Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi SCADA! [Rooted CON 2014]

1
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Tú a Boston Barcelona y yo a
California Tejas
A patadas con mi SCADA!
Juan Vazquez & Julian Vilas

2
Presentation
Juan Vazquez (@_juan_vazquez_) from Austin
(USA)
– Exploit developer at Metasploit (Rapid7)
Julian Vilas (@julianvilas) from Barcelona (Spain)
– Security analyst & researcher at Scytl
Bloggers of a non-too-much-regularly-updated blog

– testpurposes.net

3
Motivation
After being working side by side during years, we
decided to do something together! (Just when we’re
8.000 Km far)
What? Some SCADA research:
– No intro to SCADA.
– No compliance & regulation review.
– No paperwork research about its security in general.
– Just (in-depth) analysis of a big SCADA product.
Why?...

4
Index
Introduction
Organization
Platform Discovery
Vulnerabilities & Exploitation
Post Exploitation
Last topic
Conclusions

5
Introduction
Yokogawa CENTUM CS 3000 R3
“Yokogawa released CENTUM CS 3000 R3 in 1998 as the first Windows-based
production control system under our brand. For over 10 years of continuous
developments and enhancements, CENTUM CS 3000 R3 is equipped with functions
to make it a matured system. With over 7600 systems sold worldwide, it is a
field-proven system with 99.99999% of availability.”

6
Introduction
Why we selected this product?
First version achieved
– R3.02 (September 2001)
Finally, thanks to Russian & Vietnamese forums
(you rocks guys! ;P)
– R3.08.50 (October 2007)

7
Introduction
Since here, strange things started to happen...

8
Introduction. Basic elements.
FCS
HIS
Field elements

9
Introduction. Topology.

10
Introduction
Doesn’t look familiar?

11
Organization. Problems
Distance & Timezones (GMT +1 vs GMT - 6)

12
Organization. Problems
SCADA Software
– Closed Software
– Documentation and Training
– Deployment
– Development
Think: Mozilla Firefox vs Yokogawa Centum
CS3000

13
Organization. Solutions
Communications:
– Google Hangout / Google Chat
– Adium + OTR (mode paranoia /on)
Work & Collaboration Environment:
– Upgrade ADSL line + VPN
– Google Drive + Google Docs
– Confluence + Team Calendars
– VirtualBox
– GIT
– CollabREate

14
Organization. Solutions
Work methodology
– SCRUM based (just a little)

15
Organization. Our Environment
What exactly do we have?
Software with capabilities for:
– Operating & monitoring functions (HIS)
– Engineering
– FCS simulation & virtual testing
Tons of exe’s, dll’s, docs, installed on Windows
XP SP2 (SP3 support was added on R3.08.70
(November 2008)) ← Yes, WTF!

16
Platform Discovery
Work with the product
Discover the components
Discover the Real Attack Surface!
– Windows Services
– Application Network Services
– Application Local Services
– Application client components (ActvX).

17
Platform Discovery
Example: Initial Installation

18
Platform Discovery
Example: Basic Demo Project Running (I) /
Processes

19
Platform Discovery
Example: Basic Demo Project Running (II) /
Network

20
Vulnerabilities. Documentation.
First fails were discovered during installation
process
– User created: “CENTUM”
– Password: we’re sure you can guess it in your first try
;)

21
– Program installed under “C:CS3000”
– Wait….

22
WTF?

23
WTF?

24
WTF?

25
WTF?

26
Vulnerabilities. Design.
Problems in typical SCADA protocols (like
MODBUS) have been widely discussed
Things are not so different here, even in the
application layers you can spot a set of protocols
with a lack of authentication, integrity checks,
etc.

27
Example: BKBCopyD.exe
– Brief Description: Allows File Sharing, similarities with
FTP. No authentication

28
RETR command STOR command

29
Metasploit DEMO.
– Using Auxiliary modules to download and upload files.

30
Vulnerabilities. Implementation...
5 Vulnerabilities Found
– Stack and Heap Based Buffer Overflows
– In different binaries (applications and protocols)
Disclosure
– Rapid7 Vulnerability Disclosure Policy
• https://www.rapid7.com/disclosure.jsp
– Contact with Vendor (15 days)
– Disclosure with CERT (45 days) (CERT and JPCERT
in our case)
– Public Disclosure (60 days)

31
Vulnerabilities. Implementation.
Today we make public details and exploits for
three vulnerabilities.
One disclosure has been delayed because the
vendor asked.
Last one is still in the disclosure process
explained.

32
Summary
– Heap Buffer Overflow in
– Stack Buffer Overflow in
– It shouldn’t be readable
– Stack Buffer Overflow in
– It shouldn’t be readable

33
Heap overflow in

34
Buffer Overflow….

35
Buffer Overflow in….

36
How to find them? Semi Guided Dumb Fuzzing
1) Basic understanding of the Protocol
– Network Captures
– Reverse Engineering
2) Fuzz
3) Profit

37
Exploitation
Supported Operating Systems

38
Exploitation
Lack of Compilation Time Protections (stack
cookies)
Lack of Linking Time Protections (SAFESeh)

39
Exploitation
DEMO: Metasploit vs Yokogawa CENTUM
CS3000
– Exploits already landed in Metasploit.
– Free shells! we love shells! 
– Check your installations! (more about that later…)

40
Post Exploitation
We got shells… now what?

41
Post Exploitation
We should have access to systems with highly
valuable data, get it!
Steal data in SCADA environments :?
– Meterpreter is a powerful payload!!
– OJ (TheColonial) is doing an awesome work with it!
– You definitely should read:
• http://buffered.io/posts/3-months-of-meterpreter/

42
Post Exploitation
The recent OJ’s work includes Window
Integration:
“The goal here was to make it possible to enumerate all the windows on the current
desktop to give you a clearer view of what the user is running, and to perhaps allow
for interaction with those Windows later via Railgun”
We have used it to enumerate interesting
windows, maximize and screenshot them!

43
Post Exploitation
We should have access to systems with the
power… to move things… move them!
Spend few hours reading documentation
– Wasn’t funny :(
Found utilities where design the operation &
monitoring graphics

44
Post Exploitation

45
Post Exploitation
Started playing with it

46
Post Exploitation
We realized we were totally lost
Who said 8 == D ?

47
Post Exploitation
OK, goto fail… mmm… no, go back to read
more doc we mean ;)
Some hours later, we knew a few more things…

48
Post Exploitation
Process Variable (PV)
Set Point Variable (SV)
Manipulated Variable (MV)

49
Post Exploitation

50
Post Exploitation
It means:
– FCS gets PVs from I/O modules
– FCS knows the SV value, and therefore if it should do
any correction operation (MV) to I/O modules
From the point of view of operating & monitoring
– HIS gets PVs from FCS
– HIS can set SVs to FCS
– HIS can get MVs from FCS

51
Post Exploitation
Our hello world: a loop between PV and MV

52
Post Exploitation
How does it look?

53
Post Exploitation
Code Injection to allow tampering of
communications between HIS and FCS
What to tamper?
– SV
Where?
– BKFSim_vhfd.exe
How?
– Uses ws2_32.dll and its API for TCP sockets.

54
Post Exploitation
How?
– File System: Just drop a trojanized DLL
– Memory:
• IAT hijack?
• Detours Hooks?
…
Metasploit Friendly :?:?

55
Post Exploitation
Reflective DLL Injection!
– Stephen Fewer
Integrated Into Metasploit / Meterpreter
– https://github.com/stephenfewer/ReflectiveDLLInjectio
n

56
Post Exploitation
Metasploit & Reflective DLL Injection
– Meterpreter & Extensions Loading
– Payload stage
• payload/windows/stage/dllinject
– Local Kernel Exploits
• Example: CVE-2013-3660 (pprFlattenRec)
– Post Exploitation
• post/windows/manage/reflective_dll_inject

57
Post Exploitation
DEMO
– Windows Screenshots with Metasploit
– Reflective DLL injection: Tamper communications for
manipulating the control processes!

58
Last topic
OK, the system is…
…but, it isn’t so important because these
systems live in isolated environments, right?...

59
Last topic
Shit! Let’s see again Yokogawa docs…

60
Last topic

61
Last topic
Let’s see if we can find something out there…
UDP Services TCP Services
BKESysView 1057/UDP
BKERDBFlagSet 1059/UDP
BKHBos 1062/UDP
BKHOdeq 1064/UDP
BKHMsMngr 1065/UDP
BKHExtRecorder 1069/UDP
BKHClose 1070/UDP
BKHlongTerm 1071/UDP
BKHSched 1072/UDP
BKBBDFH 1074/UDP
BKBRECP 1075/UDP
BKHOpmp 1076/UDP
BKHPanel 1077-1082/UDP
BKHSysMsgWnd 1083/UDP
BKETestFunc 1084/UDP
BKFOrca 1085/UDP
BKHOdeq 20109/TCP
BKFSim_vhfd.exe 20110/TCP
BKBCopyD 20111/TCP
BKBBDFH 20153/TCP
BKHOdeq 20171/TCP
BKBBDFH 20174/TCP
BKHlongTerm 20183/TCP

62
Last topic
In addition we’ve a bunch of vulnerabilities which
worths to detect
– Metasploit isn’t a Vulnerability Scanner but...
...because some
probes/checks in exploits
are really good.
Writing good probes isn’t
easy indeed!

63
Last topic
With all this knowledge… wouldn’t be awesome
to know if all this research matters?
#ScanAllTheThings

64
#ScanAllTheThings
Rapid7 - Project Sonar
– ZMAP
– Metasploit
Thanks to Rapid7 for helping us to
#ScanAllTheThings
– Specially to Tas Giakouminakis and Mark Schloesser
– Don’t lose the opportunity to attend BHUSA 2014!

65
#ScanAllTheThings
Problems when #ScanAllTheThings:
– Internet is huge!
– We’ve just scanned for two vulnerable TCP services
– False positives
– Laws / Attorneys

66
#ScanAllTheThings
Methodology:
– TCP Scan the Internet with ZMAP: 1,301,154
suspicious addresses
– Eliminate false positives (blacklists, plus tests to
discover addresses answering open to all): 56,911
suspicious addresses
– Use metasploit-framework to scan with the safe
probes

67
#ScanAllTheThings
Results:
– 2 important universities around the world, conducting important
research projects with Yokogawa, are exposing CENTUM CS
3000 projects to the world

68
Conclusions
Goals
Difficulties
Final conclusions

Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi SCADA! [Rooted CON 2014]

Recommandé

Recommandé

Contenu connexe

En vedette

En vedette (20)

Similaire à Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi SCADA! [Rooted CON 2014]

Similaire à Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi SCADA! [Rooted CON 2014] (20)

Plus de RootedCON

Plus de RootedCON (20)

Dernier

Dernier (20)

Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi SCADA! [Rooted CON 2014]