Saturday, December 28, 2013

Internet connected ICS/SCADA/PLC|30C3 release

Trying to find SCADA/PLC/HMI in Internet?
No success?

SCADAStrangeLove strike forces to the rescue!

With our Pretty Shiny Sparkly™ ICS/SCADA/PLC Cheat Sheet you will become real SCADAHacker and will search for SCADA for free! Special #30C3 release by Gleb Gritsai, Alexander Timorin, Alexander Zaitsev, Sergey Gordeychik, Valentin Shilnenkov.

Please enjoy responsible!


Friday, December 27, 2013

Hydra vs Siemens S7-300|30C3 release

Special release for Chaos Communication Congress: Hydra v7.6 with Siemens S7-300 PLC password bruteforce module and dictionary. Thanks to Alexander Timorin and Van Hauser.

Download and enjoy.

PS. More details tomorrow.

Saturday, December 14, 2013

SCADA hacking @30C3

Anniversary Chaos Communication Congress going to be awesome.
We cannot stand aside. SCADA StrangeLove crowd will rock there.
Gleb Gritsai and Sergey Gordeychik will talk about thing “We already know”, but a lot of thing “We don’t know yet…”.

Yury Goltsev  and Alexander Zaitsev  on Day 3 will speak about PHDays Labyrinth.
WTF PHDays Labyrinth? It is a magic. Hacker’s Disneyland. Here it is.


Tuesday, December 3, 2013

SCADA Explosure 2013 Report

Awesome report and ICS/SCADA/PLC Google/Shodanhq Cheat Sheet. Thanks to ISGroup SRL and Francesco Ongaro for reference.

http://www.scadaexposure.com/report/2013-11

Tuesday, November 12, 2013

SCADA Security Deep Inside

Members of SCADA StrangeLove Gleb Gritsai and Alexander Tlyapov gave a talk at Zeronights conference @Moscow. New slides were splitted into two parts:
 - Industrial protocols (MMS and IEC 104) and how to act during a penetration testing of ICS enviroment with this protocols
- Patched WinCC vulnerabilities discovered by SCADA SL group including Alexander's results of deep reverse engineering of solution

We'd like to thank attendees for their questions and interest in topic. This year showed there is a room for organizational improvements, but the conference talks and the community compensate any negative impressions. Kudos to the organizers of the Zeronights conference for bringing up this international security event and giving us a chance to speak there.

Monday, November 11, 2013

What hack may come



Last week four guys of the SCADA StrangeLove team took part in Power of Community conference in Seoul, South Korea.
Alexander Timorin, Yuri Goltsev and Ilya Karpov run Choo Choo PWN challenge and workshop, and Sergey Gordeychik spoke on automatic exploit generation.






Choo Choo PWN challenge was built for PHDays III and it was the first time it was presented in Korea.




Monday, November 4, 2013

Friday, October 25, 2013

ZeroDays vs ZeroNights

Alexander Timorin and Alexander Tlyapov from SCADA StrangeLove team will speak @ ZeroNights conference in Moscow, Russia. We will release protocol security analysis for IEC 61850-8-1 (MMS), IEC 61870-5-101/104, security features of “new another S7” for latest TIA Portal and S7-1500 PLC.
Following tradition, we will release information about new (but fixed) bugs in WinCC.

PS. Seems Alexander Timorin will be at Seoul/Power of Community at moment, so Gleb Gritsai will fix this issue and give a lecture @ ZN. 

Monday, September 30, 2013

SCADA hacking @ Seoul

This year we will manage Choo Choo PWN ICS/SCADA/PLC hacking challange and workshop at Power of Community conference. http://www.powerofcommunity.net/


'Choo Choo Pwn' challenges the participants' skills in exploiting various vulnerabilities in industrial equipment which provides automation and control of technological processes. The contestants will be offered to choose from access to communication systems of industrial equipment or HMI systems access. The goal is to independently obtain access to a model of a system which controls a railroad and cargo loading by exploiting vulnerable industrial protocols or bypassing authentication of SCADA systems or industrial equipment web interfaces. The Industrial Control System (ISC) of the railroad will include video surveillance, and, as an additional task, the competitors will be offered to disable the surveillance system.

Hope to see you there.

Choo Choo PWN at 2:39.



Tuesday, September 10, 2013

XXE OOB strikes back

Microsoft just released patches MS13-072 and MS13-073 to fix CVE-2013-3159 and CVE-2013-3160 XML External Entities Resolution Vulnerability or XXE OOB issues. Details and tools for this and similar issues can be found at XML Out-Of-Band Data Retrieval Black Hat Talk by Timur Yunusov and Alexey Osipov.

So, hack XML, use XXOETA and be happy.


Thursday, August 8, 2013

WinCC Harvester Metasploit module is updated

New version of modules/ auxiliary /admin /scada /simatic_wincc_harvester.rb is released.

It's still in unstable but I hope it will be fixed in the nearest future


Credits 

Dmitry Nagibin, Gleb Gritsai, Vyacheslav Egoshin

What's new
 

CVE-2013-0678 and  http://scadastrangelove.blogspot.ru/2013/03/wincc-vulnerabilities-fresh-meat.html

+      # decrypt user password
+      prj[db]["users"] = prj[db]["users"].map do |usr|
+        usr_pass = decrypt usr[1].strip,usr[2]
+        usr.insert(3,usr_pass)
+      end

Download

Enjoy

Thursday, August 1, 2013

SSA-064884: WinCC/TIA Portal fixes



Siemens updates WinCC SCADA and TIA Portal to fix two minor issues in HMI panels discovered by our team:

  • CVE-2013-4911: CSRF (Cross-site request forgery) attacks, compromising integrity and availability of the system
  • CVE-2013-4912: URL redirection to untrusted websites

Thanks for Timur Yunusov and Sergey Bobrov for research and thanks for Siemens Product CERT for fix and collaboration.

Details

Siemens SSA-064884:


ICS-CERT ICSA-13-213-02:https://ics-cert.us-cert.gov/advisories/ICSA-13-213-02

Enjoy

Wednesday, July 24, 2013

Thursday, June 27, 2013

Please update your plant. On recent WinCC fixes

Few days ago Siemens published update for WinCC 7.2 SCADA to fix several vulnerabilities discovered by SCADA StrangeLove team.
CVE-2013-3957 – most dangers one. Simple SQL Injection because some configuration and architectural issues an attacker can execute arbitrary code in context of SQL server. This vulnerability can be exploited not only via WebNavigator (e.g. HTTP), but via WinCC Runtime Client (e.g. OPC). So Cisco Applied Mitigation Bulletin 29768 should be fixed to filter OPC traffic also.

CVE-2013-3958 and CVE-2013-3959 is funny stuff because… Because backdoors hardcoded accounts are always funny.

Credits:
Alexander Tlyapov, Sergey Gordeychik and Timur Yunusov.

Links:

http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345843.pdf

https://ics-cert.us-cert.gov/advisories/ICSA-13-169-02

Thanks to Siemens Product CERT for collaboration and fixes.
Special thanks to Dec for the slide 44

Enjoy.

Thursday, June 6, 2013

Invensys ICS/SCADA fixes

Invensys published updates to fix CVE-2013-0688/CVE-2013-0684/CVE-2013-0686/CVE-2013-0685 discovered by SCADA StrageLove team during assesment of ICS/SCADA based on ArchestrA System Platform. There are several trivial and some interesting bugs in Invensys Wonderware Information Server (WIS).
Patches (limited access): https://wdn.wonderware.com/sites/WDN/Pages/Downloads/Software.aspx
ICS-CERT advisory ICSA-13-113-01: https://ics-cert.us-cert.gov/advisories/ICSA-13-113-01\


  • SQLi ~10 instances
  • XSS ~30 instances
  • XXE/XXE OOB/“ADSI Injection” and other interesting stuff…


    Credits: 
    Gleb Gritsai
    Nikita Mikhalevsky
    Timur Yunusov
    Denis Baranov
    Ilya Karpov
    Vyacheslav Egoshin
    Dmitry Serebryannikov
    Alexey Osipov
    Ivan Poliyanchuk
    Evgeny Ermakov
     

      Enjoy...

    Thanks to Invensys security team for collaboration and rapid fixes.

    Monday, May 27, 2013

    SCADA StrangeLove @Positive Hack Days

    At PHDays we has released two talks:
    “How to build your own Stuxnet” by SCADA StrangeLove team
    “Industrial protocols for pentesters” by Alexander Timorin and Dmitry Efanov.  You can find slides for second one below.
    To play with PROFINET DCP Alexander released two tools:

    Saturday, May 18, 2013

    ICS Secuirty @phdays: not bad for a one year plan


    Hi there. At PHDays III SCADA StrageLove will celebrate our anniversary! Yep, year ago we had started our mission.

    70+ 0-days, 5+ talks, 10+ releases... Not bad for a one year plan.

    We preparing a lot of awesome stuff!

    Wednesday, March 20, 2013

    WinCC vulnerabilities: fresh meat


    New vulnerabilities/fixes in Siemens WinCC 7.0 SP3 Update 1

    CVE-2013-0678/ MISSING ENCRYPTION OF SENSITIVE DATA
    CVE-2013-0676 IMPROPER AUTHORIZATION
    CVE-2013-0677  XXE OOB in project files
    CVE-2013-0679 RELATIVE PATH TRAVERSAL
    CVE-2013-0674, CVE-2013-0675 BUFFER OVERFLOW

    + lot of good stuff for WinCC Flexible in TIA Portal V11.

    More details @infiltratecon and @phdays.

    Thanks to Gleb Gritsai, Sergey Bobrov, Roman Ilin, Artem Chaykin, Timur Yunusov, Ilya Karpov, Alexey Osipov, Sergey Gordeychik, Dmitry Nagibin and Siemens CERT/Product team. 

    SSA-212483
    http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf

    SSA-714398
    http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-714398.pdf

    ICSA-13-079-02
    http://ics-cert.us-cert.gov/pdf/ICSA-13-079-02.pdf

    Enjoy!

    PS. Exploits for WinCC? No way! This is Out Of Band.

    Friday, February 15, 2013

    Not by SCADA alone: ATM Hacking Video

    By Dmitry Evteev, Olga Kochetova, Timur Yunusov, Alexey Osipov, Yuri Goltsev, Alexander Zaitsev .


    Angry Birds on a hacked ATM

     

     

     

    Unrestricted rightclick on ATM

       

     

     

    Thursday, January 31, 2013

    SCADA (in)security in pictures #1

    How to find an HMI in the Internet



    How to hack WinCC 



     How to find an PLC in (your) network



    How to recover S7 PLC/TIA portal password



    Don’t try this at home.

    And don't panic. ICS (in)security so young...