Double Fetch 0day, ICS/SCADA, and Remembering Barnaby Jack
Blackhat 2013 day 2 brought 0day, a sad remembrance of young researcher Barnaby Jack, and ICS/SCADA security vulnerabilities and review.
Highlights of day 2 included a mind blowing talk from Mateusz “j00ru” Jurczyk and Gynvael Coldwind, further exploring the kernel level double fetch vulnerability research that has attracted interest since at least 2008. It is interesting stuff considering that buffer overflow code is particularly well audited, but race conditions simply are not. Race conditions like these enable EoP exploitation and other severe potential attacks. The two developed the Bochspwn framework to implement CPU level OS instrumentation to locate double fetch vulnerabilities, and have been cranking out substantial findings in the Windows and Linux kernels since. They dropped Windows 8 0day (although already reported to Microsoft) with yet more discoveries, releasing their Bochspwn project code during their talk “Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns”. It’s interesting that the FreeBSD code they examined has been audited before and thus doesn’t contain these bugs, while Windows and Linux pour out related issues.
They are hoping that folks can port the code to assess interesting and exotic embedded platforms and contribute to the body of work. Unfortunately, a second part of their work, Hyperpwn, presented some unexpected technical challenges in the structure of the memory regions they are most interested in, and it was not ready for primetime. Research is like that, and the talk was fantastic without it. Their work also happened to win a well deserved “Most Innovative Research” Pwnie the night before.
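For readers unfamiliar with the double fetch pattern the talk targets, here is an added example (not code from the talk or from Bochspwn) contrasting a handler that reads a user-controlled length twice with one that reads it once; the `user_req` struct, the `racer_fn` hook and the lengths used are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a request living in user memory: in a real kernel a
 * racing user thread can rewrite it between any two reads. 'volatile' keeps
 * the compiler from merging the two fetches, as real user-pointer reads are. */
struct user_req {
    volatile uint32_t len;
    uint8_t data[256];
};

#define KBUF_SIZE 64
/* Hypothetical test seam standing in for the racing thread. */
typedef void (*racer_fn)(struct user_req *);

/* Double fetch: len is read once for the check and again for the copy. */
int handle_vulnerable(struct user_req *req, racer_fn racer, uint8_t *kbuf) {
    if (req->len > KBUF_SIZE)      /* fetch #1: validated */
        return -1;
    if (racer) racer(req);         /* race window */
    size_t n = req->len;           /* fetch #2: trusted, may differ */
    memcpy(kbuf, req->data, n);    /* n can now exceed KBUF_SIZE */
    return (int)n;
}

/* Single fetch: copy len once, validate the copy, use only the copy. */
int handle_fixed(struct user_req *req, racer_fn racer, uint8_t *kbuf) {
    uint32_t len = req->len;
    if (len > KBUF_SIZE)
        return -1;
    if (racer) racer(req);         /* later changes to req->len are ignored */
    memcpy(kbuf, req->data, len);
    return (int)len;
}

/* Racer that grows the length after the check has passed. */
void grow_len(struct user_req *req) { req->len = 200; }

/* Scenario: user claims 16 bytes, then races len to 200. kbuf is oversized
 * here so the demonstration itself stays memory-safe. */
int run_scenario(int use_fixed) {
    static struct user_req req;
    static uint8_t kbuf[256];
    memset(&req, 0, sizeof req);
    req.len = 16;
    return use_fixed ? handle_fixed(&req, grow_len, kbuf)
                     : handle_vulnerable(&req, grow_len, kbuf);
}
```

The vulnerable handler reports copying 200 bytes into what it believes is a 64-byte buffer, which is exactly the memory access pattern Bochspwn looks for; the fixed handler copies the 16 bytes it validated.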
“SCADA Device Exploitation” highlighted a large dependency in attacking ICS environments – “it’s all about the pivot”. Meaning, ICS environments are best infiltrated from the backoffice and down through the reporting and control environment, historian servers and other Windows resources, potentially to the PLCs themselves. A later talk, “Compromising Industrial Environments from 40 Miles Away”, chipped away at that myth by exposing poor and insecure crypto implementations in various, heavily used ICS products. In addition, realities of present day ICS implementations certainly do not follow the generic network maps positioning PLCs buried layers down in the network. Network resources are distributed, and operations and implementations poor and messy. But they had other interesting points and demos. They pointed out OPC as a DCOM based technology used “everywhere in the process control industry”, resulting in tons of firewall ports allowing access across LANs, and that 93,793 insecure Modbus based ICS services were listening on ports directly connected to the internet in 2012. They then demoed weaknesses in often used PLC devices, forcing a pump to overflow a tank while the reporting HMI claimed devices were operating properly, in another throwback to the Stuxnet incident.
“Compromising Industrial Environments from 40 Miles Away” outlined impressive audits of several unnamed vendors’ commonly used SCADA devices, showing that authentication and crypto schemes on these devices frequently fail to deliver on the marketing messages these vendors pitch. Broken ICS radio encryption can enable remote access to insecure Modbus based devices, and the speakers demoed an animated small tank explosion. The guys even identified remote memory corruption 0day in a remote gateway device, resulting in a system freeze, a significant problem in ICS environments.
Of course, Barnaby Jack’s slot “Implantable Medical Devices: Hacking Humans” was not replaced. Instead, the room was used to celebrate Jack and his work as an inspiration, a colleague, a friend and authentic hacker. The night before he was awarded the only “Pwnie for Lifetime Achievement”, “Awarded to those of us who have moved on to bigger and better things.”
Cheers to looking forward to another gathering in 2014…