Stuxnet : Analysis, Myths and Realities

ACTUSÉCU 27 XMCO

David Helan

STUXNET : ANALYSIS, MYTHS AND REALITIES

CONTENTS Stuxnet: complete two-part article on THE virus of 2010

Keyboard Layout: analysis of the MS10-073 vulnerability used by Stuxnet Current news: Top 10 hacking techniques, zero-day IE, Gsdays 2010, ProFTPD...

Blogs, softwares and our favorite Tweets...

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [1] Are you concerned by IT security in your company? ACTU SÉCU 27 XMCO Partners is a consultancy whose business is IT security audits.

Services:

Intrusion tests Our experts in intrusion can test your networks, systems and web applications Use of OWASP, OSSTMM and CCWAPSS technologies

Security audit Technical and organizational audit of the security of your Information System Best Practices ISO 27001, PCI DSS, Sarbanes-Oxley

PCI DSS support Consulting and auditing for environments requiring PCI DSS Level 1 and 2 certiﬁcation.

CERT-XMCO: Vulnerability monitoring Personalized monitoring of vulnerabilities and the ﬁxes affecting your Information System

CERT-XMCO: Response to intrusion Detection and diagnosis of intrusion, collection of evidence, log examination, malware autopsy

About XMCO Partners:

Founded in 2002 by experts in security and managed by its founders, we work in the form of ﬁxed-fee projects with a commitment to achieve results. Intrusion tests, security audits and vulnerability monitoring are the major areas in which our ﬁrm is developing.

At the same time, we work with senior management on assignments providing support to heads of information- systems security, in drawing up master plans and in working on awareness-raising seminars with several large French accounts.

To contact XMCO Partners and discover our services: http://www.xmco.fr WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [2] EDITORIAL NUMBER 27 FEB. 2011

We wish you a happy 2011… ACTUSECU This is the first issue of ActuSécu certainly be implementation errors in 2011. As usual, a very busy that may be exploited by pirates, year end made us a little late in especially as these are particularly Editor in chief: writing this issue. ingenious concerning hacking Adrien GUINAULT means of payment. The XMCO team is strengthened Contributors: with the arrival of Florent We hope that you find this issue Charles DAGOUAT Hochwelker, a security consultant interesting and we look forward to Florent HOCHWELKER coming from SkyRecon. The seeing you at Black Hat Stéphane JIN security of the Windows kernel, Barcelona, for which XMCO is a François LEGUE DEP bypass and other tricks for partner. Frédéric CHARPENTIER happily causing memory overflows Yannick HAMON no longer hold any secrets for him. Frédéric Charpentier Florent has also written its first Chief Technology Officer article in this issue. CONTACT XMCO What will 2011 bring us in terms of [email protected] attacks and security? Without [email protected] wishing to gaze into a crystal ball, it is clear, for me, that 2011 will be THE XMCO AGENDA the year of m-payment: contactless mobile payments (by PCI DSS QSA TRAINING NFC or GSM). Although these 7 and 8 March in London technologies are, a priori, new, BLACKHAT EUROPE they are based on existing and 16 and 17 March in Barcelona proven frameworks. There will BLACK HAT

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [3] STUXNET PART I P. 5 BOOKMARKS AND TOOLS P. 52

P. 13 CONTENTS STUXNET...... PART II

Stuxnet Part I: analysis, myths and realities..5 An examination of THE virus of 2010

Stuxnet Part II: technical analysis...... 13 Propagation, infection and attacks on industrial systems.

Keyboard Layout vulnerability...... 29 Analysis of the "elevation of privileges" vulnerability KEYBOARD used by Stuxnet (MS10-073). LAYOUT P. 29 Current news...... 38 Top Ten hacking techniques, zero-day IE, GS Days, ProFTPD...

Blogs, software and extensions...... 52 IMA, VMware compliance checker, Twitter and the rn_101 blog.

CURRENT XMCO 2011 NEWS P. 38

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [4] ACTU SÉCU 27 Stuxnet, elected malware of STUXNET PART I : the year HISTORY, MYTHS AND It would have been ACTU SÉCU 27 inconceivable not to devote an article to THE malware of the REALITIES year 2010.

Although nearly everything has already been said on this subject, we could not resist wanting to write an article on Stuxnet several months after the media buzz has subsided.

Much is still obscure concerning this malware, its origins and its developers.

However, we will try to give a summary, also taking an objective view in relation to various papers covering the

subject. Karsten Kneese Karsten

If there is one thing to remember about 2010, it is surely To quickly reach its target, the malware also uses a the case of Stuxnet. This is because this malware, password defined by default within certain SCADA specifically produced to carry out the second highly- (Supervisory Control And Data Acquisition) systems. publicized targeted attack of 2010 (after Aurora) This is based on the Siemens SIMATIC WinCC caused comment for more than six months! This article software. is intended as a summary of this long period, which was punctuated by many new developments. It covers the “Stuxnet is a complex piece of malware development of the discoveries and announcements constructed from many items, intended to that took place during this period and tries to analyze all sabotage the normal functioning of certain the facts in order to draw conclusions. Between reminders on technical matters, genuine rumors and critical systems. ” false realities, this article will appraise the situation as Thanks to all the work performed by various completely as possible. researchers with an interest in malware, the role of Stuxnet has been clarified. The malicious code acts in Preliminary reminders several stages: firstly, a removable item of storage media is used to compromise a system on a local Stuxnet is a complex piece of malware constructed from network. Once present on a network, the malware many items, intended to sabotage the normal replicates, moving towards the discovery of a point of functioning of certain critical systems. In contrast to access to its target: a system on which WinCC is the somewhat indiscreet approach which is used to installed. access these sensitive systems, this sabotage is intended to be very discreet. Secondly, when such a target is discovered, the To approach its target, Stuxnet exploits at least four behavior of the various items controlling the target zero-day vulnerabilities (currently all corrected by architecture is modified in order to physically impair Microsoft) targeting different versions of Windows, as the integrity of the industrial production system. In the well as the famous MS08-067 vulnerability that was case of Stuxnet, this concerns modifying the normal corrected several years ago. function of certain critical systems by manipulating their WWW.XMCO.FR controllers.

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [5] STUXNET PART I : HISTORY, MYTHS AND REALITIES ACTU SÉCU 27

History the Metasploit framework. This allowed control of a system to be taken over remotely by exploiting the It is difﬁcult to create a comprehensive history of the security vulnerability through WebDAV sharing. This events relative to Stuxnet because of the numerous code allowed a pirate simply to encourage an Internet new developments and announcements during this long user to visit a web page with Internet Explorer to take period. Limiting ourselves to the dates of the control of the underlying system. The same day discoveries made and publicized by the researchers Symantec renamed W32. Temphid to W32.Stuxnet, and would not really make sense. It is necessary to consider Siemens reported that the company was in the process the period before the media took an interest in this of studying reports referring to the compromise of subject, as this attack is so complex. We are therefore several SCADA systems linked to WinCC. going to try, with hindsight, to trace a history that takes into account the dates before the beginning of the On 20 July, Symantec announced that it had media interest in this sabotage campaign. Also, all this discovered how the malware communicated with its takes into account discoveries made after this attack command and control (C&C) servers, and the meaning attracted media interest. of the exchanged messages.

On 21 July, MITRE assigned reference From Stuxnet CVE-2010-2772 to the security vulnerability present within the Simatic WinCC and PCS 7 software from Everything officially began on 17 June 2010, when the Siemens. A password had been hard-coded and could Belarusian company Virusblokada published a report on be used to access certain components of Siemens the virus RootkitTmphider, mentioning the LNK applications with elevated privileges. security vulnerability. This vulnerability, which was zero-day in June 2010, allows a pirate to execute code Two days afterwards, on 23 July, VeriSign revoked the when opening a directory, whether it is shared (SMB, certificate belonging to JMicron Technology Corp. WebDAV), local or on a mass-storage peripheral (external hard disk, USB drive, portable telephone, MP3 player, etc.). The vulnerability gradually began to “On 17 July, Symantec renamed arouse comment. MITRE dedicated reference "W32.Temphid" as "W32.Stuxnet" and CVE-2010-2568 to it the following 30 June, and on 13 July, Symantec added the detection of this virus under Siemens reported that the company was in the name of W32. Temphid. the process of studying reports referring to the compromise of several SCADA systems The next day, on 14 July, MITRE assigned references linked to WinCC ” CVE-2010-2729 and CVE-201 0-2743 to security vulnerabilities present in the print spooler and in the keyboard management. Two days afterwards, on 16 Then several days passed, during which the July, Microsoft published a security alert referenced researchers and specialists involved in this study KB2286198. This last concerned the security certainly did not stop working. On 2 August, outside its vulnerability exploited by the malware. The "Patch Tuesday" cycle, Microsoft published its security management of LNK files was then clearly identified as bulletin MS10-046 proposing several patches for the problematic by the software publisher. At the same time, LNK vulnerability. On 6 August, Symantec presented VeriSign revoked the certificate belonging to Realtek the method used by Stuxnet to inject and hide code on Semiconductor Corp. This was because it had been a PLC (Programmable Logic Controller). used by pirates to sign certain drivers used by their malware. Symantec subsequently revealed that the first On 14 September, Microsoft published a new security malware, which had a driver signed by the certificate bulletin (MS10-061) and offered a patch for the security and which was identified as coming from the Stuxnet vulnerability present within the print spooler that was family, went back to January 2010. discovered by Symantec in August. The same day, MITRE assigned reference CVE-2010-3338 to the On 17 July, the antivirus publisher ESET detected new "elevation of privileges" vulnerability that was identified malware coming from the Stuxnet family. This used a within the task scheduler. certificate belonging to JMicron Technology Corp. to Just several days afterwards, on 17 September, sign one of its components. On 19 July, a year after Joshua J. Drake (jduck1337) published exploitation ivanlefOu had published a proof of concept, the code within the Metasploit framework. This allowed researcher HD Moore published exploitation code within control to be taken of a system via the security

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![6] STUXNET PART I : HISTORY, MYTHS AND REALITIES ACTU SÉCU 27

vulnerability present within the Windows print spooler. knowledge that was necessary, the human and Lastly, to end the month of September, the publishers of material resources necessary and lastly, the cost of the antivirus solutions ESET and Symantec published a such an organization make certain countries ideal ﬁrst version of their report, on 30 September, suspects. Among the list chosen by the researcher were presenting their almost-complete analyses of the Israel, the United States, Germany and Russia. malware. In fact, both publishers did not wish to disclose information on vulnerabilities that had not yet been corrected by Microsoft. The following month, on 20 November, Joshua J. Drake published new exploitation code within the

Metasploit framework to exploit the vulnerability present RatcliffTrey within the Windows task Scheduler. Finally, to prevent the exploitation of the last security vulnerability exploited by Stuxnet, Microsoft, on its "Patch Tuesday" of 12 October, published its security bulletin MS10-073 that gave a patch for the vulnerability related to the management of the keyboard. Then, after two months of waiting, in its "Patch Tuesday" of 14 December, Microsoft published its security bulletin MS10-092 offering a patch to correct the security vulnerability related to the task scheduler.

The progress made by Ralph Langner

Thanks to the work done by the German researcher Ralph Langner, which began as soon as the media began to take an interest in the malware, it has been possible to identify numerous trails related to the origin of Stuxnet, to its potential targets and to the people who are hiding behind this attack. Of course, all information published by this former psychologist should be treated with caution. Even so, it appears, with hindsight, that many opinions that he gave have been subsequently validated by other researchers (such as Symantec) or by documents coming from third-party sources. On 15 November, Langner presented a technical On 16 September, Langner announced that Iran, and solution allowing the malicious code 315 to destroy particularly the nuclear power station at Bushehr, gas centrifuges. He was then supported by the nuclear which was built in cooperation with Russia, was the specialist from ISIS (Institute for Science and main target. The researcher was also the ﬁrst to speak International Security), David Albright. On the same day, of cyber war. On each following day, he published new a second announcement gave the details of the attack hypotheses and new discoveries. The researcher performed by the code 417. In the days that followed, approached numerous entities, such as Congress, the numerous details of this second attack were presented DHS and the INL in the United States, and also and a hypothesis concerning the targets was given: appeared on television. On 13 November, Langner according to the researcher, the code 315 targeted the announced, just after Symantec, that he had come to IR-1 centrifuges present in the Natanz enrichment the same conclusions concerning the malicious code centre, while module 417 targeted the steam turbines in 315 and the PLCs targeted. He took advantage of this the electrical power station at Bushehr. A single to present the K-1000-60/3000-3 steam turbines weapon, malware, which contained two payloads: the manufactured by the Russian manufacturer "Power code modules 315 and 417, targeting different PLCs. Machines" which, according to him, equipped the Bushehr nuclear plant. The following day, he presented At the end of November, the former psychologist his analysis concerning the entity that probably ordered announced that Iran and Venezuela had concluded an this attack: for him, only a government could have been agreement in 2008. This alliance allowed Iran to install involved in such a scenario: the complexity of the WWW.XMCO.FR ballistic missiles on Venezuelan territory in exchange for

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![7] STUXNET PART I : HISTORY, MYTHS AND REALITIES ACTU SÉCU 27 the help provided by Iran in setting up a nuclear agreement, one month before the end of his term of program in the host country. A situation in which the office in January 2009, to the establishment of a United States would surely not be delighted to find secret program aiming to sabotage the electrical and itself; and therefore, in his opinion, a justification for the computer systems at the main uranium enrichment establishment of this secret program. centre at Natanz. From the beginning of his term of office, Barack Obama, who had been informed of this At the end of December, helped by the publication of before taking office, accelerated this program on the the report from ISIS, which gave an analysis of the advice of those knowledgeable concerning the case of nuclear infrastructure situation reported by the Iran. inspectors from the International Atomic Energy Agency (IAEA ), Langner announced that he had discovered the precise target of the malware, and more precisely, of block 417. This was the safety system associated with cascades of centrifuges used to enrich uranium. In his opinion, the PLCs targeted were used every two years in the functioning of an enrichment centre such as Natanz.

A single weapon, malware, which

“ RatcliffTrey contained two payloads: the code modules 315 and 417, targeting different PLCs ... ”

At the beginning of January, the researcher presented a new hypothesis on the role of blocks 315 and 417. According to him, their main objective was not the destruction of the centrifuges, but rather to make these production systems massively inefﬁcient. By analyzing the data embedded in the code, and theoretical calculations on the yield of uranium production, the researcher discovered that the operations performed by the two blocks of code would drastically reduce the yield of the centrifuges.

To summarize, over the course of these few months, Langner was probably the researcher who communicated most concerning Stuxnet.

Still according to the New York Times journalists, this The "New York Times" theory program was based on work performed at the Idaho National Laboratory (INL) in partnership with the For the first time since the beginning of this scenario, an Department of Homeland Security (DHS) and Siemens. article published by the New York Times on 16 January During 2008, they claim that Siemens requested the described a plausible scenario. Even though this INL to test the security of its Step7 software used to scenario is based more on a correlation between events control a set of industrial systems (tools, probes, etc), and facts, rather than on tangible proof, these authors using controllers such as PCS7 (Process Control have the distinction of being among the first to officially System 7). The results obtained, including numerous name the various protagonists. It should therefore be security vulnerabilities, were presented in July at a taken with caution and is the responsibility only of the conference that was held in Chicago. journalists who wrote the New York Times article. Several months later, American diplomacy succeeded in In this scenario, the United States set up a plan to establishing an embargo on certain components hinder Iran in its quest to produce nuclear weapons. necessary to the correct functioning of a uranium WWW.XMCO.FR According to the journalists, President Bush gave his enrichment centre. According to a diplomatic cable

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![8] STUXNET PART I : HISTORY, MYTHS AND REALITIES ACTU SÉCU 27 revealed by Wikileaks, in April 2009, 111 Siemens Israel of having ordered these assassinations. After this controllers necessary to controlling a uranium second suspect event, the Iranians took the decision to enrichment cascade were therefore blocked at the port "hide" Mohsen Fakrizadeh, the third (and last?) of Dubai in the United Arab Emirates. nuclear specialist.

At the end of 2010, the Institute for Science and International Security (ISIS) reported that 984 defective controllers had been replaced at the end of 2009 according to a report by inspectors from the IAEA.

Strangely, this figure exactly corresponds to the number Ludo Benoit of Siemens controllers contained within an enrichment cascade. Nevertheless, what is the relationship between these 984 defective controllers and Stuxnet? These controllers were replaced between the end of 2009 and the beginning of 2010, while Stuxnet made its first public appearance at the beginning of 2010 although it was not yet identified.

The article presents Israel as a principal ally of the United States in manufacturing and testing this malware. This "small" country, which is highly advanced technologically, and particularly in cyber-warfare, is alleged to have built a replica of the Natanz enrichment centre in its own nuclear research centre: Dimona. The journalists gave two reasons for this alliance. Among the Americans' other allies, none of them would be able to make the IR-1 centrifuges work properly. These were derived from the Pakistani P-1, which themselves were copied from plans of the German G-1 stolen by the doctor of physics Abdul Qadeer Khan (father of the Pakistani nuclear bomb and in charge of a network specialized in the sale of nuclear material that helped to spread sensitive technology to Iran, North Korea and Libya). The second reason was that Israel had long been openly seeking to prevent Iran from obtaining Forbes's counter theory nuclear weapons. Another article published by journalists at Forbesʼ the following day strongly criticized this analysis. According In this scenario described by the Times, to them, this was based on no tangible proof. Only “ gestures made by certain diplomats at press the United States is alleged to have set up a conferences and the content of several diplomatic plan to hinder Iran in its attempt to cables revealed by Wikileaks gave any support to the produce nuclear weapons. ” journalists' article. The journalists took advantage of trashing this theory to According to the authors of this article, other information push their own analysis that was published in revealed the magnitude of this American program. December. According to them, the "real" powers behind Massoud Ali Mohammadi, an Iranian nuclear Stuxnet were Finland and China. The reasoning behind specialist, was killed in January 2010 by an explosion this was that Vacon, the Finnish manufacturer of caused by a remotely-triggered bomb ﬁxed to a frequency converters (variable frequency drives) had motorbike. On 29 November 2010, when Iran a manufacturing plant in China. This would mean that recognized for the ﬁrst time that Natanz had suffered China would know precisely which PLCs to target. damage related to Stuxnet, a second physicist, Majid Furthermore, China is suspected to have access to part Shahriari, was the victim of a second fatal "accident". of the source code of Windows, which could explain the On both of these occasions, president Mahmoud discovery and use of four zero-day vulnerabilities.

Ahmadinejad directly accused the United States and WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![9] STUXNET PART I : HISTORY, MYTHS AND REALITIES ACTU SÉCU 27

Numerous other details relating China and Finland were and rescue, was controlled by a SCADA system based also revealed by the journalists to support their theory. on Siemens S7-400 and SIMATIC WinCC PLCs. This For example, RealTek Semiconductor, the Taiwanese announcement occurred during a complex period in company whose certificate was stolen to sign the Indo-Chinese relationships, because both countries are drivers, has an establishment in the industrial zone of fiercely competing with each other in the aerospace Suzhou, in China, not far from Vacon. Finally, China sector to be the first Asian country to put a man on the was relatively untouched by the worm. moon.

Although Symantec and other publishers of anti-virus software named Iran as the main victim of Stuxnet, it was not before mid-October that the subject of Stuxnet was publicly mentioned by Iran. During this ﬁrst speech, the Iranian president simply denied the damage that the worm was supposed to have caused to national infrastructure. A month later, in November, the country recognized for the ﬁrst time that it had suffered "slight" problems leading to the postponement of the launch of the Bushehr plant. In reaction to this attack, the government arrested some Russian service contractors suspected of being spies. These were subsequently released

Since the beginning of 2011, numerous other events were added to this story. Symantec, by recovering samples obtained from various publishers of antivirus software in the market, was able to make a statistical study of the attacks.

So, thanks to the 3,280 samples recovered from ESET, F-Secure, Kaspersky, Microsoft, McAfee and Trend Micro, Symantec was able to draw the following conclusions: - exactly ﬁve organizations were targeted;

Lastly, very many international experts criticized the these five organizations are all present in Iran; Ludo Benoit quality of the code in the malware. Several - most of the 12,000 infections corresponding to the commentators criticized the amateurism of certain 3,280 samples can be traced to these various functionalities of Stuxnet: the very basic component that organizations; communicates with the C&C servers (for example, no - among the victims used as vectors for propagation, communications encryption, the lack of robustness of three were attacked once, one was targeted twice and the control servers, etc), the absence of additional the third was attacked three times; protection (polymorphism, anti-debug and robust - these attacks took place at very precise dates: in June encryption), and finally an indiscreet means of 2009, one month later in July 2009, then at three further proliferation that is unworthy of an attack carried out stages in March, April and May 2010; discreetly by the military, etc. According to these - lastly, three variants of the malware corresponding to commentators, just these observations are evidence the attacks that took place in June 2009, April 2010 and that no government is hiding behind Stuxnet. May 2010 were observed. The existence of a fourth variant is assumed but has not been observed among the samples obtained. According to Symantec, these five companies are The other factors to be remembered suppliers with links to the Natanz enrichment centre.

On 9 July, the Indian satellite INSAT-4B was declared From these samples Symantec was able to produce inoperable. This satellite, which was used for graphs representing the proliferation of the malware. transmitting telecommunications, television For this, the researchers used the information recorded broadcasting, meteorology and for individual search (date and time, for example) by the malware when it WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![10] STUXNET PART I : HISTORY, MYTHS AND REALITIES ACTU SÉCU 27 infects a new system. These graphs clearly highlight the ﬁve dates corresponding to the attacks and the number of targets initially contaminated during each of these events.

“In April 2009, the researcher Carsten Kohler published an article in the magazine Hackin9 presenting a security vulnerability within the Windows print spooler. No one reacted, not even Microsoft, which was clearly concerned. ”

The day after this announcement, several media echoed another announcement that was particularly surprising. During a video shown at a party given in honor of the retirement of general Gabi Ashkenazi, and published by the conservative newspaper Haaretz, it was claimed that the newly-retired general had supervised the creation of Stuxnet. Nevertheless, as no ofﬁcial Israeli source has corroborated this announcement, it must be taken with caution. Lastly, it was in March 2010 that the ﬁrst malware in the Stuxnet family appeared which exploited the LNK The warning signs vulnerability.

The Stuxnet affair began well before 2010. Thus, Symantec was able to find traces of the malware going back to 2008. On 20 November 2008, Symantec Conclusion observed the exploitation of the LNK vulnerability for the first time. This had not been analyzed at the time Stuxnet has caused a lot of comment and been and we had to wait until the appearance of Stuxnet to highly publicized. The various theories, analyses discover that pirates had known about this vulnerability for more than two years. The virus in question was then and hypotheses made until now do not allow any identified as "Trojan.Zlob" and does not appear to be conclusions to be drawn with certainty, either related to Stuxnet. concerning those ordering the attacks or the targets. However, according to the various In April 2009, the researcher Carsten Kohler published an article in the magazine Hackin9 presenting a discoveries made by several researchers and security vulnerability within the Windows print journalists (Symantec, Langner and the New York spooler. No one reacted, not even Microsoft, which Times), Iran seems to have been targeted, was clearly concerned! Several months later, in June 2009, Symantec detected a new malware that is now especially the nuclear enrichment centre at Natanz. identified as the first version of Stuxnet. This was very Concerning those ordering the attack, and bearing simple and did not carry all of the payloads that we in mind its complexity, the resources used and the know today. According to Symantec, it was in January 2010 that the first malware in the Stuxnet family different information revealed by the journalists, appeared using the certificate from Realtek Israel and the USA appear to have played a role in Semiconductor Corp. to sign one of the components of this affair. We must also bear in mind that all of the the malware. information revealed by the various observers is always subjective…

WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![11] STUXNET PART I : HISTORY, MYTHS AND REALITIES ACTU SÉCU 27

References

Resources on Stuxnet http://blog.eset.com/2011/01/03/stuxnet-information- and-resources

F-Secure (FAQ) http://www.f-secure.com/weblog/archives/ 00002040.html http://www.f-secure.com/weblog/archives/ 00002066.html

Timeline http://www.infracritical.com/papers/stuxnet-timeline.txt

CERT-IST http://www.cert-ist.com/fra/ressources/ Publications_ArticlesBulletins/VersVirusetAntivirus/ stuxnet/ New York Times http://www.nytimes.com/2011/01/16/world/middleeast/ 16stuxnet.html?pagewanted=all http://www.nytimes.com/2010/11/30/world/middleeast/ 30tehran.html?pagewanted=print http://www.nytimes.com/2010/01/13/world/middleeast/ 13iran.html?_r=1&pagewanted=print

Forbes http://blogs.forbes.com/jeffreycarr/2011/01/17/the-new- york-times-fails-to-deliver-stuxnets-creators/? boxes=Homepagechannels http://blogs.forbes.com/ﬁrewall/2010/12/14/stuxnets- ﬁnnish-chinese-connection/ WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![12] Stuxnet, elected malware of the STUXNET PART II: year

ACTU SÉCU 27 TECHNICAL ANALYSIS After having looked at the history of Stuxnet and the theories and assumptions behind it, let us now look at its technical analysis.

Some very good white papers (Symantec and ESET) have given a detailed presentation of the complexity of this malware.

We will try to summarize everything to give an understanding of the propagation modes used, the relationships with industrial systems and the consequences that Stuxnet may cause.

Charles Dagouat Bjoern Schwarz Bjoern

The second phase corresponds to the attack itself: this General functioning is the search for a target.

Stuxnet is a complex piece of malware. Its functioning mode revolves around two main "functions": the “Stuxnet is a complex piece of malware. Its propagation of the virus, which is based upon the vulnerabilities inherent in the Windows platform, and the functioning mode revolves around two attack on SCADA systems, which is focused on WinCC main "functions": the propagation of the and PCS7. virus, which is based upon the vulnerabilities inherent in the Windows This second function corresponds to the payload transported by the malware. It is based on the software platform, and the attack on SCADA component WinCC. WinCC is a very widespread tool systems, which is focused on WinCC and for remote monitoring and data acquisition developed PCS... ” by Siemens. Installed on a Windows system, it is used to control an automatic system such as a In the case of Stuxnet, the target is a Siemens WinCC Programmable Logic Controller (PLC). This type of control and monitoring system linked to certain PLCs. If architecture is particularly adapted to critical such a system is detected, its behavior is then infrastructure such as can be found in industry. discreetly impaired. Lastly, the final phase corresponds to the material consequence of this modification. The To fulfill its task, Stuxnet's functioning is governed by a undetectable effect discreetly acts on the system in very specific scenario. The architecture of the malware order to slowly destroy it. is built around several main functionalities that correspond to the different stages in the attack process. The first stage is not characteristic of Stuxnet, but corresponds to the majority of worms: it is the propagation phase. During this phase, the malware seeks to spread within a given area. the local network. WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [13] STUXNET PART II: TECHNICAL ANALYSIS ACTU SÉCU 27

Phase I: malware propagation Exploitation of this vulnerability simply requires a user to open a malicious directory. Exploitation code has Phase 1 of the attack carried out by Stuxnet therefore already been published within the Metasploit corresponds to the proliferation of the malware within framework. an installed base of computers. For this, the authors of Stuxnet used no less than four zero-day vulnerabilities Using this, a pirate only needs to get an Internet user to targeting various components of Windows. But this access an Internet address with Internet Explorer to propagation function may itself be subdivided into take control of the remote system. In this proof of several sections: the first corresponds to compromising concept, the server forces the client to open a shared Windows systems and the second corresponds to the file using the WebDAV protocol. long-term installation of the virus on a compromised system. “The authors of Stuxnet used no less than The main points of entry chosen by the developers of four zero-day vulnerabilities targeting Stuxnet to penetrate the target infrastructure are removable storage media such as USB drives and various components of Windows... ” other portable hard drives. Those behind the attack are therefore mainly relying on human intervention to carry the virus from one system to another. A user observing the content of a USB drive infected by Stuxnet can see the following six files: - Copy of Shortcut to.lnk ; Main attack vector: removable storage media - Copy of Copy of Shortcut to.lnk ; - Copy of Copy of Copy of Shortcut to.lnk ; The vulnerability in question is related to how the - Copy of Copy of Copy of Copy of Shortcut to.lnk ; Windows operating system manages shortcuts. This - ~WTR4141.TMP ; type of file corresponds to the extensions ".LNK" and - ~WTR4132.TMP. ".PIF". More precisely, the vulnerability relates to the way that the icon for the link is loaded. This image is The various shortcuts entitled "Copy of (... ) Shortcut normally loaded from a CPL (Windows Control Panel) tO.lnk" correspond to different versions of Windows. file using the system function "LoadLibraryW()". In These links all load the library "-WTR4141.tmp" which, reality, a CPL file is just a DLL. By specifying the in turn, loads the file "-WTR4132.TMP". appropriate information as the access path to a malicious DLL in the section "File Location Info" of a LNK file, a pirate is therefore able to force any Windows system to execute arbitrary code by simply displaying the content of a directory.

After having ofﬁcially acknowledged the security vulnerability by publishing the security alert referenced KB2286198 on 16 July, Microsoft quickly reacted by publishing its bulletin MS 10-046 and the associated patches on 2 August, outside its "Patch Tuesday", which was planned for eight days later, the following 10 August. WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![14] STUXNET PART II: TECHNICAL ANALYSIS ACTU SÉCU 27

Additional attack vectors: local network installed on a Windows system, the malware has several functionalities that allow it to work as part of a However, Stuxnet does not only rely on help from users network. Among these, the malware installs an RPC to spread. For this, it also uses two other security faults server that allows it to communicate various items of that can be remotely exploited within a local network. information with other infected systems present on the The first relates to the Microsoft print spooler, while the LAN. second targets the old vulnerability present within the server service (MS08-067). Print spooler INFO This security vulnerability was initially presented in the magazine Hackin9 during 2009. When a printer is Provision of free tools for getting rid of shared on a system, a user is able to "print" (read and malware, including Stuxnet. write) files in the "%System%" directory. Exploitation of this security vulnerability takes place in two phases. The BitDefender and Microsoft have just made first consists of depositing the files "winsta.exe" and free tools available for getting rid of "sYsnuIlevnt.m0f" respectively in the directories the most currently-fashionable malware. "Windows\System32" and "Windows\System32\wbem \mof". After publishing a tool last month for getting rid of Zeus (see CXA-2010-1211), BitDefender has just published another The second phase in exploiting this vulnerability tool for deleting the Stuxnet malware. consists of executing the script "sysnullevnt.mof". This As a reminder, the malware was detected file, in MOF ("Managed Object Format"), is used to for the first time by a company based in force Windows to execute the code contained in the file Belarus (see CXA-2010-0893), following "winsta.exe". Execution of this script is automatic. This the discovery of the zero-day LNK is because the MOF files placed in the directory security vulnerability affecting all "Windows\System32\wbem\mof" are automatically versions of Windows (see CXA-2010-0906). compiled by "mofcomp.exe" to record the WMI context that triggers the execution of the script. Microsoft has just updated its This security vulnerability was corrected by Microsoft "malicious software removal tool", which can now deal with the most virulent when it published its bulletin MS10-061, which added a botnet that is currently known: Zeus/ series of checks before allowing a document to be ZBot. Zeus is malware that is constantly printed. being developed, and which mainly aims to steal banking information.

Server service The two tools can be downloaded via the following links: Lastly, Stuxnet exploits the old MS08-067 security vulnerability in the server service. This vulnerability, Sutxnet : which at the time was massively exploited by Confikerl http://www.malwarecity.com/community/ Downadup, is used here to deposit a file in shared index.php?app=downloads&showfile=12 directories of the C$ or Admin$ type. The execution of this file is planned the day following compromise, using Zbot : the task scheduler. It appears that the shell code used http://blogs.technet.com/b/mmpc/archive/ by the malware to carry out these two actions is 2010/10/12/msrt-on-zbot-the-botnet-in-a- relatively advanced, in contrast to that which was used box.aspx by Confiker.

This security vulnerability was corrected by Microsoft when it published bulletin MS08-067. The exploitation of these various security vulnerabilities allows malware to distribute itself both on a local network and, more widely, on all systems on which users can connect removable storage media. Once WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![15] STUXNET PART II: TECHNICAL ANALYSIS ACTU SÉCU 27

Phase II: installation of the malware Stuxnet therefore adds a task which calculates the The long-term installation of the malware requires associated CRC32 hash, "manually" changes the file to certain actions that involve elevated privileges. The raise the privileges associated with it, adds a comment exploitation of the security vulnerabilities presented field and fills it with random data to provoke a collision. previously does not allow elevated privileges to be The task is then executed with the highest privileges. obtained. In order to ensure maximum dissemination, two security vulnerabilities are therefore exploited by This security vulnerability was corrected by Microsoft Stuxnet in order to elevate its privileges once the when it published bulletin MS10-092, which changed system has been compromised. the hash function used. The CRC-32 hash function was replaced by SHA-256. This algorithm is considered These two vulnerabilities cover all existing versions of secure against collision attacks. Windows. The first can locally elevate its privileges on old versions of the operating system: There remains an unknown factor. According to Windows 2000 and XP; while the second can perform Microsoft, these two security vulnerabilities respectively the same operation on more recent versions of the OS: targeted Windows XP and 2000 for the keyboard Windows Vista, 7 and 2008. management, and Windows Vista, 7 and 2008 for the task scheduler. It would appear that the technique used The first vulnerability relates to the way the keyboard by Stuxnet to install itself on Windows Server 2003 is is managed by the driver "Win32k.sys". An index is unknown, or that the malware has excluded this loaded from a shared library without verification. This platform from its targets. operation allows the malware to force the system's kernel to execute code controlled from the user area. This security vulnerability is described in detail in the article on page 29 and was corrected by Microsoft when it published its bulletin MS10-073, which added a check to prevent the use of an index that overflowed the table of associated data.

Ludo Benoit

The second vulnerability relates to the task scheduler. The definition of a task is stored in an ordinary XML file contained in the directory "%SystemRoot% \system32\Tasks". Access to this directory is restricted. Even so, an XML file (corresponding to a task) contained in it is accessible and can be written to by the user who added it. Secondly, the description XML file contains, among other things, information related to the execution of the task; for example: the user and the required level of privileges. A user who defined a task can therefore freely change the identifier of the user and the level of privileges required, in order to elevate privileges.

To protect against this type of attack, Microsoft therefore introduced a "security feature" which calculates a hash of the file corresponding to a task when it is defined. This is checked before the task is executed. But the CRC32 algorithm used for calculating this hash is unfortunately not designed for operations related to security. It is too weak to fulfill this role because it is relatively easy to implement collisions. It is actually nothing more than a straightforward CRC calculation of the XML file. By adding data into a commented field, it is therefore easy to produce a valid file with the same hash as the original, after it has been WWW.XMCO.FR modified.

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![16] STUXNET PART II: TECHNICAL ANALYSIS ACTU SÉCU 27

Functioning of the malware proliferation have been added to it by its designers. Among these are functionalities allowing it to spread, The malware can be decomposed into several files. The hide itself and lastly to update itself. These correspond, main module, which takes the form of a DLL, is packed overall, to the various functions (21) exported by with UPX. This module is executed at the start of an Stuxnet's main module: attempt at compromise, whatever the vector (USB drive, network or SQL). As has previously been Function 1: infect removable media and launch the explained, the malware uses four zero-day Windows RPC server; vulnerabilities to spread via different vectors (USB and Function 2: intercept the calls to certain functions in local network). All of these techniques are used to order to infect .S7P and .MCP files corresponding to install it on a system. In the most widespread case of Step7 projects; infection by opening a directory present on a USB drive, Function 4: initiate the Stuxnet uninstallation the exploitation of the LNK vulnerability launches procedure; execution of the main module. Function 5: check that the rootkit (the kernel driver MrxCls.sys) is correctly installed; Functionalities provided Functions 6 and 7: return the version of Stuxnet installed; Among other things, execution of this module launches Functions 9, 10 and 31 (13?): update the malware a rootkit to hide the malicious files present on the USB from Step7 files drive. For this, certain system functions associated with Function 14: infect Step7 files; the shared libraries "ntdll.dll" and "kerneI32.dll" are Function 15: point of entry for the system-infection intercepted so that code can be injected, and to hide routine; the presence of various malicious files based on Function 16: infect the system (installation of drivers, specific criteria (".lnk" with a size of 1,471 bytes and "WTRabcd.tmp" files for which the sum of a, b, c and d DLLs, resources, code injection, etc.); modulo 10 is equal to 0). Function 17: replace a Step 7 DLL so as to be able to intercept the calls to certain functions; Function 18: The malware is capable of injecting executable code complete uninstallation of the malware; Function 19: into running processes or into another process whose infect a USB drive; name corresponds to that of an antivirus program. Function 22: infect remote systems via the local These operations mean that it is not necessary to load network; a file that would risk being detected by an antivirus Function 24: check the Internet connection; program. Function 27: RPC server; Function 28: dialogue with the command and control (C&C) server; Function 29: dialogue with the C&C server and execute the code returned;

exakta Function 32: RPC server used by the service server to respond to certain RPC calls;

Several network functionalities are implemented within the malware. Among these are the RPC client and server. P2P communications and the use of a C&C are mainly used to keep the malware up to date and to recover information. Nevertheless, these could be used to download and install other malware or to exﬁltrate sensitive information stolen from the compromised system.

Several other functionalities useful to the malware's WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![17] STUXNET PART II: TECHNICAL ANALYSIS ACTU SÉCU 27

Installation of an RPC server #decrypt function on python The RPC server is subdivided into two components for def decrypt(key, counter, sym): v0 = key * counter managing local and remote RPC calls. For this, Stuxnet v1 = v0 >> 0xb infects different processes according to the type of RPC v1 = (v1 ^ v0) * 0x4e35 call to be managed: "services.exe" for "local" calls, or v2 = v1 & 0xffff one of the processes "netsvc", "rpcss" or "browser" for v3 = v2 * v2 remote RPC calls. The various RPC methods are as v4 = v3 >> 0xd v5 = v3 >> 0x17 follows: xorbyte = ((v5 & 0xff) + (v4 & 0xff)) & 0xff Method 1: returns the version of Stuxnet; xorbyte = xorbyte ^ ((v2 >> 8) & Method 2: loads the module passed as a parameter 0xff) xorbyte = xorbyte ^ (v2 & 0xff) in a new process and executes the specified exported return xorbyte ^ sym function; Method 3: loads the module passed as a parameter into the memory space of the current process and calls the first exported function; This file contains several items of information, such as Method 4: loads the module passed as a parameter the list of servers used to check the Internet connection into a new process and executes it; ("www.windowsupdate.com", "www.msn.com"), the list Method 5: creates a "dropper" and sends it to a of C&C servers ("www.mypremierfutbol.com", compromised system; "www.todaysfutbol.com"), the dates and times of activation and deactivation of the worm, after which the Method 6: executes the specified application; worm installs itself automatically using the previously- Method 7: reads the data from the specified file; mentioned functions, the version of the malware, the Method 8: writes the data into the specified file; minimum number of files that a USB drive must contain Method 9: deletes a file; to be able to be infected using malicious LNK files, and Method 10: performs various tasks from the names of lastly, other ancillary information used for the correct files intercepted using the "hooks" installed by "Method functioning of the worm and its propagation. 2", and writes the information into a log file.

It appears that the last three methods implemented are Concerning the functioning mode of the C&C servers, not used by Stuxnet. an instance of Stuxnet does not exchange plaintext messages with the two previously-mentioned servers. Thanks to this mechanism based on RPC which can be Each of the messages sent over the Internet to the used within the context of P2P communications, servers is encrypted using a very simple algorithm. This Stuxnet is, among other things, able to update itself on is a simple XOR with the following 31-byte key: a local network from another compromised system. // Encryption char Key[31] = { 0x67, 0xA9, 0x6E, C&C communications 0x28, 0x90, 0x0D, 0x58, 0xD6, 0xA4, 0x5D, 0xE2, 0x72, The second functionality related to the network is a 0x66, 0xC0, 0x4A, 0x57, module for communicating with one of the command 0x88, 0x5A, 0xB0, 0x5C, 0x6E, 0x45, 0x56, 0x1A, and control (C&C) servers. Like the "P2P over RPC" 0xBD, 0x7C, 0x71, 0x5E, function, the module allows a compromised system to 0x42, 0xE4, 0xC1 } ; load malicious code into memory and execute it. // Encryption procedure The list of command and control servers is specified in void EncryptData(char *Buffer, int BufferSize, char *Key) the "%WINDIR% configuration file \inf\mdmcpq3.pnf". { This file of 1,860 bytes may be decrypted with the for (int i = 0 ; i < following function: BufferSize ; i ++) Buffer[i] ^= Key[i % 31]; return ; } WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![18] STUXNET PART II: TECHNICAL ANALYSIS ACTU SÉCU 27

The structure of a message sent by the malware is Stuxnet's block of configuration data. Lastly, a specially- quite complex. It contains much information specific to designed DLL is placed in the multiple sub-directories of the victim. Among this is information related to the the directory "hOmSave7". network interfaces, the version of the OS and of the malware. This message is simply sent to a server that The infection mechanism is relatively simple. When the sends an HTTP GET request to one of the URLs listed project is opened using WinCC Simatic Manager, the in the configuration file. For example: http:// DLL placed in the sub-directories of the directory www.mypremierfutbol.com/index.php? "hOmSave7" is automatically sought. When this is data=STUXNET_CC_MESSAGE. loaded, the library decrypts the protected data and loads the malware's main component into memory to In response to this request, the server returns a complete the process of infection. message composed of several items: a size coded over 4 bytes, a flag coded over 1 byte and lastly an executable image. If the size of the received message “Lastly, to maximize the efficiency of the does not correspond to the indicated size of the image + 5 bytes, the malware ignores this response. If the size proliferation operation, the malware corresponds, according to the value of the flag, the searches for the WinCC software. When it is malware loads the executable image into the memory discovered, Stuxnet connects to the space of the current process or into another process database used by the software using a using one of the dedicated RPC methods, then executes it. standard hard-coded password.”

It nevertheless appears that this important functionality has not really been used, neither to update the software Persistence nor to install additional malicious tools. It nevertheless acts as a hijacked port. The rapid blocking of the To ensure the persistence of the functionalities domains www.mypremierfutbol.com et previously installed, Stuxnet nevertheless has to www.todaysfutbol.com perhaps had a role in this. profoundly modify the system. This is because it is not possible to inject code into arbitrary processes or to sustainably hide files in the user area without profound Seeking and infecting the WinCC environment modifications to the system. Two system drivers signed with private keys Lastly, to maximize the efficiency of the proliferation corresponding to certificates belonging to Realtech and operation, the malware seeks the WinCC software. JMicron are therefore installed using the elevated Once it is discovered, Stuxnet connects to the privileges obtained from the two proofs of concept database used by the software, using a standard hard- (Keyboard Layout and Task Scheduler). "MrxCls.sys" is coded password. Once connected to this database, the used to inject code into a process. "MrxNet.sys" is a malware sends the malicious code via SQL requests, rootkit for hiding the malicious files used to exploit the then executes it. LNK vulnerability. In contrast to the rootkit used in the user area, this one is persistent. This first action compromises the MSSQL server. Then, the malware modifies the SQL views defined on The fact that these last are signed with stolen the server to force the execution of code each time certificates means that they can be more discreetly these views are accessed. installed so as not to arouse the user's suspicions (signature essential for installing drivers under Windows Stuxnet is at last capable of infecting WinCC / Step7 7/Windows Vista). The ".lnk" files with a size of 1,471 projects associated with WinCC Simatic Manager. The bytes, and the "WTRabcd.tmp" files, for which the sum files that are sought and modified have the of a, b, c and d modulo 10 is equal to 0 are filtered so extensions .S7P, .MCP or .TMP. Under certain specific that they are not displayed by the file explorer. This filter conditions, files with the names "xutils\listen is active only for the file systems NTFS, FAT and CDFS. \xr000000.mdx", "xutils\links\s7p00001.dbf" and "xutils After being registered using the function \listen\s7000001.mdx" or "GracS\cc_alg.sav", "GracS "FileSystemRegistrationChange()", the driver is called \db_log.sav" and "GracS\cc_alg.sav" are deposited. In each time a file system is mounted and can therefore both cases, these files correspond respectively to an monitor the requests that are sent to it. Thus, the driver encrypted version of the malware's main DLL, to a data can act with complete impunity and choose which files file of 90 bytes and lastly, an encrypted version of to display in a directory. WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![19] STUXNET PART II: TECHNICAL ANALYSIS ACTU SÉCU 27

1: The pirate manages to infect a USB drive used by a person working on a computer connected to the target information system.

2: The person uses their USB drive within the target information system's LAN.

3: After having infected a Windows workstation, Stuxnet seeks to spread across the LAN.

4: Sutxnet contacts its C&C server.

5: An employee whose USB drive has been contaminated connects to a workstation equipped with WinCC software and belonging to an industrial network.

6: When this contaminated workstation connects to a PLC, Stuxnet deposits the malicious code corresponding to PLC 0

7: The malicious code sends speciﬁc orders to the variable frequency drives.

7 bis: The person responsible for supervising the equipment cannot identify the presence of Stuxnet. WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![20] STUXNET PART II: TECHNICAL ANALYSIS ACTU SÉCU 27

The resources embedded by Stuxnet keyboard layout (Keyboard Layout) (MS10-073) The following exports were observed by Symantec in The two previously-mentioned drivers correspond the older versions of Stuxnet, but have disappeared in respectively to resources 201 and 242 of the main the "latest" conversions: module. Eleven other resources are also available, Resource 207: Information related to the exploitation such as an executable module PE (210), a link file LNK of a vulnerability using Autorun.inf. (240), and a block of configuration data for the driver "MrxCls.sys" (205) Resource 231: Resource used to check whether the system is connected to the Internet or not. Resource 201: driver "MrxNet.sys" signed using certificates belonging to RealTech or JMicron; Resource 202: DLL used in compromising Step 7 projects; Resource 203: CAB file containing an equivalent of resource 202 used for compromising WinCC projects; INFO Resource 205: encrypted configuration-data file for Definitions the driver "MrxCls.sys"; Resource 208: shared library "s70tbldx.dll" usurping PLC : Programmable Logic Controller the functions of the original Siemens DLL; Resource 209: file of 25 bytes containing encrypted data Large-scale remote-control system for deposited in "%WINDIR%\help \winmic.fts"; the real-time processing of a large number of remote measurements and for Resource 210: model of PE file used for creating or remotely controlling technical injecting executables ("-WTR4132.TMP"); Resource facilities. It is an industrial 221: malicious code used for exploiting the security technology in the field of vulnerability present in the server service (MS08-067) instrumentation. A programmable Resource 222: malicious code used for exploiting the controller is a programmable electronic device for controlling industrial security vulnerability present in the print spooler processes by sequential processing. It (MS10-061) sends orders towards the preactuators Resource 240: model LNK file (operative section or operative section on the actuator side) from input data (sensors) (control section or control section on the sensor side), instructions and a computer program. “To ensure the persistence of the functionalities previously installed, Stuxnet SCADA : Supervisory Control And Data nevertheless has to profoundly modify the Acquisition (télésurveillance et system. This is because it is not possible to acquisition de données) inject code into arbitrary processes or to Large-scale remote-control system for sustainably hide files in the user area the real-time processing of a large without profound modifications to the number of remote measurements and for remotely controlling technical system ... ” facilities. It is an industrial technology in the field of instrumentation.

Resource 241: "-WTR4141.TMP", DLL used for loading the executable corresponding to resource 221 "- WTR4132. TMP" responsible for installing malware (dropper) Resource 242: Driver "Mrxnet.sys" (Rootkit) used to mask the presence of certain ﬁles Resource 250: Malicious code used to exploit the WWW.XMCO.FR security vulnerability present in the management of the

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![21] STUXNET PART II: TECHNICAL ANALYSIS ACTU SÉCU 27

Phase 3: Attack on industrial systems equivalent functions in "s70tbxsx.dll".

Detection of SCADA systems based on WinCC The 16 functions whose behavior is altered correspond to the methods for reading ("s7blk_read"), writing Once the Windows system has been compromised and ("s7blk_write"), enumeration ("s7blk_findfirst" and the malware installed, the third phase of the attack can "s7blk_findnext") and deletion ("s7blk_delete") of the begin. This corresponds to the search for certain blocks of code present on the PLC. It is by modifying specific software. To access the SCADA system, the certain key functions of this library that the attackers authors of the malware have chosen to go via the ensure the sustainability and discretion of their attack. development tools associated with the target system: To avoid detection when an operator first connects to a Step7 and WinCC. These two tools are respectively compromised PLC, the "read" and "enumeration" used to develop programs operating on systems of the functions hide certain blocks of code from the operator PLC type and to check their correct functioning. and only return the original "healthy" code. Incidentally, these tools are potentially the only point of entry to these sensitive systems, given that they are not But not all PLCs are targeted. Stuxnet, using two supposed to be connected to the Internet, but rather to threads launched by the malicious library, searches for a network dedicated to them. precisely two types of appliance with the references Siemens 6ES7-315-2 and 6ES7-417. The main To carry out this third phase of the attack, the malware difference between these two models of controller is the searches for and replaces the shared library quantity of embedded memory. 256 KB for the series "s7otbxdx.dll". This library, which comes from the S7-315 against 30 MB for the series S7-417. Simatic software suite from Siemens, is used in order to have a PC running on Windows communicate with a Module 315 PLC from the Simatic family. Usually, a developer programs their equipment with one of the numerous Secondly, in the configuration targeted by the malware, programming languages interpreted by the software the PLCs of series 300 (6ES7-315-2) must use between suite, such as STL or SCL. This is subsequently one and six Profibus CP 342-5 modules to compiled into a specific assembler code called "MC7", communicate with the systems under their control. before being loaded on the PLC. Once again, only certain identification numbers are sought. In the case of Stuxnet, these are the Profibus By renaming the shared library "s70tbxdx.dll" as identification numbers "7050h" and "9500h". These "s70tbxsx.dll", then by placing its own version of the numbers uniquely identify the models of these items of library "s70tbxdx.dll", the malware is able to intercept all equipment, which are known as "frequency converter calls to the functions exported by the original library and drives" or "variable frequency drives". The to manipulate them at will. In fact, only the behavior of corresponding products are the "KFC750V3" several functions is affected. Most of the calls to the manufactured by Fararo Paya based in Teheran in Iran, functions of "s70tbxdx.dll" are directly sent to the and the "Vacon NX" from Vacon based in Finland. WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![22] STUXNET PART II: TECHNICAL ANALYSIS ACTU SÉCU 27

Subsequently, the system goes into a state machine Variable frequency drives are generally used to control clearly described by Symantec. The transition between the speed of other components such as motors. each state is governed by timers, tests or by the end of other tasks. Approximately, the system collects data for Finally, the last criterion sought is the presence of at a period of between 13 days and three months, before least 33 variable frequency drives among the two sending falsiﬁed data on the communication bus for models previously mentioned. about 50 min, then returning to the initial state.

If these various extremely precise conditions are According to Symantec's study, the system uses fulfilled, the process of infection begins by the DP_RECV to inspect the messages sent by the variable modification of certain blocks of code such as frequency drives, which contains specific information DP_RECV, OB1 and OB35. These blocks of code are corresponding to the current operating frequency. infected by overwriting or by increasing their sizes in Lastly, this attack allows a pirate who has successfully order to introduce the malicious code at the beginning injected their malicious code to withdraw the control that of the block. These operations ensure that the added the legitimate blocks of code had on the data code is executed when the block in question is called. transmitted during the phase nicknamed The functions FC1865 and FC1874 are therefore "deadfoot" ("DEADF007" in the code). This phase respectively injected into blocks OB1 and OB35. corresponds to 50 min during which the PLC sends Note: DP_RECV corresponds to the function in charge semi-arbitrary information to the various variable of managing the reception of data on the bus. frequency drives through the Profibus modules. The OB1 corresponds to the main function, which is messages sent correspond to frequencies that must be continuously executed. converted into rotation speeds by the variable OB35 corresponds to a timer executed every 100 ms. frequency drives. Furthermore, execution of the legitimate code is prevented using a call to the In reality, Stuxnet may infect systems that correspond command BEC (Conditional Block End) instead of to its selection criteria in different ways. This is letting the execution of the program continue. Without because two sequences of malicious code exist and may be used to infect a plc according to the distribution of the products that are controlled. The first sequence, referenced A by Symantec, is selected when there is a majority of Vacon appliances. The second sequence, referenced B by Symantec, is used when a majority of Fararo Paya variable frequency drives are present. In all cases: the module 315 is designed to allow a PLC 6ES7-315-2 to control up to six Profibus "masters" each controlling 31 "slave" converters, each on their dedicated Profibus network. Finally, the attack 315, which corresponds to about 3,000 lines of STL code accompanied by 4 blocks of data (DB888, DB889, DB890 and DB891), is organized as follows:

The code block DP _RECV is copied to the address FC1869, then replaced by malicious code which itself calls the original code that was moved.

Each time a variable frequency drive sends data to a PLC 6ES7-315-2 via the Proﬁbus CP 342-5 module, its data is transferred to the original code before being reprocessed by the added malicious code.

Each of the messages to be processed must be in a speciﬁc format when it is examined by DP _RECV. Namely, it must be composed of 31 records of 28 or 32 bytes corresponding to each of the converters. WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![23] STUXNET PART II: TECHNICAL ANALYSIS ACTU SÉCU 27

this, other contradictory information could be sent by the pre-recorded data is transmitted to the original logic, the PLCs. while the real data is processed by the malicious code. At the same time, the pirates control the output towards During the offensive phase during which the falsified which they send the signals that they wish to send. messages are sent, the orders given allow the attackers to vary the rotation speed of the motors by stages. In sequence A, when there are more Vacom variable “ The purpose of this code sequence is to frequency drives, the first stage is placed at 1,410 Hz. This is then lowered to 2 Hz before being increased to intercept the signals going to and from the PLC 1,064 Hz. These large variations probably cause and to supply pre-recorded falsified values to material damage to the motors, which are supposed to turn at frequencies of between 807 and 1,210 Hz. the code in charge of the logic. This trick can also falsify the signals returned upon output to avoid attracting the attention of an operator Module 417 who may observe dubious signals. ” Another sequence of the malicious code is dedicated to PLCs referenced 6ES7-417. The code composing this Nevertheless, the presence of this code is particularly sequence is more complex than that which targets surprising, given that, according to the study by PLCs of series 300. This module 417 is broken down Symantec, it is not functional. This is because the into nearly 12,000 lines of STL code, accompanied by library in charge of copying the malicious code on the 10 blocks of data, partly loaded by the malicious DLL PLC does not copy all of the code to allow the attack to and partly generated dynamically. In the same way as function properly. Among other things, the block OB1, for sequence 315, an injection of code into block which, as previously, corresponds to the main function OB1 ensures that the added malicious functions are that is continuously called by the PLC, is not modified to called. trigger the call to the malicious functions. Furthermore, still according to Symantec, in contrast to the code in Ralph Langner's analysis provides understanding of the attack 315, the STL code in module 417 contains role and functioning of this second sequence of code. numerous comments and debugging functions that According to him, the code added by the attackers to are characteristic of unfinished work. the PLC allows an attack that is much more complex than for module 315. This is because the code in However, Langner qualified this assumption. This question is used to carry out an attack of the "man-in- particularly-large block of code (about 12,000 lines) the-middle" type on the controller itself. could not have been designed for nothing (extremely complex code, which would have required significant In contrast to the previous sequence, for which the resources in time, personnel and technology). principle was based on modifying the results returned Furthermore, certain interactions related to this code using a conditional jump (BEC) to prevent the execution were also highlighted in his laboratory. The researcher of the original code, the purpose of this code sequence therefore concluded that, based on the study of the is to intercept the input/output signals to/from the PLC code embedded by Stuxnet, it is difficult to know and to supply falsified pre-recorded values to the code whether or not it was operational in the attack carried in charge of the logic. out against Natanz, but that it had been deliberately designed like that. This trick also allowed falsifying the signals returned upon output to avoid attracting the attention of an In all cases, module 417 of Stuxnet, just like module operator who may observe dubious signals. As the 315, seeks a SCADA architecture that meets certain researcher emphasized, this attack is worthy of a very precise restrictions. These are six assemblies each Hollywood scenario in which the spies repeatedly send containing 164 centrifuges. This condition was deduced images to the control room corresponding to what the by Langner from function FC 6069. This is used to store surveillance cameras should be seeing. 984 (6 * 164) entries in data block DB 8063.

In the same way as for code 315, a state machine could follow the progress of attack 417. During a ﬁrst phase, the role of the malicious code is to record the values to be subsequently replayed. Several other intermediate states correspond to the offensive phase, during which WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![24] STUXNET PART II: TECHNICAL ANALYSIS ACTU SÉCU 27

Destruction/Sabotage For its part, module 417 does not directly or indirectly Once Stuxnet has identified and infected its target, the target the steam turbines at the plant at Busherh, as malware then begins a long phase during which slight Langner originally thought, but targets the system in variations will lead to a probable destruction of charge of part of the safety system for the enrichment equipment, and above all to a reduction in the yield of centre. Among other things, this system would be in the enrichment process. charge of emptying a defective centrifuge to avoid an accident leading to its premature destruction. This high- According to Ralph Langner, by collecting all the level security system allows gas to be passed from one information relative to modules 315 and 417 recovered centrifuge to another, avoiding accidents and up to now, it is possible to deduce the precise minimizing disruption, while maintaining the production architecture of the target system. This information partly yield. Module 417 is therefore responsible for an comes from the study of the STL code and functions assembly of 6 cascades of 164 centrifuges, namely implemented, partly from the data that is processed, 984. and lastly from scientific data on the functioning of a nuclear enrichment centre. A cascade of gas centrifuges is an assembly of 164 “Once Stuxnet has identified and infected centrifuges placed one after the other. The first handles the gas, then when its task is finished, it sends the gas its target, the malware then begins a long into the second, and so on. To improve the yield of phase during which slight variations will these cascades, physicists have discovered a specific assembly in which a cascade is divided into "stages". lead to a probable destruction of Each of these "stages" in the cascade is composed of equipment, and above all to a reduction in one or more centrifuges, according to its location. Thus, the yield of the enrichment process. ” the various stages are in series, while the centrifuges that compose them are placed in parallel. This cascade architecture, when it is correctly chosen, can maximize the quantity of enriched uranium produced. By manipulating these two controllers in this way, Stuxnet would be capable of simultaneously causing As described previously, module 315 precisely targets a the destruction of IR-1 centrifuges through premature uranium enrichment cascade. By slightly changing the wear and reducing their yield by modifying the rotation speed of the centrifuge, the malware causes theoretical organization and configuration of each of the premature wear that can lead to the self-destruction of cascades. the machine.

Stéfan Le Dû WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![25] STUXNET PART II: TECHNICAL ANALYSIS ACTU SÉCU 27

Questions/answers concerning F-Secure Why is Stuxnet considered to be so complex? It uses multiple vulnerabilities and drops its own driver Mikko Hypponen from the F-Secure laboratory has to the system. drawn up a list of particularly interesting questions that shed light on a large number of points. We have How can it install its own driver? therefore selected the most relevant questions to Stuxnet driver was signed with a certiﬁcate stolen from conclude this article. Realtek Semiconductor Corp.

What does it do then? Has the stolen certificate been revoked? It infects the system, hides itself with a rootkit and sees Yes. VeriSign revoked it on July 16th. A modified variant if the infected computer is connected to a Siemens signed with a certificate stolen from JMicron Technology Simatic (Step7) factory system. Corp was found on July 17th.

What does it do with Simatic? What's the relation between Realtek and Jmicron? It modifies commands sent from the Windows computer Nothing. But these companies have their HQs in the to the PLC (Programmable Logic Controllers, i.e. the same office park in Taiwan… which is weird. boxes that actually control the machinery). Once running on the PLC, it looks for a specific factory Did the Stuxnet creators find their own 0-day environment. If this is not found, it does nothing. vulnerabilities or did they buy them from the black market? Which plant is it looking for? We don't know. We don't know. How expensive would such vulnerabilities be? Has it found the plant it's looking for? This varies. A single remote code execution zero-day in We don't know. a popular version of Windows could go for anything between $50,000 to $500,000. What would it do if it finds it? The PLC modification searches for specific high- Why was it so slow to analyze Stuxnet in detail? frequency converter drives (AC drives) and modifies It's unusually complex and unusually big. Stuxnet is their operation. Stuxnet searches for specific AC drives over 1.5MB in size. manufactured by Vacon (based in Finland) and Fararo Paya (based in Iran). When did Stuxnet start spreading? In June 2009, or maybe even earlier. One of the So does Stuxnet infect these Vacon and Fararo Paya components has a compile date in January 2009. drives? No. They drives do not get infected. The infected PLC How long did it take to create Stuxnet? modifies how the drives run. The modification happens We estimate that it took over 10 man-years to develop only when very specific conditions are all true at the Stuxnet. same time, including an extremely high output frequency. Therefore, any possible effects would Who could have written Stuxnet? concern extremely limited AC drive application areas. Looking at the financial and R&D investment required and combining this with the fact that there's no obvious Some suggest the target of Stuxnet was the Natanz money-making mechanism within Stuxnet, that leaves enrichment facility in Iran. Are there Vacon AC drives in only two possibilities: a terror group or a nation-state. these facilities? And we don't believe any terror group would have this According to Vacon, they are not aware of any Vacon kind of resources. drives in use in the Iranian nuclear program, and they can confirm that they have not sold any AC drives to So was Stuxnet written by a government? Iran against the embargo. That's what it would look like, yes.

In theory, what can Stuxnet do? Was it Israel? Egypt? Saudi Arabia? USA? It can adjust the functioning of motors, pumps and We don't know. conveyor belts. It can shut down a control unit. By changing the appropriate parameters, it can cause Was the target Iran? explosions. We don't know. WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![26] STUXNET PART II: TECHNICAL ANALYSIS ACTU SÉCU 27

Is it true that there's are biblical references inside For example, by breaking into a home of an employee, Stuxnet? ﬁnding his USB sticks and infecting it. Then wait for the There is a reference to "Myrtus" (which is a myrtle employee to take the sticks to work and infect his work plant). However, this is not "hidden" in the code. It's an computer. artifact left inside the program when it was compiled. Basically this tells us where the author stored the What does it do then? source code in his system. The speciﬁc path in Stuxnet It infects the system, hides itself with a rootkit and sees is: \myrtus\src\objfre_w2k_x86\i386\guava.pdb. if the infected computer is connected to a Siemens Simatic (Step7) factory system. Could it mean something else? Yeah: it could mean "My RTUs", not "Myrtus". RTU is an abbreviation for Remote Terminal Units, used in factory systems.

How does Stuxnet know it has already infected a machine? It sets a Registry key with a value "19790509" as an infection marker.

What's the signiﬁcance of "19790509"? It's a date. 9th of May, 1979.

What happened on 9th of May, 1979? Maybe it's the birthday of the author? Then again, on that date a Jewish-Iranian businessman called Habib Elghanian was executed in Iran. He was accused to be spying for Israel.

Is there a link between Stuxnet and Conficker? It's possible. Conficker variants were found between November 2008 and April 2009. The first variants of Stuxnet were found shortly after that. Both exploit the MS08-067 vulnerability. Both use USB sticks to spread. Both use weak network passwords to spread. And, of course, both are unusually complex.

Is there a link to any other malware? Some Zlob variants were the ﬁrst to use the LNK vulnerability.

Will Stuxnet spread forever? The current versions have a "kill date" of June 24, 2012. It will stop spreading on this date.

How many computers did it infect? Hundreds of thousands.

But Siemens has announced that only 15 factories have been infected. They are talking about factories. Most of the infected machines are collateral infections, i.e. normal home and ofﬁce computers that are not connected to SCADA systems.

How could the attackers get a trojan like this into a secure facility? WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![27] STUXNET PART II: TECHNICAL ANALYSIS ACTU SÉCU 27

References Hackin9 (Printer spooler article) http://newsoft.dyndns.org/tech/PrintYourShell.pdf Symantec (Report plus blog) http://www.symantec.com/content/en/us/enterprise/ media/security_response/whitepapers/ OSVDB w32_stuxnet_dossier.pdf Microsoft Windows Shell LNK File Parsing Arbitrary Command Execution http://www.symantec.com/connect/blog-tags/ http://osvdb.org/show/osvdb/66387 w32stuxnet Siemens SIMATIC WinCC Default Password http://osvdb.org/show/osvdb/66441 ESET(Report plus blog) http://www.eset.com/resources/white-papers/ Microsoft Windows on 32-bit Task Scheduler Crafted Stuxnet_Under_the_Microscope.pdf Application Local Privilege Escalation http://osvdb.org/show/osvdb/68518 http://blog.eset.com/2010/09/23/eset-stuxnet-paper Microsoft Windows on 32-bit win32k.sys Keyboard Layout Loading Local Privilege Escalation Resources on Stuxnet http://osvdb.org/show/osvdb/68517 http://blog.eset.com/2011/01/03/stuxnet-information- and-resources Microsoft Windows Print Spooler Service RPC Impersonation StartDocPrinter Procedure Remote Code Execution F-Secure (FAQ) http://osvdb.org/show/osvdb/67988 http://www.f-secure.com/weblog/archives/ 00002040.html Microsoft http://www.f-secure.com/weblog/archives/ http://www.microsoft.com/technet/security/bulletin/ 00002066.html MS08-067.mspx

http://www.microsoft.com/technet/security/bulletin/ Langner (Blog) MS10-046.mspx http://www.langner.com/en/blog/ http://www.microsoft.com/technet/security/bulletin/ http://www.controlglobal.com/articles/2011/ MS10-061.mspx IndustrialControllers1101.html?page=print http://www.microsoft.com/technet/security/bulletin/ MS10-073.mspx LEXSI http://cert.lexsi.com/weblog/index.php/2011/01/31/397- http://www.microsoft.com/technet/security/bulletin/ dossier-stuxnet-de-la-vulnerabilite-lnk-au-sabotage- MS10-092.mspx industriel

ISIS - Institute for Science and International Security http://isis-online.org/isis-reports/detail/did-stuxnet-take- out-1000-centrifuges-at-the-natanz-enrichment-plant/8

WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![28] Keyboard Layout and MS10-073: a look KEYBOARD LAYOUT at one of the vulnerabilities exploited by Stuxnet

ACTU SÉCU 27 2010 was notable for several Windows vulnerabilities allowing a user to elevate their privileges (Scheduler, KeyboardLayout, NtGdiEnableEUDC and Windows Class). Several exploitation codes were made public.

In this article, we are going to study the KeyboardLayout (CVE-2010-2743 - MS10-073) vulnerability used by the Stuxnet worm to elevate its privileges under Windows 2000 and XP, and learn how to develop an associated proof of concept.

Florent Hochwelker

XMCO Jon (xlibber) Jon

Reminder User permissions under Windows When a processor of the x86 family functions in protected mode, it is capable of isolating the various Under Windows, from version NT 3.51, it has been processes that it executes using a ring mechanism. possible to create user accounts with restricted There are 4 different rings: Rings 0, 1, 2 and 3. Under privileges, as well as administrator accounts. These Windows, only ring 0 and ring 3 are used. ordinary users have limited permissions. For example, they cannot change certain system parameters, access The kernel, which is executed in ring 0, has all directories belonging to other users or write into certain privileges. It can therefore access any memory space. directories, such as the sensitive Windows directories. From Windows 1.0 to Windows 98, Microsoft's “A program executed by an ordinary user operating system did not really offer separation between the various users. This was partly due to the in ring 3 can only access addresses fact that Windows was still based on MS-DOS. between Ox80000000 and OxFFFFFFFF. ”

The version NT 4.0 of Windows, which came out in 1996, was the first Microsoft operating system to The user's programs are isolated in ring 3 and cannot include permissions management on files and access the kernel memory space. directories (ACL) using the NTFS file system. Using these mechanisms, a virus that succeeds in infecting a Under Windows, the virtual memory space is addressed machine but which executes with the permissions of an as shown in the diagram below for each process. ordinary user would have a great deal of difficulty in Programs executed by ordinary users in ring 3 therefore entirely infecting a machine and hiding its presence cannot access addresses between Ox80000000 and within the system. OxFFFFFFFF corresponding to the kernel memory space (or at least not as ordinary users*). Differences between "user-land" and "kernel- land" * However, a user with administrator permissions can install a driver executing in ring 0, or, using certain APIs, modify the kernel memory Before going into explanations of the vulnerability, let us zone. For example, under XP, the function NtSystemDebugControl() remember the difference between the kernel area is used by the debugger Microsoft WinDbg. (kernel-land) and the user area (user-land). WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [29] KEYBOARD LAYOUT: ANALYSIS OF THE VULNERABILITY ACTU SÉCU 27

The kernel provides a large number of system calls for performing numerous different actions. It is generally not advisable to call them directly.

When a program has to carry out certain tasks, it generally uses the APIs supplied by the Windows Table of system calls operating system. For example, the Windows CreateFile function will use Let us take the example of the CreateFile API function, the system call NtCreateFile. The program therefore which can create or open a ﬁle on the disk. passes control to the kernel to create the requested ﬁle.

BreakPoint on the system call

g: continues the execution of the program kn: displays the call stack

It is then possible, as an ordinary user, to send data that will be processed in ring 0.

So, in order to take control in kernel-land mode (ring 0), a vulnerability must be found within a kernel function or in a driver (hardware drivers are also in ring 0) which allows control to be taken of ring 0 to access this protected memory area, to which access is normally The program in the user area (ring 3) , will call the prohibited. CreateFile function that is available in the kernel32.dll library. This library is also present in the user area. This The various processes under Windows have a system function will perform several processes to check the of tokens corresponding to identities which specify the parameters passed and then, through a system call, will permissions assigned to each of them. Once ring 0 is pass control to the kernel. controlled, it is possible to modify the token for our application and replace it with a system token (NT/ WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![30] KEYBOARD LAYOUT: ANALYSIS OF THE VULNERABILITY ACTU SÉCU 27

LOCALAUTHORITY), which will give us full permissions. The vulnerability comes from an overﬂow in the table of pointers used in the function xxxKENLSProcs contained in the library win32k.sys. win32k is a library of functions loaded into kernel-land (ring 0) and accessible via system calls, which, among INFO other things, manages various graphical rendering tasks. Keyboard Layout: what is it ?

The Keyboard Layout is a binary file describing the layout of the keys on the keyboard. There is therefore one file per keyboard layout. These files are in the form of libraries (DLL files) and are available in the directory "Windows/ system32/".

For example, the French keyboard corresponds to file "kbdfr.dll".

Vulnerable code within the function xxxKENLSProcs

We can see that the code calls a pointer on the function call _aNLSVKFProc[ecx*4] taking, as a parameter, a value of a byte located at address [eax-83h]. This value corresponds to a table index, which originally contains only 3 entries representing 3 functions (indexed from 0 to 2).

Before Microsoft published bulletin MS10-073, no check on its length was made. Consequently, it was then possible to overrun the table…

Libraries corresponding to the various Keyboard Layouts present under Windows XP Content of table aNLSVKFProc

dds: displays the data in the table and the associated symbols

Keyboard Layout and Stuxnet For example, by specifying an index of 5, we can redirect the call to the address Ox60636261 located in The vulnerability that we are going to present was the user area, where we may have previously placed exploited by the Stuxnet virus. As a reminder, Stuxnet our malevolent code (payload). As a reminder, the user- implemented two zero-day vulnerabilities allowing land area contains addresses between elevation of privileges on all versions of the Windows OxOOOOOOOO and Ox7FFFFFFF. We can therefore operating system (from 2000 to Seven). The Keyboard- allocate memory at the address Ox60636261 and write Layout vulnerability is used by the virus to elevate its whatever we want to it. It is important to note that this privileges under Windows 2000 and XP. WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![31] KEYBOARD LAYOUT: ANALYSIS OF THE VULNERABILITY ACTU SÉCU 27

value may vary according to operating systems and Analysis of the vulnerability service packs. The vulnerability

“For example, by specifying an index of 5, When Windows loads a new Keyboard Layout, it calls we can redirect the call to the address an API function "LoadKeyboardLayout()" present within the library user32.dll. This function takes an identiﬁer as Ox60636261 located in the user area, a parameter, in the form of a character string, together where we may have previously placed our with a ﬂag. malevolent code (payload)”

Now let's get to the point of the subject: the exploitation of the vulnerability. Brace yourselves!

It is normally impossible to load a Keyboard Layout, other than that of the system, as an ordinary user.

By looking more closely at this function, we notice that it uses a system call "win32k! NtUserLoadKeyboardLayoutEx" (present in win32k.sys). The prototype for this function is available in the documentation on ReactOS *. The call takes 7 parameters, the ﬁrst of which corresponds to a HANDLE.

This value (HANDLE) corresponds to one of the Keyboard Layout ﬁles. We can use the Windows API "CreateFile()" function to open our specially-designed

Wade Kelly Keyboard Layout and recover a valid HANDLE corresponding to our ﬁle.

In order to check which parameters must be passed to this function, we are going to study how it is called using a Windows debugger. For this, we are going to put breakpoint on the system call "win32k! NtUserLoadKeyboardLayoutEx".

* Free OS compatible with Windows XP WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![32] KEYBOARD LAYOUT: ANALYSIS OF THE VULNERABILITY ACTU SÉCU 27

1er paramètre

dernier paramètre

Déclenchement de l’appel de NtUserLoadKeyboardLayoutEx

Windows XP, it is possible to pass control to the kernel g: continue execution of the program using the instruction "sysenter". dps: display the content of the stack !handle: display the information on the specified handle The APIs available in user32.dll and ntdll.dll all use the same method to make this system call under Windows We can see that the 1st parameter is indeed our XP. HANDLE. The 2nd parameter corresponds to offsets. It is formed [0] mov eax, XXXh of two groups of two bytes, here OxOOOO and [1] mov edx, 7FFE0300h Ox1768. [2] call dword ptr [edx] The 3rd parameter is a pointer towards a [3] retn 1Ch UNICODE_STRING structure representing the name of the Keyboard Layout. We can put an arbitrary value into Code for making the syscall it. The 4th parameter also represents a HANDLE, but one [0] eax is used to specify the number of the system call that is more specific. This is because it represents the used. The list of system calls is available on the keyboard Layout that is currently used. Internet. That of "NtUserLoadKeyboardLayoutEx" is The 5th parameter is again a pointer to a Ox11 C6. UNICODE_STRING structure representing the ID of the [1] We place the address Ox7FFE0300 in the register layout. EDX. At this address, which is fixed under Windows XP, The 6th parameter is a value representing a Keyboard is a pointer towards the following assembler instructions Layout identifier. for moving to ring 0. Lastly, the 7th parameter is a flag. Ox82 represents the flags Ox2 (KLF _SU8STITUTE_OK) and Ox8 (KLF _NOTELLSHELL). mov edx,esp sysenter The system call is not accessible directly. Consequently, we have to use assembler code to make the call. Under WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![33] KEYBOARD LAYOUT: ANALYSIS OF THE VULNERABILITY ACTU SÉCU 27

the input language associated with the keyboard using the shortcut alt+shift, a new icon with question marks (?) appears as well as the icons "FR" and "EN" corresponding to the two keyboard layouts loaded on our system.

SHIFT+ALT dd: ok u: disassemble from the given address

[2] The call to assembler instructions located at the address referenced by edx (Ox7FFE0300) allows entry Our Keyboard layout is therefore correctly applied. It into ring 0. corresponds exactly to the layout of the French keyboard that was previously loaded. [3] Finally, this last assembler instruction resumes execution of the program in ring 3. The vulnerability is based on the fact that the 2nd argument passed to NtUserLoadKeyboardLayoutEx To be sure that we have a valid Keyboard Layout, we represents two offsets, each stored over two bytes. simply copy kbdfr.dll and we attempt to load it. When loading a French keyboard, the default value is Ox1768. In our exploitation code, we use a function of the "naked" type so as not to be bothered by the assembler prolog (push ebp; mov ebp, esp).

The code corresponding to the _asm block corresponds to the system call used.

We are going to use the values recovered from the breakpoint to stay as close as possible to valid values.

Here, hFile is a HANDLE corresponding to our copy of kbdfr.dll.

The 2nd argument is an offset pointing to a structure contained in kbdfr.dll. We use the value observed with

the debugger, to be sure of having a correct value. emdot

Once the code is executed, it appears that nothing has happened. However, we may notice that when changing WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![34] KEYBOARD LAYOUT: ANALYSIS OF THE VULNERABILITY ACTU SÉCU 27

In order to be able to reach the vulnerable code xxxKENLSProcs, we are going to modify this value to point towards the structure KBONLSTABLES (see below) added within our malicious kbdfr.dll ﬁle.

Content of the modiﬁed library (DLL)

We write both structures directly into our copy of the file kbdfr.dll. Here, we choose to modify a text zone for greater simplicity. When the keyboard is loaded and the user presses a button, the function xxxKENLSProcs is called. A check It should be noted that it is not necessary for loaded file is made on a global variable gpKbdNlsTbl. This value to be a valid PE binary For example, Stuxnet used a represents our offset passed as the 2nd argument when text file containing these two structures and not a full loading the Keyboard layout. valid Keyboard Layout file.

In the 2nd parameter, we pass the offset where the “In order to be able to reach the KBONLSTABLES structure is located. vulnerable code xxxKENLSProcs, we are going to modify this value to point towards the structure KBONLSTABLES (see below) added within our malicious kbdfr.dll file.” INFO Analyse différentielle du correctif MS10-073 Here are the two structures to be added to our malicious DLL. These structures are constituted as Microsoft a corrigé cette vulnérabilité follows: avec le correctif MS10-073. Pour cela, quelques lignes de codes ont été ajoutées (en rouge) afin de contrôler que la valeur de l’index soit inférieure à 3.

In order to execute the code present at the address Ox60636261 located at index 5 of table win32k! aNLSVKFProc, the variable NLSFEProcType of the structure VK_F needs to be set to 5. The code corresponding to the Virtual Key (variable Vk) is an arbitrary value that we must reuse later on. We will leave this value at 0 (like stuxnet) for greater simplicity.

The variable pVkToF of the structure KBONLSTABLES must point to the structure VK_F. Given that we need a structure VK_F to trigger the vulnerability, we are going to set NumOfVkToF to 1.

All the other variables can be set to 0. pVkToF is a relative virtual address (RVA). Which gives us: WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![35] KEYBOARD LAYOUT: ANALYSIS OF THE VULNERABILITY ACTU SÉCU 27

The exploitation code SendInput(1, &key, sizeof(key));

Let's examine our code in order to understand the 6. Program halt (crash) at address Ox60636261. sequence of events during exploitation. The exploitation of the vulnerability is successful.

1. Recover the HANDLE corresponding to the current Keyboard Layout returned by the API function "GetKeyboardLayout()" so that a valid value can be used. “For example, by specifying an index of 5, HKL hKL = GetKeyboardLayout(GetCurrentThreadId ()); we can redirect the call to the address Ox60636261 located in the user area, 2. Load our malicious Keyboard Layout by using our where we may have previously placed our parameters (including the previously-recovered value malevolent code. 11 ” so that it can be passed as the 4th parameter (hKL)) with the system call NtUserLoadKeyboardLayoutEx)

NtUserLoadKeyboardLayoutEx(hFile, 0x1B001768, Technical solution for changing the permissions &emptySTRING, hKL, &puszKLID, 0x09990999, of the current process from the kernel area. 0x82); Lastly, the ﬁnal stage consists of elevating our 3. Activate our Keyboard Layout using the API function privileges by using our own payload (shell code) ActivateKeyboardLayout() taking as a parameter our located at the address Ox60636261. For this, it is hKLActivateKeyboardLayout(hKL, Ox82); necessary to allocate memory using the VirtualAlloc() API function, then to place our payload within it. As the 4-5. Exploit the vulnerability with a Windows API for address Ox60636261 is located within the user area, simulating the newly mapped key corresponding to the this is no problem. value of the Virtual Key Vk speciﬁed in the structure VK_F. WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![36] KEYBOARD LAYOUT: ANALYSIS OF THE VULNERABILITY ACTU SÉCU 27

The payload will then be executed in the same context References as the kernel, namely the 0 ring. Vupen's analysis http://www.vupen.com/blog/ Our payload must be able to execute the following 20101018.Stuxnet_Win32k_Windows_Kernel_zero- actions: day_Exploit_CVE-2010-2743.php

1) Browse the processes open on the system. 2) Find a SYSTEM process. ESET's analysis 3) Copy the token for this process. http://blog.eset.com/2010/10/15/win32k-sys-about-the- 4) Copy this token into our own process. patched-stuxnet-exploit

Our elevation of privileges is now ﬁnished. Our process is now running with SYSTEM privileges.

Execution of the program from a user account WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![37] Current news...

What has been happening over the last few weeks within the small L'ACTU SÉCU N°27 world of IT security?

As at the end of each year, Jeremiah Grossman presented the top 10 hacking techniques. Some zero- day vulnerabilities discovered within Internet Explorer spoiled CURRENT NEWS Microsoft's Christmas holidays. Lastly, we will return to a particularly-successful attack on servers hosting the ProFTPD project and we will assess the second edition of GS Days.

Adrien GUINAULT Sharon Pruitt Sharon

• Penetration test/attacks: Top 10 techniques of the year 2010

• Zero-day vulnerability: Microsoft Internet Explorer import CSS

• Conference : The GS Days 2010

• Attack/Cyber criminality: Zero-day attack on servers hosting the ProFTPD project WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [38] Top 10 hacking

techniques 2010 AlaskaTeacher ACTU SÉCU 27

Each year since 2006, Jeremiah Grossman has put together the "top 10" new web attacks of the previous year.

The process of selection, which applies to the 69 new techniques that were on the list in 2010, has been reviewed. To establish the top 15, Internet users initially voted for their favorite new techniques. Then, a panel of security experts classiﬁed this top 15 to obtain the top 10 new web attacks of 2010.

Here is a quick summary of the attacks which have marked the year 2010.

Padding oracle (Juliano Rizzo, Thai Duong) “Juliano Rizzo and Thai Duong are at the top of this list with their research into Juliano Rizzo and Thai Duong are at the top of this list with their research into Padding Oracle which we Padding Oracle which we present in detail present in detail in the next issue. in the next issue ... ”

Evercookie (Samy Kamkar)

Evercookie is an API developed in JavaScript. It can force a browser to store a cookie permanently.

To do this, Evercookie uses numerous techniques (HTTP cookie, Flash cookies, Silverlight storage, Web history, ETags, web cache , etc,) to store a cookie in numerous locations.

Therefore, a cookie cannot be deleted via standard functions offered by web browsers.

The codes and the description of the techniques used are available at the following address:

http://samy.pl/

Each technique is very interesting, such as the creation of a PNG image from a cookie. WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [39] PENETRATION TEST/ATTACKS: TOP 10 HACKING TECHNIQUES 2010 ACTU SÉCU 27

Hacking Auto-Complete (Jeremiah Grosman)

As usual, Jeremiah Grossman was in the top three of this list, with several vulnerabilities identiﬁed within the main browsers on the market. His research showed that it was possible to manipulate browsers' caches, particularly information saved when HTTP forms are submitted.

When HTTP forms use the attribute autocomplete=off, this parameter tells browsers not to save the information. In most of the forms found on the Internet, this attribute is not used. It therefore makes it easier for Internet users to complete forms.

Attacking HTTPS with Cache Injection (Elie Bursztein, Baptiste Gourdin, Dan Boneh)

The HTTPS Cache injection attack consists of injecting a JavaScript library within a browser, in order to intercept the data exchanged between the victim and a website based on the HTTPS protocol.

According to the author, 43% of the top 10,000 sites use external JavaScript libraries. Consequently, if a pirate compromises a site hosting one of these libraries, Through some ingenious JavaScript code, Jeremiah it may affect the conﬁdentiality of the sites that use this showed that this information could easily be disclosed. code. Different code is offered for the four main browsers, either to write within the cache or to read information. His research showed that it was possible The most interesting of these four proofs of concept “ concerns Internet Explorer 6 and 7. The JavaScript to manipulate browsers' caches, code that is offered allows the use of the "down" button particularly information saved when HTTP when a user is on an entry ﬁeld. This will automatically forms are submitted ... " .” show the various proposals contained within the browser. In other words, the malicious JavaScript code that is This code will then go into the history and auto-submit loaded will intercept the data exchanged between the the content to a third-party domain controlled by the victim's browser and the website that uses the library in pirate. question.

The authors gave no further explanations. They nevertheless put several videos online. Their proofs of concept work, but several limitations make exploitation WWW.XMCO.FR

This document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![40] PENETRATION TEST/ATTACKS: TOP 10 HACKING TECHNIQUES 2010 ACTU SÉCU 27

difﬁcult: - The error message on the validity of the certiﬁcate is displayed on the screen. - Under Internet Explorer, several display bugs and a slowdown could quickly raise the suspicions of an Internet user.

The demonstration is nevertheless impressive. Using The code checks that the token submitted by the user is this method, the researchers were able to steal valid before updating the e-mail address. connection identiﬁers for sites such as Twitter or A legitimate request sent from the HTML form would be Blogger.com. as follows:

However, if the victim visits a website which uses an iFrame as follows:

The victim will, without their knowledge, send a POST request as follows: Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution (Lavakumar Kuppan, Manish Saindane)ClickJacking attacks already caused considerable comment some time ago. With proof of concept and Consequently, the JSP code will have to process two e- presentations at Black Hat, the subject has been mail fields: one coming from the URL and the other examined in depth. coming from the arguments of the POST request. This dual use is an attack technique called HTTP Lavakumar Kuppan and Manish Saindane presented a parameter pollution, which can trap the JSP code that technique for bypassing the CSRF protection in place processes the field received in the URL first. on JSP and ASP.NET applications. Therefore, a pirate can use this method to force a An example will illustrate this better than any connected user to change their e-mail address without explanations. their knowledge, while bypassing the anti-CSRF code.Imagine an application which, once authenticated, allows its e-mail address to be updated. To protect itself against CSRF attacks, the developers add a unique Universal XSS in IE8 (Eduardo Vela - sirdarckcat, token in a hidden field when the update form is David Lindsay - thornmaker) accessed. Without going into the details, the two researchers showed various techniques for carrying out Cross-Site Scripting within Internet Explorer 8, bypassing the filters implemented within this new browser.In this case, the page that will process the received data is a JSP page named updateEmail.jsp: WWW.XMCO.FRThis document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![41] PENETRATION TEST/ATTACKS: TOP 10 HACKING TECHNIQUES 2010 ACTU SÉCU 27HTTP POST DoS (Wong Onn Chee, Tom Brennan) scenario in which a pirate makes a webpage available containing a Java applet capable of carrying out such Attacks of the "denial of service" type caused much an attack. The malicious software would be provided to comment, particularly with the "Slowloris" attack. Internet users in the form of a game to attract them and cause them to execute the software. Finally, such an The attack in question is based on the massive dispatch attack would be very difficult to trace, because of the of HTTP requests of the POST type. A pirate first sends disappearance of the traces. This is because as soon the header of the POST request containing a valid as a user closes the browser or empties the cache, the content-length field. Subsequently, the body of the attack would stop from one of the zombies and no HTTP request is sent to the server very slowly, while traces would remain on the workstation. Also, the more remaining sufficiently quick to avoid being cut by the that this game is used by Internet users, the more the timeout. This behavior has the effect of forcing a server attack would be effective. to exhaust its resources (memory and CPU), which, in the case of high demand, causes denial of service. A full presentation of this attack was given at the According to the researcher, just several hundred such OWASP conference. requests could crash a vulnerable server. http://www.hybridsec.com/papers/OWASP-Universal- Very quickly after their presentations, tools were HTTP-DoS.ppt published: RUDY (R-U-Dead-Yet) OWASP HTTP Post Tool JavaSnoop (Arshan Dabirsiaghi) These tools are very easy to use and can have disastrous consequences. After the diverse and varied web attacks, a tool also The Slow Headers or Slow POST attack method, and makes it into the top 10. the Connection Rate, are chosen. JavaSnoop is a program for intercepting the methods and data used within a Java program.Java applications may often be audited using a decompiler such as Jad and a debugger attached to the program to be audited. However, JavaSnoop eliminates this stage and can intercept all inputs and outputs from the program.Several seconds are enough to cause denial of service.To finish, the researcher Onn Chee also presented a WWW.XMCO.FRThis document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![42] PENETRATION TEST/ATTACKS: TOP 10 HACKING TECHNIQUES 2010 ACTU SÉCU 27CSS History Hack In Firefox Without JavaScript http://p42.us/ie8xss/ for Intranet Portscanning (Robert "RSnake" http://cve.mitre.org/cgi-bin/cvename.cgi? Hansen) name=CVE-2010-1489 http://bit.ly/fmSNzA As usual, Robert Hansen, alias "Rsnake", comes within the top 10. This researcher and author of the ha.ckers, site, showed how to use the CSS history to identify HTTP POST DoS internal IP addresses previously visited by a user. http://www.darkreading.com/vulnerability-management/ 167901026/security/attacks-breaches/228000532/ The CSS history is a subject addressed several times index.html by Rsnake. The aim is to be able to identify the sites visited by an Internet user based on the CSS properties of the history, without using any JavaScript code. JavaSnoop http://www.aspectsecurity.com/tools/javasnoop/References CSS History Hack In Firefox Without JavaScript for Intranet Portscanning CERT-XMCO references http://ha.ckers.org/blog/20100125/css-history-hack-in- CXA-2010-1178, CXA-2010-0916, CXA-2010-0502, firefox-without-<a href="/tags/JavaScript/" rel="tag">javascript</a>-for-intranet-portscanning/ CXA-2010-1621 http://jeremiahgrossman.blogspot.com/2011/01/top-ten- Java Applet DNS Rebinding web-hacking-techniques-of-2010.html http://blog.mindedsecurity.com/2010/10/java-dsn- rebinding-java-same-ip-policy.html Padding Oracle http://usenix.org/events/woot10/tech/full_papers/ Rizzo.pdfEvercookie http://samy.pl/evercookie/Hacking Auto-Complete http://jeremiahgrossman.blogspot.com/2010/08/ breaking-browsers-hacking-auto-complete.html http://blackhat.com/html/bh-us-10/bh-us-10- briefings.html#GrossmanAttacking HTTPS with Cache Injection http://www.youtube.com/watch?v=bt0Qh9c59_c http://elie.im/talks/bad-memoriesBypassing CSRF protections with ClickJacking and HTTP Parameter Pollution http://blog.andlabs.org/2010/03/bypassing-csrf- protections-with.htmlUniversal XSS in IE8 WWW.XMCO.FRThis document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![43]Microsoft and IE Daniel Horacio Daniel ACTU SÉCU 27Let's import video clips! Microsoft alerted its clients (KB2488013) then, in February, corrected this vulnerability with bulletin Microsoft had a difficult year end with the discovery of MS11-003. several critical vulnerabilities affecting Internet Explorer. A vulnerability of the zero-day type was discovered “ The difficulty resulted in the within the Internet Explorer browser (versions 6, 7 and circumvention of DEP and ASlR ...” 8). It results from an error in the management of the "clip" attribute by the shared library mshtml.dll. Microsoft reacted by publishing the security bulletin referenced KB2458511 (CVE-2010-3962) then the bulletin MS10-090.Several weeks later… new zero-day! INFO This time, this second vulnerability came from a Exploiting an IE vulnerability via an handling error when importing CSS styles, within the alternative browser. same shared library mshtml.dll. By getting a user to open a malicious web page, a pirate was able to corrupt the memory and take control Billy Rios, the famous security of the target system. Exploitation of this vulnerability researcher, has just published an required the use of the "heap spray" technique so that article presenting an attack vector that is interesting for exploiting the latest the pirate could be sure of executing their malicious zero-day vulnerability in Internet code. Explorer. Using an alternative browser and Adobe This critical vulnerability (CVE-201 0-3971) did not Reader, it is possible to exploit this cause much of a reaction on the Internet. Although vulnerability. Microsoft took no less than two months to correct this major problem, Pirates did not really exploit this The PDF language allows the use of an vulnerability although it affected all versions of API method called "app.launchURL ()". Internet Explorer (6, 7 and 8). The difficulty resulted in This function takes a URL that will be the circumvention of DEP (Data Execution Prevention) opened by the default browser. and ASLR (Address Space Layout Randomization). Consequently, a malicious PDF opened with an alternative browser such as Although HD Moore quickly published a first exploit Firefox would cause a predefined URL to within Metasploit, this was not reliable in all be opened with the default browser environments. (Internet Explorer).The users of this browser are therefore exposed to the exploitation of a vulnerability affecting Internet Explorer.A proof of concept was put online on the researcher's blog: http://xs-sniper.com/sniperscope/Adobe/ BounceToIE.pdf WWW.XMCO.FRThis document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [44] ZERO-DAY VULNERABILITIES: MICROSOFT AND IE ACTU SÉCU 27References:CERT XMCO references: CXA-2010-1724, CXA-2010-1736, CXA-2010-1785, CXA-2010-1808, CXA-2010-1828, CXA-2010-1830, CXA-2011-0197CVE references: http://cve.mitre.org/cgi-bin/cvename.cgi? name=2010-3962 http://cve.mitre.org/cgi-bin/cvename.cgi? name=2010-3971Microsoft references: http://www.microsoft.com/technet/security/advisory/ 2458511.mspx http://www.microsoft.com/france/technet/security/ bulletin/ms10-090.mspx http://www.microsoft.com/technet/security/advisory/ 2488013.mspx http://www.microsoft.com/technet/security/bulletin/ MS11-003.mspxOther references: http://www.wooyun.org/bugs/wooyun-2010-0885 http://seclists.org/fulldisclosure/2010/Dec/110 http://xcon.xfocus.net/XCon2010_ChenXie_EN.pdf http://www.breakingpointsystems.com/community/blog/ ie-vulnerability/ WWW.XMCO.FRThis document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![45] The GS DAYS 2010 ACTU SÉCU 27 Last 30 November, the second edition of GS days took H@ckRAM (Arnaud Malard - Devoteam) place in the Espace Saint Martin in the very heart of Paris. This conference is a meeting place for two Subsequently, during the H@ckRAM conference, communities that are usually separate: researchers and Arnaud Malard, a consultant at Devoteam, listed and other technicians on one side and decision-makers on described the various techniques for exploiting the the other. content of a system's live memory. These techniques concern two contexts in particular: the post-mortem Sixteen conferences took place, covering technical, study and the attack on a system. This conference has legal and organizational subjects. They allowed the the merit of presenting an overview of existing tools and 260 French-speaking participants to (re)discover techniques for accomplishing the objectives, which are: numerous aspects related to security. the extraction, analysis and manipulation of data contained in RAM. Although all of these conferences were enticing, we had to make a selection. “Arnaud Malard listed and described the After a breakfast that brought together all participants various techniques for exploiting the around the stands belonging to the various partners of content of the live memory of a system 11 the event, Marc Brahmi quickly introduced the event This speech was the occasion to announce, to participants, the date of the third edition of GS Days. Firstly, Arnaud Malard presented the various contexts This will take place on 10 May 2011, in the Espace from which it is possible to extract the content of this Saint Martin. memory: live, from the file hyberfile.sys during prolonged hibernation, from a "crashdump" following a crash, by using the DMA mechanism that is mainly From legal to technical: putting one finger up to used by the FireWire and PCMCIAIPC Card protocols, hacking (Diane Mullenex, Legal Practitioner - from a virtual machine of the VMware type and lastly, by carrying out a "coldboot" attack. After this first part, Paul Such, SeRT Philippe Humeau, NBS System) Arnaud gave a quick demonstration of the "memdump" script, supplied within the Metasploit framework. Then SCRT and NBS were respectively represented by Paul he presented the various existing tools for analyzing all Suchs and Philippe Humeau. They were accompanied the information that is recovered in this way. by Diane Mullenex, who is a legal practitioner. They began the day with an opening keynote address entitled "from legal to technical: putting one finger up to hacking!". Unfortunately, this introduction had to be cut short due to lack of time. This plenary session presented several points such as post-incident analysis (the context, the aim, prior questions, submission of a disk before a court and analysis of the memory), and that of catching someone in the act.The speakers, from technical and legal backgrounds, presented the main stages in preparing a legally- admissible technical case, and the main errors that are easy to make. Even so, the conclusion was given that few cases get as far as trial: currently, most of them are concluded by a privately-negotiated arrangement. WWW.XMCO.FRThis document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [46] CONFERENCE: THE GS DAYS 2010 ACTU SÉCU 27After that, he listed certain sensitive data that could be malicious code into an NX zone, transform this non- obtained in this manner, such as BIOS passwords, LM/ executable zone into an executable zone and lastly, to NTLM hashes, the SAM database and LSA secrets, the execute the code. passwords recorded by browsers and other fat clients and even the AES/RSA keys used by encryption solutions such as TrueCrypt.Lastly, the consultant showed several videos presenting the dangers associated with the control of live memory: an elevation of privileges of a process from a serial port, then the misappropriation of the Windows authentication process through the modification of two opcodes following a signature, via a modification of the hyberfile.sys file, as well as via the DMA mechanism. In spite of a small question that remained unanswered on the estimate of the disruption to the content of live memory caused by exploiting a process, the consultant met all the expectations of his audience.Return Oriented Programming (Jean-Baptiste Aviat - HSC)Afterwards, Jean-Baptiste Aviat, from the consultancy INFO HSC, presented a conference entitled "Return Oriented GS DAYS returns Programming": reminder and practice". This conference was very educational. It clarified concepts that are often After the success of the first two mentioned in the news but rarely defined. editions, GS DAYS will very soon return on 10 May 2011, from 08:30 to 18:00 at After a quick presentation of the "basic" stack overflow the Espace Saint Martin. and existing protection measures (canary, DEP/bit NX), the consultant introduced the "Return into Libc" This third edition will address the following subjects: method, which can bypass these protection functions. After this, the researcher presented various technical The security of industrial networks solutions that developers use to protect themselves and systems against this attack technique (compilation without dangerous functions, compiling these functions so that The efficient use of connection data their addresses contain OxOO, and the implementation Dualistic use of workstations of ASLR (Address Space Layout Randomization)). The researcher ended by presenting what is the current The call for papers has already been ultimate circumvention: ROP (Return Oriented launched. Programming). This technique, which is usable when at Contact and information: least one library is not loaded with ASLR, is based on http://www.gsdays.fr/ the use of "gadgets". Each of these pieces of assembler code has two characteristics: a unique address, and a "ret" instruction that terminates the instructions.Using these, it is possible to write the different addresses of the gadgets beyond the buffer in order to chain their calls using "ret". Each of these gadgets will be responsible for a very specific task, in order to copy WWW.XMCO.FRThis document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![47] CONFERENCE: THE GS DAYS 2010 ACTU SÉCU 27The security of Android (Nicolas Ruff - EADS) Internet. Lastly, he ended his conclusion by presenting a "hand-made" circuit for simulating a specific After a long break for lunch, the researcher Nicolas Ruff autonomous RFID system, using a roll of toilet paper as from EADS led a conference on the security of the an antenna support. The researcher concluded his Android ecosystem. This very personal presentation presentation by stating that speaking of the security of gave the audience a quick introduction to the market an RFID system could mean anything or nothing. It is context of smart phones, its architecture, the security important to know what a given system allows to be mechanism of its operating system and its limits. done, so as not to have a false impression of security.Telecommuting: the frontier between private and public life (Catherine Duval and Yann Fareau Devoteam) The following conference was led by Catherine Duval and Yann Fareau. It was entitled "Telecommuting: the frontier between private and public life". Between social, legal and environmental developments, this long appraisal of telecommuting in France gave a complete presentation of the major issues associated with this new way of working. The various components (managerial, legal and practical) were reviewed.XSSF: demonstrating the danger of XSS (Ludovic Courgnaud and Imad Abounasr - Conix) Nicolas will return to the SSTIC with the same subject,Irfan Saad The final technical conference, called "XSSF: doubtless with more material and we hope for some demonstrating the danger of XSS" caused quite a demonstrations! reaction in the audience. Firstly, the two consultants from Conix, Ludovic Courgnaud and Imad Abounasr, presented the risks associated with exploitation of RFID : Radio Frequency Insecure Device (Serigo vulnerabilities of the XSS type, and the low Domingues - SCRT) importance that is still associated with them. Then they spoke of XSSF, a tool specially developed for this. This A conference entitled "RFID: Radio Frequency Insecure framework is based on Metasploit. Just like BeeF, it Device?" was then given by Sergio Alves Domingues allows control to be taken of systems by exploiting from SCRT. After a quick presentation of the vulnerabilities present in the operating system (e.g.: characteristics specific to RFID systems, the researcher hcp, LNK), in the <a href="/tags/Web_browser/" rel="tag">web browser</a>, or in its plug-ins, simply gave a case study on the EM410X system. This is by using JavaScript to force a browser to execute supposed to provide proven security because it is certain actions. This stage can control a set of bots available solely in "read-only" mode; and it contains that can be used subsequently. For example, pirates only a single identifier, according to the manufacturer. could use it as a relay for carrying out attacks. The two However, the researcher showed what it was possible consultants showed how easy it was to go from an XSS to do according to three attack models: collision, cloning on the site belonging to Norton/Symantec to the and emulation. The large number of bits (40) over which construction of a genuine botnet. The presentation the unique identifier is coded makes collision difficult. ended by a discussion between consultants and Nevertheless, using cloning and emulation, it is decision-makers on the legality of a French company extremely simple to create an apparent copy of this making the code for a "hacking" tool available. autonomous system. The researcher presented a "copier", which could be bought for a few dollars on the WWW.XMCO.FRThis document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![48] CONFERENCE: THE GS DAYS 2010 ACTU SÉCU 27Other conferencesFinally, the day ended with lessons learned, jointly presented by France Paris and EdelWeb. The conference "Integrating security into a project with significant regulatory, technical and timetable constraints: lessons learned from online games" presented the management of each stage by both parties, from the definition to the implementation of an online game platform accredited by ARJEL.ConclusionThis second edition of GS DAYS was particularly interesting. The conferences were of an excellent level and the days were very well organized. The GS DAYS compare well in relation to other international conferences.References Website and information http://www.gsdays.fr/ WWW.XMCO.FRThis document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![49] ATTAQUE Jeff Keyzer Jeff PROFTPD ACTU SÉCU 27Servers belonging to ProFTPD compromised! Modification of the file src/help.c During November, pirates broke into servers hosting the ProFTPD project. This attack was carried out on The file help.c was modified with the following few lines 28 November 2010 by exploiting a vulnerability that is of code: still currently not disclosed.The pirates took advantage of this intrusion to replace the source code of ProFTPd version 1.3.3c, placing a stolen port…The HELP ACIDBITCHEZ backdoor Just giving the FTP command "HELP ACIDBITCHEZ" then allows a pirate to directly obtain a shell and take The code added by the pirates gives access to a control of the server. system on which ProFTPD is installed with the root user. Zero-day or not zero-day For this, the pirates have added and modified two files within its source: But how did the pirates get into these servers? The question is still not answered. Addition of file tests/test.c This file has been added within the source. When The pirates took advantage of this compiling the version of ProFTPD with the back “ door, a request is sent to a Saudi Arabian server intrusion to replace the source code of (212.26.42.47) to warn the pirates of the presence of a ProFTPd version 1.3.3c, placing a stolen new target. port ...”The first hypothesis would be the exploitation of a zero- day vulnerability. However, a question remains unanswered, which is why would the pirates have used this vulnerability on the software publishers' servers, with the risk that administrators would discover the vulnerability used, when they could have used it massively on all ProFTPD servers discovered on the Internet? WWW.XMCO.FRThis document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [50] ATTACKS: ZERO-DAY AND PROFTPD ACTU SÉCU 27The second hypothesis concerns the exploitation of a References vulnerability revealed at the same time by the magazine Phrack n043. A vulnerability affecting versions below CERT-XMCO references 1.3.3d and 1.3rc1 related to an error within the function CXA-2010-1692, CXA-2010-1680, CXA-2010-1673 sqLprepare_where() in the SQL module. http://www.phrack.org/issues.html? By sending specially-designed packets, a pirate could issue=67&id=7#article cause a buffer overflow and take control of a system implementing ProFTPD. http://xorl.wordpress.com/2010/12/02/news-proftpd- owned-and-backdoored/Neither of these two hypotheses was confirmed and the developers did not wish to reveal more.Consequences...Consequently, all versions downloaded between 28 November and 2 December contained malicious code. No figure was communicated on the number of downloads of this version, which was available for 5 days.Si vous avez un doute, nous vous conseillons fortement If you have any doubts, we strongly advise you to search for the character string ACIDBITCHEZ within the binary for ProFTPD and if necessary download the latest published version (1.3.3d or 1.3rc1 ). WWW.XMCO.FRThis document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![51] Our bookmarks, blogs and favorite toolsACTU SÉCU 27 With each publication, in this section, we present free tools, Firefox extensions and our favorite websites.For this edition, we have chosen to present the auditing program IMA, two tools that are useful for PCI DSS audits, a blog and BLOGS, SOFTWARE our top Twitter profiles.AND TWITTER Adrien GUINAULT Wade KellyOn the agenda for this edition: • IMA: Identity Management Auditor, an auditing tool developed by Yannick Hamon, consultant at XMCO.• VMware compliance checker: tool for testing VMware environments for PCI DSS certification.• The blog m_101: security blog specialized in the presentation of vulnerabilities and solutions to challenges.• Top Twitter: a selection of Twitter accounts followed by CERT-XMCO. WWW.XMCO.FRThis document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [52] IMA ACTU SÉCU 27 Auditing permissions for systems and databases Description IMA is a program developed by Yannick Hamon, a consultant at XMCO. It can perform permissions audits on MSSQL, Oracle, Active Directory and Lotus Domino. This tool can quickly identify user profiles (administrators, DBA, etc,) and test the robustness of passwords for all accounts.How many times have you manually connected with Osql to an MSSQL database to extract the hashes, then passed them to John the Ripper? With IMA, one click is sufficient. Whether it is through local authentication or domain authentication, IMA recovers, audits, then reports the results in a directly-usable format (Excel, graph). It has several very useful functions: imports .pot files (John the ripper, export in different formats), Pass-The-Hash, password generators and SQL clients. Let's hope that IMA becomes the reference for security auditors!Screenshot Address http://www.xmco.fr/ima.htmlXMCO opinion IMA has become an essential tool for our security audits. It becomes essential when it is necessary to audit dozens of Oracle and MSSQL databases or to check permissions on an instance of Active Directory. As the tool is developed and maintained in the author's free time, the author apologizes in advance for any potential bugs. Do not hesitate to report them or suggest new functionalities.For us, it is the best freeware of its kind;-) WWW.XMCO.FRThis document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [53] VMware Compliance Checker Auditing Windows systems ACTU SÉCU 27Description Vmware Compliance Checker is a very useful tool for auditing Windows systems for PCI DSS audits. It reports the essential security points of a Windows system for reaching the requirements imposed by the PCI DSS 1.2 standard: presence of a personal firewall, unnecessary services, permissions, logs, password policy, etc.Screenshot Address http://www.vmware.com/products/compliance-checker/XMCO opinion Combined with a tool such as MBSA for security patches, this tool checks that a Windows system complies with basic security principles. WWW.XMCO.FRThis document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [54] m_101ACTU SÉCU 27 Technical blog specialized in the exploitation of vulnerabilities Description Let's remain within the spirit of our rather technical article on the exploitation of Windows and Linux security vulnerabilities, with the blog m_101.This blog, written by a student with a keen interest in security, lets you follow and understand the resolution of challenges and the exploitation of vulnerabilities. Screenshot Address Link: http://binholic.blogspot.com/Twitter: http://twitter.com/w_levinXMCO opinion This blog will let you perfect your technical knowledge in highly varied fields, from the exploitation of Windows vulnerabilities to partial solution of challenges.An excellent blog for an informed audience. WWW.XMCO.FRThis document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [55] Twitter ACTU SÉCU 27 Selection of Twitter accounts followed by CERT-XMCO URL TypeRegvulture http://twitter.com/regvulture General info honlinenews http://twitter.com/honlinenews Security info helpnet http://twitter.com/helpnetsecurity Security info hdmoore http://twitter.com/hdmoore Metasploit xanda http://twitter.com/xanda Technical CERT_Polska_en http://twitter.com/CERT_Polska_en Security info schneierblog http://twitter.com/schneierblog Security info taviso http://twitter.com/taviso Technical ivanlef0u http://twitter.com/ivanlef0u Technical msftsecresponse http://twitter.com/msftsecresponse/ Security info WWW.XMCO.FRThis document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [56] Acknowledgement s...ACTU SÉCU 27 Vanessa Lynn http://www.flickr.com/photos/judeanpeoplesfront/ Cover * Sharon Pruitt (pinksherbet) : * David Helan (davidhelan) : http://www.flickr.com/photos/pinksherbet/ http://helmen.blogspot.com/ http://www.flickr.com/photos/davidhelan/3443012216/ * Daniel Horacio (dhammza) http://www.flickr.com/photos/dhammza* Saad Irfan (saadirfan) Photos of articles http://www.flickr.com/photos/saadirfan/* Jeff Keyzer (mightyohm) : * Karsten Kneese (karstenkneese) : http://www.flickr.com/photos/mightyohm/ http://www.flickr.com/photos/karstenkneese/ * Vanessa Lynn (vanessa_lynn) : * Trey Ratcliff (stuckincustoms) http://www.flickr.com/photos/vanessa_lynn/ http://www.flickr.com/photos/stuckincustoms/ * BlackburnMike_1 / Mike Blackburn : * Ludo Benoit (pics_troy) : http://www.flickr.com/photos/mikeblackburn/: http://www.flickr.com/photos/pics_troy/ * Nick Fisher (cobrasick) : * Bjoern Schwarz (bagalute) : http://www.flickr.com/photos/cobrasick/ http://www.flickr.com/people/bagalute/ * The Consumerist : * Shelly Munkberg (zingersb) : http://www.flickr.com/photos/consumerist// http://www.flickr.com/photos/zingersb/ * Shorts and Longs | The Both And (48424574@N07/) * Stéfan Le Dû (st3f4n) : http://www.flickr.com/photos/48424574@N07 http://www.flickr.com/photos/st3f4n/ *AlaskaTeacher (alstonfamily): * Jon (xlibber) : http://www.flickr.com/photos/alstonfamily/ http://www.flickr.com/photos/xlibber/ * Exakta : * Wade Kelly (wader) : http://www.flickr.com/photos/exakta/ http://www.flickr.com/photos/wader/ * Seth Anderson (swanksalot) : * emdot http://www.flickr.com/photos/swanksalot/3820698076/ http://www.flickr.com/photos/emdot/ sizes/z/in/photostream/ http://www.b12partners.net/wp/ * Michael LaCalameto (stopthegears) : http://www.flickr.com/photos/stopthegears/* Rob Shenk (rcsj) : http://www.flickr.com/photos/rcsj/* -JvL- (-jlv-) : http://www.flickr.com/people/-jvl-/* Gordon (judeanpeoplesfront) : WWW.XMCO.FRThis document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [57] ACTU SÉCU 27About ActuSécu ActuSécu is a digital magazine written and published by the consultants of the XMCO Partners consultancy. Its purpose is to give clear and detailed presentations on IT security in complete independence. All editions of ActuSécu can be downloaded from the following address (french and english versions): http://www.xmco.fr/actualite-securite-vulnerabilite-fr.html About XMCO Partners Founded in 2002 by experts in security and managed by its founders, we work in the form of fixed-fee projects with a commitment to achieve results. Intrusion tests, PCI DSS security audits and vulnerability monitoring (CERT-XMCO) are the major areas in which our firm is developing. At the same time, we work with senior management on assignments providing support to heads of information-systems security, in drawing up master plans and in working on awareness-raising seminars with several large French accounts. Contact XMCO Partners To contact XMCO Partners and obtain information about our business: +33 (0)01 47 34 68 61. http://www.xmco.fr http://cert.xmco.fr WWW.XMCO.FRThis document is the property of XMCO Partners. Any reproduction is strictly prohibited. !!!!!!!!!!!!!!!!! [58] </div> </article> </div> </div> </div> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.1/jquery.min.js" crossorigin="anonymous" referrerpolicy="no-referrer"></script> <script> var docId = '125673279555048e51ba53d9bde4a228'; var endPage = 1; var totalPage = 58; var pfLoading = false; window.addEventListener('scroll', function () { if (pfLoading) return; var $now = $('.article-imgview .pf').eq(endPage - 1); if (document.documentElement.scrollTop + $(window).height() > $now.offset().top) { pfLoading = true; endPage++; if (endPage > totalPage) return; var imgEle = new Image(); var imgsrc = "//data.docslib.org/img/125673279555048e51ba53d9bde4a228-" + endPage + (endPage > 3 ? ".jpg" : ".webp"); imgEle.src = imgsrc; var $imgLoad = $('<div class="pf" id="pf' + endPage + '"><img src="/loading.gif"></div>'); $('.article-imgview').append($imgLoad); imgEle.addEventListener('load', function () { $imgLoad.find('img').attr('src', imgsrc); pfLoading = false }); if (endPage < 5) { adcall('pf' + endPage); } } }, { passive: true }); if (totalPage > 0) adcall('pf1'); </script> <script> var sc_project = 11552861; var sc_invisible = 1; var sc_security = "b956b151"; </script> <script src="https://www.statcounter.com/counter/counter.js" async></script> </html><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script>