Stuxnet-Like Trojans Can Exploit Critical Flaw in Chinese Industrial Software

A security researcher has uncovered a critical vulnerability in a popular SCADA software used in China, as well as in a few others, which raises the possibility of another Stuxnet attack.

A critical security flaw in supervisory-control-and-data-acquisition (SCADA) systems used in China raises the possibility of another Stuxnet-like attack, a security researcher said.

The latest stable version of KingView, the SCADA software developed by Beijing WellinControl Technology Development, contains a critical heap overflow vulnerability, wrote Dillon Beresford, a security researcher at NSS Labs, on his personal blog. KingView is used to visualize process data in industrial control systems and has been used throughout Chinese industry, including the aerospace and national defense industries.

"This is not any old software," Beresford warned, noting that the vulnerability affected one of the "most widely trusted and used" SCADA software systems in China.

SCADA systems are used to operate critical equipment at industrial facilities, factories, power plants, and oil and gas refineries.

While poking around the Chinese SCADA software, Beresford found a heap overflow vulnerability in a software module that listens for and processes incoming log events from the human machine interface module. The vulnerability allows remote attackers to take full control of the Windows system running the flawed software, Beresford said.

While heap overflows typically require more technical expertise to discover and exploit than stack overflows, this particular flaw could be discovered by someone with only an "intermediate" amount of skill, he said.

That is very worrying as Stuxnet, the Trojan that compromised various SCADA systems around the world last year and crippled Iran's nuclear program, had been created by "a lot of people with very specialized skills and knowledge," said Randy Abrams, director of technical education at ESET.

Exploiting this vulnerability would not pose much difficulty for these kinds of developers.

Stuxnet was "definitely going after" SCADA systems, Abrams said, but it is not clear whether Iran was the ultimate target. It's also not clear whether the "authors accomplished their objective," Abrams said.

Many Chinese industrial installations were hit hard by Stuxnet. With more vulnerabilities being exposed in SCADA software from Chinese companies, the specter of a modified Stuxnet, or a brand-new Trojan with Stuxnet capabilities, becomes more real.

Beresford published exploit code that takes advantage of the vulnerability to execute arbitrary code, after he got no response from WellinTech or CN-CERT, China's National Computer Emergency Response Team, after he contacted them with his discovery in September.

"I'm not sure what's worse, a 0-day for the most popular SCADA software in China floating around in the wild," or the lack of response from CN-CERT, he wrote on his blog. He turned to the United States counterpart, US-CERT, for help, but the Chinese still didn't respond.

He'd hoped WellinTech would rollout a fix or a new version with the flaw patched quietly, but after months of no response, he decided to publicize the flaw to force the company's hand. The Python code triggers a heap overflow and uses infected shell code to open a cell on port 4444. The code was released as a module for the Metasploit penetration testing framework and in stand-alone form.

"Hopefully this will be an incentive to issue a patch to all of Wellintech's customers," he wrote.

Beresford told ThreatPost that he'd found several other vulnerabilities in other SCADA software packages from other Chinese vendors, and that he was in the midst of contacting the companies and CN-CERT to prepare patches for those holes, as well.