Sergey Gordeychik of Positive Technologies presents in 45 minutes a large number of vulnerabilities in WinCC at S4x13 — yes, the WinCC of Stuxnet fame. There are also some findings on the S7 PLCs. The work is part of the impressive SCADA Strangelove effort.
He deals with a lot of old exploits, such as an 1825-day exploit in OpenSSL. This and other libraries were compiled in 1997. There are WebNavigator and ActiveX issues, some discussed and some left as an exercise for the viewer … such as the hint that ComRaider still rocks.
My favorite part is at 29:45, where Sergey discusses “Can Project Be Trusted”. The project is the logic that the PLC is running. Of course he shows it cannot be trusted, simply by patching the project. Patching “on the fly” would allow an attacker to change the logic, cause a problem, and then change it back, thereby hiding the attack. There is no integrity protection on the project at all.
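One defensive takeaway from that point, written here as an added example (not from the talk and not a Siemens or WinCC tool): a logic-integrity monitor has to record every transition of the project it reads back from the controller, because an audit that only compares the current logic against an approved baseline is satisfied again the moment the attacker changes it back. The project bytes below are constructed stand-ins for a read-back project.

```python
import hashlib
from dataclasses import dataclass, field


def digest(project: bytes) -> str:
    """SHA-256 of the logic as read back from the controller."""
    return hashlib.sha256(project).hexdigest()


@dataclass
class LogicIntegrityMonitor:
    """Records every change of the running logic, not just the current state."""
    baseline: str
    history: list = field(default_factory=list)   # (poll_time, digest)
    windows: list = field(default_factory=list)   # [start, end] of each deviation

    def observe(self, poll_time: int, project: bytes) -> None:
        d = digest(project)
        prev = self.history[-1][1] if self.history else self.baseline
        window_open = bool(self.windows) and self.windows[-1][1] is None
        if d != prev:
            if d != self.baseline and not window_open:
                # logic left the approved state: open a deviation window
                self.windows.append([poll_time, None])
            elif d == self.baseline and window_open:
                # logic was changed back: close the window but keep the record
                self.windows[-1][1] = poll_time
        self.history.append((poll_time, d))

    def deviations(self) -> list:
        return [tuple(w) for w in self.windows]


def point_in_time_check(baseline: str, project: bytes) -> bool:
    """The naive audit: only asks whether the logic matches right now."""
    return digest(project) == baseline


# Constructed sample logic (hypothetical STL-style text, not a real project file).
ORIGINAL = b"NETWORK 1\n  A I0.0\n  = Q0.0\n"
PATCHED = b"NETWORK 1\n  AN I0.0\n  = Q0.0\n"   # condition inverted by the attacker


def run_scenario() -> tuple:
    baseline = digest(ORIGINAL)
    mon = LogicIntegrityMonitor(baseline)
    for t, blob in [(0, ORIGINAL), (1, PATCHED), (2, PATCHED), (3, ORIGINAL)]:
        mon.observe(t, blob)
    # After the revert the point-in-time audit passes; the monitor still shows the window.
    return mon.deviations(), point_in_time_check(baseline, ORIGINAL)


if __name__ == "__main__":
    print(run_scenario())
```

In a real deployment the polling interval bounds how short a modification window the monitor can see, so it complements rather than replaces controller-side integrity protection.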
There is also a lot of new, fresh for S4x13 material here.
The Windows portion of Stuxnet always felt like overkill: belt, suspenders and two more belts. With all these security vulnerabilities and exploitable issues, it seems unnecessary to have wasted those Windows 0days.
One last note – this presentation will be interesting for Stuxnet and ICS vuln historians. Sergey shows a number of forum screenshots showing some of the vulns being known and discussed in 2005, 2006 and 2008. And a little comment in Siemens’ code: “dreckige hackerei” (roughly, “dirty hackery”).