This week's update is packed full of awesome, and I don't use that term lightly.
SCADA Attacks, DigtialBond, and Metasploit
This week sees the addition of six new SCADA modules, targeting a variety of PLC devices, including two new modules aimed at the Schneider Quantum programmable logic controller (PLC). In order to give penetration testers the ability to accurately assess SCADA infrastructure, Tod Beardsley (from Rapid7) and K. Reid Wightman (from DigitalBond) have been collaborating over IRC to bring DigitalBond's SCADA vulnerability assessment research to the general Metasploit audience. You can read more about DigitalBond's work here. For Metasploit users, here are the new modules in a nutshell:
- modicon_command allows a remote, unauthenticated user to issue stop and start commands, which behaves exactly what it sounds. If an attacker can reach the Modbus TCP port, an attacker can simply stop the CPU without authentication.
- modicon_stux_transfer allows a remote, unauthenticated user to download and upload the running "ladder logic" (the PLC's instruction set). Again, this is completely unauthenticated connectivity via Modbus, and this functionality is similar to the SCADA payload of the Stuxnet worm.
In testing, we noticed that uploading ladder logic is somewhat more reliable when the Modicon device is in the STOP state, so these two modules used together can make for reliable code execution.
We've also reviewed and revised four of DigitalBond's previously released Basecamp Metasploit modules for this release:
- d20_tftp_overflow : Triggers a Denial of Service condition due to a buffer overflow vulnerability in GE's D20ME PLC TFTP server.
- koyo_login : Bruteforces the authentication passcode on a Koyo DirectLogic PLC
- modicon_password_recovery : Given default FTP credentials, extracts the "write" password to the HTTP interface of the Schneider Modicon Quantum as well as the VxWorks hashes of all supervisory users.
- multi_cip_command : Issues up to four unauthenticated stop and reset commands to a variety of PLCs which implement the Ethernet/IP Common Industrial Protocol.
SCADA Defense Measures
While most PLCs are not connected to the Internet directly, some are. If one of them is yours, you might want to examine the wisdom of that ingress policy (or, more likely, correct this misconfiguration). You really don't want just anyone stumbling across your PLC and rewriting your ladder logic for you. Other defensive measures include:
- Talk to your IPS/IDS vendor. Do you have signatures or filters available and enabled to detect SCADA access? Even if you think your devices aren't reachable from outside the control network, it's usually a Good Idea(tm) to monitor for traffic you're not expecting to see. People screw up routing tables and firewall rules, so an IPS ready to leap to the defense can save your bacon. After all, many of these protocols are pretty distinctive, so they're not difficult for deep packet inspection to pick up on.
- Change the defaults. Some of the default usernames and passwords are USER and PASSWORD on these things. They're defaults in order to get your gear up and running, and are not intended for real production use. Change them, and rotate them on some kind of schedule, when people leave the organization, and all the other usual password managment advice.
- Talk to your SCADA vendor. You've got your firewalls, your IPS, and your hard to guess passwords. What else can you do? Insist that your vendor fix actual bugs is a good start. Working with them to come up with secure deployments is a longer term relationship kind of thing, but since it's usually expensive to upgrade these devices, you're in for the long term anyway.
Also this week, Jon Cran has removed a bunch of library code for the lab plugin, and converted it all over to a stand-alone Ruby gem. This is important because the lab functionality he and other contributors have put together is pretty exciting stuff, and it was a shame to have it buried in Metasploit's guts. Promoting this codebase to its own standalone project will get it a little more visibility from the general Ruby community, or so the theory goes. So, even if you're not exploiting stuff, but still have an interest in automating your VMWare lab environment, head on over to the GitHub repo to read up on where it's at today, or install it with a simple gem install lab.
Squid Proxy Pivoting
Finally, I wanted to highlight squid_pivot_scanning, a module contributed by Rapid7's Will Vandevanter. By taking advantage of an ill-configured Squid proxy and analyzing the error messages for bad HTTP proxy requests, an external attacker can map out internal networks. Not only can he find listening machines, but he can also determine which ports are open, closed, and ACL-filtered (from the perspective of the proxy server). By itself, this is a information leak, but armed with this information, a pen-tester can spend an extended period of time building up a hit list of internal hosts for an engagement that might only include a few hours on site. In addition, producing a map of ostensibly secret data can bring a nice wow-factor to a findings report.
Other New Modules
- java_atomicreferencearray by sinn3r, egypt, and Juan Vazquez, exploits CVE-2012-0507 in Java (as discussed earlier this week).
- netop by chap0 exploits OSVDB-72291 in NetOp Remote Control.
- enum_xchat by sinn3r is a post module for Linux targets which gathers information stored by XChat.
- enum_colloquy by sinn3r is a post module for Apple OSX targets which gathers information stored by Colloquy.
- shell_find_port by mak is a new 64-bit Linux payload that opens a shell over an existing connection.
If you're new to Metaspoit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.