Friday, February 8, 2013

2013 and the "Ping of Death"

It's been a while since I am in the computer security discipline and I remember the old Ping Of Death attack. How cool was it  ?! At that time breaking the stack was as simpe as breaking the modelling assumptions, for example breaking the stack in 1997 was as simple as sending to the target stack a unexpected lenght in the ICMP packet ! And, yes, I do remember the time being where a malformed source and destination address caused the smurf attack.  After those implementation mistakes, developers, engineers and the developing frameworks became more and more sophisticated, became more and more complete in term of security checking.

It is a long time since I saw another mistake like thise ! ... Untill today ! Today I've read a post talking about another implementation bug in the TCP/IP stack made by Intel enginners. The writer shows how the Intel card ( 82574L ) shouts down if a specific value (0x32) is placed into a specific address ( 0x47F). Which basically means if the ASCII "2" is into a specific address in the sent stream.

Let's take a closer look to the bytesteram:

Image From here

Shutting down an ethernet card could be pretty annoying for a system, in fact you need to reboot your entire machine before getting the card workgin bback. Further analysis showed that different values placed into the same address, change the card behavior.

So hard to find so easy to test. When you play with networks captures and/or with networks crafters the big amount of data let the bug hunter's work be pretty difficult and annoying. Contrary a lot of tools have been developed for testing the network behavior so once you found the bug to reproduce it would be pretty easy as simple as:  "ping -p 32 -s 1110 x.x.x.x"

Another fun story to tell, another good example showing why there is the need of security evangelists to increse the security awareness, another good example showing that bugs and eventually vulnerabilities are always "behind the corner" :D. It is worthy to remember.

Saturday, February 2, 2013

SCADA (in)Security

During the last weeks I've been involved in some SCADA systems testing. It has been quite a new world for me, no memory overflows or ROP, no specific deobfuscator  techniques;  just plain text analysis, sometimes even too easy old web style (in)security.

Sometimes the difficulty of the intrusion was just a matter of few minutes. For example in the following scenario the web server protection was based on .htaccess file holding a really insecure password (3 minutes of bruteforcing). The following images represent a supervisor (and controller) of an entire farm. Attackers could easily stop water services, power supplies and heaters.

Sometimes the entire system relizes on unsecure protocol (Telnet) and the bruteforce is just a metter of hours. In the specific case just 1.5h

Even more dangerous when you enter in a system able to control the electric power supply of a huge building and you discover that you were not the first one !!

Who put evil.exe there ?? This specific case was even not password protected ! WoW. (I feel a little bit lame at this moment...) And the list is just huge.

There are some "smarter" systems who calculates passwords on unescaped javascript:
Systems which lets open logs and open control panel because "hidden", and so secured enough ! (0_o!)

Or even who check the presence of a cookie to authorize to configure an entire Power Cell !

At this stage seems that SCADA security is at the very beginning of its history. Unfortunately SCADA systems are really important and might affect thousands, hundred thousands of people. I wont immage a nuclear station managed according to these security standards! It would be just scarry.

Since I am totally newbie on SCADA security, I started some research on my own and I found some interesting resources that shows more advance attacks techniques such as the following:

PLCScan: how to find out PLC and how to deal with them:  

Metasploit MOdule WinVNC Harvester:

How to recover S7 PLC/TIA portal password

 Hope this BLOG-POST helps to encrease security awareness on SCADA systems. They are huge, important and they can affect the real life of many citizens. Each water station, electric station, nuclear station, but also each airport, each industry owns a SCADA system to monitor and (sometime) to control machineries.