RootedCON 2014 - Kicking around SCADA!

1
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Tú a Boston Barcelona y yo a
California Tejas
A patadas con mi SCADA!
Juan Vazquez & Julian Vilas

2
Presentation
!   Juan Vazquez (@_juan_vazquez_) from Austin (USA)
–  Exploit developer at Metasploit (Rapid7)
!   Julian Vilas (@julianvilas) (Redsadic) from Barcelona
(Spain)
–  Security analyst & researcher at Scytl
!   Bloggers of a non-too-much-regularly-updated blog J
–  testpurposes.net

3
Motivation
!   After being working side by side during years, we
decided to do something together! (Just when we’re
8.000 Km far)
–  Handicap: Distance & Timezones (GMT +1 vs GMT - 6)

4
Motivation
!   What? Some SCADA research:
–  No intro to SCADA
–  No compliance & regulation review
–  No paperwork research about its security in general
–  Just (in-depth) analysis of a big SCADA product
!   Why?...

5
Index
!   Introduction
!   Platform Discovery
!   Vulnerabilities & Exploitation
!   Post Exploitation
!   Last topic
!   Conclusions

6
Introduction
!   Yokogawa CENTUM CS 3000 R3
“Yokogawa released CENTUM CS 3000 R3 in 1998 as the first Windows-based
production control system under our brand. For over 10 years of continuous
developments and enhancements, CENTUM CS 3000 R3 is equipped with functions
to make it a matured system. With over 7600 systems sold worldwide, it is a
field-proven system with 99.99999% of availability.”

7
Introduction
!   Present at oil&gas, refining, chemical, power, …
–  Customers (all over the world) like: BP, Total, Chevron,
Shell, Tamoil, Samsung, Bridgestone, Mitsubishi, PPT, …

8
Introduction
!   Why we selected this product?
–  Handicap: closed software, difficult to get access
!   First version achieved
–  R3.02 (September 2001)
!   Finally, digging deeper into the Wild Wild Web, we
found a more recently version
–  R3.08.50 (October 2007)

9
Introduction. Basic elements.
!   FCS (controller)
!   HIS (operation&monitoring station)
!   Field elements

10
Introduction. Topology.

11
Introduction. Our Environment
!   What exactly do we have?
!   Tons of exe’s, dll’s, docs, installed on Windows XP
SP2 (SP3 support was added on R3.08.70
(November 2008)) ← Yes, WTF!
!   Software with capabilities for:
–  Operating & monitoring functions (HIS)
–  Engineering
–  FCS simulation & virtual testing

12
!   Spend lot of hours reading documentation
–  Wasn’t funny :(
!   Found utilities for designing the operation &
monitoring graphics
–  FYI the graphics can be viewed like logic circuits,
interpretated by the controller

13
!   Started playing with it but soon realized we were
totally lost
Who said 8 == D ?

14
!   Process Variable (PV)
!   Set Point Variable (SV)
!   Manipulated Variable (MV)

15

16
!   It means:
–  FCS gets PVs from I/O modules
–  FCS knows the SV value, and therefore if it should do any
correction operation (MV) to I/O modules

17
!   From the point of view of operating & monitoring
–  HIS gets PVs from FCS
–  HIS can set SVs to FCS
–  HIS can get MVs from FCS
S
V

P
V

18
Introduction
!   Doesn’t look familiar?

19
Platform Discovery
!   Work with the product
!   Discover the components
!   Discover the Real Attack Surface!
–  Windows Services
–  Application Network Services
–  Application Local Services
–  Application client components (ActvX).

20
Platform Discovery
!   Example: Initial Installation

21
Platform Discovery
!   Example: Basic Demo Project Running (I) /
Processes

22
Platform Discovery
!   Example: Basic Demo Project Running (II) / Network

23
Vulnerabilities. Documentation.
!   First fails were discovered during installation
process
–  Windows user created: “CENTUM”
–  Password: we’re sure you can guess it in your first try ;)

24
–  Program installed under “C:CS3000”
–  Wait….

25
!   WTF?

26
!   WTF?

27
!   WTF?

28
!   WTF?

29
Vulnerabilities. Design.
!   Problems in typical SCADA protocols (like MODBUS)
have been widely discussed
!   Things are not so different here, even in the
application layers you can spot a set of protocols
with a lack of authentication, integrity checks, etc.

30
!   Example: File Sharing protocol, similarities with FTP.
No authentication

31
RETR command STOR command

32
!   Metasploit DEMO.
–  Using Auxiliary modules to download and upload files.

33
Vulnerabilities. Implementation...
!   5 Vulnerabilities Found
–  Stack and Heap Based Buffer Overflows
–  In different binaries (applications and protocols)
!   Disclosure
–  Rapid7 Vulnerability Disclosure Policy
•  https://www.rapid7.com/disclosure.jsp
–  Contact with Vendor (15 days)
–  Disclosure with CERT (45 days) (CERT and JPCERT in our
case)
–  Public Disclosure (60 days)

34
Vulnerabilities. Implementation.
!   Summary
–  Heap Buffer Overflow in BKCLogSvr.exe
–  It shouldn’t be readable
–  Stack Buffer Overflow in BKHOdeq.exe
–  Stack Buffer Overflow in BKBCopyD.exe
–  It shouldn’t be readable

35
!   How to find them? Semi Guided Dumb Fuzzing
1) Basic understanding of the Protocol
–  Network Captures
–  Reverse Engineering
2) Fuzz
3) Profit

36
!   Heap overflow in BKCLogSvr.exe
–  Uninitialized stack data + memcpy

37
!   Buffer Overflow in BKHOdeq.exe
–  Extracting lines from user data

38
!   Buffer Overflow in BKBCopyD.exe
–  Use of dangerous functions vsprintf and strcpy in the
same function.
–  Used to parse commands and arguments… ooops!

39
Exploitation
!   Supported Operating Systems

40
Exploitation
!   Lack of Compilation Time Protections (stack
cookies)
!   Lack of Linking Time Protections (SAFESeh)

41
Exploitation
!   DEMO: Metasploit vs Yokogawa CENTUM CS3000
–  Exploits will be landed in Metasploit.
–  Free shells! we love shells! J
–  Check your installations! (more about that later…)

42
Post Exploitation
!   We got shells… now what?

43
Post Exploitation
!   We should have access to systems with highly
valuable data, get it!
!   Steal data in SCADA environments :?
–  Meterpreter is a powerful payload!!
–  OJ (TheColonial) is doing an awesome work with it!
–  You definitely should read:
•  http://buffered.io/posts/3-months-of-meterpreter/

44
Post Exploitation
!   The recent OJ’s work includes Window Integration:
“The goal here was to make it possible to enumerate all the windows on the current
desktop to give you a clearer view of what the user is running, and to perhaps allow
for interaction with those Windows later via Railgun”
!   We have used it to enumerate interesting windows,
maximize and screenshot them!

45
Post Exploitation
!   We should have access to systems with the power… to move
things… move them!
!   Code Injection to allow tampering of communications
between HIS and FCS
!   What to tamper?
–  SV
!   Where?
–  BKFSim_vhfd.exe
!   How?
–  Uses ws2_32.dll and its API for TCP sockets.

46
Post Exploitation
!   How to hijack?
–  File System: Just drop a trojanized DLL
–  Memory:
•  IAT hijack?
•  Detours Hooks?
!   …
!   Metasploit Friendly :?:?

47
Post Exploitation
!   Reflective DLL Injection!
–  Stephen Fewer
!   Integrated Into Metasploit / Meterpreter
–  https://github.com/stephenfewer/
ReflectiveDLLInjection

48
Post Exploitation
!   Metasploit & Reflective DLL Injection
–  Meterpreter & Extensions Loading
–  Payload stage
•  payload/windows/stage/dllinject
–  Local Kernel Exploits
•  Example: CVE-2013-3660 (pprFlattenRec)
–  Post Exploitation
•  post/windows/manage/reflective_dll_inject

49
Post Exploitation
!   DEMO
–  Windows Screenshots with Metasploit
–  Reflective DLL injection: trojanizing comms for
manipulating the control processes!

50
Last topic
!   OK, looks that the system is…
!   …but, it isn’t so important because these systems
live in isolated environments, right?...

51
Last topic
!   Shit! Let’s see again Yokogawa docs…

52
Last topic. #ScanAllTheThings
!   With all this knowledge… wouldn’t be awesome to
know if all this research matters?
!   Rapid7 - Project Sonar
–  ZMAP
–  Metasploit
!   Thanks to Rapid7 for helping us to
#ScanAllTheThings
–  Specially to Tas Giakouminakis‎ and Mark Schloesser
–  Don’t lose the opportunity to attend BH ASIA 2014!

53
!   Let’s see if we can find something out there…
UDP
Services
TCP
Services

BKESysView

1057/UDP

BKERDBFlagSet

1059/UDP

BKHBos

1062/UDP

BKHOdeq

1064/UDP

BKHMsMngr

1065/UDP

BKHExtRecorder

1069/UDP

BKHClose

1070/UDP

BKHlongTerm

1071/UDP

BKHSched

1072/UDP

BKBBDFH

1074/UDP

BKBRECP

1075/UDP

BKHOpmp

1076/UDP

BKHPanel

1077-‐1082/UDP

BKHSysMsgWnd

1083/UDP

BKETestFunc

1084/UDP

BKFOrca

1085/UDP

BKHOdeq

20109/TCP

BKFSim_vhfd.exe
20110/TCP

BKBCopyD

20111/TCP

BKBBDFH

20153/TCP

BKHOdeq

20171/TCP

BKBBDFH

20174/TCP

BKHlongTerm

20183/TCP

54
!   Methodology:
–  TCP Scan the Internet with ZMAP: 1,301,154
suspicious addresses
–  Eliminate false positives (blacklists, plus tests to discover
addresses answering open to all): 56,911 suspicious
addresses
–  Use metasploit-framework to scan with the safe probes

55
Last topic
!   In addition we’ve a bunch of vulnerabilities which
worths to detect
–  Metasploit isn’t a Vulnerability Scanner but...
...because
some
probes/
checks
in
exploits
are
really

good.

WriXng
good
probes
isn’t

easy
indeed!

56
Last topic
!   Results:
–  2 important environments around the world, conducting important
research projects with Yokogawa, are exposing CENTUM CS 3000
projects to the world

57
Conclusions
!   Goals
–  Understand and minimal deploy of the product
–  Dissect and pwn it
–  Discover how does it affect to the world
! Problems
–  Distance
–  Resources
–  Attorneys
!   Final conclusions
–  Severity
–  White hat vs Black Hat

58
Questions?
!   More info at
–  Twitter
•  @_juan_vazquez_
•  @julianvilas
–  Testpurposes.net
–  Rapid7 blog
!   Released exploits at Metasploit
THANKS!

RootedCON 2014 - Kicking around SCADA!

More Related Content

Similar to RootedCON 2014 - Kicking around SCADA! (20)

Recently uploaded (20)

RootedCON 2014 - Kicking around SCADA!