Security Issue DLL Hijacking Vulnerability Note

HD Moore of Metasploit published a blog post about exploiting DLL hijacking flaws on Sunday, August 22, 2010, and since then almost everyone who uses Windows has been at risk: you can easily spot a familiar application in the long list of applications prone to this vulnerability. IntegraXor is also affected by the DLL hijacking vulnerability.

The DLL hijacking vulnerability in IntegraXor was found at the end of last year, which makes it the vulnerability we have held the longest before patching. The main reason is that we had to give our existing customers’ requests priority, and this vulnerability is an attack that gives us some leeway on the timeline. As such we gave it a lower priority to mitigate compared to other security vulnerabilities found later.

Summary of Event
  • 22-Dec-2010: An anonymous security researcher who went by “Mister Teatime” published an “Uncoordinated Disclosure” of a DLL hijacking vulnerability at The Open Source Vulnerability Database.
  • 28-Dec-2010: ICS-CERT published a security alert.
  • 12-Jan-2011: ICS-CERT contacted the IntegraXor Support Team for confirmation.
  • 17-May-2011: Build 4081 with the patch was sent to ICS-CERT for verification.
  • 25-May-2011: ICS-CERT confirmed that DLL hijacking has been patched.
  • 30-May-2011: The IntegraXor support team issued this VN and declared that all versions from build 4081 onward are patched against DLL hijacking attack.


Note: The screenshot/drawing is published under Creative Commons Attribution 3.0 US License.

When you encounter a problem during development, there are a few things you can do to describe your problem before contacting technical support. One is producing screenshots; the second is reproducing the problem in a new project and sending the test case over.

There are advantages to attempting to reproduce the problem in a new project or test case:

  • You may find that the new project works but your existing project does not, so either you or others can check out the differences.
  • You might end up finding the solution yourself while trying to reproduce the problem.
  • You can remember the steps better, figure out exactly what is causing the problem, and describe only the necessary steps to technical support.
  • The newly created project is normally smaller and hence easier to send as an email attachment.
  • You don’t have to send out the existing project, which might contain private and confidential information, and hence you protect your trade secrets.

The project or test case needs to be compressed before forwarding, but a plain zip archive is not quite workable if the project contains any *.exe or *.js files, as many types of mail server block it. We recommend using the 7zip format instead: 7zip compression produces much smaller archives, as much as 3x smaller than an ordinary *.zip for certain source file types. You are advised to forward a project using any cloud-based storage; otherwise the attachment may be blocked by the mail server.

One of the good things about 7zip is that it doesn’t need the file extension to identify the compression format before extracting. So the mail recipient (support team) doesn’t even need to put back the correct extension before extracting the email attachment. Oh yes, the 7zip program is one of the must-have utilities; it also works with many other common compression formats like zip, rar, gzip, tar, etc.

7-zip context menu extract to sub folder

Screenshot showing an unknown file type (with an additional underscore) being extracted by 7zip.

Also try to describe the steps to reproduce the problem. Some tasks can be achieved by many approaches, and some problems only occur with specific steps, so describing the steps that reproduce the problem clearly is important.

Last but not least, please specify the expected outcome. Avoid ambiguous terms like “the outcome is unpredictable” or “the result is screwy”; spell out what you predicted and describe what the expected behavior is.

SVG graphic files produced by Inkscape can be further optimized by removing editing data and whitespace that are ignored by, or have little impact on, the target medium, which most of the time is a browser. You can now do that easily by choosing the “Optimized SVG” file type in “Save As” (Ctrl+Shift+S).

Another pop-up will prompt you to choose what is to be optimized, or even compromised. The options should be chosen and tested according to what has been used, but one option that you should *not* choose is “Enable viewboxing”, which will disturb image sizing/positioning in browsers. Our brief tests also show that the precision should not go below 3. The last option, Indent, should always be set to ‘None’, since nobody will care to hand-code an SVG file after Inkscape has done such a lovely job for us.

The optimized SVG file should be saved as a separate file and should not replace the original. Optimization should only be done before deployment, because the optimized file should not be edited: saving it directly (Ctrl+S) will put back all the configuration data that was considered redundant for the target agent, in most contexts the browser. Also, if you didn’t know, you should remove old and unused effects/filters by clicking “Vacuum Defs” before deployment.

Do post a reply if you have more tips in optimizing SVG files.

It seems that all modern browsers ignore non-proportional scaling of a raster image in an SVG file. If you use Inkscape to resize an embedded/linked raster image in an SVG file, you will find that all browsers render the raster image in the same aspect ratio as the original image. Apparently only Inkscape and ASV interpret non-proportional raster image scaling.

A comparison was done between Inkscape and browsers to illustrate the problem: the IntegraXor logo was used as the raster image, and the blue frame, which is an SVG element, serves as the border line. The top left image is the original logo; the top right image has been resized in width, which was not interpreted correctly in browsers; and the middle left image has been resized in height, which was also not interpreted correctly in browsers. Only the middle right image, resized with the original aspect ratio, is rendered correctly in browsers.

Last but not least, the bottom image is also rendered correctly in browsers, where a trick has been applied: the raster image and the SVG element were grouped before the aspect ratio was distorted. In other words, to circumvent this problem, group the raster image with another SVG element and then scale them together. Otherwise the best thing to do is to avoid scaling, or at least scale in proportion by holding down the Ctrl key, to ensure a WYSIWYG display in browsers.

Scaled raster image in SVG is not correctly interpreted by browsers

The browser shown in the screenshot is Firefox 4.0. However, all other browsers are also affected, including IE 9.0.8112.16421 RTM (KB982861), Google Chrome 10.0.648.151, Safari 5.0.3 (7533.19.4) and Opera 11.10 Build 2092. The image shows that the aspect ratio will always be preserved by browsers.

It has been quite a while since the last official release; lots of work has been done on alarm output.

  1. + Added option to set email encoding in “UTF-8” or “US-ASCII”.
  2. + Added an email subject (title) which is customizable based on a tokenized string, as in the screenshot.
  3. + Allow two types of alarm message, one for Active Alarm and another for Inactive Alarm. To configure this, add %|% as the separator in the Message column.
  4. + The alarm message also supports the tokens %value%, %old_value% (or %compare_value%), %compare1_value% and %compare2_value%. %value% is the current value of the tag for the alarm. %old_value% (or %compare_value%) is limit 1 in the alarm setting. %compare1_value% and %compare2_value% are limit 1 and limit 2 in the alarm setting. Some tokens actually share the same value in some cases.

    For numeric values, the user can specify how many decimal places to display by adding .N inside the token, e.g. %value.N%, %old_value.N%, etc.

  5. ^ Fixed alarm export/import bug that missed out Deadband column.
  6. ^ Faster copy paste and duplicate rows in editor for large scale project.
  7. ^ Miscellaneous security and bug fixes.
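The token substitution and the %|% active/inactive separator described in items 3 and 4 above, as an added worked example. This is not IntegraXor’s own code; the function names, the rule that an unset limit 2 leaves its token untouched, and the sample alarm values are assumptions made for the illustration.

```python
# Added example (not IntegraXor's code): renders an alarm Message string using
# the %value%, %old_value%/%compare_value%, %compare1_value%, %compare2_value%
# tokens, the optional .N decimal-place suffix, and the %|% separator.
import re

# One regex for every token the change log lists, with an optional ".N" suffix.
_TOKEN = re.compile(
    r"%(value|old_value|compare_value|compare1_value|compare2_value)(?:\.(\d+))?%"
)
SEPARATOR = "%|%"


def split_messages(message: str) -> tuple[str, str]:
    """Return (active_text, inactive_text).

    Without a separator the same text serves both states."""
    if SEPARATOR in message:
        active, inactive = message.split(SEPARATOR, 1)
        return active, inactive
    return message, message


def render(template: str, value, limit1, limit2=None) -> str:
    """Substitute tokens. limit1 feeds %old_value%, %compare_value% and
    %compare1_value% (the change log says they share a value); limit2 feeds
    %compare2_value%. A token whose source is None is left as-is (assumption)."""
    sources = {
        "value": value,
        "old_value": limit1,
        "compare_value": limit1,
        "compare1_value": limit1,
        "compare2_value": limit2,
    }

    def substitute(match: re.Match) -> str:
        name, decimals = match.group(1), match.group(2)
        source = sources[name]
        if source is None:
            return match.group(0)
        if decimals is not None and isinstance(source, (int, float)):
            return f"{source:.{int(decimals)}f}"   # honour %token.N%
        return str(source)

    return _TOKEN.sub(substitute, template)


def alarm_text(message: str, is_active: bool, value, limit1, limit2=None) -> str:
    """Pick the active or inactive half of the Message column and render it."""
    active, inactive = split_messages(message)
    return render(active if is_active else inactive, value, limit1, limit2)


if __name__ == "__main__":
    # Constructed sample: a high-level alarm with limit 1 = 80.
    msg = "Tank level %value.1% above limit %compare1_value%%|%Tank level back to %value.1%"
    print(alarm_text(msg, True, 87.456, 80))    # Tank level 87.5 above limit 80
    print(alarm_text(msg, False, 79.0, 80))     # Tank level back to 79.0
```

Splitting on %|% before substituting tokens matters: the separator itself begins and ends with a percent sign, so a tokenizer that ran first could mis-read the boundary between the two messages.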

Users often need to add engineering units into a report. Most users tend to use the old-day method of writing units when the working environment is constrained to traditional SCADA; for instance degree Celsius is written as “degC” and cubic metre as “m3”. This is no longer needed in a modern reporting system.

Putting a proper unit or symbol into HTML is natively supported and can be easily accomplished. What does the job is the HTML Character Entity Reference, which has the format &name;. It always starts with an ampersand (&) and ends with a semicolon (;). For instance, to type the degree symbol (°) just enter “&deg;”, and to show superscript 3 (³) enter “&sup3;”. More commonly used engineering units and symbols can be found in the comprehensive list of entities on Wikipedia.

SCADA report layout

A report layout showing actual unit symbols.
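The entity approach above, as an added example that is not part of the original post: it converts the legacy spellings the post mentions (“degC”, “m3”) into entity references and builds a report cell. The function names are assumptions; the important ordering, escaping the measured text before inserting any entity, is what keeps a tag description or value that contains `<` or `&` from being rendered as markup.

```python
# Added example (not from the page): legacy unit spellings to HTML entity
# references, with the cell text escaped first so data never becomes markup.
import html
import re

# Entities the post discusses, for reference when reading rendered output.
ENTITIES = {"°": "&deg;", "²": "&sup2;", "³": "&sup3;"}


def legacy_unit_to_html(unit: str) -> str:
    """'degC' -> '&deg;C', 'm3' -> 'm&sup3;', 'kg/m3' -> 'kg/m&sup3;'.

    The input is escaped first, so a unit string that already contains '&'
    or '<' is shown literally rather than interpreted (assumed policy)."""
    unit = html.escape(unit)
    # Leading 'deg' followed by a letter (degC, degF) becomes the degree sign.
    unit = re.sub(r"^deg(?=[A-Za-z])", "&deg;", unit)
    # A trailing 2 or 3 directly after a letter (m2, m3, m3/h) is a superscript.
    unit = re.sub(r"(?<=[A-Za-z])([23])\b", lambda m: f"&sup{m.group(1)};", unit)
    return unit


def render_cell(value, unit: str) -> str:
    """One report cell: escaped value, a space, then the unit with entities."""
    return f"{html.escape(str(value))} {legacy_unit_to_html(unit)}"


def rendered_text(cell: str) -> str:
    """What a browser displays for the cell (entities decoded)."""
    return html.unescape(cell)


if __name__ == "__main__":
    for value, unit in [(25.4, "degC"), (12, "m3"), (3.2, "m3/h"), ("<bad>", "m2")]:
        cell = render_cell(value, unit)
        print(f"{cell!r:32} -> {rendered_text(cell)}")
```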

This version is the official release of the previous beta, except that HTML visual editing, which is still at a preliminary stage, has been taken out. This version is released mainly for the previously announced SQL unauthenticated vulnerability fix. As an additional note, this vulnerability allows an attacker to access historical data in the database, but no I/O devices can be directly compromised/controlled via this vulnerability. Nevertheless, we urge all users to upgrade to this latest version for better security and stability.

  1. * Server task log shows some of the activity log in debug mode only.
  2. ^ Fixed case sensitive search.
  3. ^ Various minor bug fixes for P.E. data entry.
  4. ^ Improved Report Server stability.
  5. ^ Server stability improvement.
  6. ^ Fixed SQL unauthenticated vulnerability.
  7. + Web server added with client login/logout history. (beta)
  8. + For easier reference, server task log can now be selected and copied into clipboard by pressing Ctrl+C. (beta)

Earlier we announced that the SQL vulnerability issue had been resolved by adding Read/Write security control to the database configuration; however, security researcher Dan Rosenberg from VSR claimed that the vulnerability was not fully patched. We were forced to put this issue aside as we had already put too many other feature requests on hold, and when we returned to merge the production line with the security fix, we were dragged down by some crash issues with this fix and, worse still, ran into an unnecessary problem due to a breaking change in ADO update KB983246 (included in Windows 7 Service Pack 1).

And after the vulnerability was fixed, we ourselves were confused by the default configuration, which has no Write security control. Finally, after more tests and clarification from the developers and analysts, last week ICS-CERT confirmed via email that the reported SQL Unauthenticated Vulnerability has been resolved, right before we almost had to set up a conference call with the ICS-CERT analysts.

ICS-CERT mail thread

So by the time ICS-CERT confirmed that the issue had been *completely* resolved, the correspondence on this single vulnerability had accumulated to 53 messages spanning three months. So far this is the vulnerability issue we have found most tedious to solve, and again we thank ICS-CERT for helping us verify this fix.

Due to the confusion that arose, we have decided to accept the ICS-CERT recommendation to make the Write security level default to a value of 100, while the Read level remains 0, which is open for world reading. This means a guest user is no longer allowed to acknowledge alarms nor delete any report by default, starting from this Release Candidate version 3.60.4042 and any later version.

We have been holding this latest official release for too long, as we were working hard on some stability and security issues. So this release has no surprises in terms of new features but is purely about security and stability improvements.

However, if you are looking for new features, check out the beta release, which has more bug fixes and added features but has not gone through regression testing, so it must not be used for production. Below is the change log for this beta:

  1. + Web server added with client login/logout history.
  2. + Added visual editing tool for HTML file.
  3. + For easier reference, server task log can now be selected and copied into clipboard by pressing Ctrl+C.
  4. * Server task log shows some of the activity log in debug mode only.
  5. * Fixed case sensitive search.
  6. * Various minor bug fixes for P.E. data entry.
  7. * Improved Report Server stability.
  8. ^ Server stability improvement.

SCADA web login history

Web login history is only available in the beta release for now.

Note: The common download links for the Official Release and Beta Release always point to the latest version, so you may get the version mentioned here or a newer one if you download it later.

To ensure a SCADA mimic can be shown correctly on iPhone or iPad, you must first ensure the SVG graphic is shown perfectly in Apple Safari, which is the browser used on iPhone/iPad. The screenshot below shows that some SVG gradient effects are not rendered correctly in Safari compared to Firefox, Chrome and IE + ASV. The issues that cause the defective SVG gradient display in Safari are described below.

Safari SVG gradient effect support problem

Safari cannot render the gradient effect correctly.

Gradient that Repeated with Reflected Effect

Firstly, Safari doesn’t support ‘Repeat’ with the ‘Reflected’ option. If this option is chosen, no reflection will be seen; only a blank area will be shown. The workaround is to duplicate the target graphic object and flip it either vertically or horizontally.

Inkscape Fill and Stroke, Gradient:Repeat+Reflected

Gradient Over Horizontal/Vertical Bezier Line’s Stroke

And then there is a funny problem in Safari: the gradient effect on a stroke only works if the Bezier line is neither horizontal nor vertical.

Gradient over 2 Points Bezier horizontal line will not work

A gradient over a 2-point horizontal Bezier line will not work in Safari; it shows a solid line instead.

To get rid of this problem, simply use a filled rectangle instead. However, if for any reason you must use a gradient over a horizontal/vertical stroke, you may add one redundant node at the end, making it an L-shaped line; the redundant node must be placed within the width of the stroke so it does not affect the intended look.

Workaround for Gradient over 3 Points L-shape bezier line

Workaround for a gradient on a horizontal Bezier line using a 3-point L-shaped stroke.

Those from the generations who went through the DOS and Windows 3.11 era will not have forgotten the good old days when they could easily copy a program around without caring about an installation file, though they struggled to squeeze files onto fragile floppy disks instead. Now we have memory sticks or USB/thumb drives that can carry gigabytes of data, but most programs nowadays require installation and have lots of dependencies on Windows system files or other files in different directories, which makes them no longer portable.

Thanks to PortableApps.com we can now enjoy similar portability again, and on large-capacity storage. It’s extremely useful for System Integrators, as they need to work across different systems. The beauty of PortableApps is that you can add any well-written application into the portable app directory. Alternatively, there’s another, simpler version, Portable Start Menu. Below are 10 applications, in alphabetical order, that are very useful when working at site.

  1. 7zip
    Is there any need for other file compression software? 7zip produces faster and smaller file compression, especially in the 7zip format.
  2. Free Download Manager
    The Internet connection at site might be weak, so you may need a sophisticated download tool to fight for every byte of bandwidth. Free Download Manager is not packaged in PortableApps, but you can easily create a portable version by clicking on the File menu and selecting Create Portable Version.
  3. Free File Sync
    Free File Sync is a very fast and efficient tool to synchronize two directories for backup or merging purposes. Although Free File Sync is not packaged in PortableApps, you could simply copy the whole directory from Program Files onto your portable disk and then uninstall it from your system.
  4. Mozilla Thunderbird
    S.I. should be conservative and defensive, and that is why Thunderbird is the choice. Generally, a desktop mail client provides a means to view the mail archive during an offline session, which is a likely condition at site. It is also an efficient way to send/receive mail over a poor Internet connection.
  5. Mozilla Firefox
    When there’s any need/chance of using an Internet browser to search for information in limited time at site, you will want to use a browser with the settings you are used to. And you don’t want to leave any personal information behind.
    Other than Firefox, there are two other popular portable browsers that came later, namely Google Chrome and Opera.
  6. Notepad Plus Plus
    We are not aware of any better text editor, especially for engineering purposes.
  7. Libre Office
    For any case where you need to open a spreadsheet for calculation, or if your company service report is written in ODT format. Note that Libre Office is the successor of Open Office; you can simply think of it as the upgraded version of Open Office.
  8. Team Viewer
    This requires no further explanation.
  9. WinDirStat
    Over time, a database system at site may very often run into hard disk space constraints due to large temporary files copied/installed onto it during the project execution stage. It can be tricky to find out whether they were installed or stored by another system integrator. WinDirStat comes to the rescue by finding out which directories contain files that occupy precious space unnecessarily.
  10. WinMerge
    WinMerge is not just for programmers; many engineering programs’ configuration may require text files to be edited, and WinMerge is an extremely useful tool to help identify the differences between files or even directories.

If you have ever checked an application version from “Support Information” in the Add or Remove Programs applet (or the Version column in the Programs and Features applet in Vista or above), you may have noticed that some applications (including IntegraXor) display a version number here that does not match the one in their respective binaries. This is because Windows fetches the version from the application installer. If the application installer reports a different version from the one compiled into the binaries, or worse, if the installer does not report a version at all, then you see a mismatch.

IntegraXor binaries and installer are developed using Visual Studio; the binaries’ version string is in MM.NN.BB.RR (major.minor.build.revision) format, while the Installer project only allows a version string in MM.NN.BB (major.minor.build) format. This caused the version mismatch between the IntegraXor “About Box” and the “Add or Remove Programs” applet.

A versioning scheme is not as simple as incrementing numbers; there are quite a few aspects to consider to ensure it is systematic and consistent. To ensure the About Box version matches the Support Information pop-up, we will now start with a version string in MM.NN.BBBR.0 (major.minor.build+revision.0) format, where BBB is used for the stable release and R is used for beta numbering. A stable release will always have a trailing zero for R, and a beta release will have an incrementing number from the last stable release.

For example:
3.60.4011.0 -> beta
3.60.4012.0 -> beta
3.60.4013.0 -> beta
3.60.4020.0 -> stable
3.60.4021.0 -> beta
3.60.4022.0 -> beta
3.60.4030.0 -> stable
… …
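The MM.NN.BBBR.0 scheme and the installer/binary mismatch above, as an added example that is not IntegraXor’s own code. It parses the four-part binary version, tells stable from beta by the R digit, finds the stable release a beta follows, and checks that the three-part string an installer project can carry agrees with the binary. The function and class names are assumptions.

```python
# Added example (not IntegraXor's code): parse MM.NN.BBBR.0 versions and
# compare them with the MM.NN.BBBR string an installer project reports.
import re
from typing import NamedTuple


class Version(NamedTuple):
    major: int
    minor: int
    build: int      # BBB: the stable build number
    beta: int       # R: 0 = stable, 1..9 = n-th beta after that stable
    revision: int   # always 0 under this scheme

    @property
    def is_stable(self) -> bool:
        return self.beta == 0

    @property
    def stable_base(self) -> "Version":
        """The stable release this beta follows (a stable maps to itself)."""
        return self._replace(beta=0)

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.build}{self.beta}.{self.revision}"


# Greedy (\d+) takes BBB, the single (\d) that follows is R.
_FOUR_PART = re.compile(r"^(\d+)\.(\d+)\.(\d+)(\d)\.(\d+)$")


def parse_version(text: str) -> Version:
    match = _FOUR_PART.match(text.strip())
    if not match:
        raise ValueError(f"not a MM.NN.BBBR.0 version: {text!r}")
    major, minor, build, beta, revision = (int(g) for g in match.groups())
    if revision != 0:
        # e.g. the older 3.6.4000.5 style is rejected, not silently accepted
        raise ValueError(f"revision must be 0 under the MM.NN.BBBR.0 scheme: {text!r}")
    return Version(major, minor, build, beta, revision)


def classify(text: str) -> str:
    return "stable" if parse_version(text).is_stable else "beta"


def installer_string(version: Version) -> str:
    """The three-part MM.NN.BBBR an installer project can carry."""
    return f"{version.major}.{version.minor}.{version.build}{version.beta}"


def installer_matches_binary(installer: str, binary: str) -> bool:
    """True when Add or Remove Programs and the About Box would agree."""
    return installer_string(parse_version(binary)) == installer.strip()


if __name__ == "__main__":
    for text in ["3.60.4011.0", "3.60.4013.0", "3.60.4020.0", "3.60.4021.0"]:
        v = parse_version(text)
        print(f"{text} -> {classify(text):6} (follows {v.stable_base})")
```

Because `Version` is a tuple ordered as (major, minor, build, beta, revision), the betas after one stable sort after it and before the next stable, which is exactly the order the list above shows.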

  1. + Added SQL Database Authentication with Read/Write level control.
  2. ^ Tag Watch List can be saved across session.
  3. ^ Server stability improvement.
  4. * Debugging message in status output window will be hidden when debug mode is turned off.

Project Editor Database Configuration

Every database can have its own read and write level setting, which is associated with the User level/privilege setting. Note that the default level for both read and write is nil, which has no security; this is to ensure compatibility with previously developed projects. Users must manually enter a higher security level as per project requirements.

SQL Authentication Vulnerability

IntegraXor 3.6.4000.5 now has Read and Write level columns added to the database table, which allow the user to configure the security level for each individual database entry. Now only a user with a security level higher than or equal to the read level can browse trend and alarm data, and only a user with a security level higher than or equal to the write level can acknowledge alarms. Credit for finding this vulnerability goes to the security researcher from Virtual Security Research who reported it to ICS-CERT on 22nd December 2010.


Along with this SQL authentication feature, we have also fitted in the improvement done for the Watch List: the Watch Window can now save a user-defined list across sessions. There is also a server stability improvement. Lastly, debugging messages in the status output will be hidden when debug mode is turned off.
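The per-database Read/Write level check described in this post, together with the default change announced for Release Candidate 3.60.4042 (Write level 100, Read level 0), as one added example. It is not IntegraXor’s own code: the data model, the function names, the mapping of requests to read or write checks, and the assumption that a guest session runs at level 0 are all mine, made to show why the original nil/0 default left alarm acknowledgement and report deletion open to guests.

```python
# Added example (not IntegraXor's code): a user may browse when their level
# is >= the entry's read level and acknowledge/delete when it is >= the write
# level. Shows the original default (0/0) beside the hardened default (0/100).
from dataclasses import dataclass


@dataclass(frozen=True)
class DatabaseEntry:
    """One row of the Project Editor database table."""
    name: str
    read_level: int = 0    # original default: nil/0, world-readable
    write_level: int = 0   # original default: nil/0, guests may write


def hardened_entry(name: str) -> DatabaseEntry:
    """Default adopted from RC 3.60.4042: read stays 0, write becomes 100."""
    return DatabaseEntry(name, read_level=0, write_level=100)


# Assumed mapping of web requests to the level they must clear.
READ_ACTIONS = {"browse_trend", "browse_alarm"}
WRITE_ACTIONS = {"acknowledge_alarm", "delete_report"}
GUEST_LEVEL = 0  # assumed: an unauthenticated session runs at level 0


def required_level(action: str, db: DatabaseEntry) -> int:
    if action in READ_ACTIONS:
        return db.read_level
    if action in WRITE_ACTIONS:
        return db.write_level
    raise ValueError(f"unknown action: {action}")


def is_authorized(action: str, user_level: int, db: DatabaseEntry) -> bool:
    return user_level >= required_level(action, db)


def authorize(action: str, user_level: int, db: DatabaseEntry) -> str:
    """Gatekeeper for a request: a log line on success, PermissionError otherwise."""
    needed = required_level(action, db)
    if user_level < needed:
        raise PermissionError(
            f"DENY {action} db={db.name} user_level={user_level} needed={needed}")
    return f"ALLOW {action} db={db.name} user_level={user_level} needed={needed}"


def guest_exposure(db: DatabaseEntry) -> dict:
    """What an unauthenticated session can do against one entry."""
    return {a: is_authorized(a, GUEST_LEVEL, db)
            for a in sorted(READ_ACTIONS | WRITE_ACTIONS)}


if __name__ == "__main__":
    legacy = DatabaseEntry("history")       # pre-3.60.4042 defaults
    hardened = hardened_entry("history")
    print("legacy  :", guest_exposure(legacy))
    print("hardened:", guest_exposure(hardened))
    print(authorize("acknowledge_alarm", 100, hardened))
```

Running `guest_exposure` over every entry of a project configuration is a quick way to audit which databases still carry the old open defaults after an upgrade.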

Summary of Event
  • 22-Dec-2010: ICS-CERT contacted the IntegraXor support team. The technical report for the vulnerability was received.
  • 27-Dec-2010: The IntegraXor development team acknowledged the vulnerability.
  • 11-Jan-2011: The security fix was issued as an official release for general download.
  • 11-Jan-2011: Public announcement was made by the IntegraXor support team.

Crossing into 2011 seems to be quite challenging for the IntegraXor team in handling security issues. However, we are very glad that several security researchers are helping us find security vulnerabilities and even helping us verify the patched release once the loophole is fixed. We wish to thank them, and also Kevin, Kathy & Bryan from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), who have been very helpful and responsible in verifying and coordinating.

In fact it was our original idea to invite white hat hackers to find any vulnerability in IntegraXor SCADA, as we don’t believe in security through obscurity. Now that so many excellent security researchers have come by, we truly welcome them, and we are very pleased that we could respond and patch the vulnerabilities within a very short time frame. Thanks to the development team, who carefully designed a well-structured architecture that can be easily improved and maintained.

SCADA Vulnerability Alerts

Having said that, we do not always respond fast to security issues that we judge not severe, especially vulnerability issues that require the physical presence of the attacker. Some security issues will also take us longer to fix when they involve a different GUI design, as we care a lot about user-friendliness. We are also concerned about compatibility impact, as we wish to ensure previously developed projects can be easily upgraded to the latest release so that attackers will not be interested in developing malware targeting older versions of IntegraXor.

We wish to thank everyone again in making IntegraXor Web SCADA to become more secure than ever.