Open public network plc equipment-a new type of backdoor Analysis

Source: Internet
Author: User


0x00 Introduction

This article starts from the essential component of an industrial control network, the PLC (Programmable Logic Controller), and explains how a new type of backdoor is implemented. It is based on a talk given by the SCADACS team of the Free University of Berlin at Black Hat 2015 and on their paper "Internet-facing PLCs - A New Back Orifice". I will trim the wording of their paper and add some concrete implementation techniques and materials to their core ideas.

If you are not familiar with industrial control security, you can first read this article to pick up the basics: Quick Start analysis.

The following sections provide background and basic knowledge. If you already have a good understanding of PLCs and industrial control security, you can jump directly to Attack Description (0x03).

0x01 Introduction

In this article we study how attackers can reach deep into industrial networks through a PLC exposed on the public network.

The method we adopt is to turn the PLC into a gateway (this article uses Siemens PLC technologies and features); it is feasible on PLCs that lack proper authentication. An experienced attacker with access to a PLC can upload or download code to it, as long as the code is MC7 bytecode, the native code form of the PLC. We studied the PLC runtime environment and found that many network services can be implemented by uploading MC7 code. In particular, we have implemented:

a fully functional SNMP scanner, and a compact SOCKS proxy, both compiled for Siemens PLCs,

and their implementation relies solely on STL language code compiled into MC7 bytecode. Our scanner and proxy can be deployed on the PLC without interrupting the operation of the original program, which makes it difficult for operations staff to realize that the PLC has been infected. To describe and analyze deep intrusions into industrial networks, we developed a proof-of-concept tool, PLCinject (GitHub project: SCADACS/PLCinject). According to our proof of concept, ... (This passage is too damn complex for me to translate accurately. It mainly means that malware running on the PLC lengthens the execution of the original code: if we regularly measure the original code and the program infected with malicious code, there is a statistically significant difference in runtime between the two, but the impact on the production process is minimal, and unless the operator actively monitors the malicious access traffic from the PLC, it is difficult to notice in production.) In addition, attackers can use our method to attack enterprise business networks through the industrial control network. This means that network administrators must be vigilant against attacks initiated from both the front and the back of the business network.

I will add the code for Schneider PLCs at the end of the article.

0x02 industrial control system Introduction

The figure (not reproduced here) shows a typical structure of a company that uses automation systems. The industrial control system consists of the following layers. At the top is the Enterprise Resource Planning (ERP) system, which stores data on currently available resources and production capacity. Manufacturing Execution Systems (MES) can manage multiple plants or sites and receive tasks from the ERP system. The systems below the MES are located within the plant: supervisory control and data acquisition (SCADA) systems control the production lines, provide data about the current production status and allow interventions. The device that stores the logic of the production process is the programmable logic controller (PLC). The human-machine interface (HMI) displays the current progress and lets the operator interact with the production process.

This article focuses on PLC attacks.

PLCs were originally developed only for automation control. Early on, their application scenarios were extremely closed, and they almost never came into contact with third-party equipment outside the industrial intranet. However, in recent years, with the rapid development of the Internet and the emergence of the Internet of Things and smart hardware, industrial PLCs have gradually been exposed to the public network; you can search for Schneider or Siemens models on Seebug and Shodan to find PLC devices on the Internet. Despite this, the current security of PLCs is very poor. First, PLC firmware updates are slow: although the manufacturer may provide maintenance updates, updating the firmware of a PLC running live in an industrial network is very costly, and a shutdown may stop the entire plant. Second, current PLCs already have some relatively basic access control mechanisms, but few operators enable them, because doing so reduces the efficiency and stability of PLC operation. Therefore, if a PLC is open to the public network, we can load arbitrary code onto it.

In addition to the serious access control problems, attackers may use the PLC as a gateway to the production network or even the company intranet. In this article we analyze and discuss this threat vector and show that this method of exploitation is real and feasible. For demonstration purposes, we developed a port scanner and a SOCKS proxy running on the PLC. The scanner and proxy are written in the native PLC programming language Statement List (STL).

PLC

Hardware

A PLC consists of a CPU (generally with communication modules such as industrial Ethernet, Modbus and PROFINET, and some service interfaces such as FTP, web and Telnet) combined with external digital and analog input and output modules (sometimes a dedicated communication module is attached externally). This document uses the Siemens S7-314C-2 PN/DP.

Execution Environment

This part is easier to understand if you have studied computer organization. It focuses on the code execution process of the PLC, which is closely related to the stealth of our attack method and to the communication stability when writing the proxy.

A Siemens PLC runs a real-time operating system, which first initializes cycle time monitoring. The operating system then repeats the following four steps periodically:

In step 1, the CPU copies the output values of the process image to the output modules. In step 2, the CPU reads the status of the input modules and updates the input values of the process image. In step 3, the user program is executed in time slices of 1 ms; each time slice is divided into three parts, executed in sequence: operating system, user program and communication. The number of time slices depends on the current user program; by default the cycle should not take longer than 150 milliseconds, and engineers can configure a different value. If the configured time is used up, the interrupt routine is called. In step 4, the CPU normally returns to the start of the cycle and restarts cycle time monitoring.

Software

We use STEP 7 for PLC programming. The version I use is v5.5.

Refer to this article for the STEP 7 v5.5 (Chinese) software download, simulator installation and authorization.

Note that the simulator must be installed separately.

Engineers can program the PLC in ladder diagram (LAD), function block diagram (FBD), structured control language (SCL) and statement list (STL). SCL and STL are text-based languages that are compiled, whereas LAD and FBD are graphical. PLC programs are divided into organization blocks (OB), functions (FC), function blocks (FB), data blocks (DB), system functions (SFC), system function blocks (SFB) and system data blocks (SDB). OB, FC and FB contain the actual code, DB stores data structures, and SDB stores the current configuration of the PLC. Memory addresses prefixed with M are used for addressing internal data storage.

Programming

A PLC program consists of at least one organization block (OB 1), which is equivalent to the main function of a C program and is called by the operating system. There are further organization blocks for specific purposes, such as OB 100, which is called once during PLC startup and is usually used to initialize the system.

I will not go into the syntax of the various programming languages here; please refer to the relevant documents yourself.

Network Protocol

Although the original article elaborates on the communication process, I will not explain it at length, because this article focuses mainly on writing the malicious code.

Still, it should be said that these embedded devices usually run a stripped-down VxWorks system. I personally think that penetration testing and vulnerability research on industrial control systems are currently at a stage where, in the absence of in-depth firmware analysis, attacks against the communication protocols of industrial control networks are the most efficient means. I have roughly reviewed the industrial control vulnerabilities on WooYun; in fact, most of them are still web penetration. For industrial networks, availability is sometimes even more important than confidentiality (think of the explosion at the Iranian nuclear facility).

Siemens PLCs use their own S7comm protocol to transmit blocks. It is a Remote Procedure Call (RPC) protocol based on TCP/IP and the ISO transport service over TCP. The figure (not reproduced here) shows the packet encapsulation.

The Protocol provides the following functions:

- System status list request
- List available blocks
- Read/write data block information request
- Upload/download blocks
- Transfer blocks to the file system
- Start, stop and memory reset
- Debugging

A transmitted block is structured: it consists of a header, a data part and a trailer.

For the detailed transmission process, see the original article. Here only the structure of some known bytes is given (figure not reproduced here):

The trailer contains the parameter information used to call the function. Not all bytes of the header and trailer are known to us, but we have identified the areas necessary to understand their content.

This part mainly explains the malicious code injection method. In fact, you can use STEP 7 for code injection; it can even be said that basically all operations of this protocol can be completed with STEP 7. However, if we understand the structure and functions of the protocol, we can write scripts to automate attacks.
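The same protocol knowledge serves the defender: anyone who can see TCP port 102 traffic can tell a block download or a CPU stop apart from an ordinary variable read. The following Python script is an added example, not code from the original article or from the PLCinject project. It parses the S7comm header as carried over TPKT and ISO-COTP and flags jobs that download blocks or change the run state when they come from a host that is not an authorized engineering station. The function codes are those documented in the Wireshark s7comm dissector (the page itself names none), the header layout assumed here is the 10-byte job header (12 bytes for ack-data PDUs, which carry an error field), and the sample frames and host addresses are constructed for the example.

```python
import struct

# Function codes of the S7comm "Job" PDU, as documented in the Wireshark
# s7comm dissector (assumption: the page itself names no function codes).
S7_FUNCTIONS = {
    0x00: "CPU services",
    0x04: "Read Var",
    0x05: "Write Var",
    0x1A: "Request download",
    0x1B: "Download block",
    0x1C: "Download ended",
    0x1D: "Start upload",
    0x1E: "Upload",
    0x1F: "End upload",
    0x28: "PLC Control",
    0x29: "PLC Stop",
    0xF0: "Setup communication",
}

# Jobs that alter the program stored on the controller or its run state.
PROGRAM_CHANGING = {0x1A, 0x1B, 0x1C, 0x28, 0x29}

ROSCTR_JOB = 0x01


def parse_s7comm(frame: bytes):
    """Return (rosctr, function_code) for a TPKT/COTP/S7comm frame, or None
    when the bytes do not look like S7comm at all."""
    # TPKT: version 3, reserved byte, 16-bit total length.
    if len(frame) < 7 or frame[0] != 0x03:
        return None
    if struct.unpack(">H", frame[2:4])[0] != len(frame):
        return None
    # COTP: the first byte is the length of the rest of the COTP header.
    cotp_len = frame[4]
    s7 = frame[5 + cotp_len:]
    # S7comm header: protocol id 0x32, ROSCTR, redundancy id, PDU reference,
    # parameter length, data length (plus error class/code for ack-data).
    if len(s7) < 10 or s7[0] != 0x32:
        return None
    rosctr = s7[1]
    param_len = struct.unpack(">H", s7[6:8])[0]
    header_len = 12 if rosctr in (0x02, 0x03) else 10
    if param_len < 1 or len(s7) < header_len + param_len:
        return None
    # The first parameter byte is the function code.
    return rosctr, s7[header_len]


def flag_program_changes(flows, engineering_hosts):
    """flows: iterable of (src_ip, dst_ip, frame). Returns a list of alerts
    for program-changing jobs sent by hosts outside the allow list."""
    alerts = []
    for src, dst, frame in flows:
        parsed = parse_s7comm(frame)
        if parsed is None:
            continue
        rosctr, func = parsed
        if rosctr == ROSCTR_JOB and func in PROGRAM_CHANGING and src not in engineering_hosts:
            alerts.append((src, dst, S7_FUNCTIONS.get(func, hex(func))))
    return alerts


def build_job(function: int, params: bytes = b"") -> bytes:
    """Construct a minimal S7comm job frame for the sample data below; real
    parameter blocks are longer, but only the function code matters here."""
    s7 = (bytes([0x32, ROSCTR_JOB, 0x00, 0x00, 0x00, 0x01])
          + struct.pack(">HH", 1 + len(params), 0)
          + bytes([function]) + params)
    body = bytes([0x02, 0xF0, 0x80]) + s7  # COTP data TPDU
    return bytes([0x03, 0x00]) + struct.pack(">H", 4 + len(body)) + body


# Constructed sample traffic: an HMI reading variables, the engineering
# station downloading a block, an unknown host requesting a download,
# and a non-S7 payload that must be ignored.
ENGINEERING_HOSTS = {"192.0.2.10"}
SAMPLE_FLOWS = [
    ("192.0.2.20", "192.0.2.50", build_job(0x04)),
    ("192.0.2.10", "192.0.2.50", build_job(0x1B)),
    ("203.0.113.5", "192.0.2.50", build_job(0x1A)),
    ("203.0.113.5", "192.0.2.50", b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in flag_program_changes(SAMPLE_FLOWS, ENGINEERING_HOSTS):
        print("ALERT: %s -> %s: %s" % alert)
```

In a real deployment the frames come from a span port or a packet capture rather than a constructed list, and the allow list should contain only the engineering workstations that are permitted to download blocks; an alert from any other source is exactly the "attempt to re-program the PLC" that the firewall advice at the end of the article is meant to stop.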

0x03 Attack Description

Siemens PLCs provide a system library that can establish arbitrary TCP/UDP connections. Attackers can use this full TCP/UDP support to scan the local production network behind the public-facing PLC. In fact, as far as I understand, only communication over PROFINET can perform these TCP/UDP requests, so the Siemens PLC model we use must be a PN variant, for example the S7-314C-2 PN/DP used in the original article, or the S7-319-3 PN/DP and so on.

Overview

We first download the OB1 block from the PLC and then add a CALL instruction that calls any controllable function; in our example this function is FC 666. Then the patched OB1, FC 666 and the other blocks (this may include many blocks, such as the FC blocks we compiled, the instance data block and the shared data block) are uploaded to the PLC. The figure (not reproduced here) shows the code injection process:

During the next execution cycle, the newly uploaded program containing the attack code is executed without causing any service interruption (I think this is not necessarily the case: in RUN mode there will still be an interruption, while in RUN-P mode it is executed automatically in the next cycle without interruption). This process allows attackers to run arbitrary malicious code on the PLC. With this article we released a tool named PLCinject, which automates the process. With this technique, attackers can carry out the attack process shown in the figure (not reproduced here):

In step 1, attackers inject an SNMP scanner, which runs alongside the normal code on the PLC. After a complete SNMP scan of the local network (step 2), attackers download the scan results from the PLC (step 3). Attackers now have an overview of the intranet behind the public PLC. They then replace the SNMP scanner with a SOCKS proxy (step 4). This allows attackers to use the PLC as a proxy to reach all PLCs in the local production network. In the next two sections we describe the implementation of the SNMP scanner and the SOCKS proxy. We will not explain every operation and system call in detail; for these we refer to the S7-300 Instruction List (S7-300 CPUs and ET 200 CPUs) and Siemens (2006), System Software for S7-300/400 System and Standard Functions, Volume 1/2.

The system calls used in this article are: SFC 51 "RDSYSST", FB 65 "TCON", FB 63 "TSEND", FB 64 "TRCV", FB 67 "TUSEND", FB 68 "TURCV" and UDT 65 "TCON_PAR".

Please refer to the Siemens (2006) System Software for S7-300/400 System and Standard Functions, Volume 1/2 document mentioned above for their parameters, inputs and outputs.

SNMP protocol

A Siemens PLC cannot be used as a TCP port scanner, because the TCP connection function TCON cannot be terminated until the connection has been established successfully. In addition, at most eight TCP connections can be active concurrently on a Siemens S7-300. Therefore the PLC can only act as a TCP scanner until eight connection attempts fail at the same time (if eight connections fail simultaneously, the eight connection functions cannot be released and the scan cannot continue). This restriction does not apply to stateless UDP. This is why we use the Simple Network Management Protocol (SNMP), which is based on UDP. SNMP v1 is defined in RFC 1157 [23] and was developed to monitor and control network devices. A large number of network devices and most SIEMENS SIMATIC PLCs support SNMP by default, and Siemens PLCs are very talkative when SNMP is enabled. When the SNMP system description (sysDescr) object with OID 1.3.6.1.2.1.1.1 is read, a Siemens PLC returns its product type, model, hardware and firmware version in an SNMP response of the following form:

Siemens, SIMATIC S7, CPU314C-2 PN/DP, 6ES7 314-6EH04-0AB0 , HW: 4, FW: V3.3.10.

The system description can be used to match the detected PLC against vulnerability and exploit databases. PLC firmware is not patched often, for two main reasons: on the one hand, a firmware upgrade interrupts the production process and causes losses; on the other hand, a firmware patch can cause product quality problems, which is intolerable for customers. This is why it is very likely to find a Siemens PLC with known vulnerabilities. The SNMP scanner can be divided into the following steps:
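The same sysDescr string that gives an attacker a fingerprint gives the asset owner an inventory. As an added example (not from the original article), the following Python helper parses the sysDescr value quoted above into its fields, records whether the CPU is a PN variant (the PROFINET CPUs that have the open TCP/UDP communication this article relies on), and compares the firmware version against a site-defined minimum. The minimum-version table, the second response and its order number are constructed for the example; the parsed version is only the starting point for looking the device up in the vendor's advisories.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Shape of the Siemens sysDescr value quoted on this page:
# "Siemens, SIMATIC S7, CPU314C-2 PN/DP, 6ES7 314-6EH04-0AB0 , HW: 4, FW: V3.3.10."
SYSDESCR_RE = re.compile(
    r"^(?P<vendor>[^,]+),\s*(?P<family>[^,]+),\s*(?P<cpu>[^,]+),\s*"
    r"(?P<order>[^,]+?)\s*,\s*HW:\s*(?P<hw>\d+)\s*,\s*FW:\s*V(?P<fw>[\d.]+)$"
)


class PlcDescr(NamedTuple):
    vendor: str
    family: str
    cpu: str
    order_number: str
    hw: int
    fw: Tuple[int, ...]
    has_profinet: bool


def parse_sysdescr(text: str) -> Optional[PlcDescr]:
    """Split a Siemens sysDescr string into its fields; None if it does not match."""
    m = SYSDESCR_RE.match(text.strip())
    if m is None:
        return None
    # The value ends with a period, so strip it before splitting "3.3.10".
    fw = tuple(int(part) for part in m.group("fw").strip(".").split("."))
    cpu = m.group("cpu").strip()
    return PlcDescr(
        vendor=m.group("vendor").strip(),
        family=m.group("family").strip(),
        cpu=cpu,
        order_number=m.group("order").strip(),
        hw=int(m.group("hw")),
        fw=fw,
        # "PN" in the CPU name marks the PROFINET variants with open
        # TCP/UDP communication, which is what the attack described here needs.
        has_profinet="PN" in cpu,
    )


def firmware_status(descr: PlcDescr, minimum_fw: dict) -> str:
    """Compare the firmware against a site-defined minimum for the CPU type.
    minimum_fw maps CPU name -> version tuple (constructed policy, not vendor data)."""
    required = minimum_fw.get(descr.cpu)
    if required is None:
        return "unknown-cpu"
    return "outdated" if descr.fw < required else "ok"


def inventory(responses, minimum_fw):
    """responses: iterable of (ip, sysDescr). Returns rows of
    (ip, cpu, firmware, status, has_profinet)."""
    rows = []
    for ip, text in responses:
        d = parse_sysdescr(text)
        if d is None:
            rows.append((ip, None, None, "unparsed", None))
            continue
        rows.append((ip, d.cpu, ".".join(map(str, d.fw)),
                     firmware_status(d, minimum_fw), d.has_profinet))
    return rows


# Constructed sample data: the sysDescr quoted on this page, a made-up
# second controller, and a non-Siemens device; the minimum versions are an
# example site policy, not vendor guidance.
SAMPLE_RESPONSES = [
    ("192.0.2.50", "Siemens, SIMATIC S7, CPU314C-2 PN/DP, 6ES7 314-6EH04-0AB0 , HW: 4, FW: V3.3.10."),
    ("192.0.2.51", "Siemens, SIMATIC S7, CPU315-2 DP, 6ES7 315-2AH14-0AB0 , HW: 2, FW: V3.2.0."),
    ("192.0.2.52", "Linux switch01 3.10.0"),
]
MINIMUM_FW = {"CPU314C-2 PN/DP": (3, 3, 12), "CPU315-2 DP": (3, 2, 0)}

if __name__ == "__main__":
    for row in inventory(SAMPLE_RESPONSES, MINIMUM_FW):
        print(row)
```

Running the inventory from the plant's own monitoring host, on a schedule, turns the "plc is very talkative" property into a maintenance list: every row marked outdated is a device whose patch decision should be recorded, and every PN row is a device whose open-communication capability makes the gateway attack described here possible.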

1. Obtain the local IP address and subnet mask and compute the IP address range of the subnet.
2. Establish a UDP connection.
3. Send an SNMP request.
4. Receive the SNMP response.
5. Store the response in a data block.
6. Stop scanning and close the UDP connection.

PLC programming is completely different from normal programming on x86 systems in C; it is easier to understand if you have learned a hardware-oriented programming model such as OpenGL. Each PLC program is executed cyclically, so it must store the program state in a state variable after each step. Here we only explain steps 1 to 3 of the SNMP scan. The figure (not reproduced here) shows the code snippet of step 1, which calls the RDSYSST function.

The RDSYSST function reads the internal system status list (SSL) to obtain the local IP address of the PLC; SSL requests are usually used for diagnostics.

Here is an example from the Siemens official website: Reading the local IP address.

Lines 14 and 15 stop the function while RDSYSST is busy. The figure (not reproduced here) shows how the program computes the first IP address and the total number of IP addresses of the local network.

This is done by a bitwise AND of the local IP address and the subnet mask of the PLC, which returns the starting address of the local network (lines 24-30). The SNMP scanner now needs to know the total number of IP addresses in the subnet, so we XOR the subnet mask with 0xFFFFFFFF (lines 35-39). The result is the total number of IP addresses in the subnet. The figure (not reproduced here) shows how to establish a UDP connection in STL. First we call the TCON function with the DB TCON_PAR_SCAN as the instance data block of the function.

In the case of UDP, TCON does not establish a connection; it does so only under TCP, because TCP, unlike UDP, is connection-oriented. However, calling TCON once is not enough: the function only starts working when the #connect variable changes from 0 to 1 between two calls. This is why we wrote a toggle (lines 10-11) after the first occurrence of the connect function. It changes the value of #connect from False to True after the first TCON call in a cycle, so that when TCON is called in the next cycle the rising edge is detected and the function executes. The next step is to send an SNMP packet over UDP and receive the response, which is done by calling the TUSEND and TURCV functions. After the SNMP scan is complete, all data is stored in a data block that the attacker can download (step 3).

The figure (not reproduced here) gives an example UDP protocol exchange.

The other parameters of the TCON function are unproblematic; the key one is the CONNECT parameter. It requires a pointer to a DB block created from the UDT 65 template. Details of UDT 65 can be found in the manual above, but creating such a data structure by hand is really tedious, so I found a dedicated tool for building the TCON connection parameters: Open Communication Wizard V2.3.3.

SOCKS5 PROXY

Once the attacker has detected all SNMP devices, including the local PLCs, the next step is to connect to them. This can be achieved by using the accessible PLC as a gateway into the intranet. For this we chose to implement a SOCKS5 proxy on the PLC, for two main reasons. First, the SOCKS protocol is lightweight and easy to implement. Second, every application can use this type of proxy: either the application supports SOCKS itself, or a so-called proxifier can add SOCKS support to any program. The SOCKS5 protocol is defined in RFC 1928 [24]. The following steps are required to connect to the target through the proxy over TCP without error:

1. The client connects to the SOCKS server over TCP and sends the list of authentication methods it supports.
2. The server replies with the selected authentication method.
3. The corresponding sub-protocol is run according to the selected authentication method.
4. The client sends a connection request with the target IP address.
5. The server establishes the connection and replies.
6. All subsequent data packets are tunneled between the client and the target.
7. The client closes the TCP connection.

Our implementation provides the minimum necessary functionality: it does not support authentication, so step 3 is skipped, it has no error handling, and only IPv4 addresses can be connected. Once the client is connected, we expect the exchange to go through the following steps:

Client offers authentication methods: 0x05, then the number of methods (1 byte) and the method list (n bytes); the content can be anything.
Server selects the authentication method: 0x05 0x00 (no authentication).
Client connection request: 0x05 0x01 0x00 0x01, target IP (4 bytes), target port (2 bytes).
Server confirms the connection: 0x05 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00.
Client and target can now communicate through the connection with the server.
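A controller has no business answering on TCP port 1080 at all, so the four messages above are also a compact signature for monitoring. The Python script below is an added example, not code from the original article or the PLCinject project: it walks a captured exchange through the same states the article describes (greeting, method selection, connect request, reply) and reports whether a SOCKS5 tunnel was completed and which internal address and port the client asked for. The captured messages, the addresses and the port are constructed for the example.

```python
import ipaddress
import struct


def classify_socks5_exchange(messages):
    """Walk the minimal, unauthenticated SOCKS5 handshake described on this
    page as a state machine. messages is a list of (direction, payload) in
    wire order, direction "c2s" (client to proxy) or "s2c" (proxy to client).
    Returns (verdict, target); target is the (ip, port) the client asked the
    proxy to reach, once known."""
    state = "greeting"
    target = None
    for direction, data in messages:
        if state == "greeting":
            # VER=0x05, NMETHODS (1 byte), METHODS (NMETHODS bytes)
            if (direction != "c2s" or len(data) < 3 or data[0] != 0x05
                    or len(data) != 2 + data[1]):
                return "not_socks5", None
            state = "method"
        elif state == "method":
            # Proxy selects "no authentication required".
            if direction != "s2c" or data != b"\x05\x00":
                return "not_socks5", None
            state = "connect"
        elif state == "connect":
            # VER=0x05, CMD=CONNECT, RSV=0, ATYP=IPv4, DST.ADDR (4), DST.PORT (2)
            if direction != "c2s" or len(data) != 10 or data[:4] != b"\x05\x01\x00\x01":
                return "not_socks5", None
            ip = str(ipaddress.IPv4Address(data[4:8]))
            port = struct.unpack(">H", data[8:10])[0]
            target = (ip, port)
            state = "reply"
        elif state == "reply":
            # VER=0x05, REP=succeeded, RSV=0, ATYP=IPv4, zeroed BND.ADDR/BND.PORT
            if direction != "s2c" or len(data) != 10 or data[:4] != b"\x05\x00\x00\x01":
                return "not_socks5", target
            return "socks5_tunnel", target
    return "incomplete", target


def build_connect(ip: str, port: int) -> bytes:
    """Encode the client's CONNECT request for the constructed sample below."""
    return b"\x05\x01\x00\x01" + ipaddress.IPv4Address(ip).packed + struct.pack(">H", port)


def plc_is_proxying(exchange) -> bool:
    """True when a device that should never speak SOCKS completed the handshake."""
    verdict, _ = classify_socks5_exchange(exchange)
    return verdict == "socks5_tunnel"


# Constructed capture: an external host completing the handshake with a
# controller on port 1080 and asking it to reach an internal address.
SAMPLE_EXCHANGE = [
    ("c2s", b"\x05\x01\x00"),
    ("s2c", b"\x05\x00"),
    ("c2s", build_connect("10.0.0.7", 102)),
    ("s2c", b"\x05\x00\x00\x01" + b"\x00" * 6),
]

# Constructed non-SOCKS bytes on the same port, for contrast.
SAMPLE_OTHER = [("c2s", b"\x03\x00\x00\x16\x11\xe0"), ("s2c", b"\x03\x00\x00\x0b")]

if __name__ == "__main__":
    print(classify_socks5_exchange(SAMPLE_EXCHANGE))
    print(classify_socks5_exchange(SAMPLE_OTHER))
    print("proxying:", plc_is_proxying(SAMPLE_EXCHANGE))
```

The classifier is deliberately as strict as the article's implementation is minimal: it only accepts the no-authentication method and IPv4 CONNECT requests, because that is exactly what a proxy squeezed into a PLC program can afford to speak, and a completed handshake is the point at which the controller has become a gateway into the production network.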

As mentioned above, the PLC program is executed cyclically. That is why we use a simple state machine to handle the SOCKS protocol: each state has a number, and a jump table executes the corresponding code block. For example (figure not reproduced here):

State transitions are performed by incrementing the state code stored in a data block. Each state and its action is described below:

Bind listener: when the program starts for the first time, it must bind and listen on SOCKS port 1080. This is done with the TCON system call in passive mode. We remain in this state until someone connects to the port. Negotiation: we wait for the client to send any message. This is implemented with the TRCV function, which requires the EN_R parameter to be set in order to execute (figure not reproduced here).

Authentication: after the first message, we send a response indicating that the client need not authenticate. For this we use the TSEND system call. Unlike TRCV, this function is edge-triggered, which means the REQ parameter must change from False to True between consecutive calls to trigger sending. As the figure (not reproduced here) shows, we toggle the flag and call TSEND twice, so that it fires on the rising edge of REQ.

Connection request: next we expect the client to send a connection request containing the destination IP address and port number, which are stored for the next state. Connection: we use TCON to establish the connection to the target.

Connection confirmation: once the connection to the target has been established, we send the confirmation to the client.

Proxy: now we only need to open a tunnel between the client and the target. All data received from the client with TRCV is stored in a buffer, and the TSEND function takes the data from the buffer and sends it on to the target. The same principle applies in the opposite direction, but we must take into account that sending a message may take several cycles, so a second buffer is used to ensure that no messages are mixed up or lost. The error flag of TRCV is used as the signal for a disconnect; when it occurs we send the last received data and move to the next state.

Reset: in this state we use TDISCON to close all connections and reset all flags to their initial state.

0x04

The maximum throughput of the proxy is about 40 kB/s. If the SOCKS proxy runs alone on the PLC, the rate can be as high as kB/s. All network devices were connected directly to the PLC over 100 Mbit/s Ethernet. Finally, we tested the attack cycle described above in the lab. In addition to regular communication, we verified exploitation of the DoS vulnerability CVE-2015-2177 through the SOCKS tunnel using the tsocks library. The code was executed successfully through the SOCKS tunnel.

Our attack has certain limitations. To ensure that the PLC always responds to requests, the execution time of the main program is monitored; when the execution time is too long, the main program is terminated. The SNMP scanner or proxy code we upload, together with the original program, must not exceed the maximum execution time of 150 ms. Injecting the scanner or proxy is unlikely to trigger the timeout, because the additional execution time of the proxy is 1.35 ms, far below 150 ms. Moreover, the timeout can be avoided by resetting the time counter after the injected program has finished executing, using the system call RE_TRIGR. Against the above attacks, the simplest protection is to keep the PLC offline, or to use a VPN instead of public network access. If that is not possible, protection level 3 of the Siemens PLC should be activated, which puts the PLC under password-based read and write protection, so that an attacker without the correct password cannot modify the PLC program. According to our research, this function is rarely used in practice. Another protection mechanism is a firewall that filters suspicious packets, for example malicious access attempting to re-program the PLC.
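The cycle time monitor is a weak control on its own: 1.35 ms disappears inside a 150 ms budget, and RE_TRIGR can reset the counter anyway. What the introduction calls the statistically significant runtime difference is nevertheless measurable, provided someone measures it. The Python script below is an added example (not from the original article) of that measurement: it builds a baseline from a run of healthy scan cycle times, then scores a recent window by the shift of its mean in standard errors, so that a small but sustained increase stands out even though the budget is nowhere near exhausted. The cycle time samples and the jitter model are constructed for the example; in practice the values would come from the controller's cycle time diagnostics.

```python
import math
import statistics


def cycle_time_baseline(samples):
    """Mean and population standard deviation of healthy scan cycle times (ms)."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def check_window(baseline, window, z_threshold=4.0, max_cycle_ms=150.0):
    """Compare a recent window of cycle times against the baseline.

    Returns the mean shift in ms, a z-score of the window mean against the
    baseline mean (a shift of about 1.35 ms on a stable loop scores very
    high even though the 150 ms budget is untouched), and the headroom left
    before the time-error reaction described on this page would fire."""
    base_mean, base_std = baseline
    win_mean = statistics.fmean(window)
    delta = win_mean - base_mean
    # Guard against a perfectly constant baseline (std == 0).
    stderr = max(base_std, 1e-6) / math.sqrt(len(window))
    z = delta / stderr
    return {
        "delta_ms": delta,
        "z": z,
        "anomalous": z > z_threshold,
        "headroom_ms": max_cycle_ms - max(window),
    }


# Constructed samples: a loop that normally takes 12.0 ms with +/-0.2 ms of
# deterministic jitter, and a later window where every cycle is 1.35 ms
# longer (the extra execution time the page reports for the proxy).
BASELINE_SAMPLES = [12.0 + 0.1 * ((i * 7) % 5 - 2) for i in range(50)]
HEALTHY_WINDOW = BASELINE_SAMPLES[:10]
SHIFTED_WINDOW = [t + 1.35 for t in BASELINE_SAMPLES[:10]]

if __name__ == "__main__":
    base = cycle_time_baseline(BASELINE_SAMPLES)
    for name, win in (("healthy", HEALTHY_WINDOW), ("shifted", SHIFTED_WINDOW)):
        r = check_window(base, win)
        print("%s: delta=%.2f ms z=%.1f anomalous=%s headroom=%.1f ms"
              % (name, r["delta_ms"], r["z"], r["anomalous"], r["headroom_ms"]))
```

The threshold of four standard errors is a starting point, not a constant: a loop whose cycle time legitimately varies with production load needs a baseline captured under the same load, and a change should be re-baselined only after the program download that explains it has been confirmed against the engineering records.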

0x05 implementation on Schneider Devices

See the Schneider Unity Pro manual for the following technical details:

Schneider's TCP communication relies on the TCP_OPEN library, but this library has many restrictions. First, the default libraries of Unity Pro do not include the TCP_OPEN function block library; the TCP Open library must be purchased separately (order number TLXCDTCP50M) and installed before use, and only Unity Premium supports this function block library. I also found that only the TSX ETY 1100WS and TSX ETY 5103 provide the TCP_OPEN library.

This means that only a very small number of Schneider devices can perform TCP communication in a real environment. This is also a limitation of the attack, which is mentioned again in the Summary.

Here we only cover the function blocks that may be needed. For details of the API calls, see the Unity Pro manual, EF/EFB/DFB -> TCP Open Library -> Advanced.

FCT_ACCEPT: accept a connection request
FCT_BIND: bind a data channel to an IP address and port number
FCT_CLOSE: delete a data channel
FCT_CONNECT: establish a connection
FCT_LISTEN: configure a channel to wait for connections
FCT_RECEIVE: retrieve the data available on a data channel
FCT_SEND: send data on the specified data channel
FCT_SOCKET: create a new data channel

0x06 Summary

In fact, although the idea in this article is novel, it is not very complicated; it is something anyone could think of. Yet although the idea is simple, when I implemented it myself I found far too many pitfalls. Originally I planned to reproduce this article in a week, but in the end I felt a little overwhelmed. After all, as a web guy, my time researching automation has been too short.

Afterwards, I personally think that this attack method is quite limited. According to my survey, the number of Siemens PN-model CPUs is relatively large, but the CPUs of other vendors basically do not have full TCP/UDP communication functions, as with Schneider mentioned in the previous section.

Below is a small demo from the several pieces I wrote, packed into one project. Although the implementation is incomplete and has many problems, it is easy for beginners to understand, and I want to offer some guidance. I hope we can have a chat.

S7_pro1.zip

You can restore this zip file in STEP 7 directly, without decompressing it.

 
