Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security mechanisms, software architecture
1 like1,390 views
The document discusses the architecture and security of WinCC SCADA software. It describes how WinCC uses various components like CCEServer and WebNavigatortRT to manage requests and render human-machine interfaces. Authentication is performed through a two-stage process involving a SQL database and generated credentials. Internal protocols like CAL are used to transmit data between components via shared memory sections. Security issues include hardcoded passwords, weak encryption, and lack of access controls.
![
Manufacturing Message Specification
A protocol, but more a specification for messaging
Originally developed at 1980
“Heavy”
See MODBUS packet: [gw_unit; function; register; value]
Applications
IED, PLC, SCADA, RTU
Vendors
GE, Siemens, Schneider, Daimler, ABB](https://image.slidesharecdn.com/alexandertimorinalexandertlyapov-scadadeepinsideprotocolssecuritymechanismssoftwarearchitecture-131119052529-phpapp02/85/Alexander-Timorin-Alexander-Tlyapov-SCADA-deep-inside-protocols-security-mechanisms-software-architecture-8-320.jpg)
![Oh! En/c(r)ypt[10]n!
ServerID = Base64(RC2(pass, key)), where key
= MD5(dll hardcode)](https://image.slidesharecdn.com/alexandertimorinalexandertlyapov-scadadeepinsideprotocolssecuritymechanismssoftwarearchitecture-131119052529-phpapp02/85/Alexander-Timorin-Alexander-Tlyapov-SCADA-deep-inside-protocols-security-mechanisms-software-architecture-30-320.jpg)
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security mechanisms, software architecture
- 1. All pictures are taken from Dr StrangeLove movie by Gleb Gritsai (as Alexander Timorin) and Alexander Tlyapov
- 2. Group of security researchers focused on ICS/SCADA to save Humanity from industrial disaster and to keep Purity Of Essence Sergey Gordeychik Roman Ilin Artem Chaykin Dmitry Efanov Andrey Medov Alexander Zaitsev Dmitry Sklyarov Roman Ilin Kirill Nesterov Gleb Gritsai Ilya Karpov Yuriy Dyachenko Yuri Goltsev Sergey Scherbel Dmitry Serebryannikov Alexander Timorin Alexander Tlyapov Denis Baranov Sergey Bobrov Sergey Drozdov Vladimir Kochetkov Timur Yunusov Dmitry Nagibin Vyacheslav Egoshin Evgeny Ermakov
- 3. Gleb Gritsai Penetration tester @ptsecurity ICS researcher and expert Member of @scadasl Alexander Tlyapov Reverse engineer @ptsecurity ICS researcher Member of @scadasl
- 4. ICS 101 Industrial protocols (Gleb Gritsai) This 101 is useless Functions and weakness of protocols Penetration tester’s view WinCC architecture (Alexander Tlyapov) Internal protocols Authorization process And how no to pay attention and get to serious stuff
- 6. HMI PLC Programmable Logic Controller RTU Human Machine Interface Remote Telemetry Unit IED, SCADA, DSC, Sensor, Actuator, …
- 7. Movinged from Serial to Ethernet Actually five senses of ICS by Sometimes to Radio (GSM, ZigBee, WiFi, etc) Controlling physical processes Delivering feedback Available starting from OSI/ISO layer 3 Industry and application specific Delivering real time data from sensor or configuring network settings of PLC or reflashing RTU Operating in one subnet or providing remote telemetry and supervisory Developed without security in mind and in coders “Times they are a changin‘”, but slowly
- 8. Manufacturing Message Specification A protocol, but more a specification for messaging Originally developed at 1980 “Heavy” See MODBUS packet: [gw_unit; function; register; value] Applications IED, PLC, SCADA, RTU Vendors GE, Siemens, Schneider, Daimler, ABB
- 9. Domains Named memory regions for managing data/code blobs Abstraction for devices Program invocations Journals Files (Yes, files) Named variables and lists (groups of vars) Events State machines for alarms and events Operators station (HMI) Init semaphores Concurrent access
- 10. IEC 62351-4 is security for IEC 61850-8-1 IEC 61850-8-1 is MMS Application level ACSE AARQ and AARE PDUs Transport level – TLS (62351-3) Access Control Lists Original port 102 to 3782 if secured
- 11. Application security is in ACSE layer (i.e. Association Control Service Element) which is rarely implemented No password requirements defined for software Welcome to the “123” Application security is plain password Bruteforce Just try to keep port alive as no locking exist Interception Simple ARP spoofing is still a kill switch for ICS networks (do this in labs or disconnected SCADAs if you care)
- 12. Access must be defined to every object (according to standard) Kind of: read, write, delete Optional TLS, srsly? No options to set it up seen in products Not supported (not even with stubs in code)
- 13. Discovery & Fingerprint Port 102 is also S7 and … - COTP (Connection Oriented Transport Protocol) & TPKT (Transport packet) “Identify” request for Vendor, Model and Version Enumeration of objects Enumerate everything: Domains, Variables, Files, etc Good thing – named variables (no need for db with tags/registers/etc description) for understanding logic Domains: IEDInverter, IEDBattery, IEDPhysical_Measurements Variables for IEDBattery: ZBAT1$MX$Vol, ZBAT1$MX$Amp, ZBAT1$ST$Health Better than WriteCoil(coil=X, value=Y)
- 14. Open source libs - easy to extract API for better code coverage while fuzzing PLCs, IEDs, RTUs, … Ain’t it fun fuzzing embedded devices Lot’s of open source libs, single DLL APIs and simulators libiec61850 is C and free http://libiec61850.com openmuc is java and free http://openmuc.org/ Smartgridware and others non free, but trial http://www.smartgridware.com/ http://nettedautomation.com/iec61850li/dll/index.html
- 15. Is actually IEC 61870-5-104 Master, Slave, Master-Slave No security mechanisms in standard and in implementations Extensible and vice versa by design Vendors publish checklists with supported functions Mainly for gathering telemetry in electricity distribution and power system automation Except the IP addresses of Masters defined on Slaves interrogations Can feature control functions write, command, execute
- 16. Discovery TCP port 2404 Application level ASDU broadcast address As soon as RTU receives broadcast to enumerate IEC 104 endpoints it sends broadcast itself If there is an RTU nearby you’ll get infinite broadcast BCR (Binary Counter Reading) hack with frozen binary counter can mitigate this Do it at home unless … don’t do it
- 17. Reading data Writing data Done by interrogations which provides set of controlled data Inspect vendor document on supported protocol features Simulators, libraries and fingerprint tool https://github.com/atimorin/PoC2013/blob/master/i ec-60870-5-104/iec-60870-5-104.py https://code.google.com/p/mrts-ng/ https://code.google.com/p/sim104/
- 18. IEC 104 travels over dedicated network Remote Control IEC 104 Power plant 1 Power plant 2 Power Plant N
- 19. IEC 104 flows through RTU to SCADA Server SCADA Server reads/writes data as requested Power plant 1 FW: IEC 104 port opened RTU FW: IEC 104 port opened SCADA Server Open/Close the Door PLC
- 20. Remote Control IEC 104, SMB, HTTP, etc corp.company.loc Power plant 1 Power plant 2 Power Plant N office.pp1.company.loc office.pp2.company.loc office.ppN.company.loc
- 21. corp.company.loc Now this does look like typical pentest Remote Control IEC 104, SMB, HTTP, etc Internets E-mail Sharepoint Remote applications Web sites Power plant 1 Power plant 2 Power Plant N office.pp1.company.loc office.pp2.company.loc office.ppN.company.loc
- 22. corp.company.loc Now this does look like one of the pentest attack vectors Remote Control IEC 104, SMB, HTTP, etc Internets E-mail Sharepoint Remote applications Web sites Power plant 1 Power plant 2 Power Plant N office.pp1.company.loc office.pp2.company.loc office.ppN.company.loc
- 23. Internal protocols Authorization process And how no to pay attention and get to serious stuff
- 24. WinCC Web-Client Internet, corp lan, vpn’s WinCC DataMonitor Some networks WinCC SCADA-Clients LAN WinCC Web-Client WinCC SCADA-Client +Web-Server WinCC Servers Engineering station (TIA portal/PCS7) PROFINET PROFIBUS PLC1 PLC2 WinCC DataMonitor PLC3
- 25. ActiveX components for communication and rendering of HMI Another component of WinCC. For example, forwarding commands to the PLC via the S7 protocol IIS extension SCSWebBridgex.dll Manages SCS connection and converts data to PAL CCEServer.exe Yep-Yep, again) CCEServer.exe WinCC core: Manages requests of components WebNavigatorRT.exe Rendering HMI and command transmission
- 26. • • • • The POST requests from the client contains the binary data of SCS protocol Basic-authorization Authorization is “two-stage” (we’ll cover this later) For the real identification of client a specially “generated” ID is used
- 27. SQL query to database (using COM objects) Verification "special" Windows User The "hardcode" and etc. For successful authentication any path will do
- 29. Authentication of user in the database through the COM object on the server Getting ServerID and the “magic” activity for the password to WebBridge Using received "magic" password to work with SCSWebBridgeX
- 30. Oh! En/c(r)ypt[10]n! ServerID = Base64(RC2(pass, key)), where key = MD5(dll hardcode)
- 31. And forget that before we entered a another password... Not my department password!
- 32. Sql injection in Basic-authorization. It is too hard for me.
- 33. Passwords in database is not plaintext… CVE-2013-0676
- 34. But, it’s just XOR with very secret string. CVE-2013-0678
- 36. So, we have another way to get ServerID and later access SCSWebBridgex.dll
- 37. Still not quite ...
- 38. "Magic" password = MD5(WNUSR_DC92D7179E29.WinPassword) Stored in the registry and encrypted with DPAPI. But with no luck. Wrong flag allows any users (including Guest) on this host to get password for special Siemens user. BTW, this user is local admin. Password generation features very good charset, but chars used uniquely and length is 12 to 14 chars which is not making cracking MD5 harder
- 39. All further communications authorized with this password For dispatching requests a special ID is used that is generated ... in some weird and funny way
- 41. Transmitted ID represents index and identifier in the pool of objects which is responsible for storing the data and dispatching requests Offset Description Size 0 PoolID 2 2 PoolIndex 2
- 43. HMI Other components CCEServer PLC Communication License server To start communication components must call CAL_StartListen in the service CCEServer. This function is passing all the necessary information about the component. Such as: • Component’s GUID • His PID • Required callbacks • Etc
- 44. During initial communications SCS packet is transmitted with GUID describing target component
- 45. According to received identifier component's object is looked up Further communication occurs in the context of an established connection, through a protocol called CAL The mechanism of data transmission in the CAL protocol is based on a global MappedSections
- 47. For sending data: Section = ("GlobalSCS%08X%04X%04X%04XSAM", PID, SomeW, MapKey, Null); ReadyEvent = ("GlobalSCS%08X%04X%04X%04XSAN", PID, SomeW, MapKey, Null); SendEvent = ("GlobalSCS%08X%04X%04X%04XSAF", PID, SomeW, MapKey, Null); For receiving data: Section = ("GlobalSCS%08X%04X%04X%04XASM", PID, SomeW, MapKey, Null); ReadyEvent = ("GlobalSCS%08X%04X%04X%04XASN", PID, SomeW, MapKey, Null); ReciveEvent = ("GlobalSCS%08X%04X%04X%04XASF", PID, SomeW, MapKey, Null);
- 48. SQLi for retrieving HMI user passwords from db And XOR decryption tool Hardcoded credentials for retrieving ServerID Crack ServerID for Siemens windows user Use ServerID for communication WebBridge Session hijacking for privilege escalation on HMI Exploiting architecture weakness to use arbitrary components of WinCC (like PLC comms)
- 49. Contact despair: Gleb Gritsai ggritsai@ptsecurity.com @repdet Alexander Tlyapov atlyapov@ptsecurity.com @Rigros1