Thursday, June 6, 2013

Invensys ICS/SCADA fixes

Invensys published updates to fix CVE-2013-0688/CVE-2013-0684/CVE-2013-0686/CVE-2013-0685, discovered by the SCADA StrangeLove team during an assessment of ICS/SCADA based on ArchestrA System Platform. There are several trivial and some interesting bugs in Invensys Wonderware Information Server (WIS).
Patches (limited access): https://wdn.wonderware.com/sites/WDN/Pages/Downloads/Software.aspx
ICS-CERT advisory ICSA-13-113-01: https://ics-cert.us-cert.gov/advisories/ICSA-13-113-01


  • SQLi ~10 instances
  • XSS ~30 instances
  • XXE/XXE OOB/“ADSI Injection” and other interesting stuff…


    Credits: 
    Gleb Gritsai
    Nikita Mikhalevsky
    Timur Yunusov
    Denis Baranov
    Ilya Karpov
    Vyacheslav Egoshin
    Dmitry Serebryannikov
    Alexey Osipov
    Ivan Poliyanchuk
    Evgeny Ermakov
     

      Enjoy...

    Thanks to Invensys security team for collaboration and rapid fixes.

    Monday, May 27, 2013

    SCADA StrangeLove @Positive Hack Days

    At PHDays we have released two talks:
    “How to build your own Stuxnet” by the SCADA StrangeLove team
    “Industrial protocols for pentesters” by Alexander Timorin and Dmitry Efanov. You can find slides for the second one below.
    To play with PROFINET DCP Alexander released two tools:

    Saturday, May 18, 2013

    ICS Security @phdays: not bad for a one year plan


    Hi there. At PHDays III SCADA StrangeLove will celebrate our anniversary! Yep, a year ago we started our mission.

    70+ 0-days, 5+ talks, 10+ releases... Not bad for a one year plan.

    We are preparing a lot of awesome stuff!

    Wednesday, March 20, 2013

    WinCC vulnerabilities: fresh meat


    New vulnerabilities/fixes in Siemens WinCC 7.0 SP3 Update 1

    CVE-2013-0678/ MISSING ENCRYPTION OF SENSITIVE DATA
    CVE-2013-0676 IMPROPER AUTHORIZATION
    CVE-2013-0679 RELATIVE PATH TRAVERSAL
    CVE-2013-0674, CVE-2013-0675 BUFFER OVERFLOW

    + a lot of good stuff for WinCC Flexible in TIA Portal V11.

    More details @infiltratecon and @phdays.

    Thanks to Gleb Gritsai, Sergey Bobrov, Roman Ilin, Artem Chaykin, Timur Yunusov, Ilya Karpov, Alexey Osipov, Sergey Gordeychik, Dmitry Nagibin and Siemens CERT/Product team. 

    SSA-212483
    http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-212483.pdf

    SSA-714398
    http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-714398.pdf

    ICSA-13-079-02
    http://ics-cert.us-cert.gov/pdf/ICSA-13-079-02.pdf

    Enjoy!

    PS. Exploits for WinCC? No way! This is Out Of Band.

    Friday, February 15, 2013

    Not by SCADA alone: ATM Hacking Video

    By Dmitry Evteev, Olga Kochetova, Timur Yunusov, Alexey Osipov, Yuri Goltsev, Alexander Zaitsev.


    Angry Birds on a hacked ATM

     

     

     

    Unrestricted right-click on ATM