Old Program, New Zero Day

Wednesday, August 1, 2012 @ 02:08 PM gHale


New zero day exploits are out for Supervisory Control and Data Acquisition (SCADA) systems.

The zero days come courtesy of 17-year-old software, Microsoft Bob.


Microsoft Bob is a failed platform meant to give Windows PCs a “user-friendly” interface composed of virtual “rooms” populated by cartoon characters in lieu of the usual drag-and-drop desktop. It also had a slew of security flaws.

That program is long gone, but security researcher Wesley McGrew, speaking at Defcon in Las Vegas, said its captive, kiosk-style interface has much in common with the Human Machine Interfaces (HMIs) used in SCADA systems, and showed how such interfaces can be manipulated to gain unauthorized access.

The problem with special-use interfaces like Bob and HMIs is that they rely on their ability to keep unauthorized users locked out of the multitasking operating systems they run on top of, McGrew said. “If a user can get out of that interface or run other code, it’s over.” That usually leaves user authentication as the software’s primary mode of defense.


In one example of vulnerable SCADA HMI software, ICONICS Genesis32, McGrew found that a “challenge code” shown at the bottom of the login screen can be turned into an “emergency” password in two ways: by simply phoning the vendor’s technical support and requesting it (the challenge codes aren’t tied to any specific user account), or by decoding it manually, which, as McGrew demonstrated, is far easier than it sounds.

McGrew also said HMI passwords are commonly stored obfuscated with a static XOR key that is the same for all users and across every installation, making unauthorized access easier for intruders.
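To make the XOR point concrete, the following is an added example, not code from the article or from McGrew’s talk, using a constructed, hypothetical key and constructed accounts (nothing here is the real ICONICS key or storage format). It shows why a single product-wide XOR key is not a secret: one known credential reveals the key, and with it every stored password on every installation, whereas salted, slow hashing (PBKDF2 here) leaves nothing to decode.

```python
import hashlib
import os
import secrets

# Constructed, hypothetical key standing in for the kind of static XOR key the
# article describes; it is NOT the key of ICONICS Genesis32 or any real product.
STATIC_KEY = b"\x5a\xc3\x19\x77"
PBKDF2_ROUNDS = 200_000

def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Static-key XOR 'protection': same key for every user and every install."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(known_plain: bytes, stored: bytes, key_len: int) -> bytes:
    """XOR is its own inverse: one known password/blob pair (>= key_len bytes) exposes the key."""
    return bytes(known_plain[i] ^ stored[i] for i in range(key_len))

def decode_all(stored: dict, key: bytes) -> dict:
    """With the shared key known, every stored password decodes at once."""
    return {user: xor_obfuscate(blob, key) for user, blob in stored.items()}

def hash_password(password: bytes, salt: bytes = b"") -> tuple:
    """The mitigation: a salted, slow, one-way hash, so there is nothing to decode."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)

def verify_password(password: bytes, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return secrets.compare_digest(candidate, digest)

def demo() -> dict:
    # Constructed sample credential stores for two "installations" sharing the key.
    site_a = {b"operator": xor_obfuscate(b"plant1234", STATIC_KEY),
              b"engineer": xor_obfuscate(b"S3cret!!", STATIC_KEY)}
    site_b = {b"operator": xor_obfuscate(b"plant1234", STATIC_KEY)}
    # One known (e.g. default) credential on site A is enough to expose site B too.
    key = recover_key(b"plant1234", site_a[b"operator"], len(STATIC_KEY))
    salt, digest = hash_password(b"plant1234")
    return {
        "same_blob_across_installs": site_a[b"operator"] == site_b[b"operator"],
        "recovered_key": key,
        "decoded_site_b": decode_all(site_b, key),
        "hash_verifies": verify_password(b"plant1234", salt, digest),
        "hash_rejects_wrong": verify_password(b"plant1235", salt, digest),
        "hash_differs_per_salt": hash_password(b"plant1234")[1] != digest,
    }
```

The identical blobs across installations are the detection hint for a defender: if two deployments of a product hold byte-identical password records for the same password, the storage is key-based obfuscation, not hashing.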
