hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attacks - Lessons from Stuxnet

Targeted Industrial Control Process Attacks – Lessons from Stuxnet, Felix ‘FX’ Lindner

Upload: area41

Posted on 18-Dec-2014

Category: Technology

DESCRIPTION

The talk will show you the technical details of Stuxnet in their full glory and make you appreciate this work of engineering more. Based on a code-level analysis of the Stuxnet PLC payload, the presentation will explain techniques therein that can be used for industrial espionage and sabotage by copycat attackers against competitors' production facilities. Currently recommended defenses, their shortcomings and alternative approaches will also be discussed.

Bio: Felix 'FX' Lindner is founder and technical lead of the Recurity Labs GmbH consulting and research team. He is also the leader of the Phenoelit group and loves to hack pretty much everything with a CPU and some communication, preferably networked. He looks back at 15+ years of (legal) hacking with only a couple of Cisco IOS and SAP remote exploits, tools for hacking HP printers and protocol attacks lining the road.

TRANSCRIPT

Page 1: hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attacks - Lessons from Stuxnet

Targeted Industrial Control

Process Attacks –

Lessons from Stuxnet

Felix ‘FX’ Lindner

Page 2

About

Founder and technical lead of Recurity Labs GmbH

Over 20 years within the computer industry

Specialized in attack methodologies and techniques

Published first exploits against Cisco IOS and RIM BlackBerry

Reverse Engineer by heart

Page 3

Agenda

Goals of attacks on ICS

Standard attack patterns

Technical review of Stuxnet

Stuxnet prerequisites

Reusable techniques and patterns

Current defense strategies

Alternative defense strategies

Page 4

Goals of ICS Attacks

ICS attacks that were documented:

Demonstration purposes

Power grid

Chemical industry

Railroad management

Detonating a Trans-Siberian natural gas pipeline (disputed)

Delaying a uranium enrichment program suspected to be used for nuclear weapons

Page 5

Goals of ICS Attacks

Page 6

Goals of ICS Attacks

Commonly suspected goals in the future:

Harming the competition
  Delaying production of a competing vendor
  Primarily aimed at just-in-time suppliers

Blackmailing ICS owners
  Similar to documented cases of network blackmail, e.g. City of San Francisco vs. Terry Childs

Industrial espionage
  Extraction of ICS programming in order to reverse engineer recipes and algorithms

Page 7

Challenges of ICS Security

Topic                     | Office IT           | Control Systems
Availability              | Planned downtimes   | 24 x 7 x 365 x forever
Anti-Virus                | Widely used         | Uncommon / impossible
Lifetime                  | 3-5 years           | Up to 20 years
Outsourcing               | Common              | Becomes common
Software patching         | Regular, scheduled  | Slow, vendor specific
Change management         | Common              | Rare
Real-time performance     | Best effort         | Critical (safety, process)
Security awareness        | Good                | Poor (only physical)
Security testing + audits | Regular, scheduled  | None
Physical security         | Difficult           | Good if local, hard if remote
Time / Log correlation    | Common              | Often ignored

Page 8

Page 9

STANDARD ATTACK PATTERNS

Page 10

Internal Attack Patterns

Direct manipulation through means of subverted / bribed / disgruntled employees
  Removal of control system source code from site
  Configuration of various access restrictions using passwords not communicated

Compromise of upstream management systems
  Preferred method for people without ICS knowledge
  SAP Plant Management and similar homegrown tools with no or very little access controls

Page 11

External Attack Patterns

Pre-compromise of production components
  Logic bombs or intentional vulnerabilities in components acquired by the victim

Recommending or providing software with “side effects” to suppliers
  Especially well-suited for expensive software components
  Method occasionally used within the network community

Page 12

External Attack Patterns

Page 13

External Attack Patterns (cont.)

1. Compromise workstation computer in office network of target

2. Compromise server with control systems connection within target office network

3. Establish Man-in-the-Middle point of control between operator and ICS network

4. Modify control system

Page 14

The State of the Art in 2005

Page 15

Evolvement of Standard Patterns

Most ICS environments used to be equipment vendor specific
  In some industries, the production process is completely dependent on the vendors
  Solutions are homogeneous inside, heterogeneous outside of a particular process

The landscape changes rapidly
  Component-based procurement standardizes the production equipment
  Semi-standardized protocols are used to improve interoperability
  Wireless protocols get introduced to improve flexibility

Page 16

A TECHNICAL REVIEW OF STUXNET

Page 17

Features of Stuxnet

Multiple spreading mechanisms:
  CVE-2010-2568 Windows LNK vulnerability, local code execution
  CVE-2010-3888 Windows Task Scheduler, local privilege escalation
  CVE-2010-2743 Windows Keyboard Layout, local privilege escalation
  CVE-2010-2729 Windows Print Spooler Service, remote code execution
  CVE-2008-4250 Windows Server Service RPC handling, remote code execution
  Self-copying to remote network shares
  Self-copying to remote Siemens WinCC servers
  Infection of Siemens STEP7 project files for automatic launch upon load

Page 18

Features of Stuxnet (2)

Peer-to-peer updating mechanism in LANs

Contacting two predefined C&C (command and control) servers

Windows rootkit driver covering all Windows versions since 2000
  Driver file is signed with a valid code signing certificate

Circumvention and corruption of 10 different client security products
  Special treatment for 3 additional ones

DLL loading routine that fools behavior-based HIDS detection mechanisms

Page 19

Features of Stuxnet (3)

Fingerprinting an industrial control process through documented and undocumented data structures in programmable logic controllers (PLCs)

Backdoors all instances of Siemens WinCC and STEP7 by patching their communication DLL in order to hide its presence on the PLC

Virtualizes the PLC on the PLC itself, in order to modify input and output controls without the legitimate code on the PLC knowing

Page 20

CVE-2010-2568: LNK

Uses a special feature of .LNK files

Explorer needs the icon of the target of the LNK file in order to render it

LNK uses “dynamic icons” when pointing to a control panel entry

Dynamic icons use an alternative handling where Explorer.exe will call the LoadLibrary API on the destination

LoadLibrary causes the DLL’s DllMain function to be executed during load

100% reliable code execution within the context of the user’s Explorer.exe

Page 21

CVE-2010-3888: Task Scheduler

Uses a CRC32 compensation attack to exploit a design flaw in Task Scheduler

When creating a scheduled task, the scheduler creates an XML file for it
  The XML file contains the user the task is executed under
  The XML file is writable by the user creating the task

Scheduler runs a CRC32 on it and stores the checksum in the registry
  When the execution time arrives, the CRC32 is validated against the file

Stuxnet modifies the user context of the scheduled task and performs a CRC32 compensation

100% reliable code execution as LocalSystem on Windows Vista and above

Page 22

CVE-2010-2743: Keyboard Layout

Windows XP and lower allow keyboard layouts to be loaded from anywhere

A (not validated) index is loaded from the layout file in kernel mode and used as an index into a function pointer table with 3 entries

Exploit scans the memory past the function pointer table for DWORDs that are suitable memory addresses in userland
  When one is found (<0x80000000), allocates memory there and triggers the vulnerability

100% reliable code execution as kernel on Windows XP and below

Page 23

CVE-2010-2729: Print Spooler

Enumerates printer spool shares on the network, connects as Guest account

Print job requests to print an EXE and a MOF file, requesting to print to file in %SYSTEM32%

When printing for Guest, the spooler does not impersonate the remote user but runs as System, so writing to %SYSTEM32% is allowed

MOF (Managed Object Format) files are WMI class definitions; files placed below %SYSTEM32% in the WMI wbem\mof directory are compiled automatically
  Windows monitors the creation and executes the MOF file’s instructions, running the EXE file

100% reliable remote code execution as System

Page 24

CVE-2008-4250: Server Service

Known vulnerability, found being exploited in the wild by W32/Gimmiv.A
  Interesting to note: Gimmiv.A reports installed security products back to the C&C server

Exploits a vulnerability in the RPC path canonicalization within the remote service
  Patched since 2008 (MS08-067)
  Actually turns out to be a sister vulnerability to MS06-040

Gains code execution as System

Widely used exploit in the Metasploit Framework, including a large number of target Windows versions and circumvention of DEP on Windows XP and 2003

Fair chance of remote code execution as System

Page 25

Special DLL Loading

Host IDS behavior monitoring usually looks at LoadLibrary API calls

Stuxnet hooks file handling routines in NTDLL.DLL in order to redirect them into memory areas when special filenames are encountered

When Stuxnet uses LoadLibrary, the special filenames are invalid on the file system, so HIDS will ignore the call

Page 26

Corrupting the Watchers

Security Software   | Infected Process
KAV v1 to v7        | LSASS.EXE
KAV v8 to v9        | KAV process
McAfee              | Winlogon.exe
AntiVir             | LSASS.EXE
BitDefender         | LSASS.EXE
ETrust v5 to v6     | (fail)
ETrust (other)      | LSASS.EXE
F-Secure            | LSASS.EXE
Symantec            | LSASS.EXE
ESET NOD32          | LSASS.EXE
Trend PC-cillin     | Trend process

Page 27

Siemens STEP7 Project Infection

Stuxnet patches the STEP7 project file handling routines to modify any project opened in the development or management IDE
  Ignores projects older than 3.5 years
  Ignores projects that appear to be examples

A specific DLL is placed in the directory “hOmSave7” of the STEP7 project

STEP7 specific data in “Apilog\types” is modified so that the DLL from “hOmSave7” is loaded when the project file is opened
  The DLL is searched for in %SYSTEM32% and the STEP7 directories first, but when not found there it is loaded afterwards from the project’s directory

Page 28

Siemens STEP7 Project Infection (2)

Similar to STEP7 project infections, Stuxnet also infects MCP files, used by Siemens WinCC
  WinCC databases are accessed through a hardcoded username/password combination for an administrative user that cannot be changed
  Stuxnet uses remote SQL commands to transfer itself to the server and execute there

Project files (even locally) are infected with itself and a cabinet file in “GracS\cc_tlg7.sav”
  Such projects, if loaded into a WinCC server manually, may execute Stuxnet as well
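A triage scan for the project-file artefacts named on this and the previous slide, as an added example (my code, not from the talk). The directory and file names hOmSave7, Apilog\types and GracS\cc_tlg7.sav are the ones the slides give; the DLL file name in the demo, the byte-string heuristic for Apilog\types and the constructed project tree are my assumptions. Run it against a copy of the project directories taken from a host you trust: the rootkit driver listed under Features of Stuxnet (2) can hide files from a scan run on the infected engineering station itself.

```python
"""Scan STEP7 / WinCC project trees for the infection artefacts the slides
name (added example).  Rules, all of them heuristics:

  * any DLL under a directory named hOmSave7
  * the string hOmSave7 inside Apilog\\types (assumed marker for the
    modified STEP7 data that makes that DLL load)
  * a file cc_tlg7.sav under a directory named GracS (WinCC/MCP infection)

A demo tree with one clean and one infected project is built in a
temporary directory, so the scan runs offline.
"""
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

Finding = Tuple[str, str]  # (rule, path)


def scan_project(root: str) -> List[Finding]:
    """Walk one project tree and return sorted (rule, path) findings."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        d = Path(dirpath)
        folder = d.name.lower()
        names = {f.lower(): f for f in filenames}   # case-insensitive lookup
        if folder == "homsave7":
            for low, orig in names.items():
                if low.endswith(".dll"):
                    findings.append(("DLL in hOmSave7", str(d / orig)))
        if folder == "apilog" and "types" in names:
            p = d / names["types"]
            if b"homsave7" in p.read_bytes().lower():
                findings.append(("Apilog\\types references hOmSave7", str(p)))
        if folder == "gracs" and "cc_tlg7.sav" in names:
            findings.append(("GracS\\cc_tlg7.sav present", str(d / names["cc_tlg7.sav"])))
    return sorted(findings)


def build_demo_tree(base: str) -> Tuple[str, str]:
    """Create a clean and an infected project layout (constructed sample data)."""
    clean = Path(base) / "Clean_Line"
    (clean / "Apilog").mkdir(parents=True)
    (clean / "Apilog" / "types").write_bytes(b"S7OTBXDX\x00")
    (clean / "GracS").mkdir()
    (clean / "GracS" / "other.sav").write_bytes(b"legit")

    bad = Path(base) / "Line_42"
    (bad / "hOmSave7").mkdir(parents=True)
    (bad / "hOmSave7" / "payload_stub.dll").write_bytes(b"MZ")   # hypothetical DLL name
    (bad / "Apilog").mkdir()
    (bad / "Apilog" / "types").write_bytes(b"S7OTBXDX\x00hOmSave7\\payload_stub.dll\x00")
    (bad / "GracS").mkdir()
    (bad / "GracS" / "cc_tlg7.sav").write_bytes(b"MSCF")          # cabinet file magic
    return str(clean), str(bad)


def demo_scan() -> Tuple[List[Finding], List[Finding]]:
    """Build the demo tree and scan both projects; returns (clean, infected)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, bad = build_demo_tree(tmp)
        return scan_project(clean), scan_project(bad)


if __name__ == "__main__":
    for label, hits in zip(("clean", "infected"), demo_scan()):
        print(f"{label}: {len(hits)} finding(s)")
        for rule, path in hits:
            print(f"  {rule}: {path}")
```

Absence of findings proves little, since the slide notes the loader falls back to the project directory for any DLL it cannot find elsewhere; the durable fix is to treat project directories as untrusted input and never load code from them, which the Current Defenses slide says the vendor declined to do.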

Page 29

Siemens PLC Infection

On Windows PCs with Siemens PLC software, the DLL “s7otbxdx.dll” is replaced by a wrapper
  The original version is kept for functionality

The wrapper ensures that:
  When writing to the PLC, the Stuxnet PLC payload is added in transit
  When reading from the PLC, the Stuxnet PLC payload is removed and hence hidden from view

An additional thread runs, monitoring the PLC and verifying target properties

A second additional thread controls a Data Block on the PLC, remotely managing its behavior

Page 30

Siemens PLC Infection (2)

Before infecting any PLC, the injected code on the Windows PC verifies properties:

PLC CPU type 6ES7-417 or 6ES7-315-2

CP 342-5 Profibus interface module is present

At least 33 devices with Profibus identification number 0x7050 or 0x9500 are present
  Identification numbers are assigned globally unique to vendors’ devices by Profibus & Profinet International, comparable to IANA
  The devices are Variable Frequency Drives (VFDs) from Fararo Paya (Iran) and Vacon (Finland)

Page 31

Stuxnet MC7 Payload

Three payloads are delivered with Stuxnet
  Two almost identical payloads for 315-2 CPUs, called Block A and B by Symantec
  One larger payload for 417 CPUs, called Block C by Symantec

Replacement of DP_RECV
  DP_RECV is responsible for the processing of received Profibus messages on the PLC
  Original function code is moved and a malicious replacement is embedded

Organization Block (OB) 1 (cyclic execution) is patched with a call to the Stuxnet MC7 payload

OB35 (timed execution) is patched with a call to the Stuxnet MC7 payload (watchdog function)

Page 32

Binary Comparison of Block A and B

Page 33

Stuxnet MC7 Payload (2)

Block A/B implement a state machine:

1. Record frames via DP_RECV and monitor values of the VFDs, until enough events are recorded

2. Wait 2 hours

3. Send bursts of Profibus frames to the VFDs (Phase I)
  145 or 127 frames (Vacon VFDs)
  34 or 32 frames (Fararo Paya VFDs)

4. Send bursts (Phase II)
  2 or 36 frames (Vacon VFDs)
  23 or 27 frames (Fararo Paya VFDs)

5. Reset internal values and reinitialize internal structures

State 0 is the global error handler.

Page 34

Stuxnet MC7 Payload Code

ADD_AC:                      // CODE XREF: S7_LV+94p
    OPN   DB888
    L     DBW10h             // word 888.16
    L     W#16#3             // word 3
    <I                       // ACCU2 is less than ACCU1: 3 > 888.16
    JC    loc_2840           // jump if RLO=1 (DW888.16 < 3)
                             // (do not jump if DW888.16 is 3 or more)
    TAK                      // exchange ACCU1 and ACCU2
    L     W#16#4             // ACCU1 = 4
    >I                       // ACCU2 is greater than ACCU1: 4 < 888.16
    JC    loc_2840           // jump if RLO=1 (DW888.16 > 4)
                             // (do not jump if DW888.16 is 4 or less)
    L     DW#16#0DEADF007h
    PUSH                     // copy ACCU1 into ACCU2
    BE
loc_2840:                    // CODE XREF: ADD_AC+Ej, ADD_AC+1Aj
    L     DW#16#0
    PUSH                     // copy ACCU1 into ACCU2
    BE

Page 35

Timing of the MC7 Payload

Recording takes place for 13 days

Wait 2 hours (fixed)

Pause after first burst is 27 days

Pause after second burst is 27 days

67 days for one cycle of attack

Wearing out was the goal, not destruction

The product of the attacked process was the target, not the production equipment

Page 36

PLC Virtualization / Decoupling

PLCs, including Siemens S7, execute in cycles:
  Read all input signals and set the input table
  Execute OB1
  Write all output bits to the output table and generate signals

Stuxnet disables the automatic update of the Process Image Input and Output Tables
  Essentially decoupling the entire PLC from its sensor array, virtualizing it

Allows the Stuxnet payload to modify input and output bits (corresponding to signals) so the original code doesn’t notice any changes

No explicit operator spoofing required! This method may even fool people manually debugging the PLC.

Page 37

PLC Input / Output Decoupling

    L     LW0
    BLD   +7
    =     L 14h.0
    L     B#16#0
    T     LB15h
    UC    SFC1Ah             // SFC 26 (UPDAT_PI): Update Process Image Input Table
    JU    loc_24
    (arg) P# L 15h.0
    (arg) P# L 0.0
    (arg) P# L 0.0
loc_24:
    BLD   +8
    BLD   +7
    =     L 14h.0
    L     B#16#0
    T     LB15h
    UC    SFC1Bh             // SFC 27 (UPDAT_PO): Update Process Image Output Table
    JU    loc_46
    (arg) P# L 15h.0
    (arg) P# L 0.0
    (arg) P# L 0.0
loc_46:
    BLD   +8
    T     LW0
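The decoupling described on this and the preceding slide, as an added model in Python (my code, not the talk's and not S7 code): a toy PLC with a process image, a stand-in OB1 that implements overspeed protection, and an injected routine that takes ownership of the image update the way the slide describes. The I/O names, the speed values and the limit are constructed. What it makes visible is the practitioner point behind "may even fool people manually debugging the PLC": anything that reads the process image, HMI, online debugger or integrity checker alike, sees only what the payload lets it see, so verification has to come from the physical side of the I/O.

```python
"""Process-image decoupling, modelled as a toy scan cycle (added example).

Normal cycle:   physical inputs -> PII -> OB1 -> PIQ -> physical outputs.
Decoupled:      the automatic PII/PIQ transfer is switched off, injected
                code keeps OB1's view at recorded values and drives the
                physical outputs itself.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

Image = Dict[str, int]

SPEED_LIMIT = 1200                    # OB1 trips the drive above this (constructed)
RECORDED_NORMAL = {"speed": 1000}     # what the payload recorded as "normal"
ATTACK_SETPOINT = 1400                # what the payload commands instead (constructed)


def legit_ob1(pii: Image, piq: Image) -> None:
    """Stand-in for the plant's real OB1: overspeed protection."""
    piq["trip"] = 1 if pii["speed"] > SPEED_LIMIT else 0
    piq["setpoint"] = 0 if piq["trip"] else 1000


@dataclass
class PLC:
    ob1: Callable[[Image, Image], None]
    physical_in: Image                                   # sensor signals
    physical_out: Image = field(default_factory=dict)    # actuator signals
    pii: Image = field(default_factory=dict)             # process image inputs
    piq: Image = field(default_factory=dict)             # process image outputs
    auto_image_update: bool = True                       # what the payload switches off
    injected: Optional[Callable[["PLC"], None]] = None   # code patched into the cycle
    last_ob1_view: Image = field(default_factory=dict)   # what OB1 saw this cycle

    def scan_cycle(self) -> None:
        if self.auto_image_update:
            self.pii = dict(self.physical_in)            # 1. read inputs
        self.last_ob1_view = dict(self.pii)
        self.ob1(self.pii, self.piq)                     # 2. run OB1
        if self.injected is not None:
            self.injected(self)                          #    ...then the patched-in call
        if self.auto_image_update:
            self.physical_out = dict(self.piq)           # 3. write outputs


def payload(plc: PLC) -> None:
    """Model of the injected code: it owns the I/O path now."""
    plc.pii = dict(RECORDED_NORMAL)                      # OB1 keeps seeing calm values
    plc.physical_out = {"trip": 0, "setpoint": ATTACK_SETPOINT}   # drives get the attacker's


def run(cycles: int, real_speed: int, infected: bool) -> Dict[str, Image]:
    """Run the toy PLC and report what OB1 saw, the image, and the real outputs."""
    plc = PLC(legit_ob1, physical_in={"speed": real_speed})
    if infected:
        plc.auto_image_update = False
        plc.pii = dict(RECORDED_NORMAL)
        plc.injected = payload
    for _ in range(cycles):
        plc.scan_cycle()
    return {
        "ob1_saw": plc.last_ob1_view,
        "image_out": dict(plc.piq),          # what an HMI or debugger reading PIQ sees
        "physical_out": dict(plc.physical_out),
    }


if __name__ == "__main__":
    for infected in (False, True):
        r = run(3, real_speed=1400, infected=infected)
        print("infected" if infected else "clean   ", r)
```

With the real speed above the limit, the clean run trips; the decoupled run shows OB1 and the process image reporting a healthy plant while the physical setpoint is the attacker's, which is why the slide's engineering control (comparing what the PLC reports against independent measurement) is the only check that is not itself reading through the payload.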

Page 38

BLD: A Trick Not Used

STEP7 engineers frequently use a simple trick to hide code

The BLD instruction is used as a marker around blocks of code
  The instruction has no effect on the PLC, but is interpreted by the Siemens editors. Known combinations are:
  BLD 1 / 2 (FC with parameters)
  BLD 3 / 4 (FB with parameters)
  BLD 7 / 8
  BLD 14 / 15 (FC without parameters)
  BLD 103 / 104
  BLD 130 / 131 / 132 / 133 / 255

The Stuxnet code does not make use of this trick
  It actually keeps the original BLD instructions, wasting space and simplifying analysis using Siemens tools

Page 39

BLD Hiding

    BLD   +7
    A     "Always ON"        // When being nasty, use this snippet
    JC    Run
    UC    SFC 46             // Stops the CPU
Run:
    NOP   0
    ... your code ...
    CC or UC of your FC's
    BLD   +8

Call SFC46

Page 40

REUSABLE TECHNIQUES AND PATTERNS

Page 41

How Much Was Required?

Attack Capability                 | Required for Targeted Attack?
CVE-2010-2568 LNK                 | No
CVE-2010-3888 Task Scheduler      | No
CVE-2010-2743 Keyboard Layout     | No
CVE-2010-2729 Print Spooler       | No
CVE-2008-4250 Server Service RPC  | No
Self-copying to network share     | No
Peer-to-peer updating             | No
C&C Servers                       | No
Windows rootkit & certificates    | No
10 AV product circumventions      | No
Behavioral detection evasion      | No

Page 42

How Much Was Required?

Attack Capability                 | Required for Targeted Attack?
Self-copying to WinCC             | Optional
STEP7 project file infection      | Yes
ICS process fingerprinting        | Yes
STEP7 DLL Backdoor                | Optional
PLC Virtualization                | Yes

Page 43

Relevant Techniques

Most of Stuxnet’s functionality is spreading, survival and persistence oriented
  The measures taken are extreme

Targeted attacks on an industrial process only need a few key technologies

If the infection can be accomplished by human means, only the PLC payload stays relevant
  Stuxnet demonstrates how it is done

There is still significant room for advancements, considering the complexity of Siemens S7

Similar attacks are very likely to be possible with any other PLC vendor’s equipment

Page 44

Only In Siemens-Land

Dillon Beresford showed another way at BlackHat USA 2011:

Username: basisk

Password: basisk

Compromised OS below the MC7 layer is obviously a game over scenario for any security within the PLC network.

Page 45

CURRENT AND FUTURE DEFENSES

Page 46

Current Defenses

Siemens still postulates it’s the customer’s job to secure its automation process
  Code execution upon STEP7 project loading not considered a vulnerability. No fix.
  Code execution through fixed passwords on WinCC servers not fixed. The password is publicly known since 2008.
  At least the fixed username and password in the PLC OS is supposedly removed since 2009

Air gaps? Don’t help, don’t exist.
  Infected consultants and service engineers
  Process performance dashboards for management
  Agile production environments in supplier fabs

Virus scanners? Have not protected anything since 1970.

Page 47

Future Defenses

Frequent reprogramming of the entire automation environment
  Proposed by process engineers
  May actually be the best option today

Langner Controller Integrity Checker (CIC)
  Developed as a response to Stuxnet
  Promising first attempt at solving some of the problems
  Evasion obviously possible, as it suffers from the detection paradigm (AV software) problem
  Siemens specific, doesn’t help with other automation environments

Both don’t help when the underlying OS is infected

Page 48

Future Defenses

Future defenses can only get developed with a better understanding of the offense
  Stuxnet targets a very specific environment
  Currently flourishing research is completely utility centric (power, water, waste, railway)
  Industrial Control Systems are extremely environment specific by nature

The best protection is to evaluate your own environment’s vulnerability
  Based on a solid threat model, developed around your business and your likely adversaries
  The only approach that has been shown to work in other emerging threat areas before

Page 49

Thank You!

Felix ‘FX’ Lindner, Head

[email protected]

Recurity Labs GmbH, Berlin, Germany
http://www.recurity-labs.com