Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security mechanisms, software architecture

Post on 12-Nov-2014


All pictures are taken from the movie Dr. Strangelove

by Gleb Gritsai (as Alexander Timorin) and Alexander Tlyapov

Group of security researchers focused on ICS/SCADA

to save Humanity from industrial disaster and to keep Purity Of Essence

Sergey Gordeychik, Gleb Gritsai, Denis Baranov, Roman Ilin, Ilya Karpov, Sergey Bobrov, Artem Chaykin, Yuriy Dyachenko, Sergey Drozdov, Dmitry Efanov, Yuri Goltsev, Vladimir Kochetkov, Andrey Medov, Sergey Scherbel, Timur Yunusov, Alexander Zaitsev, Dmitry Serebryannikov, Dmitry Nagibin, Dmitry Sklyarov, Alexander Timorin, Vyacheslav Egoshin, Roman Ilin, Alexander Tlyapov, Evgeny Ermakov, Kirill Nesterov

Gleb Gritsai

Penetration tester @ptsecurity

ICS researcher and expert

Member of @scadasl

Alexander Tlyapov

Reverse engineer @ptsecurity

ICS researcher

Member of @scadasl

ICS 101

This 101 is useless

Industrial protocols (Gleb Gritsai)

Functions and weakness of protocols

Penetration tester’s view

WinCC architecture (Alexander Tlyapov)

Internal protocols

Authorization process

And how not to pay attention and get to the serious stuff

HMI Human Machine Interface

PLC Programmable Logic Controller

RTU Remote Telemetry Unit

IED, SCADA, DCS, Sensor, Actuator, …

Moved from Serial to Ethernet, sometimes to Radio (GSM, ZigBee, WiFi, etc.)

Actually the five senses of ICS: controlling physical processes and delivering feedback

Available starting from OSI/ISO layer 3; industry and application specific

Delivering real-time data from a sensor, or configuring network settings of a PLC, or reflashing an RTU

Operating in one subnet or providing remote telemetry and supervisory control

Developed without security in mind (and not in the coders’ minds either). “The times they are a-changin’”, but slowly

Manufacturing Message Specification A protocol, but more a specification for messaging

Originally developed in 1980

“Heavy”, compare with a MODBUS packet: [gw_unit; function; register; value]

Applications IED, PLC, SCADA, RTU

Vendors GE, Siemens, Schneider, Daimler, ABB

Domains: named memory regions for managing data/code blobs, an abstraction for devices

Program invocations, Journals, Files (yes, files), Named variables and lists (groups of vars), Events

State machines for alarms and events

Operator station (HMI), Init, Semaphores

Concurrent access

IEC 62351-4 is security for IEC 61850-8-1; IEC 61850-8-1 is MMS

Application level: ACSE AARQ and AARE PDUs

Transport level: TLS (IEC 62351-3)

Access Control Lists

Original port 102 becomes 3782 if secured

Application security lives in the ACSE layer (Association Control Service Element), which is rarely implemented

No password requirements defined for software. Welcome to the “123”

Application security is a plain password: bruteforce it

Just try to keep the port alive, as no lockout exists

Interception

Simple ARP spoofing is still a kill switch for ICS networks (do this in labs or on disconnected SCADAs if you care)

Access must be defined for every object (according to the standard)

Kind of: read, write, delete

Optional

TLS, srsly?

No options to set it up seen in products

Not supported (not even stubs in the code)

Discovery & Fingerprint: port 102 is also S7 and … - COTP (Connection Oriented Transport Protocol) & TPKT (Transport packet)

“Identify” request returns Vendor, Model and Version
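The discovery step above, as an added example that is not code from the talk or from the authors’ tools: everything that listens on TCP/102 (MMS, S7 and the rest of the ISO-on-TCP family) first answers a COTP Connection Request wrapped in TPKT, so this is the probe and the response parser you write before any fingerprinting. The TSAP values (0x0001 on both sides) and the reference numbers are assumed for the example; real devices want their own TSAPs. No packet leaves the host: the client CR and the server CC/DR are constructed in memory.

```python
import struct

TPKT_VERSION = 3
# COTP PDU types: Connection Request, Connection Confirm, Disconnect Request, Data
COTP_CR, COTP_CC, COTP_DR, COTP_DT = 0xE0, 0xD0, 0x80, 0xF0
# Parameter codes in the variable part of CR/CC
P_TPDU_SIZE, P_SRC_TSAP, P_DST_TSAP = 0xC0, 0xC1, 0xC2


def tpkt(payload: bytes) -> bytes:
    """TPKT (RFC 1006) header: version 3, reserved 0, 16-bit total length."""
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(payload)) + payload


def cotp_connect_pdu(pdu_type: int, dst_ref: int, src_ref: int, params) -> bytes:
    """CR or CC PDU: LI, type, DST-REF, SRC-REF, class/options, then TLV parameters."""
    fixed = struct.pack(">BHHB", pdu_type, dst_ref, src_ref, 0x00)
    variable = b"".join(bytes([code, len(value)]) + value for code, value in params)
    body = fixed + variable
    return bytes([len(body)]) + body   # LI counts every byte after itself


def connection_request(src_tsap: bytes, dst_tsap: bytes, tpdu_size: int = 0x0A) -> bytes:
    """TPKT-framed COTP CR, the first thing a client sends to TCP/102 (TSAPs assumed)."""
    params = [(P_TPDU_SIZE, bytes([tpdu_size])),
              (P_SRC_TSAP, src_tsap),
              (P_DST_TSAP, dst_tsap)]
    return tpkt(cotp_connect_pdu(COTP_CR, 0x0000, 0x0001, params))


def parse_tpkt_cotp(data: bytes) -> dict:
    """Parse one TPKT frame carrying a COTP PDU; ValueError on anything malformed."""
    if len(data) < 5 or data[0] != TPKT_VERSION:
        raise ValueError("not a TPKT frame")
    total = struct.unpack(">H", data[2:4])[0]
    if total != len(data):
        raise ValueError("TPKT length field does not match frame size")
    li = data[4]
    pdu = data[5:5 + li]
    if li == 0 or len(pdu) != li:
        raise ValueError("truncated COTP PDU")
    info = {"type": pdu[0], "params": {}}
    if pdu[0] in (COTP_CR, COTP_CC):
        info["dst_ref"], info["src_ref"] = struct.unpack(">HH", pdu[1:5])
        pos = 6                                  # skip the class/options byte
        while pos + 2 <= len(pdu):               # TLV parameters
            code, length = pdu[pos], pdu[pos + 1]
            info["params"][code] = pdu[pos + 2:pos + 2 + length]
            pos += 2 + length
    elif pdu[0] == COTP_DR:
        info["dst_ref"], info["src_ref"], info["reason"] = struct.unpack(">HHB", pdu[1:6])
    return info


def classify_response(data: bytes) -> str:
    """What the answer to a CR probe tells you about the listener."""
    try:
        info = parse_tpkt_cotp(data)
    except ValueError:
        return "not COTP over TPKT"
    if info["type"] == COTP_CC:
        return "confirmed"
    if info["type"] == COTP_DR:
        return "refused (reason %d)" % info["reason"]
    return "unexpected PDU type 0x%02X" % info["type"]


if __name__ == "__main__":
    # Constructed exchange: client CR, then a server CC (nothing is sent on the wire)
    cr = connection_request(src_tsap=b"\x00\x01", dst_tsap=b"\x00\x01")
    cc = tpkt(cotp_connect_pdu(COTP_CC, 0x0001, 0x0004, [(P_TPDU_SIZE, b"\x0a")]))
    print(cr.hex(), parse_tpkt_cotp(cr))
    print(classify_response(cc))
```

A “confirmed” answer only proves that an ISO-on-TCP stack is there; which protocol sits on top (MMS Initiate, S7 setup) is the next exchange, and a Disconnect Request with a reason usually means the destination TSAP was wrong rather than that the port is closed.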

Enumeration of objects: enumerate everything: Domains, Variables, Files, etc.

Good thing – named variables (no need for a db with tag/register descriptions) for understanding the logic

Domains: IEDInverter, IEDBattery, IEDPhysical_Measurements

Variables for IEDBattery: ZBAT1$MX$Vol, ZBAT1$MX$Amp, ZBAT1$ST$Health

Better than WriteCoil(coil=X, value=Y)

Open source libs - easy to extract the API for better code coverage while fuzzing PLCs, IEDs, RTUs, … Ain’t it fun fuzzing embedded devices

Lots of open source libs, single-DLL APIs and simulators. libiec61850 is C and free

http://libiec61850.com

openmuc is java and free http://openmuc.org/

Smartgridware and others non free, but trial http://www.smartgridware.com/

http://nettedautomation.com/iec61850li/dll/index.html

Is actually IEC 60870-5-104. Master, Slave, Master-Slave. No security mechanisms in the standard or in implementations, except the IP addresses of Masters defined on Slaves

Extensible, and the reverse, by design. Vendors publish checklists with supported functions

Mainly for gathering telemetry in electricity distribution and power system automation: interrogations

Can feature control functions: write, command, execute

Discovery

TCP port 2404

Application level: ASDU broadcast address

As soon as an RTU receives a broadcast to enumerate IEC 104 endpoints it sends a broadcast itself

If there is an RTU nearby you’ll get an infinite broadcast

A BCR (Binary Counter Reading) hack with a frozen binary counter can mitigate this

Do it at home unless … don’t do it

Reading data

Done by interrogations, which return the set of controlled data

Writing data

Inspect the vendor document on supported protocol features
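The discovery and reading steps above, as an added example (not the authors’ iec-60870-5-104.py and not part of the talk): it builds the STARTDT U-frame and an I-frame carrying a station interrogation (C_IC_NA_1, type 100) addressed to the broadcast common address 0xFFFF, and parses any APDU back. The parser also gives you a one-line check for exactly the broadcast interrogation that the slide warns can loop between RTUs, which is what you want in a lab capture filter or an IDS rule. Sequence numbers and addresses are constructed for the example; nothing touches a socket.

```python
import struct

START = 0x68
# U-frame function codes (first control byte)
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}
C_IC_NA_1 = 100          # type identification: interrogation command
COT_ACTIVATION = 6       # cause of transmission: activation
QOI_STATION = 20         # qualifier of interrogation: station (global)
BROADCAST_CA = 0xFFFF    # common address of ASDU that every slave answers


def u_frame(function: int) -> bytes:
    """Unnumbered control frame, e.g. u_frame(0x07) == STARTDT act."""
    return bytes([START, 4, function, 0x00, 0x00, 0x00])


def i_frame(send_seq: int, recv_seq: int, asdu: bytes) -> bytes:
    """Information frame: APCI (start, length, 4 control bytes) + ASDU."""
    ctrl = struct.pack("<HH", send_seq << 1, recv_seq << 1)   # 15-bit counters, bit 0 = 0
    return bytes([START, len(ctrl) + len(asdu)]) + ctrl + asdu


def interrogation_asdu(common_addr: int, originator: int = 0, qoi: int = QOI_STATION) -> bytes:
    """C_IC_NA_1 with one object: type, VSQ, COT, originator, CA (LE16), IOA (LE24) = 0, QOI."""
    head = bytes([C_IC_NA_1, 0x01, COT_ACTIVATION, originator]) + struct.pack("<H", common_addr)
    return head + b"\x00\x00\x00" + bytes([qoi])


def parse_apdu(data: bytes) -> dict:
    """Classify an APDU as I/S/U and decode the ASDU header of I-frames."""
    if len(data) < 6 or data[0] != START:
        raise ValueError("not an IEC 104 APDU")
    if data[1] != len(data) - 2:
        raise ValueError("APDU length mismatch")
    ctrl = data[2:6]
    if ctrl[0] & 0x01 == 0:                                   # I-frame
        send = struct.unpack("<H", ctrl[0:2])[0] >> 1
        recv = struct.unpack("<H", ctrl[2:4])[0] >> 1
        asdu = data[6:]
        if len(asdu) < 6:
            raise ValueError("ASDU header too short")
        info = {"kind": "I", "send_seq": send, "recv_seq": recv,
                "type_id": asdu[0], "num_objects": asdu[1] & 0x7F,
                "cot": asdu[2] & 0x3F, "originator": asdu[3],
                "common_addr": struct.unpack("<H", asdu[4:6])[0]}
        if info["type_id"] == C_IC_NA_1 and len(asdu) >= 10:
            info["ioa"] = int.from_bytes(asdu[6:9], "little")
            info["qoi"] = asdu[9]
        return info
    if ctrl[0] & 0x03 == 0x01:                                # S-frame
        return {"kind": "S", "recv_seq": struct.unpack("<H", ctrl[2:4])[0] >> 1}
    return {"kind": "U", "function": U_FUNCTIONS.get(ctrl[0], "unknown 0x%02X" % ctrl[0])}


def is_broadcast_interrogation(data: bytes) -> bool:
    """True for the packet that makes neighbouring RTUs re-broadcast forever."""
    try:
        info = parse_apdu(data)
    except ValueError:
        return False
    return (info["kind"] == "I" and info["type_id"] == C_IC_NA_1
            and info["common_addr"] == BROADCAST_CA)


if __name__ == "__main__":
    # Constructed client side of a session: STARTDT act, then a broadcast interrogation
    for apdu in (u_frame(0x07), i_frame(0, 0, interrogation_asdu(BROADCAST_CA))):
        print(apdu.hex(), parse_apdu(apdu), is_broadcast_interrogation(apdu))
```

The same `parse_apdu` is what you run over a pcap to see whether a slave honoured the broadcast (replies carry its real common address), and `is_broadcast_interrogation` is the test to add to a lab switch’s capture before you try this anywhere near a live RTU.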

Simulators, libraries and fingerprint tool https://github.com/atimorin/PoC2013/blob/master/iec-60870-5-104/iec-60870-5-104.py

https://code.google.com/p/mrts-ng/

https://code.google.com/p/sim104/

[Figure: IEC 104 travels over a dedicated network]

Power plant 1, Power plant 2, … Power plant N <-- IEC 104 --> Remote Control

[Figure: inside Power plant 1 (office.pp1.company.loc)]

PLC (Open/Close the Door) -> RTU -> FW: IEC 104 port opened -> SCADA Server -> FW: IEC 104 port opened -> corp.company.loc

IEC 104 flows through the RTU to the SCADA Server; the SCADA Server reads/writes data as requested

[Figure: the same picture, with the office networks drawn in]

Power plant 1 (office.pp1.company.loc), Power plant 2 (office.pp2.company.loc), … Power plant N (office.ppN.company.loc) <-- IEC 104, SMB, HTTP, etc --> Remote Control (corp.company.loc)

[Figure: and the corporate network on the Internets]

corp.company.loc <-> Internets: E-mail, Sharepoint, Remote applications, Web sites

Now this does look like a typical pentest

Now this does look like one of the pentest attack vectors

Internal protocols

Authorization process

And how not to pay attention and get to the serious stuff

[Figure: WinCC deployment] PLC1, PLC2, PLC3 <- PROFINET / PROFIBUS -> WinCC Servers <- LAN -> WinCC SCADA-Clients, WinCC SCADA-Client + Web-Server, WinCC DataMonitor, Engineering station (TIA Portal/PCS7) <- Internet, corp LAN, VPNs (“some networks”) -> WinCC Web-Client, WinCC DataMonitor

ActiveX components for communication and rendering of the HMI

IIS extension SCSWebBridgex.dll: manages the SCS connection and converts data to PAL

CCEServer.exe: WinCC core, manages requests of components

WebNavigatorRT.exe: renders the HMI and transmits commands

CCEServer.exe: yep-yep, again. Another component of WinCC, for example forwarding commands to the PLC via the S7 protocol

• The POST requests from the client contain the binary data of the SCS protocol

• Basic authorization

• Authorization is “two-stage” (we’ll cover this later)

• For the real identification of the client a specially “generated” ID is used

SQL query to the database (using COM objects)

Verification of a "special" Windows user

The "hardcode" etc.

For successful authentication any path will do

Authentication of the user in the database through the COM object on the server

Getting the ServerID and the “magic” activity for the password to WebBridge

Using the received "magic" password to work with SCSWebBridgeX

Oh! En/c(r)ypt[10]n!

ServerID = Base64(RC2(pass, key)), where key = MD5(dll hardcode)

Not my department, password!

And forget that before that we entered another password...

SQL injection in Basic authorization.

It is too hard for me.

CVE-2013-0676

Passwords in the database are not plaintext…

CVE-2013-0678

But it’s just XOR with a very secret string.

This is my encryption key
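Why “XOR with a very secret string” is not encryption, as an added example that is not the authors’ decryption tool and does not use the real WinCC string: with one account whose password you already know (your own, or one pulled through the SQL injection above) the secret falls out as ciphertext XOR plaintext, and every other row encrypted under it decrypts as far as that known text reaches. The key and the three user rows below are constructed for the example.

```python
# Constructed demo key and rows; NOT the real WinCC secret string or data.
DEMO_KEY = b"VerySecretKey!"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: 'encrypt' and 'decrypt' are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


STORED = {   # what a user table protected this way would hold (constructed)
    "operator": xor_with_key(b"operator123", DEMO_KEY),
    "engineer": xor_with_key(b"Siemens2013!", DEMO_KEY),
    "admin":    xor_with_key(b"Admin#ProcessCtrl", DEMO_KEY),
}


def recover_keystream(known_pairs) -> bytes:
    """Known-plaintext attack: blob[i] XOR password[i] is the key byte at position i.

    Each (stored_blob, known_password) pair reveals a prefix of the keystream; the
    prefixes are merged and must agree where they overlap (otherwise the rows were
    not encrypted with the same string and the assumption is wrong)."""
    keystream = bytearray()
    for blob, plaintext in known_pairs:
        for i in range(min(len(blob), len(plaintext))):
            k = blob[i] ^ plaintext[i]
            if i < len(keystream):
                if keystream[i] != k:
                    raise ValueError("inconsistent key byte at offset %d" % i)
            else:
                keystream.append(k)
    return bytes(keystream)


def decrypt_with_keystream(blob: bytes, keystream: bytes, unknown: str = "?") -> str:
    """Decrypt as far as the recovered keystream reaches; mark the rest as unknown.

    Positions past the recovered prefix stay unknown until a longer known password
    (or the key period) is found, so they are shown as '?' instead of guessed."""
    known = bytes(b ^ k for b, k in zip(blob, keystream)).decode("latin-1")
    return known + unknown * max(0, len(blob) - len(keystream))


if __name__ == "__main__":
    ks = recover_keystream([(STORED["operator"], b"operator123")])
    for user, blob in STORED.items():
        print(user, decrypt_with_keystream(blob, ks))
```

The practical consequence on the slide: a single low-privilege HMI account plus read access to the table is enough, and the longer the one password you know, the more of every other password you get; a second known password only extends the recovered prefix.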

So, we have another way to get the ServerID and later access SCSWebBridgex.dll

Still not quite ...

"Magic" password = MD5(WNUSR_DC92D7179E29.WinPassword)

Stored in the registry and encrypted with DPAPI. But with no luck.

A wrong flag allows any user (including Guest) on this host to get the password for the special Siemens user. BTW, this user is a local admin.

Password generation uses a very good charset, but each char is used only once and the length is 12 to 14 chars, which does not make cracking the unsalted MD5 any harder

All further communications are authorized with this password

For dispatching requests a special ID is used that is generated ... in some weird and funny way

Offset  Description     Size
0       AlwaysNULL      4
4       dwCode          4
8       Unknown         4
12      DataLen         4
16      ID              4
20      DataChunkNum    4
24      CRC             4
28      ChunkLen        4
32      DataChunkStart  …

The transmitted ID represents the index and identifier in the pool of objects which is responsible for storing the data and dispatching requests

Offset  Description  Size
0       PoolID       2
2       PoolIndex    2
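The two tables above turned into a builder and a parser, as an added example that is not the authors’ code: it packs and unpacks the 32-byte SCS header, splits the dispatch ID into PoolID/PoolIndex, and reassembles a payload that was split over several DataChunkNum packets. Little-endian DWORDs are assumed (the natural choice for a Windows component, but not stated on the slide), the CRC is carried through untouched because its algorithm is not documented here, and all packet contents are constructed. This is the first thing you need before you can look at how predictable the ID actually is.

```python
import struct

HEADER_FMT = "<IIIIIIII"                     # eight DWORDs, little-endian (assumed)
HEADER_LEN = struct.calcsize(HEADER_FMT)     # 32 bytes, chunk data starts right after
FIELDS = ("always_null", "dw_code", "unknown", "data_len",
          "id", "data_chunk_num", "crc", "chunk_len")


def make_id(pool_id: int, pool_index: int) -> int:
    """Dispatch ID as a DWORD: PoolID in the low word, PoolIndex in the high word."""
    return struct.unpack("<I", struct.pack("<HH", pool_id, pool_index))[0]


def split_id(dispatch_id: int) -> dict:
    """Inverse of make_id: the two 16-bit fields of the ID table."""
    pool_id, pool_index = struct.unpack("<HH", struct.pack("<I", dispatch_id))
    return {"pool_id": pool_id, "pool_index": pool_index}


def build_scs_packet(dw_code: int, data_len: int, dispatch_id: int,
                     chunk_num: int, crc: int, chunk: bytes, unknown: int = 0) -> bytes:
    """One SCS packet carrying one chunk of a (possibly larger) DataLen-byte payload."""
    header = struct.pack(HEADER_FMT, 0, dw_code, unknown, data_len,
                         dispatch_id, chunk_num, crc, len(chunk))
    return header + chunk


def parse_scs_packet(data: bytes) -> dict:
    """Validate the header against the data actually present and decode the ID."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than the SCS header")
    hdr = dict(zip(FIELDS, struct.unpack(HEADER_FMT, data[:HEADER_LEN])))
    if hdr["always_null"] != 0:
        raise ValueError("first DWORD must be NULL")
    chunk = data[HEADER_LEN:HEADER_LEN + hdr["chunk_len"]]
    if len(chunk) != hdr["chunk_len"]:
        raise ValueError("ChunkLen claims more data than the packet carries")
    if hdr["chunk_len"] > hdr["data_len"]:
        raise ValueError("chunk larger than the whole payload")
    hdr["id"] = split_id(hdr["id"])
    hdr["chunk"] = chunk
    return hdr


def reassemble(packets) -> bytes:
    """Order chunks by DataChunkNum, concatenate, and check the total against DataLen."""
    parsed = sorted((parse_scs_packet(p) for p in packets), key=lambda h: h["data_chunk_num"])
    payload = b"".join(h["chunk"] for h in parsed)
    if len(payload) != parsed[0]["data_len"]:
        raise ValueError("reassembled %d bytes, DataLen says %d" % (len(payload), parsed[0]["data_len"]))
    return payload


if __name__ == "__main__":
    # Constructed two-chunk message for pool 3, index 7 (no real WinCC traffic)
    did = make_id(3, 7)
    pkts = [build_scs_packet(0x10, 11, did, 1, 0, b" world"),
            build_scs_packet(0x10, 11, did, 0, 0, b"hello")]
    print(parse_scs_packet(pkts[1]))
    print(reassemble(pkts))
```

Because the ID is only a pool identifier plus an index into that pool, a client that can guess or enumerate it can have its requests dispatched in the context of another client’s object, which is the footing the session-hijacking step later in the talk stands on.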

[Figure: CCEServer in the middle] CCEServer <-> HMI, PLC Communication, License server, Other components

To start communication, components must call CAL_StartListen in the CCEServer service. This function passes all the necessary information about the component, such as:

• Component’s GUID

• Its PID

• Required callbacks

• Etc

During initial communications an SCS packet is transmitted with the GUID describing the target component

According to the received identifier the component's object is looked up

Further communication occurs in the context of an established connection, through a protocol called CAL

The data transmission mechanism of the CAL protocol is based on global MappedSections: a named shared-memory section plus a ready event and a send/receive event per direction, all in the Global\ object namespace, so they are visible to every session on the host

For sending data:

Section = ("Global\\SCS%08X%04X%04X%04XSAM", PID, SomeW, MapKey, Null);

ReadyEvent = ("Global\\SCS%08X%04X%04X%04XSAN", PID, SomeW, MapKey, Null);

SendEvent = ("Global\\SCS%08X%04X%04X%04XSAF", PID, SomeW, MapKey, Null);

For receiving data:

Section = ("Global\\SCS%08X%04X%04X%04XASM", PID, SomeW, MapKey, Null);

ReadyEvent = ("Global\\SCS%08X%04X%04X%04XASN", PID, SomeW, MapKey, Null);

ReceiveEvent = ("Global\\SCS%08X%04X%04X%04XASF", PID, SomeW, MapKey, Null);

SQLi for retrieving HMI user passwords from the db, and a XOR decryption tool

Hardcoded credentials for retrieving the ServerID

Crack the ServerID for the Siemens Windows user

Use the ServerID for communication with WebBridge

Session hijacking for privilege escalation on the HMI

Exploiting the architecture weakness to use arbitrary components of WinCC (like PLC comms)

Contact despair:

Gleb Gritsai Alexander Tlyapov

ggritsai@ptsecurity.com atlyapov@ptsecurity.com

@repdet @Rigros1
