Turning a SCADA Vulnerability into a Successful Attack
ICSJWG 2011 Spring Conference, Dallas, Texas
May 2-5, 2011
SCADAhacker.com
Think like a hacker … to secure industrial control systems and protect critical infrastructure
Think like a hacker … Proprietary property of SCADAhacker.com – All rights reserved.
Everyone’s Watching ICS
• In 2010, Stuxnet raised the awareness of the public and underground to the potential of an ICS compromise
• On March 21, an Italian security researcher “publicly disclosed” 34 vulnerabilities covering 4 SCADA systems
• On March 22, another “public disclosure” was made targeting a fifth SCADA system
• On March 23, yet another “responsible disclosure” was announced against a sixth SCADA system
Systems Targeted on March 21
• 7 Technologies IGSS (Denmark)
  ‒ Versions 9, 8, 7
• ICONICS GENESIS (USA)
  ‒ Versions 9.21 (32-bit), 10.51 (64-bit) and earlier
• RealFlex Technologies RealWin (USA)
  ‒ Version 2.1 (build 6.1.1.10) and earlier
  ‒ “Demo” version only; “Commercial” version not vulnerable
• Siemens Tecnomatix FactoryLink (Germany)
  ‒ Version 8.0.1.1473 and earlier
  ‒ Product lineage: USDATA, Tecnomatix (’03), UGS (’05), Siemens (’07)
White Papers
• Co-authored with Eric Byres
• Coordinated with ICS-CERT and each vendor
Details of the Disclosure
• Vulnerabilities could be classified as:
  ‒ Arithmetic (integer) overflows: 13
  ‒ Buffer (stack / heap) overflows: 13
  ‒ Memory corruption: 2
  ‒ Read files: 2
  ‒ Write files: 1
  ‒ Denial of service: 1
  ‒ Command execution: 1
  ‒ Miscellaneous: 1
• Proof-of-concept (PoC) only demonstrated control of memory and did not validate that remote code could actually be executed
(Slide graphic labels: High Effort; High Impact / Low Effort; High Impact)
Proof-of-Concept
nc 172.16.252.137 12397 < igss_8b.dat
Turns to Exploit
nc 172.16.252.137 12397 < mypayload.dat
Pwned in 15 Minutes !!!
• Use MSF to create an attack payload and bundle it in Windows executable (exe) format
• Use the IGSS vulnerability to execute a TFTP GET command to download the payload
• Exploit the fact that Windows XP enables a TFTP client on the target by default
  ‒ Could use the Luigi exploit to “enable” it if it was disabled!
• Use the same vulnerability to execute the payload
• System is completely compromised!
DEMO
Create the Payload DEMO
Create Data Files DEMO
Launch Attack DEMO
Control the Process DEMO
Mitigation from Zero Days
• Most vendors rapidly issued patches:
  ‒ IGSS: March 25 (versions 9 and 8 only)
  ‒ FactoryLink: March 24 (8.0, 7.5, 6.6 only)
  ‒ RealWin: version 2.1.11 released February 14
  ‒ ICONICS: April 8 (versions 10.51 [64-bit] and 9.21/9.13 [32-bit])
• Emerging Threats Pro / NitroSecurity released 61 signatures to address multiple similar vulnerabilities
  ‒ Supports Snort and Suricata IDS platforms
  ‒ Incorporated into QuickDraw IDS signatures
• Industrial firewall (Tofino Argon 20) rulesets have been published, including a demonstration video for FactoryLink
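The attack chain on the “Pwned in 15 Minutes” slide leaves a recognisable network footprint (the SCADA host itself issuing a TFTP read request for an executable, and the IGSS service port being reached from a machine that is not an engineering station), and the mitigation slide above points at IDS signatures and firewall rulesets that key on exactly that. The following is an added example, not code from the talk or from SCADAhacker.com: it builds the TFTP RRQ that Windows XP’s tftp.exe sends for the GET step, then runs two detection checks over constructed sample traffic. Only the IGSS host address 172.16.252.137 and port 12397 come from the slides; the operator and attacker addresses, the payload file name mypayload.exe, and the stand-in bytes sent to port 12397 (which are not the PoC or exploit file) are assumptions. The port-12397 check is a plain host allow-list in the spirit of an industrial firewall rule, not the Emerging Threats signature logic.

```python
"""Added example: network footprint of the IGSS-to-TFTP attack chain and a
simple detector for it. Not code from the talk or from SCADAhacker.com."""
import struct
from dataclasses import dataclass

TFTP_PORT = 69
IGSS_PORT = 12397                      # port the IGSS PoC on the slides is sent to
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".vbs", ".scr")

# Assumed addresses: only 172.16.252.137 (the IGSS host) comes from the slides.
ICS_HOSTS = {"172.16.252.137"}
ENGINEERING_HOSTS = {"172.16.252.10"}  # assumed legitimate operator workstation
ATTACKER = "172.16.252.200"            # assumed attacker / TFTP server address


@dataclass(frozen=True)
class Datagram:
    """Minimal UDP view: source, destination, destination port, payload."""
    src: str
    dst: str
    dport: int
    payload: bytes


def build_tftp_rrq(filename, mode="octet"):
    """Encode a TFTP Read Request (RFC 1350): opcode 1, filename, NUL, mode, NUL.
    `tftp -i <host> GET <file>` on Windows XP sends this first (octet mode)."""
    return (struct.pack("!H", 1) + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def parse_tftp_rrq(payload):
    """Return (filename, mode) if payload is a well-formed RRQ, else None."""
    if len(payload) < 4 or payload[:2] != b"\x00\x01":
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None  # need filename, mode and the terminating NUL
    try:
        return fields[0].decode("ascii"), fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        return None


def inspect(dg, ics_hosts=ICS_HOSTS, engineering_hosts=ENGINEERING_HOSTS):
    """Return alert strings for one datagram.

    1. An ICS host acting as a TFTP client (the WinXP tftp.exe download step),
       escalated when the requested file name looks executable.
    2. The IGSS service port reached from a host that is not an engineering
       station (allow-list check; assumed policy, not the ET signatures)."""
    alerts = []
    if dg.dport == TFTP_PORT and dg.src in ics_hosts:
        rrq = parse_tftp_rrq(dg.payload)
        if rrq is not None:
            name, mode = rrq
            alerts.append(f"TFTP RRQ from ICS host {dg.src} for {name!r} ({mode})")
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                alerts.append(f"executable fetched over TFTP by {dg.src}: {name}")
    if dg.dport == IGSS_PORT and dg.dst in ics_hosts and dg.src not in engineering_hosts:
        alerts.append(f"IGSS port {IGSS_PORT} on {dg.dst} reached from unexpected host {dg.src}")
    return alerts


# Constructed sample traffic. The port-12397 payloads are placeholders, not the
# PoC or exploit file contents, which the slides do not show.
SAMPLE_TRAFFIC = [
    Datagram("172.16.252.10", "172.16.252.137", IGSS_PORT, b"\x00" * 16),             # operator traffic
    Datagram(ATTACKER, "172.16.252.137", IGSS_PORT, b"A" * 64),                       # stand-in for mypayload.dat
    Datagram("172.16.252.137", ATTACKER, TFTP_PORT, build_tftp_rrq("mypayload.exe")),  # victim's tftp -i GET
    Datagram("172.16.252.10", "172.16.252.20", TFTP_PORT, build_tftp_rrq("cfg.txt", "netascii")),  # non-ICS client
]


def run(traffic=SAMPLE_TRAFFIC):
    """Inspect every datagram and return all alerts in order."""
    alerts = []
    for dg in traffic:
        alerts.extend(inspect(dg))
    return alerts


if __name__ == "__main__":
    for alert in run():
        print("ALERT:", alert)
```

Running the script produces three alerts: one for the attacker reaching port 12397, and two for the SCADA host requesting mypayload.exe over TFTP. The operator’s traffic to IGSS and the TFTP request from a non-ICS host produce nothing. In a real deployment the datagrams would come from a capture rather than the constructed list, and the allow-list would be the firewall’s actual rule set.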
SCADAhacker.com: Think like a hacker …