Hacker-Machine Interface

Video in TIB AV-Portal: Hacker-Machine Interface

Formal Metadata

Hacker-Machine Interface
State of the Union for SCADA HMI Vulnerabilities
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Content Metadata

Abstract
Over the last year, synchronized and coordinated attacks against critical infrastructure have taken center stage. Remote cyber intrusions at three Ukrainian regional electric power distribution companies in December 2015 left approximately 225,000 customers without power. Malware such as BlackEnergy is being specially developed to target supervisory control and data acquisition (SCADA) systems. Specifically, adversaries are focusing their efforts on obtaining access to the human-machine interface (HMI) solutions that act as the main hub for managing the operation of the control system. Vulnerabilities in these SCADA HMI solutions are, and will continue to be, highly valuable as we usher in this new era of software exploitation. This talk covers an in-depth analysis performed on a corpus of 200+ confirmed SCADA HMI vulnerabilities. It details the most common vulnerability types discovered in HMI solutions developed by the biggest SCADA vendors, including Schneider Electric, Siemens, General Electric and Advantech. It studies the weaknesses in the technologies used to develop HMI solutions and describes how critical vulnerabilities manifest in the underlying code. The talk compares the time-to-patch performance of the various SCADA vendors, and compares the SCADA industry to the rest of the software industry. Finally, using the data presented, it provides additional guidance to SCADA researchers along with a prediction of what to expect next in attacks that leverage SCADA HMI vulnerabilities.

Bio: Brian Gorenc is the senior manager of Vulnerability Research with Trend Micro. In this role, Gorenc leads the Zero Day Initiative (ZDI) program, the world's largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world's most popular software. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions.

Fritz Sands is a security researcher with Trend Micro's Zero Day Initiative. In this role, he analyzes and performs root-cause analysis on vulnerabilities submitted to the ZDI program. Fritz also focuses on writing tools to perform static and dynamic analysis for discovering vulnerabilities. Prior to joining the ZDI in 2014, Sands was in Microsoft's Trustworthy Computing and Secure Windows Initiative, where he audited Windows code and developed dynamic analysis tools, and before that he was a system developer for multiple iterations of Microsoft Windows.
Alright, so this is Hacker-Machine Interface: State of the Union for SCADA HMI Vulnerabilities. I don't want the title slide here to indicate that this is about stuffy shirts and racks; this is about hardcore exploitation. In this talk we're going to cover an in-depth analysis of a corpus of 200-plus confirmed HMI vulnerabilities that have come through the Zero Day Initiative program. We're going to detail the popular vulnerability types that have been discovered in these HMI solutions, and we're going to talk about how they're developed and how the weaknesses actually manifest in the underlying code. We're going to talk about some of the biggest SCADA vendors that exist on the planet, including Schneider Electric, General Electric and Advantech, but all of the vulnerabilities that we're going to be talking about can be applied to pretty much every SCADA vendor that's out there today. This talk will also cover and compare time-to-patch performance for the various SCADA vendors in the industry, and will also compare the SCADA industry itself against the other entities in the software industry. And finally, we're going to use the data that we present to provide you additional guidance on what SCADA researchers should be looking for in HMI solutions, and what we can expect in future attacks against SCADA HMI solutions. But first,

let me... let's introduce ourselves so you know who we are. Well, Fritz, introduce yourself.

Good day, my name is Fritz Sands. My Twitter handle is FritzSands, because I'm occasionally boring. I was a long-time developer at Microsoft, 25 years in the Windows operating system, and then I joined the Trustworthy Computing and Secure Windows Initiative in 2001 when the big security push happened at Microsoft. I left Microsoft in 2014 and joined the Zero Day Initiative, where I have been investigating software in the real world, which has given me a deep appreciation for the code quality at Microsoft which I did not have when I was there.

So I'm the senior manager of vulnerability research in Trend Micro's TippingPoint organization. My primary responsibility in this job is to actually run and manage the Zero Day Initiative program, which represents the world's largest vendor-agnostic bug bounty program. We've been in operation for 10 years; we've spent over 13 million dollars on vulnerabilities over those years. We do a lot of root cause analysis, working with researchers around the world to buy bugs, define how they actually fire, and help the vendors get them fixed in a proper way. I'm also the organizer of the ever-popular Pwn2Own hacking competition, where I spent probably half a million dollars this year just on exploits against the hardest attack surfaces in the world. So
before we get started, we want to give you kind of an overview and level-set everybody in the audience about what we're talking about here: what the SCADA industry is, what HMI is, and who the heavy hitters in this industry are. A lot of the marketplace, if you look at it, is really focused on developing hardware and selling control systems, and not so much focused on the selling of the HMI solution itself. In fact, many of them are freely downloadable, which makes them good targets for auditing. So in this case they kind of focus on hardware, on software that runs on hardware, and less on Windows applications, and that really shows in the type of vulnerabilities that we're seeing come through the ZDI program. It is a highly regionalized market, so there are vendors in China that specifically develop SCADA software and hardware for Chinese implementation; there's also ones in Germany, and we've even seen code developed for China by Italian developers. So it's a very active market, and if you are focusing on SCADA products in one region, it will be completely different in another region. As you can see on the slide, we've got a bunch of big names on there. That [inaudible] brand is the one that is actually for China, and I personally found a dozen bugs in their HMI solutions and submitted them and had them fixed. Siemens is also a major brand, and GE, or General Electric, and Advantech, which we'll talk about heavily in this presentation. Now, there is also a lot of mergers and acquisitions in this space; it's very much like the rest of the software market, lots of buying, lots of selling. And the one interesting thing that we find is, when we buy a vulnerability in some of the mom-and-pop SCADA HMI shops, of which there are a lot, we'll see that by the time the patch comes out they've actually been acquired by one of the bigger companies like Schneider Electric or Siemens. So there is a lot of merger and acquisition that goes on, which makes the disclosure process a little bit more complicated.

If we look at the human-machine interface, what exactly is it? Its primary job is to provide status of the critical infrastructure: things like alarms, notifications. They also provide highly advanced and customizable visualizations that give operators insight into what is going on in their critical infrastructure; in a lot of these you can develop and customize these visualizations for different components in your actual infrastructure. Now, they're supposed to be air-gapped and run on isolated and trusted networks, but this is really not always the case, and we'll talk about attacks here in a couple minutes where they took advantage of HMIs that were not on isolated networks. Now, even isolation is not guaranteeing security; if you ask the Iranians, back when Stuxnet came out, the air-gapped network didn't really provide them much value when they were being exploited using the USB LNK vulnerabilities that existed. So if the developers are actually spending the time thinking that their HMI solutions are going to be used in air-gapped networks and not putting security in, that's what we're seeing in the code; that's what it feels like. They're not actually spending a lot of time implementing best practices of the industry. So why would you target an HMI solution as an attacker? Well, it's because it controls the infrastructure. You can actually see and get configuration information about devices on the network, and it can actually be used by itself, without a vulnerability, to shut down critical infrastructure. This is the case in the Ukrainian attack that happened at the end of last year: the attackers who were going after the Ukrainian power companies just used the HMI solution by itself to trip breakers and shut off the power; they were not actually exploiting HMI vulnerabilities,

but they were using the HMI system to actually take the systems down. Now it can also be used... you can actually attack these to deceive and disable alarm systems in the control system itself, and this is the case in Stuxnet, where they actually deceived the operators about the state of the centrifuges that they were controlling and actually sent commands to trigger self-destruction conditions in the actual control systems themselves. So there are active attacks on HMI solutions. If we look at, you know, Stuxnet is obviously the most popular one that we talk about, everybody knows about this one, but it did leverage vulnerabilities in HMI solutions, including the Siemens SIMATIC STEP 7 DLL hijacking vulnerability along with a SQL Server authentication bug, right? So these are really simple bugs, very common bugs in HMI solutions, and it leveraged those to deceive the operators about the state of the centrifuges. Now, BlackEnergy is an ongoing sophisticated malware campaign against ICS environments, and it actually does target HMI vulnerabilities: the GE CIMPLICITY path traversal vulnerability is used, and we believe it to have used the vulnerabilities in Siemens WinCC and Advantech WebAccess. So quite famously in the ZDI program, the GE CIMPLICITY vulnerability is actually one that we purchased from an anonymous researcher and disclosed to ICS-CERT, and it turned out that that was actively being used by BlackEnergy. So it's kind of interesting to see that happening in the wild. Now another big

player in the industry is ICS-CERT, and as a researcher you need to understand who this organization is and where they sit in the government. So I'll rattle off the title and their location in the government: they're the Industrial Control Systems Cyber Emergency Response Team, which operates within the National Cybersecurity and Integration Center, a division of the Department of Homeland Security's Office of Cybersecurity and Communications. I mean, that's a long name; I'm almost getting paid by the letter there. But in reality they're a very important organization, and people who are researching in HMI need to know who they are and learn how to work with them. We work with them every day in our jobs because we're purchasing a lot of vulnerabilities in HMI, and they do a lot of things. They actually release a report every year about all the stuff that they're doing, and according to the 2015 report they actually responded to 295 incidents and handled 486 vulnerability disclosures, and that's significant; that's a lot of vulnerabilities passing through that organization every year. Because it's so regional, it's often hard to get a hold of these mom-and-pop organizations when you find a vulnerability in their solution, and at this point you come to programs like the Zero Day Initiative or go to ICS-CERT to help you disclose those vulnerabilities and get them fixed. So let's talk about
attacks that leveraged HMI features or vulnerabilities in their active attacks. If you read the Verizon Data Breach Report,

they talk about an incident where their team was called in to analyze the security of a water utility. Now, they don't give the name of the water utility, but they do talk about their findings, and in this case they found that there was an Internet-facing AS/400 system responsible for HMI-like capabilities, like manipulating PLCs, but the system also did network routing and managed customer data. I mean, how ridiculous is that, that all of that information is sitting on one system connected to the Internet: critical infrastructure and billing systems. This is a prime example that there is no focus on the separation of responsibilities when they're architecting these critical networks. Now, what they discovered was there were four separate connections to this AS/400 over a 60-day period where the IPs were tied to activist activities, and they actually altered the water flow and the chemicals in that system. Now, according to the report, they say that the attackers really didn't understand what they were working against and didn't really do a lot of damage, but they could have done a lot of damage by accessing that system. The most recent example of a really high-profile SCADA attack was in the Ukraine, where there were several Ukrainian companies that experienced an unscheduled power outage which affected almost a quarter million people. These were caused by malicious actors, and there's actually a really great report on the ICS-CERT website that describes all the details about that attack, well, those that are unclassified. They talk about how the attack was coordinated, and they all attacked within 30 minutes, and in this case they didn't use HMI vulnerabilities, but they leveraged the HMI solution: because there's no isolation, they were able to VPN into the network and get access

to the HMI solutions and use remote administration tools, which stopped the operators from making any changes, and they actually just tweaked the knobs in the HMI solution to turn them off and tripped breakers, and as a result the power went out. They also put KillDisk malware on the Windows-based HMI systems, which basically brought them to their knees and really hurt the restoration efforts. Now, this is obviously used to destabilize Ukraine a little bit; I don't think they've actually attributed the attack, but there is a lot of political stuff going on in that region, so you can imagine. Now, there's also some interesting research that came out of a sister organization here inside of our company where they actually looked at the malware that was used in the Ukrainian attack and found links to malware at other companies in the Ukraine, including a rail company and a mining company, around the same time. Now, BlackEnergy was supposedly not used in the attacks against the Ukrainian power company, but it did exist in that network, so you can imagine that the attackers who were going after those are probably the same attackers who had access to some rail and mining companies in the Ukraine as well. Our sister organization looked at the infrastructure of the malware and the naming conventions that were used, and they released a white paper on it, and it's actually really, really interesting and worth a read; it's on the Trend Micro blog. So let's talk
about the prevalent vulnerability types that exist in HMI solutions and what the current state really is. So the reality

of the situation is the HMI solutions have not seen any benefits of the evolution of secure software development life cycles over the last 10 years. We have looked at a lot of the code, you know, dozens and dozens of code bases we've analyzed, and looked at vulnerabilities and confirmed zero-days, and that's what we've learned: there really is no security built into that software. They haven't seen any benefits of the secure development lifecycle that Microsoft, Apple, all these other companies have, and this is actually a really scary thing. In fact, most of the solutions that we're vetting bugs in do not have ASLR, SafeSEH or stack cookies enabled, which is just really, really scary, and we actually urge SCADA vendors to turn on all of these mitigations, including things like building 64-bit apps to make ASLR better and actually reduce the reliability of heap sprays, and also turning on just the basic mitigations that are available by flipping a toggle in the compiler. That's all that needs to happen; it's actually really embarrassing. There's also a lack of understanding of how these HMI solutions are actually run. They seem to think that they're going to be running in that isolated environment, and they're using that as a way to not implement security mitigations, but they are continually being integrated, and you've seen attacks in the wild that leveraged interconnected HMI solutions to take down critical infrastructure. So this is

probably the only pie chart that you're going to see at DEF CON, and I'm actually really proud of that because I did a lot of work to generate this pie chart. What we ended up doing was we pulled all the 2016 and 2015 ICS-CERT advisories and identified all of the HMI solutions that had bugs fixed over the last two years. We cross-referenced that with our 250-plus zero-day vulnerabilities that we've purchased in HMI solutions to come up with what the most common vulnerability types are in HMI solutions. We also cataloged the CWEs to kind of get an idea of what vulnerabilities existed, and here they are listed on the slide. So the number one is memory corruption, followed by credential management (usually hard-coded passwords), insecure defaults, authentication and authorization, and code injection issues. Now, what about cross-site scripting? What about cross-site request forgery? Well, most of these are Windows-based applications; there are some web-based applications, but most of them are Windows, and as a result you're not going to see a lot of that cross-site scripting stuff, but there are some in that gray area on the slide. So what we're going to do is

let's get down and dirty with this. Let's look at every single one of those categories, and we're going to give you case studies of what these look like so you can understand how terrible this code base really is, and what you need to understand to actually go find these bugs and to protect yourself against these bugs, and that's the most important part. So first we're going to talk about
code injection vulnerabilities. These make up about nine percent of the common vulnerability types that exist in these products, and, you know, it's the classic stuff: SQL injection, code injection, OS command injection. But there are other, domain-specific languages that exist in this software, and that's what we're going to talk about today. We didn't want to cover stuff you guys already know, so we're going to talk about Gamma code injection. This is a domain-specific language that's used in this industry. Specifically, we're going to talk about Cogent DataHub, and we're going to talk about CVE-2015-3789. This vulnerability actually allows an attacker to turn on an insecure processing mode in the web server, which allows the attacker to send arbitrary scripts to the server and execute arbitrary code. This was discovered by an anonymous researcher, purchased by us, disclosed to ICS-CERT and fixed. We do offer the ability for people to submit bugs to us in an anonymous fashion, and we actually get a lot of that through our program.

So what is Cogent DataHub? Well, that's what you see on the screen here; that's one of those visualizations that I was talking about. Cogent DataHub is a real-time middleware solution that is deployed across several sectors, including chemical, commercial, critical manufacturing, energy, financial, etc., and it's used around the world. It offers the end user the ability to create those really intense, advanced visualizations, like the one you see on the slide here, and customize them so they can monitor their underlying network.

So what is Gamma script? Well, Gamma script is a domain-specific language specifically designed for use within DataHub. It's a dynamically typed, interpreted programming language specifically designed for rapid application development. It looks like C, and I'll show you some here in a second, and it has a range of built-in features and libraries and everything. It actually has a fully documented API that you can read on the internet, and it's actually pretty full-featured for those application developers. Now the attack itself is a flaw in the EvalExpression method, and it allows an attacker to execute arbitrary code on the system. It actually sits and is accessible through an AJAX facility on port 80, and you simply supply a well-formatted Gamma script, which allows the underlying code execution. Now the interesting thing about this is that it's domain-specific, so there's a lot of functionality in Gamma that's specifically used for developing that stuff, but unfortunately it did have in the Gamma script the ability to execute system commands.

So what is the vulnerable code? Right here on the screen is a very, very simple EvalExpression. It basically takes an expression and checks one flag: am I allowed to execute this expression? And if it is allowed, then it executes the expression, right, and this is whatever you want to send to the system. Now the question is how do you actually get that to load up, and how do you change that value? What else allows you to do that as well? The exploitation steps are: you send an HTTP request to port 80, which will load the Gamma script libraries; then you call AjaxSupport's AllowExpressions, which will set allow-any-expression to true; and then you call EvalExpression with whatever script you want, and you execute code.

So let's demo that exploit. What you see here is an installation of DataHub. You can kind of zoom in for the audience here... yeah, well, forget that. So what we're going to do is, right here on the screen, what's highlighted is Cogent DataHub version 7, and it's running and sitting on port 80. The first thing we're going to do is run a proof of concept here at the bottom. It's basically just a Python script that sends the three commands that we need, and it will actually disclose information on the server; it's disclosing autoexec.bat on that box. Then we're going to send another script which will actually execute calc, the evil, evil calculator, and you'll see here it's actually a very, very reliable bug and a very reliable exploit. You can just kind of send it over and over and over again, and there are those evil calculators. So that's a pretty fun bug, a really simple bug, and they did actually do a really good job fixing it, and you can see here all the calculators being spawned by the process.

So now, how did they patch the bug? This is kind of one of the interesting things for the ZDI program, because when bugs get patched, researchers will also submit bugs, PoCs, that actually break their patches, which is kind of interesting, but here it's going to be kind of difficult. On your left is the old code and on your right is the new code, and you can see up here that they actually removed AllowExpressions, so you cannot access that at all; you can no longer toggle that flag in the system. They also removed EvalExpression entirely, and they actually gave it a really great comment, which is actually a best practice: this method is dangerous, it could allow somebody to execute arbitrary code via an HTTP call; if you absolutely need it, create a script and define it, and then make sure that your web server is on a trusted network. So that code is buried in the application itself, so it's highly unlikely that a developer is going to go look at that; they're just going to call the APIs. But it is good, the fact that they actually documented that, so they won't regress that bug at some point. So that's how that bug actually works. So I'm going to turn it over to
Fritz, and he's going to cover the rest of the prevalent types, and then we'll talk about some disclosure statistics.

Hello again. So the next section we're going to look at is authentication and authorization problems: authentication bypass, improper access control, improper privilege management, bad authentication. What we're going to focus on is an Advantech case, and you're going to hear Advantech a lot. This is actually a pretty fun one; it's information disclosure, and this is CVE-2016-5810. ICS-CERT says a properly authenticated administrator can view passwords for other administrators, but the terminology is a little unfortunate here, because this is not a system administrator; this is an administrator of a given SCADA solution, a given project, and so that is sort of akin to unprivileged users of the system. So this is a nasty one, saying one user can extract the password of another user. This was discovered by Zhu Yu and disclosed by the Zero Day Initiative, and it's sort of fun. Basically they have an ASP script that allows you to change your username, your password, your description, and this is great, but it can be abused. The way you do it is you log in to the account you have (so this is not anonymous; you have to have an account on the system), but then you can change the URL to give any other name and pass that in, and it will bring you back the password of the second account. Now you can't see the password, because it's got asterisks in front of it. Yeah.

So here's the demo showing it. First, log in as the admin, and by the way, you can also get the full system administrator account this way, and you can see that there's a test one and a test two user. So now you log in as test one and put in your password for test one, and that's all great. Now if you try to change to test two using the UI, it will quite properly give you an error saying you can't do that. But if you change to a username of test two in the URL, it will pop it back, but it's got those asterisks, so we've got to fix that. So you view the source, and there's the password, and then you can use that password, of course, and log in as anyone else, including, of course, the complete system administrator of all of the solutions. And there you've got it; you're logged in. And... okay, here it goes.
So that one was sort of fun, and there's also a lot of insecure defaults in this space: cleartext transmission of information, missing encryption, unsafe ActiveX controls. Yes, we're back to ActiveX controls. So the one we're going to focus on here is the Schneider Electric VsMbs, and this is a bad ActiveX control with memory corruption. Now even though it's memory corruption, we put it in here because this ActiveX control, well, first, it was set as safe for scripting from an untrusted source, but what's also interesting is it was never meant as a control to be used in Internet Explorer in a web page, so it should have been configured as automatically kill-bitted. So it's a really bad configuration; it was wide open to Internet Explorer when it should not have been, and this is CVE-2015-0982. The Schneider Electric Pelco here is an HMI for Digital Sentry video surveillance systems, so it's really great; you can use this to, you know, get information on video surveillance systems, which is always fun.

Well, I wanted to show this for people who are going and auditing, looking for ActiveX controls that might be vulnerable. This shows an interesting second step you often need to take. There are two ways to tell the system that an ActiveX control is safe for scripting. The standard way is statically, in the registry: the control is marked as safe for scripting, or it is not. But if it's not marked in the registry as safe for scripting, it can then use the interface IObjectSafety and, dynamically at runtime, assert that it is safe for scripting. So even though in the registry it's not marked as safe for scripting, it still is potentially vulnerable, so you've got to look at the dynamic situation as well as the static situation; you can't just do one. And here's just the demo of how the memory corruption works, which is you use Internet Explorer and you go to an attacking web page which invokes the control in IE, and it does a stack buffer overflow and fills everything with your classic 0x41s that we all know and love. Let's talk about some credential
management problems. This actually, I was really shocked when I ran into this, because it's like, you're kidding, right? This happens a lot, that they hard-code credentials in the code, hard-coded passwords. You know, I thought we'd gotten rid of that 15 years ago with IIS, but, well, we're in SCADA space; you're hacking like it's 1999. It's awesome, it's awesome, we're back then. So the one we're going to look at is GE MDS PulseNET, and it's got a hidden support account, and this is really fun. This is used to monitor devices on industrial communication networks, and it's deployed in the energy, water and wastewater sectors and used worldwide. This is CVE-2015-6456. So if you take a look at the user management panel using the UI, you see that there are exactly two accounts in the system: there's an admin and an operator. Well, that lies. If you go in and use (I used HeidiSQL, but if you use anything that extracts information from the database) you see that there are not two accounts, there are three; there's a hidden account called GE support. Now it's really super subtle, because it only stashes the MD5 hash of the password, not the password itself. Certainly no one here could crack an MD5 hash, right? It turns out that the password is actually pulsenet, but they made it leet by changing the l to a 1. And here's the demo. You can see on the right the two users that are officially there, and on the left we will log in as the user that isn't there, and what I think is really cool is that even after you log in as the user that isn't there, while your login is the user that isn't there, it tells you that that user is still not there, which I just think is sort of slick.

There's also a lot of other misconfigurations. One of the other ones that we see a lot is where companies decide to roll their own installers, and they decide they don't want to put things under Program Files as Microsoft intended, and so they create their own top-level directory with their company name under the C drive, and they often put in a world-has-full-access ACL, and then they put their service binaries in there, so any local user can drop new binaries in and they will run as a system service. So this is very standard. Now we
get to the joy of memory corruption: stack-based buffer overflows, heap-based buffer overflows, out-of-bounds read/write, just the classic ones. And Advantech is our whipping boy here, because they did an awesome job here: we got a hundred bugs in one day from an anonymous researcher. This was like this data dump from heaven, and we analyzed them and passed them on, and they were all buffer overflows, and it was quite impressive. And I'll drill into one in particular. This is CVE-2016-0856, and it was an anonymous researcher and disclosed by us. This is their web page, and what's really interesting about WebAccess is that it's a SCADA solution, but they also advertise, as you can see in here, that this is for the Internet of Things, so this is widely deployable, and it's awesomely vulnerable.

It launches a service, webvrpcs, in the context of local administrator, and it listens on port 4952. The service calls are configured to look like Microsoft I/O control calls, so they've got an IOCTL value and they do jump tables off of that to perform hundreds and hundreds of types of services. For this particular one, the parameter that's passed is a window name, which is then copied using sprintf to a stack buffer that is 0x80 characters, and as you can see in this packet the length is 0x8C, so it copies 0x8C bytes into a 0x80-byte buffer on the stack, with predictable consequences. And so inside you've got this, and the flaw is the stack-based buffer overflow. Here's the classic sprintf call; you know, nothing of a surprise there. Here is the stack layout, and this is sort of fun, because you can tell the window name is at minus 0x80 and then 0 is your return address. No stack cookie. Why no stack cookie? They didn't flip the bit in the compiler and linker, probably because they first built this 20 years ago and they never changed their configuration to add ASLR, to handle SafeSEH, to handle stack cookies. So all you have to do is overwrite the return address, point it to the first gadget of your ROP chain, and you can handle the ROP chain well because there's no ASLR. Life is good; life is really good. So you can see it's jumping to an address, and here I will pop the glorious calc. And this was fun to do. Bingo. And that's running at high privilege. Life is good.

Let's talk about the patch analysis. sprintf: Microsoft published the banned API list a decade ago, and there's a reason why Microsoft published the banned API list. So what they did when we reported this is they changed sprintf into snprintf. Now snprintf is also on the banned API list. It's a better banned API because it won't buffer overflow, but if you give it too many characters it also will not null-terminate. So if the stack is not pre-cleaned out (and it isn't), it is possible for you to then use string manipulations on this window name, where you think it's 0x80 characters long, where it may be longer because it didn't null-terminate with the copy. So there still may be problems. As I said, a hundred bugs came in; Advantech fixed 75 of them. We have disclosed the other 25 as not fixed; you guys can enjoy. Also, when they did fix, they did not do any kind of global replace; they did specific point fixes of the ones that they fixed. There are thousands of strcpys, sprintfs, etc. in the code base, and I would not bet ten cents that none of those can be reached by attacker-supplied data. So have fun, guys, have lots of fun.
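The following is an added example by the editor, not code from the talk and not Advantech's code, showing the point made above about the sprintf-to-snprintf patch. The speaker is describing the Microsoft CRT's _snprintf, which does not NUL-terminate on truncation; because C99 snprintf always terminates, the example emulates the CRT semantics in a small helper (crt_snprintf_like, a hypothetical name) rather than relying on the host CRT. The 0x80-byte buffer, the 0x8C-byte window name, the trailing non-zero bytes standing in for an uncleaned stack, and all function names are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define WINDOW_NAME_MAX 0x80   /* size of the stack buffer described in the talk */
#define SLACK           0x20   /* non-zero bytes that follow it in our stand-in frame */

/*
 * Emulates the truncation semantics of the Microsoft CRT's _snprintf (hypothetical
 * helper): it writes at most `size` bytes and does NOT NUL-terminate when the
 * input does not fit. C99 snprintf always terminates, so the behaviour is
 * modelled explicitly instead of relying on the host CRT.
 */
static void crt_snprintf_like(char *dst, size_t size, const char *src)
{
    size_t n = strlen(src);
    if (n >= size)
        memcpy(dst, src, size);        /* truncated, no terminator written */
    else
        memcpy(dst, src, n + 1);       /* fits, terminator copied */
}

/* Bytes the original sprintf would write past the buffer end for a given name
   (sprintf also writes the NUL). */
size_t sprintf_overflow_bytes(const char *window_name)
{
    size_t needed = strlen(window_name) + 1;
    return needed > WINDOW_NAME_MAX ? needed - WINDOW_NAME_MAX : 0;
}

/* Length that later string code observes after the _snprintf-style fix.
   The frame is a single array: the name buffer occupies the first 0x80 bytes
   and is followed by SLACK bytes that are not zero (uncleaned stack). */
size_t observed_len_after_patch(const char *window_name)
{
    char frame[WINDOW_NAME_MAX + SLACK];
    memset(frame, 'B', sizeof frame);
    frame[sizeof frame - 1] = '\0';          /* keeps our own strlen() in bounds */
    crt_snprintf_like(frame, WINDOW_NAME_MAX, window_name);
    return strlen(frame);                    /* walks past the 0x80-byte name */
}

/* Hardened copy: bounded AND always terminated, so string code that follows
   cannot walk off the end of the buffer. */
size_t observed_len_hardened(const char *window_name)
{
    char frame[WINDOW_NAME_MAX + SLACK];
    memset(frame, 'B', sizeof frame);
    frame[sizeof frame - 1] = '\0';
    snprintf(frame, WINDOW_NAME_MAX, "%s", window_name);  /* C99: terminates */
    return strlen(frame);
}

int main(void)
{
    char long_name[0x8C + 1];                /* constructed: a 0x8C-byte window name */
    memset(long_name, 'A', 0x8C);
    long_name[0x8C] = '\0';

    printf("sprintf would overflow by %zu bytes\n", sprintf_overflow_bytes(long_name));
    printf("_snprintf-style copy: strlen = 0x%zx (buffer is 0x80)\n",
           observed_len_after_patch(long_name));
    printf("hardened copy:        strlen = 0x%zx\n", observed_len_hardened(long_name));
    return 0;
}
```

With the 0x8C-byte name, the unpatched sprintf writes 13 bytes past the buffer; the _snprintf-style patch stops the overflow but leaves the name unterminated, so strlen() reports 0x9F, well beyond the 0x80-byte buffer, which is exactly the condition under which downstream string handling can still misbehave. The hardened version caps the observed length at 0x7F.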
Oh yes, researcher guidance. So what do you people want to do? Well, the first thing to do is fuzz, right? These things are easy to fuzz. They don't have CRCs; most of these file formats are wide open. Just do bit flipping. Remember to turn PageHeap on on the process that's being attacked; that's a great way to find memory corruption, because then it breaks at the corruption point, not later on when it's being used. Use the tools that you've got for fuzzing; use your tools for analysis. sqlmap is great for finding SQL injection possibilities. One of my favorite tools is Attack Surface Analyzer by Microsoft. One of the reasons it's one of my favorite tools is that I helped write it. Microsoft released a public version in 2012. It creates a snapshot before and after the installation of your target software, and then it will highlight security problems in the configuration and it will highlight increases in attack surface, so it shows you your new COM objects, your new ActiveX controls, your new RPC endpoints. Here's an example: it shows you, for example, on the Advantech software, the new RPC information. Here is Attack Surface Analyzer telling you that the web root directory, which is, you know, where files are going to go that are being executed in the high-privileged web server context, that this entire directory can be write-accessed by the world. What could possibly go wrong? So ASA is a great, great tool to use. Now if anybody in here has pull at Microsoft, we need a new version drop of ASA, because it doesn't work on Windows 10, and if Microsoft wants to be really cool they could release the source of ASA, because I know what needs to be done to fix it so it works on Windows 10, and it would take me about an hour if Microsoft would please release the source. Also, audit for banned APIs: go look for the sprintfs, go look for the strcpys, use IDA to trace the tainted data back and see if you can get to the source of these unsafe copy APIs. If you can get to those from attacker-supplied data, it's great; it's wide open, people. And now back to Brian
for more of the corporate things. Yes, yes. So we wanted to give you an understanding of, when you find a vulnerability, how long it will actually take to fix, and kind of talk about the vulnerability exposure window. So what we did is we actually took all of the HMI vulnerabilities that we've received in the Zero Day Initiative program, again over 250 now, and looked at how long they actually took, and if you look at the last four years it's not exactly trending down. It's pretty consistently about a hundred and forty days from the time that we disclose a bug to when the patch comes out. And the thing about the SCADA industry is that when they're applying those patches, if the patch is bad or there's an issue, it will actually denial-of-service the critical infrastructure as well, which is not good, but that means that patching actually takes a really long time; you could imagine almost twice as long. So that leaves, you know, probably around three hundred days when the patches are not being applied. So, you know, that's how long the bug is existing in the software even after you find it.

So what we wanted to do is actually call out a couple of vendors who we've disclosed vulnerabilities to, because that's what we'd like to do. What you see here is all of the vendors over those years, and Cogent DataHub I want to call out as being one of the better SCADA vendors for doing patching. In fact, on one of the first bugs we disclosed to Cogent DataHub, their CEO actually emailed us and worked with us on the fix, and they fixed it in like six days. It was amazing, and they've continued that trend; you know, we're still purchasing bugs in Cogent DataHub and they're fixing them relatively fast. But if you look at the big vendors out there, you see, you know, ABB, GE, you know, InduSoft; those are over 200 days to release a fix for a zero-day vulnerability that we purchased, that is known. So it's kind of interesting; it averages out to about 150 days for bug fixes. A lot of these are going through ICS-CERT, so just to kind of call that out.

Now if you look at the SCADA industry and how it compares to other industries, you know, highly deployed software, which we consider to be Microsoft, Apple, Oracle, the big-name vendors, they do a decent job; it's about 120 days for them to fix a bug when it's disclosed. SCADA and security products are kind of battling it out for second and third, with SCADA coming in third, and kind of worst of all is business software, things like HP and other big-name businesses like IBM; it takes them a long time to fix vulnerabilities, so, you know, we're at almost 200 days for those types of vulnerabilities. So just, you know, as you find bugs and you work with ZDI to get them fixed or disclose them directly to the vendor, it does take a significant amount of time, and in certain cases it does take more than just 180 days.

So to kind of wrap things up: we present at these conferences and provide this level of detail because we want you to go find bugs. We want you to work with the vendors to get them fixed. We want you to work with bug bounty programs like the Zero Day Initiative to get compensated for your research, and so we are definitely interested in buying vulnerabilities, and that's why we provide this detail. There is ICS-focused malware that is actively exploiting HMI vulnerabilities. These code bases are plagued with vulnerabilities, and you can use those simple techniques to actually find them. It does take a long time for them to fix, but they do end up fixing them. And so we're going to be continuing this research, and we're actually going to be releasing a white paper in a couple of months. We're going to release some proof of concepts, and all of our disclosure data is publicly available on our website, zerodayinitiative.com, for you to analyze yourself and draw your own conclusions. Again, we are the Zero Day Initiative. We buy bugs. If you find zero-days, we are a white-hat bug bounty program; we've been doing this for 10 years. We like to watch researchers grow and provide feedback, make sure that they are finding better bugs and getting higher payouts. And so if you are interested, you know, come up and talk to us. We've got basically the whole team here in the front row, and, you know, we do a lot of research and look forward to working with you. Thanks for coming and spending the time with us.