
Browsers as Attack Vectors and New Vuln Paper

Most asset owners are deploying firewalls with DMZs to restrict communication between the enterprise and control center networks, and some are even implementing solid, least-privilege rulebases. This is sound practice and should be followed, but don't let it lull you into believing it makes you risk free. Eyal demonstrated at S4 how an attacker on the enterprise network could compromise systems on a control center DMZ through an allowed HTTP connection and a vulnerable control system web application; the firewall permits that traffic by design, so the rulebase never sees anything to block. As operating systems have become more secure, thanks to security-minded development cycles and improved security testing procedures, attackers have moved up the stack, and the best target in the application layer these days seems to be the nearly ubiquitous web browser.
Over the last week the security community has been buzzing over a paper released by Mark Dowd. To say that the paper, and the vulnerability it describes, are technical is an understatement, but it is well worth the read to get a better understanding of the types of vulnerabilities being researched and exploited by the most sophisticated attackers today.
Specifically, the vulnerability is in the Flash Player, which, along with the browser, is installed on nearly every system, and because of compatibility between the plugin versions the exploit works whether it is triggered from Internet Explorer or Firefox. Right there an attacker has an attack surface on the vast majority of systems deployed today, and because Flash was not compiled with ASLR support, Vista is exploitable as well. Combine this with DNS poisoning or a simple cross-site scripting attack on a major site, and malware using this vulnerability could spread like wildfire.
Aside from the complexity of this particular vulnerability, the paper is also an example of an area of research that is just beginning to come of age in the security community. At its core, Flash is a program that compiles and runs ActionScript, a close relative of JavaScript (both are ECMAScript dialects), and we are collectively just starting to realize that serious vulnerabilities can exist in these kinds of programs. Higher-level languages such as ActionScript, Perl, Python, and PHP are supposed to be safer, but the engines that run them are themselves written in C or C++: the language hides the difficult low-level constructs behind window dressing and adds helpful features here and there, yet every bounds check, type check and pointer dereference the script relies on is ordinary native code that can have ordinary native bugs. Over the course of the next year I'd wager that we are going to see a significant increase in vulnerabilities related to these engines and interpreters.
In the end, progressing towards more secure systems is the goal. Reducing the attack surface by exposing only the minimum set of features needed to function (Windows Server Core is one example), and following proper deployment procedures such as network segregation and frequent audits of critical components, are steps in the right direction, and ultimately the only way to protect against future vulnerabilities such as these.
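To make the "window dressing" point concrete, here is a small worked example added to this post; it is not code from the original page, from Adobe, or from Mark Dowd's paper, and it does not model the Flash Player's real internals. It is a toy stack-based bytecode VM written in C. At the "language" level a script may only touch its own four locals and may never issue the privileged op while sandboxed. That promise is enforced by a bytecode verifier, and the interpreter underneath trusts the verifier and indexes a plain C array. If the verifier is skipped or fooled, attacker-controlled bytecode reaches "local 4", which does not exist in the language but, in the C runtime, is the slot holding the sandbox flag. The opcodes, the `FLAG_SLOT` layout and the sample bytecode are all constructed for illustration.

```c
/* toy_vm.c: minimal stack VM (added illustrative example, not Flash/ActionScript).
 * Shows that the safety of a "high-level" script is really the safety of the
 * C runtime that interprets it. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { OP_PUSH = 1, OP_STORE, OP_LOAD, OP_ADD, OP_PRIV, OP_HALT };
enum { VM_OK = 0, VM_ERR_VERIFY = -1, VM_ERR_RUNTIME = -2 };

#define NUM_LOCALS 4          /* locals the script is allowed to touch      */
#define FLAG_SLOT  NUM_LOCALS /* runtime-private slot right after them (assumption) */
#define STACK_MAX  8

typedef struct {
    int32_t mem[NUM_LOCALS + 1];   /* [0..3] script locals, [4] sandbox flag */
    int32_t stack[STACK_MAX];
    int sp;
    int priv_calls;                /* privileged ops that actually ran */
} vm_t;

/* Verifier: the only place the language-level rules are enforced. */
static int verify(const uint8_t *code, size_t len) {
    int depth = 0;
    size_t pc = 0;
    while (pc < len) {
        switch (code[pc]) {
        case OP_PUSH:
            if (pc + 1 >= len || depth + 1 > STACK_MAX) return VM_ERR_VERIFY;
            depth++; pc += 2; break;
        case OP_LOAD:
            if (pc + 1 >= len || code[pc + 1] >= NUM_LOCALS || depth + 1 > STACK_MAX)
                return VM_ERR_VERIFY;
            depth++; pc += 2; break;
        case OP_STORE:
            if (pc + 1 >= len || code[pc + 1] >= NUM_LOCALS || depth < 1)
                return VM_ERR_VERIFY;
            depth--; pc += 2; break;
        case OP_ADD:
            if (depth < 2) return VM_ERR_VERIFY;
            depth--; pc += 1; break;
        case OP_PRIV:
            pc += 1; break;
        case OP_HALT:
            return VM_OK;
        default:
            return VM_ERR_VERIFY;
        }
    }
    return VM_ERR_VERIFY; /* ran off the end without HALT */
}

/* Interpreter: trusts the verifier for local indexes, exactly like a real
 * fast path would. Stack bounds are still checked so the demo stays defined. */
static int vm_run(vm_t *vm, const uint8_t *code, size_t len, int verify_first) {
    if (verify_first && verify(code, len) != VM_OK) return VM_ERR_VERIFY;
    size_t pc = 0;
    while (pc < len) {
        uint8_t op = code[pc++];
        switch (op) {
        case OP_PUSH:
            if (pc >= len || vm->sp >= STACK_MAX) return VM_ERR_RUNTIME;
            vm->stack[vm->sp++] = (int8_t)code[pc++];
            break;
        case OP_LOAD: {
            if (pc >= len || vm->sp >= STACK_MAX) return VM_ERR_RUNTIME;
            uint8_t idx = code[pc++];
            /* Trusted index: idx == FLAG_SLOT reads runtime-private state;
             * anything larger reads past mem[] entirely (a real memory bug). */
            vm->stack[vm->sp++] = vm->mem[idx];
            break;
        }
        case OP_STORE: {
            if (pc >= len || vm->sp < 1) return VM_ERR_RUNTIME;
            uint8_t idx = code[pc++];
            vm->mem[idx] = vm->stack[--vm->sp];   /* same trusted index */
            break;
        }
        case OP_ADD:
            if (vm->sp < 2) return VM_ERR_RUNTIME;
            vm->sp--;
            vm->stack[vm->sp - 1] += vm->stack[vm->sp];
            break;
        case OP_PRIV:
            if (vm->mem[FLAG_SLOT] == 0) return VM_ERR_RUNTIME; /* sandboxed: denied */
            vm->priv_calls++;
            break;
        case OP_HALT:
            return VM_OK;
        default:
            return VM_ERR_RUNTIME;
        }
    }
    return VM_ERR_RUNTIME;
}

/* Constructed sample bytecode (not taken from any real product). */
static const uint8_t BENIGN[] = { OP_PUSH, 2, OP_PUSH, 3, OP_ADD, OP_STORE, 0, OP_HALT };
/* "Local 4" does not exist at the language level; in C it is the sandbox flag. */
static const uint8_t ESCAPE[] = { OP_PUSH, 1, OP_STORE, FLAG_SLOT, OP_PRIV, OP_HALT };

int run_benign_sum(void) {               /* well-formed script: returns 2 + 3 */
    vm_t vm; memset(&vm, 0, sizeof vm);
    if (vm_run(&vm, BENIGN, sizeof BENIGN, 1) != VM_OK) return -1;
    return vm.mem[0];
}
int escape_without_verifier(void) {      /* verifier skipped: privileged op runs */
    vm_t vm; memset(&vm, 0, sizeof vm);
    return vm_run(&vm, ESCAPE, sizeof ESCAPE, 0) == VM_OK ? vm.priv_calls : -1;
}
int escape_with_verifier(void) {         /* verifier present: bytecode rejected */
    vm_t vm; memset(&vm, 0, sizeof vm);
    return vm_run(&vm, ESCAPE, sizeof ESCAPE, 1);
}
int priv_denied_when_sandboxed(void) {   /* honest script cannot reach PRIV */
    static const uint8_t CODE[] = { OP_PRIV, OP_HALT };
    vm_t vm; memset(&vm, 0, sizeof vm);
    return vm_run(&vm, CODE, sizeof CODE, 1);
}

int main(void) {
    printf("benign sum            = %d\n", run_benign_sum());
    printf("unverified priv calls = %d\n", escape_without_verifier());
    printf("verified result       = %d\n", escape_with_verifier());
    return 0;
}
```

The takeaway is that the sandbox here lives entirely in `verify()`; the interpreter's `vm->mem[idx]` is just C array indexing with no idea what a "local" is. A bug that lets bytecode past the verifier, or a bug in the verifier's own logic, is a native memory-safety bug in the runtime, whatever language the script was written in, and that is the class of problem the post expects to see more of.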

Comments

Comment from Art Manion
Time: April 17, 2008, 2:30 pm

Browser and plugin/ActiveX vulnerabilities like this are widely targeted. I'd venture that a large percentage of compromised end-user hosts were victim to direct social engineering ("Please download and run this program") and/or browser-related vulnerabilities ("Please visit this web site" or "Enjoy this compromised ad while you visit another site").

My point is that along with considering vulnerabilities in services and protocol stacks, most “business” networks are going to include hosts that are compromised via browser-related vulnerabilities. So attacks from the business network may well be a greater threat than attacks from the control system network. Design firewall rules and network defenses accordingly.

Comment from Dale Peterson
Time: April 17, 2008, 3:24 pm

Art - I think you are exactly right on this, and my concern is asset owners may have a false sense of security. They put a firewall in place between the control center and enterprise and even implement an appropriate rulebase. Many have an "I have a firewall so I'm safe" attitude.

But an increasing number have historians or application servers on the control system DMZ with a browser/web server interface. So compromised systems on the business network can attack the DMZ system through the properly configured firewall.

Why haven’t we seen this? Probably a combination of no one confessing they have been hit and the fact that most of the compromised systems on the business network have no interest in the control system. It would likely take a motivated, directed attacker to go after the control system.

Comment from Ralph Langner
Time: April 17, 2008, 4:39 pm

Daniel, I assume that most blog readers didn’t have a chance to watch Eyal’s S4 presentation. So when referencing this, it would probably be a good idea to include a link to an abstract of his presentation.

Art, good to bring up the ActiveX topic. Many people in control rooms have no idea about the vulnerabilities introduced by this technology. If I had some funding for this, I would have my programmers implement some proof-of-concept ActiveX controls that would scare the **** out of those happy Web users. How about a window popping up that tells you that all your PLCs (identified by IP addresses) are going to be crashed in a couple of minutes just because you were dumb enough to surf a specific Web site? Ok, you can pull out the old Ethernet cable instantly, but probably it was just a joke, just like those five minutes in the movie GoldenEye.

Comment from Daniel Peck
Time: April 18, 2008, 11:28 am

Ralph: Good idea. I’ve included a link to Eyal’s paper in the post. Thanks.
