We're ready to start now. We've got everything worked out. This is my presentation called Exploiting SCADA Systems and brief background. My name is Jeremy Brown and I'm a vulnerability research engineer at Tenable. I like to play with SCADA software so the presentation is focused on vulnerabilities in SCADA software. So let's get started. So a lot of SCADA software runs on AIX, OS/2, Linux but most of the modern software runs on Windows. So the framework that I'll be demoing later will show exploiting the SCADA software that runs on Windows. So SCADA software, you can use it on workstations, you can use it on remote, there are even mobile apps to control remote aspects of SCADA and that's what the iPhone app shows. So attack vectors via software vulnerabilities. With SCADA software they use the same programming languages as a lot of other applications, C, C++. So they share the same vulnerabilities as any other application. So whether that be client-side attacks from the web browsers, click on the malicious link, anything like that, whether it's not patched, email or even malicious servers attacking clients, SCADA clients and things like that. Also server-side attacks from the internet, if SCADA software is connected to the internet, it's vulnerable to anything else. Or the internal network, if it's firewalled or not accessible by the internet. I'm just going to skip through some of the brief introduction. Clickjacking, thought that would be fun. You never know, maybe it's vulnerable to clickjacking. So what's wrong? What's the problem with SCADA software? Well, security has been implemented as an add-on instead of being built around the product from the ground up, especially for a lot of the older versions of software. And SCADA plants and things, the security is kind of a hindrance. So it wasn't really built. Everything back then was kind of built just to be easy for the operators.
So security wasn't really a priority until people figured out people were hacking into SCADA systems. And then systems typically are installed for long term and software upgrades may require new hardware. So when SCADA systems are installed, they are put there for maybe a decade, five years, decade, two decades, something like that for a long term. So when they put everything together, they're not looking to make upgrades for a long time. So if vulnerabilities come out or patches or new versions, they may require new hardware just to upgrade. And then just kind of the thing that I noticed that may be typical for a lot of SCADA systems, when they go into an audit or something like that, a lot of administrators are saying, you know, this isn't connected to the internet or they can't access this from this network because it's separated or on a different network or on a different subnet or something like that. But still, something somewhere is connected to something that may be connected to the internet. You know, the whole process of communication means you can communicate with things anywhere. You got to be able to communicate with, excuse me, to control it. So unless it's strictly physical access, something's got to be connected to something. And a lot of times it's also connected to a system that's connected to the internet. So attacker gets control of a system that has access to the internet. You know, you got access through the internet and got access to the internal network. So even though the system wasn't connected to the internet, it is now vulnerable to attack from the attacker. So and then vendors, vendors can take their time with updates and managers can take their time updating. Since they're going to be in place for a long term, a lot of the patches and a lot of the upgrades may not occur for a long time.
So this, even if you find bugs in a SCADA software that is, it could be five, 10 years old or even the latest software, you still have a chance to attack something on the network because chances are they have upgraded for so long that it's still going to be vulnerable. And through my research, I found that there are a ton of vulnerabilities in SCADA software. It's just, I don't know if they're not, I guess a lot of the old programming practices have to do with this too. And it's just, they're not, the code is not secure. Plenty of these things, it's not. They should really do some in-house testing because you could simply, I mean, some of the vulnerabilities I found, I've opened up a hex editor of the file format that happened to be used in the SCADA software, looked at an interesting place and put a bunch of characters along string in there, closed it, saved it, closed it, ran it in the software, crashed. It's just, it's not stable in the security aspect. So just kind of, who may find the bugs? I mean, you never know who may be looking, but you never know who may come across the backs of them or anything else like any other software. So it could be employees, and I just had a couple of pictures there. That guy looks kind of curious what he's doing. Hackers, the ones up to no good, which, according to how you look at it, black hat, gray hat, whatever. But it's kind of the typical evil looking cartoonish evil hacker, I don't know. Kind of looks kind of cool to me, but security researchers, security professionals who are now you interpret it. We know everyone here has at least six or seven monitors in their workstation. So it's got a clean representation of all of us here. And then really, I found out, you don't even have to have a lot of experience with dealing with security vulnerabilities, you can come over, you know, you can find them by accident, a lot of people do, but anyone that cares a look could find vulnerabilities in SCADA software. It's insane. 
So I guess I kind of moved a little quick here, but just to kind of the middle of my presentation, what I wanted to do is Splitware. Splitware is, well, I started out, I was finding all these vulnerabilities in SCADA software. And I was like, well, what am I going to do here? I kind of, and I thought about writing Metasploit modules for them to deal with the exploitation part, which is great. You can interchange payloads, you can host, you know, you guys familiar with Metasploit, you know what it can do. But I was like, well, kind of bored. So maybe I want to start a project here. And never really wrote a framework before, not in this sense, not a penetration testing framework. So I was like, well, I had some code I could reuse and start on a new project. And I was like, well, I want to learn some stuff too. So I just basically in my spare time created Splitware. And Splitware is just a framework designed specifically to penetration test SCADA systems, more specifically the software side of SCADA systems. And I've used it. And in my, I haven't used it, you know, of course, on any production systems, I just used it in my lab with my test systems. But I found you can get reliable exploitation just by, I mean, even reusing payloads and things like that. But I just, I mean, it was, it was pretty easy to design the framework. And I just kind of put some things like it's similar to the concept of Metasploit and Canvas, but it's focused on SCADA software. And, you know, I wouldn't dare to say it's anything close to Metasploit or Canvas, but that was my original idea when I wrote it, something that I could use to check SCADA systems for vulnerabilities. It was pretty nice to do. It can check the systems for the potentially vulnerable software, you know, I've written some local checks. It can test remotely. You know, if there's any version strings that come up or it can detect the headers in the request. It can, exploitation is optional but readily available.
Like I said, the point of the framework is not just exploitation. That's what kind of Metasploit was, I mean, Metasploit can check with them too, but it's kind of just, you know, if you go into a pen test and say, hey, we got some SCADA systems running here. We got some software running as well on them, of course. What can we find out that's vulnerable? And what can we see, you know, what can we exploit too? So it has checks. It's also kind of added in an auto-pwn feature, which I thought was pretty necessary for any exploitation framework. It's pretty cool to do. You can just hit the dash A and it'll go through and check for all the vulnerabilities it has in the database. And if it finds any, it'll exploit them. But the payload, it just has one payload right now, which I haven't really done much development on recently. But it just adds like a user, like exploit password where, something like that. You can use anything. You don't have to just exploit for some of them, but anyways. But like I said, the point of it's not for, just for exploitation, the point of it is to, you know, it has local checks, remote checks, and it can, just a brief way you can check the SCADA environment for anything that may be vulnerable. But the exploits are zero day. And I haven't worked with any of the vendors yet, but I plan to in the future. But for this, they're just, kind of let you know, kind of, the post audit. You know, the pre-audit would be, you know, before they shipped it out. I kind of do like the post audit, you know, like the vulnerability research with them and see, you know, what exactly is vulnerable. And everybody loves zero day. And the methods I use for identifying the vulnerabilities went from manual testing. Like I said, you know, some of them, actually, when I first started looking at them, I just wanted to look at the file format briefly, you know, through a hex editor or something, before I dug into it deeper.
So I just opened a hex editor and I was like, well, wonder what happened if I, you know, curiosity gets the best of you. What if I happened to enter a long string here or changed, you know, this value to an FF or, you know, just simple auditing. And I found that after I saved it and ran it with the program, it would crash. I was like, well, then you know, you do crash analysis after that. And some of them were actually vulnerabilities, some of them like buffer overflows were easy, direct, you know, easy. You know, some of them were memory corruption, some of them were kind of harder to exploit, different kinds of memory corruption, maybe pointer corruption or something like that. But it was, it was really easy with the manual, those manual tests and fuzzing, of course, any file format fuzzer can, you know, set it up through an application, log the crashes, things like that. So I didn't actually use much fuzzing for the exploits in Splitware. It was just too easy. Like I didn't even need to. Like I found, you know, a number of vulnerabilities just by manual testing, just playing with it. That's how easy it was to exploit. And then some was reverse engineering. I don't know if you guys have seen, Secunia kind of dropped my zero day a few months ago. I was reverse engineering the EDS file format. And I just kind of went through a brief example. It actually gave me the error messages. I didn't even have to reverse it. It would actually give me the error messages to properly format the file. And then I went into, you know, after I've seen that, I was like, you know, I don't think it's giving me everything. So I want to reverse it and see what other options were available. So I went through and done that. And I found a bunch of, you know, the same buffer was vulnerable, excuse me, to a bunch of, I think a Unicode buffer overflow. So I just went through, found it. And then I didn't really post any details yet, because I had not contacted the vendor or anything.
And I just kind of wanted to do an example of, you know, kind of black box testing and then going into reverse engineering. And then somebody apparently, I guess it was my fault too, they found, they knew what the EDS file format was. They knew what programs used it in SCADA. So they, Secunia, I guess somebody, excuse me, contacted Secunia and told them about it and then they dropped my zero day and stuff. But it happens. Okay. So that was the method. I mean, it was really, I didn't use that much reverse engineering because it just, it wasn't necessary. I mean, I like the reverse engineering just to do research sometimes. But these, most of the vulnerabilities came from manual testing, like manually changing variables in the web parameters or changing file formats or just, you know, running, connecting to the server and sending a long string. Like, the exploit I'll be demoing today, actually, the vulnerability is, I guess, on receive. It just receives, it doesn't even file, it doesn't even format the buffer. It just, the vulnerability is in receiving all the data into the input buffer. So I didn't need anything. I basically just connected to the software, or excuse me, server. And sent the long string and crashed it and then I ran it, you know, in WinDbg or, you know, Immunity, something, I can't remember what debugger I was using then. And so, you know, I was overwriting some other variables too. And I kind of backed off on my payload a little bit and then found out I could get, you know, EIP overwrites. Easy. So, these bugs were like really not challenging at all to find. Some of them, like the integer bugs were kind of, they were harder to analyze and find, I guess, because you can just, you know, manually send negative one, negative whatever. There are a lot of values, six, five, five, three, six or whatever, five, five, six, five, five, three, five, whatever, and find them. But it's really easy.
And the reverse or research and development findings I found, I probably went through the process over, I don't know, three or four months, just on and off, looking at different SCADA software and finding vulnerabilities. And the findings range from, you know, some of them were remote code execution, or if you look at file formats, it will be local, but if you share the file or something, it turns into remote or if you can access it through a web browser, it turns into remote anyways. And then to denial of service, you know, there were tons of denial of service bugs, weren't really that big a deal. Well, I guess it is in SCADA software, but as a security researcher, you really don't look at denial of service as being high profile, unless it's something that takes down like the entire network, but in a SCADA environment, if you, you know, crash the server, that's sort of a big deal. And then integrity loss, there were some, even some, you know, everybody thinks ActiveX bugs were dead, I even found some ActiveX vulnerabilities that led to integrity loss, you know, like overwriting files or changing files, deleting files, something like that. So, they were interesting, the findings were, but most of them, well, yeah, half or at least most were led, the vulnerabilities led to remote code execution. So, it's pretty interesting. And so, I've talked through to the demo, and I'm going to, I've kind of used a lesser version of Splitware, I didn't, I only included like, there was a slew of vulnerabilities, but I only included one, and kind of like removed some information, because I didn't want anybody to know. But I'll demo that now in a virtual machine. Hopefully, I won't mess up the screen like we had earlier. Let's see. And the application earlier, presentation won't crash out of that happening earlier, but so far, so good. I guess you can see that. Everybody remember, rock controls, in case I forget.
Okay, so this is just a Windows XP Service Pack 3 box, and just, I think this is pretty much default configuration. It may be different in other environments, but this is just the default. And it's got all patches, all updates and everything, current to maybe a week ago when I made this virtual machine. So, the Splitware folder, I've kind of dimmed it, kind of dimmed it down a little bit, but basically in the folder, let's see, I'll open up the folder and show you guys real quick. All right, so it's just the Splitware program, and just the compiled binary, and then you got the Pack folder, which contains all the exploits, in case you want to exploit. So, and there's only one in there, you guys are probably not interested in that anyways, but I'll show you the Splitware, and it's got the cool little header on it, and then you got that's target for the target, and sure you guys can read, but you know, you can get information about the exploit, run the check, you can run a certain check, and I call them SPIDs, just Splitware IDs, which had a different name before I named it Splitware, but still. Excuse me? I don't know how to do that, I'm sorry. What is it? Okay, properties? I'm sorry, I'm a Windows developer, I don't have any skills or no thought, yeah, makes sense. Okay, I'm getting a lesson here myself. Is that going to be appropriate? So glad you guys here, you guys are awesome. Okay, you guys, you see that good? Thank you. I'm just, let's, you guys really want me to change the ground, but at least my present day is going to go maybe to the time slot, so that's cool. We can do this. Yellow, I click yellow, right? That's not going to be good. I'm going to go with green. Are you serious? I like the green because it looks cool, but you guys, all right. Yellow, I guess yellow is better on the reading, so, why that's, okay, so, Splitware. 
So I'll just do a couple of functions of it, like I'll include one exploit, there's many more than that, but I didn't want anybody to steal my 0-day, so, let's do this. So, it just, it's all kept in a database, and hopefully I, in aid of all the stuff I didn't want anybody to know, yeah, thanks. But it just, I just put it in a flat file database right now, and it just, you know, prints out status, you know, zero day, you know, that's not what I got, vulnerability description, just like a brief thing with it, and the revision, you know, if you, if I added something onto it, you know, point one, you know, that meta-universal thing I used a DLL out of the binary that was included, so, easy stuff, but, and it's pretty much 100%, I guess I can say 100% reliable, you know, something messes up, so, and then, let's see, I guess I forgot, excuse me, I forgot how to use the up button, so, and then you can just run the check and X with it, but I've already got the vulnerable daemon running, daemon, daemon, something, and so we're just going to just gonna show the autopwn feature, which is awesome to me, like every, I think every exploitation thing or penetration should have autopwn, like, people, people seem to love that, it's odd, it's cool, but yeah, you don't really, well, okay, I'll do the check first, because I said it's not really for exploitation, but I mean it is, but it's optional, so I'll do the check first, shit, I cannot type, check, so, you can check for a specific one, but I'm just going to check for the first one, so just run the simple Windows check, check the registry for it or whatever, so the exploit demo's installed, checking if it's a remote service, it can check the, it's running on the local host, have anything really cool with that, like version checking that much, but this one really doesn't, this is the one where I just sent the long character string, and I got to, I owned it, so my server is listening, so that's the check you can go through, and then we
can exploit it, let's use autopwn, local host, you can use any host, but the local host, if you run as local host, it'll do the local check too, it's got like an if, whatever, but if you don't, it won't execute the local check, so it won't kind of, that's common sense, but anyways, hopefully autopwn will work here, so crap. The payload is, it's going to add a user account, and there should be no Splitware account here, great. So you just see the user and the ASP machine account, and the guest, so hopefully that will change very soon, so we're going to autopwn, and it just, it's just, basically it just runs a Perl script with the exploit, but I kind of, I named it but I don't know if it is. And then payload sent, and where it's an egg hunter, it may take a few seconds for it to go, so we'll wait a couple seconds here, but you know, just sends the payload, and then you've got this nice little screen that says, in the real thing it says, you know, the title, the vendor and the product and everything, but in this, you know, I spent a couple seconds, so let's check, hopefully, we should see, okay, and we executed the code on the server, and we have a nice little support account with the password where, so yeah, that's the demo of the zero day I had in the server. Thank you. I should have like done some like dramatic music, maybe I don't know. Everybody's like should we clap or should we just, it's zero day, but I don't have it, so okay. Yeah, so you can put whatever payload you have, I don't currently support more than one right now, which, like I said, it's just a proof of concept framework, and I really haven't done that much dev on it for probably two or three months except for getting this presentation ready, I had to come up with a demo and framework to do that, so it's rock control, right? I don't think I have a rock control on this keyboard. Let's use this. Oh, that'll work, okay. We'll leave it pummin' for now, I'll restore it later, okay.
Everybody leaves up to the demo, that's cool. So demo, and I guess I had to put a few recommendations here. Vendors, I really think you can ship it, because, or it'll get broken after you ship it, that's kind of, I don't know. And for the clients, I mean, I think it would be fair to say to do a security evaluation before you make a purchase, because lots of the websites have free trials and demos for SCADA software. It'd be a surprise how many you could find out there just by you know, I guess you could call them and tell them you could. But a lot of it's just free downloads, some SCADA software is just free, it's probably not that good, but yeah, a lot of it's got free trials, like I'll show you in a second. So I just wanted to say SCADA software can be just as vulnerable as your typical download.com application, and everybody knows when you want to own something, you go to download.com, download some mom-and-pop app and own it, and then I just want to show you like a page off the proficiency. You get a free trial of the DVD program, like to sell, you know, you can get the free evaluations. So you can check the software out before you buy it for the clients or check it out and find bugs in it and do presentations or something like that. So, thank you.
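The bug class behind the demo, as the speaker describes it, is a server that receives everything the peer sends straight into a fixed-size input buffer, so a long string overwrites the stack and eventually EIP. The following is an added example written for this transcript, not code from the talk, from Splitware or from any vendor product. It shows that unsafe receive pattern next to a bounded handler that reads at most the buffer size and rejects, rather than silently truncates, anything larger. The socket is replaced by a constructed in-memory stand-in (`fake_conn`, `fake_recv`) so it runs offline; the message limit `MAX_MSG`, the sample command string and the 500-byte string of `A`s are all constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed limit for one protocol message; kept small so the example is
 * easy to follow. The vulnerable daemon in the talk enforced no such limit. */
#define MAX_MSG 64

/* Constructed stand-in for a TCP socket: the peer's bytes live in memory and
 * fake_recv() hands them out the way recv() would, including short reads. */
struct fake_conn {
    const uint8_t *data;
    size_t len;
    size_t pos;
};

static size_t fake_recv(struct fake_conn *c, uint8_t *out, size_t want)
{
    size_t left = c->len - c->pos;
    size_t n = want < left ? want : left;
    memcpy(out, c->data + c->pos, n);
    c->pos += n;
    return n;               /* 0 means the peer has nothing more, like recv() at EOF */
}

/* The pattern the talk describes: the handler lets the peer decide how much
 * is received and copies it into a fixed stack buffer. Shown only for
 * contrast; it is never called in this example. */
void handle_unbounded(struct fake_conn *c)
{
    char buf[MAX_MSG];
    size_t n = fake_recv(c, (uint8_t *)buf, c->len);  /* len >= MAX_MSG overruns buf */
    buf[n] = '\0';
    (void)buf;
}

struct msg_result {
    int status;             /* 0 = accepted, -1 = rejected as oversized */
    size_t bytes;           /* bytes placed in the handler's buffer */
};

/* Hardened handler: reads at most MAX_MSG - 1 bytes, then probes for leftover
 * data. A message that does not fit is rejected outright; truncating a control
 * message and acting on the fragment would be its own hazard in a SCADA setting. */
static struct msg_result handle_bounded(struct fake_conn *c)
{
    uint8_t buf[MAX_MSG];
    struct msg_result r = {0, 0};
    uint8_t probe;

    /* Loop because a real recv() may return fewer bytes than requested. */
    while (r.bytes < MAX_MSG - 1) {
        size_t n = fake_recv(c, buf + r.bytes, MAX_MSG - 1 - r.bytes);
        if (n == 0)
            break;
        r.bytes += n;
    }
    buf[r.bytes] = '\0';    /* always in bounds: r.bytes <= MAX_MSG - 1 */

    /* Anything still pending means the peer sent more than the protocol allows. */
    if (fake_recv(c, &probe, 1) != 0) {
        memset(buf, 0, sizeof buf);
        r.status = -1;
        r.bytes = 0;
        return r;
    }
    /* Parsing of buf would happen here. */
    return r;
}

static struct msg_result process_bytes(const uint8_t *data, size_t len)
{
    struct fake_conn c = { data, len, 0 };
    return handle_bounded(&c);
}

/* Constructed input: a short, well-formed command. */
struct msg_result demo_short(void)
{
    static const uint8_t msg[] = "READ TAG PUMP1";
    return process_bytes(msg, sizeof msg - 1);
}

/* Constructed input: the long run of 'A's the speaker describes sending. */
struct msg_result demo_long(void)
{
    uint8_t msg[500];
    memset(msg, 'A', sizeof msg);
    return process_bytes(msg, sizeof msg);
}
```

The probe step is what turns a silent truncation into an explicit rejection: after the bounded read, one more `recv` of a single byte tells the handler whether the peer's message actually fit. In a real service the rejection path would also log the source address and close the connection, which gives defenders a detectable signal for exactly the kind of long-string probing the talk describes.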