
Slide 53
Post Exploitation
Code injection to allow tampering with communications between HIS and FCS
What to tamper?
– SV
Where?
– BKFSim_vhfd.exe
How?
– Uses ws2_32.dll and its API for TCP sockets.
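To make the PV/SV/MV relationship of the previous slides concrete, and to show where a defender would catch the SV tampering just described, here is a toy FCS model in Ruby. It is an added example, not Yokogawa's code and not the talk's injected DLL: the PI control law, the first-order process, the class and station names (Fcs, HIS01) and the limits placed on setpoint writes are all assumptions chosen for illustration.

```ruby
# Added example: a toy model of one control loop. The HIS writes SV, the FCS
# reads PV from I/O each scan and computes MV. The FCS-side set_sv guard is the
# point: a hard SV range and a maximum change per write mean a tampered SV that
# jumps far outside normal operation is rejected and logged rather than
# silently driving the actuator.
class Fcs
  attr_reader :pv, :sv, :mv, :audit

  # Assumed gains, limits and process: not Yokogawa values.
  def initialize(sv:, kp: 2.0, ki: 0.5, sv_range: 0.0..100.0, max_sv_step: 10.0)
    @sv, @kp, @ki = sv.to_f, kp, ki
    @sv_range, @max_sv_step = sv_range, max_sv_step
    @pv = 0.0          # process variable, last value read from I/O
    @mv = 0.0          # manipulated variable, 0..100 % output to the actuator
    @integral = 0.0
    @audit = []        # what an operator console or SIEM would see
  end

  # HIS writes a new setpoint. Returns true when accepted, false when rejected.
  def set_sv(value, source:)
    value = value.to_f
    reason =
      if !@sv_range.cover?(value)
        "outside allowed range #{@sv_range}"
      elsif (value - @sv).abs > @max_sv_step
        "step of #{(value - @sv).abs.round(1)} exceeds limit #{@max_sv_step}"
      end
    if reason
      @audit << "REJECT SV=#{value} from #{source}: #{reason}"
      return false
    end
    @audit << "ACCEPT SV=#{value} from #{source} (was #{@sv})"
    @sv = value
    true
  end

  # One FCS scan: read PV, compute MV with a PI law, clamp to actuator limits.
  def scan(pv)
    @pv = pv.to_f
    error = @sv - @pv
    @integral += error
    @mv = (@kp * error + @ki * @integral).clamp(0.0, 100.0)
  end
end

# Toy first-order process (assumed): each cycle PV moves 20 % of the way
# toward the level the current MV would sustain. Returns the final PV.
def simulate(fcs, cycles:, pv: 0.0)
  cycles.times do
    mv = fcs.scan(pv)
    pv += 0.2 * (mv - pv)
  end
  pv
end

if __FILE__ == $0
  fcs = Fcs.new(sv: 50.0)
  puts "PV after 100 scans: #{simulate(fcs, cycles: 100).round(2)} (SV #{fcs.sv})"
  fcs.set_sv(55, source: "HIS01")    # normal operator move: accepted
  fcs.set_sv(95, source: "HIS01")    # looks like a tampered write: rejected
  fcs.set_sv(-5, source: "HIS01")    # out of range: rejected
  puts fcs.audit
end
```

The FCS, not the HIS, is the last line of defence for a setpoint: once the HIS side is compromised the way the talk shows, only checks enforced on the controller and the records they produce are still trustworthy. Real DCS function blocks normally expose setpoint high/low limits and rate-of-change limits as engineering parameters; whether they are actually configured on a given project is worth checking, and their reject events are worth forwarding to monitoring.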
Slide 54
Post Exploitation
How?
– File system: just drop a trojanized DLL
– Memory:
• IAT hijack?
• Detours hooks?
…
Metasploit friendly :?:?
Slide 55
Post Exploitation
Reflective DLL Injection!
– Stephen Fewer
Integrated into Metasploit / Meterpreter
– https://github.com/stephenfewer/ReflectiveDLLInjection
Slide 56
Post Exploitation
Metasploit & Reflective DLL Injection
– Meterpreter & Extensions Loading
– Payload stage
• payload/windows/stage/dllinject
– Local Kernel Exploits
• Example: CVE-2013-3660 (pprFlattenRec)
– Post Exploitation
• post/windows/manage/reflective_dll_inject
Slide 57
Post Exploitation
DEMO
– Windows screenshots with Metasploit
– Reflective DLL injection: tamper with communications to manipulate the control processes!
Slide 58
Last topic
OK, the system is…
…but it isn't so important, because these systems live in isolated environments, right?...
Slide 59
Last topic
Shit! Let's look at the Yokogawa docs again…
Slide 61
Last topic
Let's see if we can find something out there…
UDP services:
BKESysView 1057/UDP
BKERDBFlagSet 1059/UDP
BKHBos 1062/UDP
BKHOdeq 1064/UDP
BKHMsMngr 1065/UDP
BKHExtRecorder 1069/UDP
BKHClose 1070/UDP
BKHlongTerm 1071/UDP
BKHSched 1072/UDP
BKBBDFH 1074/UDP
BKBRECP 1075/UDP
BKHOpmp 1076/UDP
BKHPanel 1077-1082/UDP
BKHSysMsgWnd 1083/UDP
BKETestFunc 1084/UDP
BKFOrca 1085/UDP
TCP services:
BKHOdeq 20109/TCP
BKFSim_vhfd.exe 20110/TCP
BKBCopyD 20111/TCP
BKBBDFH 20153/TCP
BKHOdeq 20171/TCP
BKBBDFH 20174/TCP
BKHlongTerm 20183/TCP
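The table above is also a ready-made allow-list for defenders: these services do not authenticate their peers, so any reachability from outside the control network is a finding, and BKBCopyD (20111/TCP, the unauthenticated file-sharing service from the design section) is the one to rate highest. The Ruby below is an added example, not part of the talk or of Metasploit: it loads the table as data, maps `netstat -an` style listener lines to service names, and flags flows that reach a CENTUM port from outside a control-network range. The netstat lines, flow records, addresses and the 10.10.1.0/24 range are constructed for the example.

```ruby
# Added example: the slide's service/port table as an allow-list check.
#   * centum_listeners:  which CENTUM services a host is actually running
#                        (from `netstat -an` output), and whether they are
#                        bound to every interface
#   * audit_connections: flows that reach a CENTUM port from outside the
#                        control network (from constructed firewall records)
require "ipaddr"

CENTUM_UDP = {
  1057 => "BKESysView", 1059 => "BKERDBFlagSet", 1062 => "BKHBos", 1064 => "BKHOdeq",
  1065 => "BKHMsMngr", 1069 => "BKHExtRecorder", 1070 => "BKHClose", 1071 => "BKHlongTerm",
  1072 => "BKHSched", 1074 => "BKBBDFH", 1075 => "BKBRECP", 1076 => "BKHOpmp",
  1083 => "BKHSysMsgWnd", 1084 => "BKETestFunc", 1085 => "BKFOrca",
}.merge((1077..1082).to_h { |port| [port, "BKHPanel"] }).freeze

CENTUM_TCP = {
  20109 => "BKHOdeq", 20110 => "BKFSim_vhfd", 20111 => "BKBCopyD", 20153 => "BKBBDFH",
  20171 => "BKHOdeq", 20174 => "BKBBDFH", 20183 => "BKHlongTerm",
}.freeze

CENTUM_SERVICES = { tcp: CENTUM_TCP, udp: CENTUM_UDP }.freeze

# Unauthenticated file read/write: external reach of this one is critical.
CRITICAL = %w[BKBCopyD].freeze

def lookup_service(proto, port)
  CENTUM_SERVICES.fetch(proto.to_s.downcase.to_sym, {})[port.to_i]
end

# Windows `netstat -an` lines, e.g. "  TCP    0.0.0.0:20111   0.0.0.0:0   LISTENING"
def centum_listeners(netstat_lines)
  netstat_lines.filter_map do |line|
    proto, local, _remote, state = line.split
    next unless %w[TCP UDP].include?(proto)
    next if proto == "TCP" && state != "LISTENING"
    bind, port = local.rpartition(":").values_at(0, 2)
    service = lookup_service(proto, port) or next
    { proto: proto, port: port.to_i, service: service, bind: bind,
      all_interfaces: bind == "0.0.0.0" }
  end
end

# Constructed firewall record format: "<ts> proto=TCP src=A dst=B dport=N"
def audit_connections(records, control_net:)
  net = IPAddr.new(control_net)
  records.filter_map do |rec|
    f = rec.split.grep(/=/).to_h { |kv| kv.split("=", 2) }
    service = lookup_service(f["proto"], f["dport"]) or next
    next if net.include?(IPAddr.new(f["src"]))          # inside the control network: expected
    { src: f["src"], dst: f["dst"], port: f["dport"].to_i, service: service,
      severity: CRITICAL.include?(service) ? "critical" : "high",
      note: "CENTUM #{service} reached from outside #{control_net}; this service has no authentication" }
  end
end

# Constructed sample data (not captured from a real system).
NETSTAT_SAMPLE = [
  "  TCP    0.0.0.0:20111          0.0.0.0:0              LISTENING",
  "  TCP    10.10.1.20:20110       0.0.0.0:0              LISTENING",
  "  TCP    10.10.1.20:20111       198.51.100.7:40112     ESTABLISHED",
  "  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING",
  "  UDP    0.0.0.0:1057           *:*",
  "  UDP    0.0.0.0:1079           *:*",
].freeze

FLOW_SAMPLE = [
  "2014-03-06T10:00:01Z proto=TCP src=10.10.1.5 dst=10.10.1.20 dport=20111",
  "2014-03-06T10:00:07Z proto=TCP src=198.51.100.7 dst=10.10.1.20 dport=20111",
  "2014-03-06T10:00:09Z proto=UDP src=203.0.113.9 dst=10.10.1.20 dport=1057",
  "2014-03-06T10:00:12Z proto=TCP src=203.0.113.9 dst=10.10.1.20 dport=443",
].freeze

if __FILE__ == $0
  centum_listeners(NETSTAT_SAMPLE).each { |l| p l }
  audit_connections(FLOW_SAMPLE, control_net: "10.10.1.0/24").each { |f| p f }
end
```

centum_listeners answers the "what is this HIS actually running" question of slide 19 from the host itself, without touching the network; audit_connections is the firewall-log side of the same check, and an external reach of 20111/TCP is the case that should page someone rather than wait for the next scan.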
Slide 62
Last topic
In addition, we have a bunch of vulnerabilities worth detecting
– Metasploit isn't a vulnerability scanner, but...
...some probes/checks in exploits are really good.
Writing good probes isn't easy indeed!
Slide 63
Last topic
With all this knowledge… wouldn't it be awesome to know whether all this research matters?
#ScanAllTheThings
Slide 64
#ScanAllTheThings
Rapid7 - Project Sonar
– ZMap
– Metasploit
Thanks to Rapid7 for helping us to #ScanAllTheThings
– Especially to Tas Giakouminakis and Mark Schloesser
– Don't miss the opportunity to attend BHUSA 2014!
Slide 65
#ScanAllTheThings
Problems when you #ScanAllTheThings:
– The Internet is huge!
– We've only scanned for two vulnerable TCP services
– False positives
– Laws / attorneys
Slide 66
#ScanAllTheThings
Methodology:
– TCP scan the Internet with ZMap: 1,301,154 suspicious addresses
– Eliminate false positives (blacklists, plus tests to discover addresses that answer open on every port): 56,911 suspicious addresses
– Use metasploit-framework to scan with the safe probes
Slide 67
#ScanAllTheThings
Results:
– 2 important universities around the world, conducting important research projects with Yokogawa, are exposing CENTUM CS 3000 projects to the world
Slide 68
Conclusions
Goals
Difficulties
Final conclusions