Tomer Teller , DC9723, 18/1/11 Stuxnet: How to take over a (nuclear) power plant
Who Am I ? • A Black Hat gone good (courier -> cracker) • Security Evangelist at Check Point • Specialize in network hacking & reversing • Finished all levels of Angry Birds (3 stars!)
Why are we here ? • We like Malware • Stuxnet is a Malware! • Iran is involved • Microsoft got pwn'd • Learn new techniques • See some DEMO’s (hopefully)
Terminology • SCADA/ICS – Supervisory Control and Data Acquisition. It generally refers to Industrial Control Systems (ICS): computer systems that monitor and control industrial, infrastructure, or facility-based processes. • PLC – A Programmable Logic Controller: controls machinery on factory assembly lines. • Field PG – the machine used to program PLCs. • WinCC/Step7 – the Siemens application used to program PLCs (IDE/compiler); installed on a Field PG.
Threat Overview • Architecture • Single DLL • Resource containing payloads • Component based • Exploits • 4 undisclosed vulns! • Techniques • “cunning” hack • LoadLibrary() maneuver
Statistics This is not normal… ref: Symantec dossier paper
What’s going to happen? Nuclear Reactor Gas pipeline Water Pipe
Mission Objectives Introduce Threat to Target Propagate inside the network Infect Field PG machines GOAL: Reprogram ICS machines
The First Infection • An Insider • A Contractor • A SCADA conference USB give-away • Super Sheep over the fence
Removable Drive Propagation Okay, now what ? • LNK auto-execution (MS10-046) • Autorun.inf Technique
LNK Auto-Execution (MS10-046) • Design-level flaw when parsing LNK files (i.e. shortcut files) • The file format can store links to a control panel applet (CPL) DLL • The vulnerable code processes these links the same way it processes icons. • Problem: the system does not check whether the DLL is in SYSTEM32 or part of a white list (registered) • The result: arbitrary DLLs can be loaded via a shortcut.
LNK Binary Format (DIY)
LNK Binary Format (header)
Offset   Size  Field
0x0000   4     HeaderSize
0x0004   16    LinkCLSID
0x0014   4     LinkFlags (optional structure)
. . .
0x0042   4     (reserved)
Control Items
Offset   Size  Field
0x0000   2     itemIDSize
0x0002   2     wDummy
. . .
0x0018   n     Path
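As an added illustration (not code from the talk), a minimal Python scanner that walks the two structures in the table above, the ShellLinkHeader and the control item list, and flags any item whose embedded path names a .dll/.cpl outside System32, i.e. the check the vulnerable code omitted. The CLSID and the LinkFlags bit are the documented Shell Link values; the item layout follows the slide's offsets, and the sample shortcut is constructed here, not a real Stuxnet file.

```python
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")  # LinkCLSID at 0x0004 of the header
HAS_LINK_TARGET_ID_LIST = 0x1                                   # LinkFlags bit 0
ITEM_PATH_OFFSET = 0x18 - 2  # slide: Path at 0x0018 of an item, measured after its 2-byte itemIDSize

def parse_lnk(data: bytes):
    """Return (LinkFlags, [item bodies]) from a .lnk blob; raise on a bad header."""
    if len(data) < 0x4C:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, = struct.unpack_from("<I", data, 0x0000)
    clsid = uuid.UUID(bytes_le=data[0x0004:0x0014])
    link_flags, = struct.unpack_from("<I", data, 0x0014)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link header")
    items = []
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        pos = header_size
        id_list_size, = struct.unpack_from("<H", data, pos)
        pos += 2
        end = min(pos + id_list_size, len(data))
        while pos + 2 <= end:
            item_size, = struct.unpack_from("<H", data, pos)  # itemIDSize at 0x0000 of the item
            if item_size < 2:  # TerminalID (0) closes the list
                break
            items.append(data[pos + 2:pos + item_size])
            pos += item_size
    return link_flags, items

def suspicious_dll_targets(data: bytes):
    """Item paths naming a DLL/CPL outside System32: the whitelist check MS10-046 lacked."""
    hits = []
    for item in parse_lnk(data)[1]:
        path = item[ITEM_PATH_OFFSET:].decode("utf-16-le", errors="ignore")
        path = path.rstrip("\x00").lower()
        if path.endswith((".dll", ".cpl")) and "\\windows\\system32\\" not in path:
            hits.append(path)
    return hits

def build_sample_lnk(path: str) -> bytes:
    """Constructed test input (not a real sample): a header plus one control item."""
    header = bytearray(0x4C)
    struct.pack_into("<I", header, 0x0000, 0x4C)
    header[0x0004:0x0014] = LNK_CLSID.bytes_le
    struct.pack_into("<I", header, 0x0014, HAS_LINK_TARGET_ID_LIST)
    body = b"\x00" * ITEM_PATH_OFFSET + path.encode("utf-16-le") + b"\x00\x00"
    item = struct.pack("<H", len(body) + 2) + body
    return bytes(header) + struct.pack("<H", len(item) + 2) + item + b"\x00\x00"  # IDListSize, item, TerminalID
```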
Autorun.inf Technique • We all know AutoRun.inf File & Dialog • The code that parses that file is very “flexible” • How flexible ?
Autorun.inf Technique cont. EXE AutoRun
The LoadLibrary() Technique • Whenever Stuxnet needs to load a DLL (including itself), it uses a special method to bypass anti-virus behaviour-blocking detection. • Stuxnet calls LoadLibrary() with a specially crafted name that does not exist, which causes LoadLibrary() to fail. • NTdll.dll was hooked to monitor for requests to load these specially crafted file names. • These file names are mapped to a different location, specified by Stuxnet. • File name example: KERNEL32.DLL.ASLR.[ADDRESS]
User/Kernel Space rootkits • User Space Rootkit • Hide files by hooking Kernel32 & NTDLL: FindFirstFileW, FindNextFileW; NtQueryDirectoryFile, ZwQueryDirectoryFile • Kernel Space Rootkit • Register a device driver (MrxNet.sys) to intercept I/O Request Packets (IRP) • Monitor Directory Control & Query (read/write) • Detect & Infect Removable Devices
Compromised Certificates • The driver was digitally signed with a legitimate certificate that is trusted by Windows. • Both companies involved seem to have offices in the Hsinchu Science and Industrial Park (Taiwan)
No Admin?! No Problem! (Vista+ Style) • Privilege Escalation in Task Scheduler (20-11-2010, www.exploit-db.com/exploits/15589) • The task file is hashed by CRC32 • Modify the original task to run under LocalSystem • Fix the CRC checksum by “padding” <- Collision
No Admin?! No Problem! (XP Style) • Privilege Escalation in Keyboard Layout (MS10-073) • A keyboard layout can be loaded from anywhere in the system • Out-of-bounds index into an array of function pointers in win32k.sys:
cf12fa38 cf933423 win32k!KbdNlsFuncTypeDummy   [index 0]
cf12fa3c cf93342e win32k!KbdNlsFuncTypeNormal  [index 1]
cf12fa40 cf933474 win32k!KbdNlsFuncTypeAlt     [index 2]
cf12fa44 ff496867                              [index 3]
cf12fa48 ff466564                              [index 4]
cf12fa4c 60636261 <- user space address        [index 5]
cf12fa50 0000006e
Steps shown on the slide: copy bad code to that address; change the layout to point at index #5; load the keyboard layout.
Demo(s) Time • Autorun.inf • LNK vulnerability (MS10-046) • User Space RootKit (source available)
Mission #1 Completed Here
Recap Introduce Threat to Target Propagate inside the network Infect Field PG machines GOAL: Reprogram ICS machines
MS08-067 – Server Service Vulnerability • SRVSVC is an RPC interface which controls shares and files. • Binding to this interface via SMB and calling one of its functions -- NetprPathCanonicalize() -- with a malformed path string, e.g. /<name>/../../<rest of string>, results in a buffer overflow. • Successful exploitation can lead to code execution with System level privileges.
NetprPathCanonicalize() walking the malformed path (each step: search for ‘\’):
\share\path1\path2/../../../../buff
\share\path1/../../../buff
\share/../../buff
/../buff -> Buffer Overflow
MS10-061 – Printer Spooler Vulnerability • Released in 2009 in a hacker magazine • Allows a file to be written to the %System% folder by printing a document into a file. • Stuxnet “prints” 2 files: • A Managed Object Format (MOF) file – used for Windows events • The Stuxnet worm itself • Once the OS detects the MOF file in a specific directory (C:\windows\system\wbem\mof\<file>) it executes the event, which is to run the executable file.
Network Shares Infection • Stuxnet enumerates all user accounts of the computer and the domain • Tries all available network resources using those user credentials • Drops the Stuxnet executable on the remote share • Schedules a network job via NetScheduleJobAdd() to run 2 min later
P2P Communication Component • Stuxnet installs an RPC Client / Server. • Compromised computers can connect and ask for the latest version
RPC Server Routines:
0: Return Current Ver
1: Inject & Execute
2: Load module
3: Inject to lsass.exe
4: Send Current Version
5: Create Process
6: Read File
Exchange between two infected machines (one acting as Client, one as Server):
Client -> Server: Get Version (0)
Server -> Client: Send Version
Client -> Server: Request Update (4)
Server -> Client: Send Update
ref: Symantec dossier paper
Command & Control Component • Stuxnet communicates back using an HTTP C&C backdoor and encrypted data.
Exchange between the Infected Machine and the Command And Control Server:
Infected Machine: GET www.msn.com -> 200 OK
Infected Machine -> C&C Server: GET Index.php?data=[encrypted]
C&C Server -> Infected Machine: Command X, Command Y
ref: Symantec dossier paper
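An added detection sketch, not from the talk or the Symantec paper: it correlates proxy log lines for the two-step exchange above, a connectivity check to www.msn.com followed shortly by a GET to index.php?data=<blob>. The log format, the 60-second window and the assumption that the blob is a long hex string are mine; the log lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed proxy log (not a real capture): client, timestamp, method, URL, status.
SAMPLE_LOG = """\
10.0.0.7 2011-01-18T10:00:01 GET http://www.msn.com/ 200
10.0.0.7 2011-01-18T10:00:03 GET http://cnc.example.invalid/index.php?data=1f8e3c4a9b2d7e6f5a0c1b2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f708192a3b4c5 200
10.0.0.9 2011-01-18T10:05:00 GET http://www.msn.com/ 200
10.0.0.9 2011-01-18T10:30:00 GET http://intranet.local/index.php?data=page2 200
10.0.0.11 2011-01-18T10:40:00 GET http://cnc.example.invalid/index.php?data=1f8e3c4a9b2d7e6f5a0c1b2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f708192a3b4c5 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
CONNECTIVITY_HOSTS = {"www.msn.com"}         # the reachability probe from the slide
HEX_BLOB = re.compile(r"[0-9a-fA-F]{32,}")   # assumption: the [encrypted] blob is long hex

def parse_line(line: str):
    """Split one log line into fields; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, ts, _method, url, status = m.groups()
    u = urlparse(url)
    return {"client": client, "ts": datetime.fromisoformat(ts), "host": u.netloc.lower(),
            "path": u.path.lower(), "data": parse_qs(u.query).get("data", [""])[0],
            "status": status}

def detect_beacons(log_text: str, window: timedelta = timedelta(seconds=60)):
    """Clients that probe a connectivity host and, within `window`, hit index.php?data=<hex blob>."""
    last_probe = {}   # client -> time of its most recent successful connectivity probe
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"] in CONNECTIVITY_HOSTS and rec["status"] == "200":
            last_probe[rec["client"]] = rec["ts"]
        elif rec["path"].endswith("/index.php") and HEX_BLOB.fullmatch(rec["data"]):
            t0 = last_probe.get(rec["client"])
            if t0 is not None and rec["ts"] - t0 <= window:
                alerts.append((rec["client"], rec["host"], rec["ts"].isoformat()))
    return alerts
```

Only 10.0.0.7 trips the rule: 10.0.0.9 sends a short, non-hex parameter and 10.0.0.11 never performed the probe.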
Mission #2 Completed Here (Ping / Alive)
Recap Introduce Threat to Target Propagate inside the network Infect Field PG machines GOAL: Reprogram ICS machines
PLC RootKit • On the Field PG, Stuxnet will look for: • A specific version of STEP7/WinCC • A specific network card • A specific PLC model & version connected • Stuxnet will replace the DLL file that is in charge of communicating with the PLC on the Field PG. • After the replacement Stuxnet will be able to: • Monitor PLC commands being written to and read from the PLC • Infect a PLC by inserting bad commands • Mask the fact that the PLC is infected
Infected PLC Example (READ/WRITE)
Read(): Step7/WinCC on the Field PG reads through the Original DLL and the New DLL from the PLC. The PLC holds Modified Data (500); the New DLL hands back the Original Data (5).
Write(): Step7/WinCC writes 5; the New DLL writes Modified Data (500) to the PLC ("Wrote Data").
Recap Introduce Threat to Target Propagate inside the network Infect Field PG machines GOAL: Reprogram ICS machines
Who’s Behind It ? • Some say Israel: • b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb • myrtus -> myrtle -> Hadassah -> Queen Esther • My-RTUs -> Remote Terminal Unit -> Control SCADA Systems • 0x19790509 • May 09, 1979. That date coincides with the execution in Iran of Habib Elghanian, a prominent Jewish businessman • Some say Germany • Some say USA
kthxbye Tomer Teller tomert@checkpoint.com