In the past few years, particularly in the wake of Stuxnet, SCADA and ICS software has come under heavy scrutiny from the security community for a variety of poor programming practices which has unearthed some critical security issues like as memory corruption attacks, hardcoded credentials, broken crypto, and web-based attacks such as SQL injection and cross-site scripting.¬† In this series, we're going to cover some basic techniques for auditing ICS software that is aimed at beginners and intermediate users who want to either start with software auditing or want to take a look at ICS software but aren't sure where to start.
Why ICS software?
The reasons for targeting ICS software is fairly straightforward.¬† First, Windows XP is the preferred operating system which means it lacks many of the modern protection mechanisms found on Windows 7 and 8 so exploitation is naturally much easier.¬† Second, finding security vulnerabilities in this software is generally trivial, so it makes a nice primer for gaining experience with file format fuzzing, static analysis, and web attacks.¬† While one could in theory audit things like Bob's Kewl MP3 player, I think real-world software makes it much more interesting.
What you will need
There are a variety of tools you will need to work through this series and we won't be detailing the installation of these things but you do have time between now and the next post.¬† In the mean time, you should have:
- Virtual instance of Windows XP (take a snapshot!)
- IDA (Either free 5.x version or 6.x versions will work)
- SysInternals Suite
- Rohitab API Monitor
- FOE (configuration, and basic usage can be found in my previous post)
- A web scanner such as W3AF or Arachni
Using these tools, we'll go through the basic techniques required to look at thick apps and services.¬† Throughout the process, we'll cover network service vulnerabilities such as buffer overflows, browser exploitation by abusing unsafe ActiveX controls, and file parsing vulnerabilities.
While the above is far from a comprehensive list of vulnerabilities that you'll find in this software, I hope it will serve as a solid introduction so please be sure to check back soon for part 2!