Positive Technologies - S4 - Scada under x-rays

WINCC UNDER X-RAYS
Sergey Gordeychik
Denis Baranov
Gleb Gritsai

 Sergey Gordeychik
 Positive Technologies CTO, Positive Hack Days
Director and Scriptwriter, WASC board member
 Gleb Gritsai (@repdet)
 Principal Researcher, Network security and forensic
expert, head of PHDays Challenges team
 Denis Baranov
 Head of AppSec group, researcher, member of
PHDays Challenges team
http://www.phdays.com http://blog.ptsecurity.com
http://scadasl.org

 Group of security researchers focused on ICS/SCADA

to save Humanity from industrial disaster and to
keep Purity Of Essence
Sergey Gordeychik Gleb Gritsai Denis Baranov
Roman Ilin Ilya Karpov Sergey Bobrov
Artem Chaykin Yuriy Dyachenko Sergey Drozdov
Dmitry Efanov Yuri Goltsev Vladimir Kochetkov
Andrey Medov Sergey Scherbel Timur Yunusov
Alexander Zaitsev Dmitry Serebryannikov Dmitry Nagibin
Dmitry Sklyarov Alexander Timorin Vyacheslav Egoshin
Ilya Smith Roman Ilin Alexander Tlyapov

 Common target during pentests
 Most common platform (market, ShodanHQ)
 Largest number of published and fixed bugs

http://www.ptsecurity.com/download/SCADA_analytics_english.pdf

 Siemens ProductCERT
 Reallyprofessional team
 Quick responses
 Patches!

 You guys rock!

 Invensys Wonderware
 Yokogawa
 ICONICS
 ….

 Stay tuned!

 Goals
to automate security assessment of ICS
platforms and environment
 Objectives
to understand system
to assess built-in security features
to create security audit/hardening guides
to automate process

Vulnerabilities – waste production

Positive Technologies - S4 - Scada under x-rays

 WinCC Server
 Windows/MSSQL based SCADA
 WinCC Client (HMI)
 WinCC runtime + project
 WinCC Web Server (WebNavigator)
 IIS/MSSQL/ASP/ASP.NET/SOAP
 WinCC WebClient (HMI)
 ActiveX/HTML/JS

 Big Project
 Long History

 A lot of obsolete
 code
 features
 third parties
…

Remote management tool (FS/registry), HTTP
8080
Not started by default and shouldn't be running
ever

 No authentication at all
 XSSes
 Buffer overflow (GET /AAAAAA….AAAAA)

Function Encrypt (secret, PassWord)
' secret$ = the string you wish to encrypt or decrypt.
' PassWord$ = the password with which to encrypt the string.
dim L, X, s, Char
L = Len(PassWord)
For X = 1 To Len(secret)
Char = Asc(Mid(PassWord, (X Mod L) - L * ((X Mod L) = 0),
1))
'Mid(secret, X, 1) = Chr(Asc(Mid(secret, X, 1)) Xor Char)
s = s & Chr(Asc(Mid(secret, X, 1)) Xor Char)
Next
Encrypt = Escape(s)
End Function

Function Decrypt (secret, PassWord)
' PassWord$ = the password with which to encrypt the
string.
dim L, X, s, Char
secret = Unescape(secret)
L = Len(PassWord)
Char = Asc(Mid(PassWord, (X Mod L) - L * ((X Mod L) =
0), 1))
Next
Decrypt = s
End Function

Function EnDecrypt (secret, PassWord)
' PassWord$ = the password with which to encrypt the string.
dim L, X, s, Char
secret = Unescape(secret)
L = Len(PassWord)
Char = Asc(Mid(PassWord, (X Mod L) - L * ((X Mod L) = 0), 1))
Next
Encrypt = Escape(s)
Decrypt = s
End Function

To analyze:
- Files not changed for a while

- Third-party tools and libraries

To automate:
- Control of change/commit dates

- Host-level scanners/fingerprint tools

Processes:
- Know your third-party!

1000

899
900

800

700

600

500

400

285
300

200
135
100 94 81
73 96
100
14 17
1 2 9 7 6 10 11
0
1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

CompanyName Adobe Systems Incorporated
CompanyName Blue Sky Software
CompanyName ClassWorks
CompanyName Datalogics, Inc.
CompanyName Free Software Foundation
CompanyName IBM Corporation and others
CompanyName InstallShield Software Corporation
CompanyName Microsoft Corporation
CompanyName OPC Foundation
CompanyName Rogue Wave Software
CompanyName Stingray Software Inc.
CompanyName Syncfusion Inc.
CompanyName The OpenSSL Project,
CompanyName VisualTools Inc.
CompanyName WexTech Systems, Inc.

 Available at /WebCenter/AutoComplete.asmx
 Well-documented

 Available at /WebCenter/AutoComplete.asmx
 Well Self-documented

 Undocumented method
Siemens.Simatic.WinCC.DataMonitor
/GetServerList

 SQL Servers in subnet enumeration
 SQL-type Injection

 XPath Injection (CVE-2012-2596)
 Path Traversal (CVE-2012-2597)
 XSS ~ 20 Instances (CVE-2012-2595)

Fixed in Update 2 for WinCC V7.0 SP3

http://support.automation.siemens.com/WW/view/en/60984587

 Can help to exploit server-side vulnerabilities
 Operator’s browser is proxy to SCADAnet!


?
Anybody works with SCADA and Internet
using same browser?

http://www.surfpatrol.ru/en/report

 A lot of “WinCCed” IE from
countries/companies/industries

 Special prize to guys from US for
WinCC 6.X at 2012

 Lot of XSS and CSRF
 CVE-2012-3031
 CVE-2012-3028
 Lot of arbitrary file reading
 CVE-2012-3030
 SQL injection over SOAP
 CVE-2012-3032
 Username and password disclosure via ActiveX
abuse
 CVE-2012-3034

Fixed in Update 3 for WinCC V7.0 SP3

http://support.automation.siemens.com/WW/view/en/63472422

 Interesting objects and methods
WebClientInstall.RegReader.RegRead
IsAdministrator()
IsPowerUser()
openConnection()

 Can’t use ShellExecute of something…
 Restricted but still exists for compatibility

 WinCCViewer ActiveX store credentials in innerHTML
 We can get it via XSS

 How this ActiveX gets Basic account plaintext?
 How to get Authorization header on Client?
 Why ActiveX need password?

 Lets check…

 ActiveX use hardcoded account to
communicate with OPC Web bridge
 Password for WNUSR_DC92D7179E29
generated during installation and probably
strong
 Encrypted password for WNUSR_DC* can be
obtained by request to WebBridge

 But WHY?

• Hardcoded accounts (fixed)
• MS SQL listening network from
the box*
• “Security controller” restricts to Subnet
• Two-tier architecture with
Windows integrated auth and
direct data access
• We don’t know how to make it secure

• First noticed in May 2005
• Published in April 2008
• Abused by StuxNet in 2010
• Fixed by Siemens in Nov 2010**
• Still works almost everywhere

*Just for history
**WinCC V7.0 SP2 Update 1

• {Hostname}_{Project}_TLG*
• TAG data

• СС_{Project}_{Timestamp}*
• Project data and configuration
• Users, PLCs, Privileges

 Other procedures with SQLi
 [dbo].[sp_CCAlg_CreateTempTable]
 [dbo].[sp_ccalg_PrepareDataList]
 [dbo].[sp_ccalg_PrepareTraceDataList]
 [dbo].[sp_ccalg_ReadAlgBySchema]
 [dbo].[sp_ccalg_ReadData]
 [dbo].[sp_ccalg_ReadDataAMTPreselect]
 No way to exploit
 Or we don’t know
 Yet

• Managed by PASSCS.EXE
• Stored in dbo.PW_USER

• Administrator:ADMINISTRATOR
• Avgur2 > Avgur

 Some restrictions for SQL roles
 OPENROWSET
 Extended Stored Procedures
 SQL Agent functions
…
 Not enough for distributed
architecture
 High privileged account for proxy is
used

 PdlRt.exe – graphic runtime
 CCRtsLoader.EXE – loader
 s7otbxsx.exe – network

 Inter process communication:
 RPC
 Sections (memory mapped files)

 BaseNamedObjectsTCPSharedMm and other
interesting stuff

 Detecting active project:
HKCUSoftwareSIEMENSWINCCControl
CenterDefault Settings
 LastOpenPath
 LastProject
 Detecting MS SQL database name (timestamp)
ArchiveManagerAlarmLogging
ArchiveManagerTagLogging*

Obtaining information from database and system
objects

 What is Project?
 Collection of ActiveX/COM/.NET objects
 Event Handlers and other code (C/VB)
 Configuration files, XML and other

 Can Project be trusted?
 Ways to spread malware via Project?

 NO!
 Project itself is dynamic code
 It’s easy to patch it “on the fly”
 Vulnerabilities in data handlers
 How to abuse?
 Simplest way – to patch event
handlers

 Firmware is in Intel HEX format
 Several LZSS blobs and ARM code
 Blobs contain file system for PLC
 Web application source code

… And ...

 ASCII armored certificate!
 For what?
 For built-in Certification Authority

?!?!??!!!??!

 Is there a private key?

 Hardcoded S7 PLC CA certificate (Dmitry Sklarov)

http://scadastrangelove.blogspot.com/2012/09/all-
your-plc-belong-to-us.html

 Multiple vulnerabilities in S7 1200 PLC Web
interface (Dmitriy Serebryannikov, Artem Chaikin,
Yury Goltsev, Timur Yunusov)

http://www.siemens.com/corporatetechnology/pool/
de/forschungsfelder/siemens_security_advisory_ssa-
279823.pdf

 MiniWeb WebServer and MWSL
scripting languages (similar to WinCC
Flexible)
 Ability to create and upload your own
Web-pages
 InterNiche TCP/IP stack

 Can be protected by password
 Authentication – simple challenge-
response
 Password hashed (SHA1) on client (TIA Portal)
 Server (PLC) provide 20 byte challenge
 Client calculate HMAC-SHA1(challenge,
SHA1(password) as response

 Hardcore mix of Windows and Custom
Authentication/Access Control
 Weak cryptography
 No AppSec at all (before us Siemens PCERT)
 Project is not trusted
 Some weakness in system-level design – no
quick patches

 TIA portal Security Hardening Guide
 S7 protocol password brute force tool
 WinCC Forensic checklist

http://scadastrangelove.blogspot.com/search/label/Releases

 Simatic WinCC Security Hardening Guide

http://scadastrangelove.blogspot.com/2012/12/siemens-simatic-wincc-7x-security.html

 PLCScan tool

http://scadastrangelove.blogspot.com/2012/11/plcscan.html

 ICS/SCADA/PLC Google/Shodan Cheat
Sheet
http://scadastrangelove.blogspot.com/2012/12/icsscadaplc-googleshodanhq-cheat-sheet.html

 New Siemens products (TIA Portal and 1500
PLC family)

 S7 protocol vivisection

 OPC/distributed architecture protocol analysis

SCADA UNDER X-RAYS
All pictures are taken from
Engineer Garin movie and Google

Positive Technologies - S4 - Scada under x-rays

More Related Content

What's hot (20)

Similar to Positive Technologies - S4 - Scada under x-rays (20)

More from qqlan (20)

Recently uploaded (20)

Positive Technologies - S4 - Scada under x-rays