admin posted on 2022-3-31 03:58:49

Penetrating an industrial control network through a logic flaw in a well-known vendor's MIS software: second case

<h3 class="detailTitle" style="margin:15px auto 0px;padding:5px 0px 0px;font-size:14px;font-weight:normal;width:950px;text-indent:10px;word-break:break-all;overflow-wrap:break-word;border-left:5px solid #999999;color:#000000;font-family:Verdana, &quot;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;orphans:2;text-align:left;text-transform:none;white-space:normal;widows:2;word-spacing:0px;-webkit-text-stroke-width:0px;text-decoration-style:initial;text-decoration-color:initial;">
        Brief description:
</h3>
<p class="detail wybug_description" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;color:#000000;font-family:Verdana, &quot;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;orphans:2;text-align:left;text-indent:0px;text-transform:none;white-space:normal;widows:2;word-spacing:0px;-webkit-text-stroke-width:0px;text-decoration-style:initial;text-decoration-color:initial;">
        This article can be read as a supplement to the previous one, continuing to explore whether a deep penetration can affect the physical production environment. Neither article is for show: their aim is to remind software vendors to raise the security of their software and, at the same time, to remind plant operators to take industrial network security seriously. Comments on any technical problems in them are welcome :-)<br style="margin:0px;padding:0px;" />
All sensitive information has been masked; the relevant system details will be sent privately to CNCERT.
</p>
<h3 class="detailTitle" style="margin:15px auto 0px;padding:5px 0px 0px;font-size:14px;font-weight:normal;width:950px;text-indent:10px;word-break:break-all;overflow-wrap:break-word;border-left:5px solid #999999;color:#000000;font-family:Verdana, &quot;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;orphans:2;text-align:left;text-transform:none;white-space:normal;widows:2;word-spacing:0px;-webkit-text-stroke-width:0px;text-decoration-style:initial;text-decoration-color:initial;">
        Detailed description:
</h3>
<div class="wybug_detail" style="margin:0px;padding:0px;color:#000000;font-family:Verdana, &quot;font-size:12px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;orphans:2;text-align:left;text-indent:0px;text-transform:none;white-space:normal;widows:2;word-spacing:0px;-webkit-text-stroke-width:0px;text-decoration-style:initial;text-decoration-color:initial;">
        <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                Following on from the previous article, where we discussed the access-control bypass (越权) problem in SyncPlant: with only a single case it was hard to confirm how widespread it is, but judging by the vendor's project record, SyncPlant has been deployed in a number of field engineering projects, so this second case is offered as corroboration for CNCERT to confirm.
        </p>
</div>
<h3 class="detailTitle" style="margin:15px auto 0px;padding:5px 0px 0px;font-size:14px;font-weight:normal;width:950px;text-indent:10px;word-break:break-all;overflow-wrap:break-word;border-left:5px solid #999999;color:#000000;font-family:Verdana, &quot;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;letter-spacing:normal;orphans:2;text-align:left;text-transform:none;white-space:normal;widows:2;word-spacing:0px;-webkit-text-stroke-width:0px;text-decoration-style:initial;text-decoration-color:initial;">
        Proof of vulnerability:
</h3>
<div class="wybug_poc" style="margin:0px;padding:0px;color:#000000;font-family:Verdana, &quot;font-size:12px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;orphans:2;text-align:left;text-indent:0px;text-transform:none;white-space:normal;widows:2;word-spacing:0px;-webkit-text-stroke-width:0px;text-decoration-style:initial;text-decoration-color:initial;">
        <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                1. Remote web login
        </p>
        <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <a href="https://w.hundan.org/articles/attach/201304/06180222a8528fcda7c5585cebd05cf16456039e.jpg" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201304/06180222a8528fcda7c5585cebd05cf16456039e.jpg" alt="0.jpg" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
        </p>
        <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <br style="margin:0px;padding:0px;" />
2. The problem is the one described in the previous article: testing this system showed the same access-control bypass.
        </p>
        <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <a href="https://w.hundan.org/articles/attach/201304/06180244f3e7bd214a8277bf711573734175b803.jpg" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201304/06180244f3e7bd214a8277bf711573734175b803.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
        </p>
        <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <br />
        </p>
        <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <a href="https://w.hundan.org/articles/attach/201304/0618033842f5a72e7256f147c505a437741655c9.jpg" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201304/0618033842f5a72e7256f147c505a437741655c9.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
        </p>
        <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <br />
        </p>
        <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <a href="https://w.hundan.org/articles/attach/201304/0618034730482f7c58745264658bbe2fcad2306b.jpg" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201304/0618034730482f7c58745264658bbe2fcad2306b.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
        </p>
        <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <br style="margin:0px;padding:0px;" />
3. From here we can go further. In the current test environment, Remote Desktop was enabled on the system, netstat confirmed that SQL Server was installed, web.config yielded the sa password, and the SQL Server extended stored procedure xp_cmdshell then successfully ran system commands; via port forwarding we successfully logged in to the test server.
        </p>
        <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <a href="https://w.hundan.org/articles/attach/201304/06180431d3c8a8167f155a630c529b5f8e365d58.jpg" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201304/06180431d3c8a8167f155a630c529b5f8e365d58.jpg" alt="4.jpg" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
        </p>
        <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <br style="margin:0px;padding:0px;" />
4. In the previous article we mentioned that Syncbase uses protocol drivers to collect data from downstream control equipment such as the DCS and supplies real-time data to the front-end web application; this environment is set up the same way.
        </p>
        <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <a href="https://w.hundan.org/articles/attach/201304/06180448d64b26d53f8808aaeaa2b22066b96d23.jpg" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201304/06180448d64b26d53f8808aaeaa2b22066b96d23.jpg" alt="5.jpg" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
        </p>
        <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <br style="margin:0px;padding:0px;" />
5. From this figure we can see that the DCS operator station exports its data over Modbus TCP to communicate in real time with Syncbase, and that it sits on the same network segment as the test server. The figure also shows two data blocks under the DCS, AI and DI, which are the DCS-defined analog inputs (usually continuously varying quantities such as temperature, pressure, rotational speed and current) and digital inputs (usually the open/closed feedback of various instruments). In addition there are normally AO (analog control signals, such as continuously adjustable actuator opening control) and DO (on/off control signals issued by the controller), and as the figure shows, data locations have been defined for those here as well.
        </p>
        <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <a href="https://w.hundan.org/articles/attach/201304/06180521b0af99327886771caaf93383fddee094.jpg" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201304/06180521b0af99327886771caaf93383fddee094.jpg" alt="6.jpg" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
        </p>
        <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <br />
        </p>
        <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <a href="https://w.hundan.org/articles/attach/201304/061805393d10f332261ef7194c1a48c13594a88a.jpg" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201304/061805393d10f332261ef7194c1a48c13594a88a.jpg" alt="7.jpg" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
        </p>
        <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <br />
        </p>
        <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <a href="https://w.hundan.org/articles/attach/201304/061805573b1af3c8d34658c23ca1aff2b3e67223.jpg" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201304/061805573b1af3c8d34658c23ca1aff2b3e67223.jpg" alt="8.jpg" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
        </p>
        <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <br style="margin:0px;padding:0px;" />
6. In the same way we can also connect in Client mode; here we used the tag {#3锅炉给水流量} (boiler #3 feedwater flow) for the test and successfully retrieved its data. The difference in the displayed values is due to the web page's refresh interval.
        </p>
        <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <a href="https://w.hundan.org/articles/attach/201304/061806500ae26c4df813566917b76c865fd4f01c.jpg" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201304/061806500ae26c4df813566917b76c865fd4f01c.jpg" alt="9.jpg" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
        </p>
        <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <br />
        </p>
        <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <a href="https://w.hundan.org/articles/attach/201304/06180750b3b90b3ba42a5417161fe55b25e22a00.jpg" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201304/06180750b3b90b3ba42a5417161fe55b25e22a00.jpg" alt="10.jpg" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
        </p>
        <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <br style="margin:0px;padding:0px;" />
7. From the current test environment we can roughly conclude that the DCS at 192.168.0.17 uses SCADA/HMI configuration software such as KingView (组态王) to monitor the field bus below it in real time, handling data acquisition, alarms and control, and, like the SYNCMB in the first article, forwards the data over standard Modbus to programs such as the SIS. Unlike the first case, the target network appears to have no industrial security isolation device such as a network gap (网闸), which leaves the production network in a fairly dangerous state: from an attacker's standpoint, penetrating the DCS or other systems, or writing values down to them, could directly or indirectly threaten the safety of the production network, so we went no further here.
        </p>
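<p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                Added example, not from the original report and not vendor code: a small Python checker that parses Modbus TCP request frames of the kind exchanged between the DCS and Syncbase (steps 5 and 7) and flags any write function code (the AO/DO write-down path the report warns about) or any poll from a host other than the expected collector. The collector address 192.168.0.50, the sender 192.168.0.99 and the sample frames are constructed for the example.
        </p>

```python
import struct
from dataclasses import dataclass
# Read-only function codes (the AI/DI polling Syncbase performs)
READ_FCS = {1: "Read Coils", 2: "Read Discrete Inputs",
            3: "Read Holding Registers", 4: "Read Input Registers"}
# Write function codes (the AO/DO "write-down" path the report warns about)
WRITE_FCS = {5: "Write Single Coil", 6: "Write Single Register",
             15: "Write Multiple Coils", 16: "Write Multiple Registers"}
ALLOWED_POLLERS = {"192.168.0.50"}  # assumed Syncbase collector; constructed address

@dataclass
class ModbusRequest:
    src: str
    unit_id: int
    function_code: int
    address: int   # starting coil/register address
    quantity: int  # count for reads/multi-writes, raw value for single writes

def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and the first two PDU fields of a Modbus TCP request."""
    if len(frame) < 12:
        raise ValueError("frame too short for MBAP header plus minimal PDU")
    _tid, pid, length, uid, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus TCP")
    if length != len(frame) - 6:  # MBAP length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    address, quantity = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(src, uid, fc, address, quantity)

def classify(req: ModbusRequest) -> str:
    """Return 'ok' for expected read polling, otherwise an alert line."""
    if req.function_code in WRITE_FCS:
        return f"ALERT: write ({WRITE_FCS[req.function_code]}) to address {req.address} from {req.src}"
    if req.src not in ALLOWED_POLLERS:
        return f"ALERT: unexpected poller {req.src} using fc={req.function_code}"
    if req.function_code not in READ_FCS:
        return f"ALERT: unknown function code {req.function_code} from {req.src}"
    return "ok"

# Constructed sample traffic (hex): two normal polls and a write from an unknown host
SAMPLE = [
    ("192.168.0.50", bytes.fromhex("0001000000060103000A0002")),  # read 2 holding regs at 10
    ("192.168.0.50", bytes.fromhex("000200000006010200000008")),  # read 8 discrete inputs
    ("192.168.0.99", bytes.fromhex("0003000000060106000B1234")),  # unknown host writes reg 11
]

def scan(samples=SAMPLE) -> list:
    return [classify(parse_modbus_tcp(src, frame)) for src, frame in samples]
```

On a real segment the same classification would run over captured Modbus/TCP (port 502) requests, so that any write toward the DCS from outside the collector is logged rather than discovered after the fact.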
        <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <a href="https://w.hundan.org/articles/attach/201304/0618081868a2fbcdac7a201d04d662ca8785fba9.jpg" target="_blank" style="margin:0px;padding:0px;color:#002E8C;text-decoration:none;"><img src="https://w.hundan.org/articles/attach/201304/0618081868a2fbcdac7a201d04d662ca8785fba9.jpg" alt="11.jpg" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
        </p>
        <p class="detail" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <br />
        </p>
        <p class="detail usemasaic" style="margin:0px auto;padding:5px 12px;font-size:13px;width:870px;line-height:25px;word-break:break-all;overflow-wrap:break-word;">
                <a href="https://w.hundan.org/articles/attach/201304/0618082728cc0bfd7a2034f3d54b5f01e1347b8f.jpg" target="_blank" style="margin:0px;padding:0px;color:#FF6600;text-decoration:underline;"><img src="https://w.hundan.org/articles/attach/201304/0618082728cc0bfd7a2034f3d54b5f01e1347b8f.jpg" alt="12.jpg" width="600" onerror="javascript:errimg(this);" style="margin:0px;padding:0px;border:none;" /></a>
        </p>
</div>