Vulnerability Market

Celil ÜNÜVER SignalSEC Ltd. www.signalsec.com

About me

• Co-founder and Researcher @ SignalSEC Corp.

• Vulnerability Research and Intelligence

• Have discovered lots of vuln affects Adobe, IBM, Microsoft, Facebook, SCADA , Novell etc.

• Speaker at CONFidence, Hackfest, Swiss Cyber Storm, c0c0n etc.

• Organizer of NOPcon Hacker Conference

Briefly

I’m interested in bug hunting

Jargon / Terminology

• Vulnerability: software bug which causes a security issue.

• 0-day: Unknown vulnerability in a computer

application. No patch!

• Exploit: A software to break software and take advantage

SCADA (in)Security

No more stuxnet

Exploit Market

Underground:

Exploit Market

Legal Buyers: Governments , Brokers (iDefense, ZDI, Netragard, Exodus etc.)

Price List

Price List

Price List

• Price depends on where you live and who you are (800 usd for zeroday attacks)

How you serve it?

PoC Weaponized Exploit

Price List

• And price depends on how you serve it:

Weaponized Exploit

Fighting Crime with the help of cyber weapons

A spy software and exploits used in Mexico to arrest a drug lord and organized crime leader

Bug Hunting Methods

• Reversing

Reversing

There are 10 types of people in the world: Those who

understand binary and those who don’t.

Bug Hunter’s Toolbag

1-) Debugger:

- Debugger

2-) Disassembler:

- IDA Pro

WinDBG

IDA Disassembler

SCADA Vulns

Sometimes it’s really easy to find SCADA VULNS!!!

Why it’s easy?

There was not a real threat for SCADA software untill 2010

So the developers were not aware of SECURE

Development

Case-1: CoDeSys Vulnerability

• CoDeSys PLC Visualization Software – WebVisu Vulnerability

• WebVisu uses a webserver which is usually open to Internet for visualization of PLC

• Discovered by me • http://ics-cert.us-cert.gov/pdf/ICSA-12-006-01.pdf

Case-1: CoDeSys Vulnerability

• France, Poland, Deutch Telecom use this software

• Buffer overflow vulnerability when parsing long http requests due to an unsafe function

Case-1: CoDeSys Vulnerability

• Direct contol on EIP

Case-2: Schneider IGSS Vulnerability

• Oslo Traffic Center, Czech Republic Gas Center, Kuala Lumpur Airport

Case-2: Schneider IGSS Vulnerability • Discovered by SignalSEC • http://ics-cert.us-cert.gov/pdf/ICSA-11-355-01-7.pdf • IGSS listens 12399 and 12397 ports in runtime • A simple bunch of code causes to Buffer Overflow use IO::Socket; $host = "localhost"; $port = 12399; $port2 = 12397; $first = "\x01\x01\x00\x00"; $second = "\x02\x01\x00\x00";

Finding Targets

• Banner Information: “SCXWebServer”

HTTP/1.1 200 OK

Content-Encoding: deflate

Date: Tue, 14 Dec 2010 19:09:52 GMT

Expires: Tue, 14 Dec 2010 19:09:52 GMT

Cache-Control: no-cache

Server: SCXWebServer/6.0

Search on SHODAN

CoDeSys ENI on SHODAN

• Server’s Banner : “ENIServer”

• Shodan Results: 195

CoDeSys WebServer on SHODAN

• Server’s Banner : “3S_WebServer”

• Shodan Results: 151

Reversing Tips

• It’s hard to find bugs via static reversing

• Use debugger + disassembler together and do dynamic reversing!

Static Reversing

• Bol

• Good luck!

Dynamic Reversing

BreakPoint on some “juicy” instructions and functions:

REP MOVSD = memcpy (edi , esi, ecx)

REP STOSD = memset (edi, eax, ecx)

STRCPY

RECV

WSARecv

Office Zero-day Exploit

• Demo

D Thank you! • Contact:

• cunuver@signalsec.com

• www.signalsec.com

• vis.signalsec.com

• Twitter: @celilunuver