In an earlier post I gave a preview of Ralph Langner’s paper and DoS tool for OPC implementations. We have a second brilliant OPC paper at S4 from Lluis Mora of Neutralbit in Barcelona, Spain.
Lluis’s paper focuses on implementation vulnerabilities in OPC servers at the OPC interface level. The paper is an indepth looks at how OPC servers implement the specific handles, functions, methods, and interfaces. Some of the examples are quite serious:
the item write function takes two parameters: an item handle and a value to write to it. If the server maps handles to memory addresses and fails to validate a client-provided handle, the IO interfaces Write function allows an attacker to write any value to any memory address, a primitive which can be easily exploited to run arbitrary code on the server (e.g. through stack return addresses or SEH overwriting).
This clearly raises the stakes. It is one thing to admit that an OPC server is rarely implemented with even the limited DCOM security. It is an even larger issue to say that an OPC server can be remotely compromised and used to launch attacks on other systems. Since OPC servers are often exposed in the DMZ this could be a communication chain that could allow control system exploitation from the enterprise network or Internet.
But the news is not all bad:
The handling of long strings does not seem to be a problem for the servers we reviewed, which also do not seem to be affected by “format string” vulnerabilities. On the other hand we encountered unexpected results with the handling of integers, specifically in the handling of error messages.
This paper is full of detailed examples and will require a throrough understanding of OPC to fully appreciate it, so brush up on the protocol before attending.
In addition to the paper, Lluis will be demonstrating the tool they used to test 21 OPC servers.