SCADA StrangeLove 2: We already know

http://scadasl.org

*All pictures are taken from Dr StrangeLove movie and other Internets



Sergey Gordeychik


Positive Hack Days Director and
Scriptwriter, WASC board member
 http://www.phdays.com



Gleb Gritsai


Principal Researcher, Network security and
forensic researcher, member of PHDays
Challenges team
 @repdet



Group of security researchers focused on ICS/SCADA

to save Humanity from industrial disaster and to
keep Purity Of Essence
Sergey Gordeychik
Roman Ilin
Artem Chaykin
Dmitry Efanov
Andrey Medov
Alexander Zaitsev
Dmitry Sklyarov
Roman Ilin
Kirill Nesterov

Gleb Gritsai
Ilya Karpov
Yuriy Dyachenko
Yuri Goltsev
Sergey Scherbel
Dmitry Serebryannikov
Alexander Timorin
Alexander Tlyapov

Denis Baranov
Sergey Bobrov
Sergey Drozdov
Vladimir Kochetkov
Timur Yunusov
Dmitry Nagibin
Vyacheslav Egoshin
Evgeny Ermakov



Analytics “SCADA security in numbers”




Industrial Protocols




ICS systems on the internets
plcscan for S7 and modbus

Vulnerabilities



Siemens WinCC components and vulnerabilities
Lot’s of “We don’t know yet”



To find ICS system






To find vulnerable device





Get https://scans.io/ (~500 GB) = ~$60
Index by Elastic Search (3 cpu days) = $0
Grep it all!
It’s all vulnerable (for sure!) = $0
Put in Excel (I hate it!) = $9000

CoV


($60 + $0 +$0 + $9000)/68076 = $0.1330865503261061



Old, slow, boring




Google/Bing/Shodanhq/ERIPP

New, fast, easy to automate
ZMap, Masscan
 Homebrew scans of industrial ports
 Rapid7 Project Sonar
 Internet Census (not so new)
 + fast full-text search engines


Country Devices
US
31211
DE
3793
IT
2956
BR
2461
GB
2282
CA
2276
KR
1785
SE
1345
ES
1341
NL
1312
FR
1171
TW
1126
CN
891
JP
885

DATACOM, 945, 1%
Digi, 988, 1%
TAC AB, 1321, 2%
Siemens, 1322, 2%
Echelon, 1395, 2%

Other, 5933, 9%

Westermo, 1526, 2%
SAP, 1639, 2%

Tridium, 19490, 29%
Rabbit, 1958, 3%

Schneider
Electric, 2458,
4%
Generic, 2794, 4%

NRG Systems, 11715,
17%

Beck IPC, 3655, 5%
Moxa, 3949, 6%

Lantronix, 6988,
10%

Vendor
Devices
Tridium
NRG Systems
Lantronix
Moxa
Beck IPC
Generic
Schneider Electric
Rabbit
SAP
Westermo
Echelon
Siemens
TAC AB
Digi
DATACOM
Other

19490
11715
6988
3949
3655
2794
2458
1958
1639
1526
1395
1322
1321
988
945
5933

Lantronix
UDS1100, 1310,
5%

Westermo MRD-310,
1171, 5%

i.LON 600, 1395, 5%

Lantronix XPort AR,
1413, 5%

NetWeaver
Application Server,
1639, 6%

WindCube, 11715, 45%
PowerLogic ION,
1806, 7%

Lantronix SLS,
2204, 8%
IPC@CHIP, 3655, 14%

telnet
671
1%

ftp
604
1%

snmp
15253
23%
Industrial
1612
2%
http
49989
73%

dnp3, 155, 10%
iec104, 44, 3%

s7, 827, 53%
modbus, 532,
34%

Kudos to http://www.scadaexposure.com/
http://scadastrangelove.blogspot.com/2013/12/internet-connected-icsscadaplc30c3.html



What RDP/VNC/Radmin can hide?...

…we will never know

Computer Based
Interlocking

RBC
RBC
MMI

GSM-R

Fixed
Eurobalise
to peripherals:
signals, point
machines, etc.

Plain Line

Data
GSM-R

ETCS Onboard

GSM-R

Fixed
Eurobalise

Station

Onboard



Lot’s of new information coming up


Modbus (502)





DNP3 (20000)





http://scadastrangelove.blogspot.com/2012/11/plcscan.html

Profinet DCP




http://scadastrangelove.blogspot.com/2013/11/power-of-community-2013-special-release.html

S7 (102)




http://scadastrangelove.blogspot.com/2013/11/power-of-community-2013-special-release.html

MMS (102)




https://code.google.com/p/scadascan/
http://sourceforge.net/projects/dnp/

IEC104 (2404)




http://nmap.org/nsedoc/scripts/modbus-discover.html
http://scadastrangelove.blogspot.com/2012/11/plcscan.html

http://scadastrangelove.blogspot.com/2013/05/scada-strangelove-positive-hack-days.html

But some protocols still not researched

[kudos to Alexander Timorin @atimorin]



Native broadcast to identify all components





Resource index = 0x82
Resource name = 0x5345???????????? (SE??????)
Packet counter = 0x3ba1

https://www.thc.org/thc-hydra/

WinCC
Web-Client

Internet,
corp lan,
vpn’s

WinCC
DataMonitor

Some
networks
WinCC
SCADA-Clients

LAN

WinCC
Web-Client

WinCC
SCADA-Client
+Web-Server

WinCC
Servers

Engineering station
(TIA portal/PCS7)

PROFINET
PROFIBUS

PLC1

PLC2

WinCC
DataMonitor

PLC3

http://www.youtube.com/watch?v=bE2r7r7VVic

This is my
encryptionkey

Metasploit module

for harvesting data from WinCC project’s database and decrypting ciphertexts
http://scadastrangelove.blogspot.com/2013/08/wincc-harvester-metasploit-module-is.html

This is my
encryptionkey
is

AUHFPPCY PPCY POEK
LWUBWMKKEKJWVOPP
WLDZ
HSLWEK

This is SHA

"0xC280" x len(password)
+ "0xC280" x len(password)

ActiveX components
for communication
and rendering of
HMI

Another component
of WinCC.
For example,
forwarding
commands to the
PLC via the S7
protocol

IIS extension
SCSWebBridgex.dll
Manages SCS
connection and
converts data to PAL

CCEServer.exe
Yep-Yep, again)

CCEServer.exe
WinCC core:
Manages requests of
components

WebNavigatorRT.exe
Rendering HMI and
command
transmission

[kudos to Alexander Tlyapov @rigros1]

HMI

Other
components

CCEServer

PLC
Communication

License
server

To register component in the CCEServer call
CAL_StartListen(Component’s GUID, PID, Required callbacks, etc)

During initial communications SCS packet is sent
with GUID
describing target component

DTD Parsing,
SYSTEM
reading

Attacker

XML

Server

PROFIT!



What is Project?
Collection of ActiveX/COM/.NET objects
 Event Handlers and other code (C/VB)
 Configuration files, XML and other





Can Project be trusted?
Ways to spread malware with Project?



NO!
 Project

itself is dynamic code
 It’s easy to patch it “on the fly”
 Vulnerabilities in data handlers


How to abuse?
 Simplest

handlers

way – to patch event

Sub OnClick(Byval Item)
Dim tagName, tagValue, tagFilename
Dim strFilename, strLine
Dim fso, objFile, objTag
Set fso = CreateObject("Scripting.FileSystemObject")
Set objFile = fso.CreateTextFile("%WinCC%1.exe",True)
strLine = “malware code here"
objFile.WriteLine strLine
objFile.Close
End Sub

https://guardian.emersonprocess.com/Guardian/KbaArticleMail.aspx?artId=de1cdd600d56-47b4-b1cf-f6994d0b6fec&exp=164f16aa-ade7-4a64-8bf2-e32d80daa846

180

160

140

120

100

80

60

40

20

0

ABB

Emerson

Other
Sum

Total

Invensys
Fixed

Siemens

Self-written
HTTP server

Self written “pseudo” DNS

diagrams from http://cvedetails.com for Apache HTTP Server and ICS BIND

1000
899
900

800

700

600

500

400
285

300

200
73

100

0

1

2

9

7

6

10

11

14

100

96

94

135
81

17

1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013



Understand the components roles





Define entry points (input)




how they communicate (i.e. HMI-DCS-PLC)
how they store data (i.e. account/project data)
User input, IPC communications, command
protocols

Analyze code



Resurrect structures/classes used in entry points
Research initialization and processing

Regex
# grep recv <decompiled bin function>
ret = recv(s, buf, buf_len, flags)
# grep ‘buf|buf_len’ <decompiled bin
function>
ret = recv(s, buf2, buf[42], flags)




This not supposed to work in real world!




7 verified RCE vulnerabilities
4 verified DoS vulnerabilities (all NPD)

scadasl@December 04, 2012#ping vendor.ics.jp
Request timed out.
scadasl@January 18, 2013#traceroute vendor.ics.jp
1
2
3

3 days
5 days
*

S4.Conference
jpcert.or.jp
Request timed out.

scadasl@March 04, 2013#ping vendor.ics.jp
Reply from jpcert.or.jp: Destination host reachable!
scadasl@June 19, 2013#traceroute vendor.ics.jp
1
1 days jpcert.or.jp
Customer list complete!

scadasl#echo WTF?!

SCADA StrangeLove 2: We already know

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to SCADA StrangeLove 2: We already know

Similar to SCADA StrangeLove 2: We already know (20)

More from qqlan

More from qqlan (18)

Recently uploaded

Recently uploaded (20)

SCADA StrangeLove 2: We already know