Saturday, December 28, 2013

Internet connected ICS/SCADA/PLC|30C3 release

Trying to find SCADA/PLC/HMI on the Internet?
No success?

SCADAStrangeLove strike forces to the rescue!

With our Pretty Shiny Sparkly™ ICS/SCADA/PLC Cheat Sheet you will become a real SCADAHacker and will search for SCADA for free! Special #30C3 release by Gleb Gritsai, Alexander Timorin, Alexander Zaitsev, Sergey Gordeychik, Valentin Shilnenkov.

Please enjoy responsibly!


Friday, December 27, 2013

Hydra vs Siemens S7-300|30C3 release

Special release for the Chaos Communication Congress: Hydra v7.6 with a Siemens S7-300 PLC password brute-force module and dictionary. Thanks to Alexander Timorin and Van Hauser.

Download and enjoy.

PS. More details tomorrow.

Saturday, December 14, 2013

SCADA hacking @30C3

The anniversary Chaos Communication Congress is going to be awesome.
We cannot stand aside. The SCADA StrangeLove crowd will rock there.
Gleb Gritsai and Sergey Gordeychik will talk about things “We already know”, but also about a lot of things “We don’t know yet…”.

Yury Goltsev and Alexander Zaitsev will speak on Day 3 about the PHDays Labyrinth.
WTF is PHDays Labyrinth? It is magic. A hacker’s Disneyland. Here it is.


Tuesday, December 3, 2013

SCADA Exposure 2013 Report

Awesome report and ICS/SCADA/PLC Google/Shodanhq Cheat Sheet. Thanks to ISGroup SRL and Francesco Ongaro for the reference.

http://www.scadaexposure.com/report/2013-11

Tuesday, November 12, 2013

SCADA Security Deep Inside

Members of SCADA StrangeLove Gleb Gritsai and Alexander Tlyapov gave a talk at the Zeronights conference @Moscow. The new slides were split into two parts:
- Industrial protocols (MMS and IEC 104) and how to act during a penetration test of an ICS environment that uses these protocols
- Patched WinCC vulnerabilities discovered by the SCADA SL group, including Alexander's results from deep reverse engineering of the solution

We'd like to thank the attendees for their questions and interest in the topic. This year showed there is room for organizational improvements, but the conference talks and the community compensate for any negative impressions. Kudos to the organizers of the Zeronights conference for bringing up this international security event and giving us a chance to speak there.

Monday, November 11, 2013

What hack may come

Last week four guys from the SCADA StrangeLove team took part in the Power of Community conference in Seoul, South Korea.
Alexander Timorin, Yuri Goltsev and Ilya Karpov ran the Choo Choo PWN challenge and workshop, and Sergey Gordeychik spoke on automatic exploit generation.

The Choo Choo PWN challenge was built for PHDays III, and this was the first time it was presented in Korea.

Monday, November 4, 2013

Power of Community 2013 special release of ICS/SCADA toolkit

Special release of the ICS/SCADA toolkit for our speech and workshop at the Power of Community conference. Let's play with industrial protocols: S7, PROFINET, IEC 60870-5-104, IEC 61850-8-1!

Download

Enjoy...

Friday, October 25, 2013

ZeroDays vs ZeroNights

Alexander Timorin and Alexander Tlyapov from the SCADA StrangeLove team will speak @ the ZeroNights conference in Moscow, Russia. We will release a protocol security analysis for IEC 61850-8-1 (MMS) and IEC 60870-5-101/104, and the security features of the “new another S7” for the latest TIA Portal and S7-1500 PLC.
Following tradition, we will release information about new (but fixed) bugs in WinCC.

PS. It seems Alexander Timorin will be in Seoul at Power of Community at that moment, so Gleb Gritsai will fix this issue and give the lecture @ ZN.

Monday, September 30, 2013

SCADA hacking @ Seoul

This year we will run the Choo Choo PWN ICS/SCADA/PLC hacking challenge and workshop at the Power of Community conference. http://www.powerofcommunity.net/

'Choo Choo Pwn' challenges the participants' skills in exploiting various vulnerabilities in industrial equipment that provides automation and control of technological processes. Contestants will be offered a choice between access to the communication systems of the industrial equipment and access to the HMI systems. The goal is to independently obtain access to a model of a system which controls a railroad and cargo loading, by exploiting vulnerable industrial protocols or bypassing authentication of SCADA systems or industrial equipment web interfaces. The Industrial Control System (ICS) of the railroad will include video surveillance, and, as an additional task, the competitors will be offered to disable the surveillance system.

Hope to see you there.

Choo Choo PWN at 2:39.

Tuesday, September 10, 2013

XXE OOB strikes back

Microsoft just released patches MS13-072 and MS13-073 to fix CVE-2013-3159 and CVE-2013-3160, an XML External Entities Resolution Vulnerability, i.e. XXE OOB issues. Details and tools for this and similar issues can be found in the XML Out-Of-Band Data Retrieval Black Hat talk by Timur Yunusov and Alexey Osipov.

So, hack XML, use XXOETA and be happy.


Thursday, August 8, 2013

WinCC Harvester Metasploit module is updated

A new version of modules/auxiliary/admin/scada/simatic_wincc_harvester.rb is released.

It's still unstable, but I hope it will be fixed in the near future.


Credits 

Dmitry Nagibin, Gleb Gritsai, Vyacheslav Egoshin

What's new

CVE-2013-0678 and http://scadastrangelove.blogspot.ru/2013/03/wincc-vulnerabilities-fresh-meat.html

+      # decrypt user password
+      prj[db]["users"] = prj[db]["users"].map do |usr|
+        usr_pass = decrypt usr[1].strip,usr[2]
+        usr.insert(3,usr_pass)
+      end
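Review bot: the new block depends on undocumented positional indices (`usr[1]`, `usr[2]`, and the insert at position 3) and will raise NoMethodError on `nil.strip` if a user row has no stored password, which aborts the whole harvest on one malformed row; a comment stating what columns 1 and 2 hold, plus a guard such as `next usr unless usr[1]` before the `decrypt` call, would make it robust. Also, since `Array#insert` mutates `usr` in place, `each` expresses the intent more directly than `map` here, although the result is the same because `insert` returns the array.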

Download

Enjoy

Thursday, August 1, 2013

SSA-064884: WinCC/TIA Portal fixes

Siemens updates WinCC SCADA and TIA Portal to fix two minor issues in HMI panels discovered by our team:

  • CVE-2013-4911: CSRF (Cross-site request forgery) attacks, compromising integrity and availability of the system
  • CVE-2013-4912: URL redirection to untrusted websites

Thanks to Timur Yunusov and Sergey Bobrov for the research, and thanks to Siemens Product CERT for the fix and collaboration.

Details

Siemens SSA-064884:

ICS-CERT ICSA-13-213-02: https://ics-cert.us-cert.gov/advisories/ICSA-13-213-02

Enjoy

Wednesday, July 24, 2013

Thursday, June 27, 2013

Please update your plant. On recent WinCC fixes

A few days ago Siemens published an update for WinCC 7.2 SCADA to fix several vulnerabilities discovered by the SCADA StrangeLove team.
CVE-2013-3957 is the most dangerous one: a simple SQL injection that, because of some configuration and architectural issues, lets an attacker execute arbitrary code in the context of the SQL server. This vulnerability can be exploited not only via WebNavigator (i.e. HTTP) but also via the WinCC Runtime Client (i.e. OPC), so Cisco Applied Mitigation Bulletin 29768 should be fixed to filter OPC traffic as well.

CVE-2013-3958 and CVE-2013-3959 are funny stuff because… Because backdoor hardcoded accounts are always funny.

Credits:
Alexander Tlyapov, Sergey Gordeychik and Timur Yunusov.

Links:

http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345843.pdf

https://ics-cert.us-cert.gov/advisories/ICSA-13-169-02

Thanks to Siemens Product CERT for collaboration and fixes.
Special thanks to Dec for slide 44.

Enjoy.

Thursday, June 6, 2013

Invensys ICS/SCADA fixes

Invensys published updates to fix CVE-2013-0688/CVE-2013-0684/CVE-2013-0686/CVE-2013-0685, discovered by the SCADA StrangeLove team during an assessment of an ICS/SCADA based on the ArchestrA System Platform. There are several trivial and some interesting bugs in Invensys Wonderware Information Server (WIS).
Patches (limited access): https://wdn.wonderware.com/sites/WDN/Pages/Downloads/Software.aspx
ICS-CERT advisory ICSA-13-113-01: https://ics-cert.us-cert.gov/advisories/ICSA-13-113-01


  • SQLi ~10 instances
  • XSS ~30 instances
  • XXE/XXE OOB/“ADSI Injection” and other interesting stuff…


Credits:
Gleb Gritsai
Nikita Mikhalevsky
Timur Yunusov
Denis Baranov
Ilya Karpov
Vyacheslav Egoshin
Dmitry Serebryannikov
Alexey Osipov
Ivan Poliyanchuk
Evgeny Ermakov

Enjoy...

Thanks to the Invensys security team for collaboration and rapid fixes.

Monday, May 27, 2013

SCADA StrangeLove @Positive Hack Days

At PHDays we released two talks:
“How to build your own Stuxnet” by the SCADA StrangeLove team
“Industrial protocols for pentesters” by Alexander Timorin and Dmitry Efanov. You can find the slides for the second one below.
To play with PROFINET DCP Alexander released two tools:

Saturday, May 18, 2013

ICS Security @phdays: not bad for a one-year plan

Hi there. At PHDays III SCADA StrangeLove will celebrate our anniversary! Yep, a year ago we started our mission.

70+ 0-days, 5+ talks, 10+ releases... Not bad for a one-year plan.

We are preparing a lot of awesome stuff!

Wednesday, March 20, 2013

WinCC vulnerabilities: fresh meat

New vulnerabilities/fixes in Siemens WinCC 7.0 SP3 Update 1

CVE-2013-0678 MISSING ENCRYPTION OF SENSITIVE DATA
CVE-2013-0676 IMPROPER AUTHORIZATION
CVE-2013-0677 XXE OOB in project files
CVE-2013-0679 RELATIVE PATH TRAVERSAL
CVE-2013-0674, CVE-2013-0675 BUFFER OVERFLOW

+ a lot of good stuff for WinCC Flexible in TIA Portal V11.

More details @infiltratecon and @phdays.

Thanks to Gleb Gritsai, Sergey Bobrov, Roman Ilin, Artem Chaykin, Timur Yunusov, Ilya Karpov, Alexey Osipov, Sergey Gordeychik, Dmitry Nagibin and the Siemens CERT/Product team.

SSA-212483
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf

SSA-714398
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-714398.pdf

ICSA-13-079-02
http://ics-cert.us-cert.gov/pdf/ICSA-13-079-02.pdf

Enjoy!

PS. Exploits for WinCC? No way! This is Out Of Band.

Friday, February 15, 2013

Not by SCADA alone: ATM Hacking Video

By Dmitry Evteev, Olga Kochetova, Timur Yunusov, Alexey Osipov, Yuri Goltsev, Alexander Zaitsev.

Angry Birds on a hacked ATM

Unrestricted right-click on ATM


Thursday, January 31, 2013

SCADA (in)security in pictures #1

How to find an HMI on the Internet

How to hack WinCC

How to find a PLC in (your) network

How to recover S7 PLC/TIA Portal password

Don’t try this at home.

And don't panic. ICS (in)security is so young...