Tuesday, October 20, 2020

Recognizing Modbus functions

Below we present a few strategies that, based on the responses received to Modbus/TCP requests, make it possible to identify which protocol functions a PLC implements.

Modbus/TCP structure

Let's recall the structure of the Modbus frame:

As shown in the image above, the function is carried in the frame within a 1-byte field, the "function code" field.
Functions are identified by a number from 1 to 127. The remaining values (128 to 255) are used in error responses to identify the function that encountered a problem during the communication.
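To make the function-field reading concrete, here is an added example (not code from the original post) that decodes captured Modbus/TCP responses and separates normal replies from exception replies, where the function code has 128 added to it and is followed by a one-byte exception code. The sample frames, the `EXCEPTION_CODES` table and the helper names are constructed for this illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Standard Modbus exception codes (subset); an unsupported function is answered with 0x01.
EXCEPTION_CODES = {
    0x01: "ILLEGAL FUNCTION",
    0x02: "ILLEGAL DATA ADDRESS",
    0x03: "ILLEGAL DATA VALUE",
    0x04: "SLAVE DEVICE FAILURE",
}

@dataclass
class ModbusResponse:
    transaction_id: int
    unit_id: int
    function_code: int          # function as carried on the wire (>= 0x80 on errors)
    is_exception: bool
    exception_code: Optional[int]
    data: bytes

def parse_modbus_tcp(frame: bytes) -> ModbusResponse:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header, 1-byte function code, data."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid} (Modbus is 0)")
    if length != len(frame) - 6:   # MBAP length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    pdu_data = frame[8:]
    if fc >= 0x80:                 # error response: original code + 128, then exception code
        if len(pdu_data) != 1:
            raise ValueError("exception response must carry exactly one exception code byte")
        return ModbusResponse(tid, uid, fc, True, pdu_data[0], b"")
    return ModbusResponse(tid, uid, fc, False, None, pdu_data)

def describe(frame: bytes) -> str:
    """Summarise a response: which function it answers and whether the PLC rejected it."""
    r = parse_modbus_tcp(frame)
    if r.is_exception:
        reason = EXCEPTION_CODES.get(r.exception_code, f"UNKNOWN 0x{r.exception_code:02x}")
        return f"function {r.function_code & 0x7F} rejected: {reason}"
    return f"function {r.function_code} answered with {len(r.data)} data bytes"

# Constructed sample frames: a normal Read Holding Registers reply and an exception reply.
OK_FRAME = bytes.fromhex("0001 0000 0005 01 03 02 002a".replace(" ", ""))
EXC_FRAME = bytes.fromhex("0002 0000 0003 01 83 01".replace(" ", ""))
```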

Tuesday, August 4, 2020

[Siemens] OZW672: Undocumented user ("Back door"), with weak password (CVE-2017-6872)

Affected device (Tested): OZW672.06

OZW devices are used for the remote monitoring of building control equipment. For example, for monitoring heating or air conditioning systems.

Downloading the firmware
The device's firmware has been downloaded and decompiled.

Source: https://support.industry.siemens.com/cs/document/62567396/ozw672-factory-firmware-update-and-system-definition?dti=0&lc=en-WW

Key resources, such as "/etc/shadow", are then read.

Immediately, credentials are sent for cracking:

It was only possible to break the hash corresponding to the user "ACS".


The "Shodan" platform (https://shodan.io) is then used to provide a representative sample of the degree of exposure of the device under analysis.

The search criteria used (Dork) was: "ProFTPD 1.3.1 Server (Siemens Switzerland Ltd.)"

We then validate by cross-checking the credentials against the results obtained. As shown in the screenshot below, the credentials are valid.


This vulnerability was duly reported to Siemens. However, the problem was already known.
A CVE was assigned to it: CVE-2017-6872.


Device manual:

Tuesday, July 21, 2020

[KMC Controls] Backdoor in "BACnet Building Controller" (CVE-2020-7233)

The KMC BACnet Building Controller BAC-A1616BC has a "backdoor" on the embedded web service.

Web Server Functions

    • Built-in web configuration pages allow web browsers to configure I/Os and objects, monitor values and alarms (configuration/monitoring also available through TotalControl), and set-up users and passwords.
    • Upgradable firmware (without requiring physical access) through the web or Ethernet connection, allowing easy updates
    • Custom web graphical interface (created/published in TotalControl, ver. 1.7 or higher)

Monday, July 20, 2020

[Siemens] SIMATIC S7-200; DOS via modbus injection (CVE-2020-7584)

In our laboratory we were able to identify and reproduce a vulnerability which enables the construction and delivery of Modbus protocol frames to the PLC, generating an absolute denial of service in the equipment.

Thursday, July 16, 2020

[OMRON] "NS WEB Interface": Login Bypass (CVE-2018-6624)

Today we will be presenting a vulnerability classified as critical found in Omron NS 1.1 / 1.2 / 1.3 which allows remote attackers to bypass authentication via a direct request to the resource "/monitor.html".

The vulnerability has been assigned the following CVE: "CVE-2018-6624"

Friday, July 10, 2020

[Schneider] Multiple (and known) vulnerabilities

We will be reviewing some known vulnerabilities present in various Schneider Electric devices.

The affected devices that we've used in the following proofs of concept are:
    • BMX P34 CPU B
    • STB NIP 2311

Thursday, July 9, 2020

[Schneider] TM241CE24R & TM251MESE: Login Bypass

Today we are showcasing a few interesting facts regarding the PLCs TM241CE24R (M241) and TM251MESE (M251).

This model of PLC (like most) has an embedded web service running by default on port 80. Immediately after accessing the web application, we are able to see the validation form, which seems to work perfectly, except for a few interesting details...

Monday, July 6, 2020

[Schneider] PowerLogic PM5560: Cross Site Script via Cross Protocol Injections (CVE-2018-7795)

The PowerLogic PM5560 product has several embedded services for remote management, one of which is web. This service has some inputs vulnerable to JS code injection. In other words, the web application is vulnerable to XSS.

We will now focus on an "alternative" medium used to permit its exploitation...
Saturday, June 20, 2020

Exploit - Remote retrieval of clear-text credentials on Schneider-Electric Modicon TM221CE16R (CVE-2017-7575)

Security researchers Simon Heming, Maik Brüggemann, Hendrik Schwartke and Ralf Spenneberg have discovered a vulnerability that allows attackers with a connection to the affected device to obtain unencrypted passwords after sending a request.

Flaw in the protection mechanism:
The Application Protection function is used to prevent the transfer of the application from the logic controller to the SoMachine Basic software. A specially crafted command can be sent via Modbus TCP on port 502 to the logic controller, which then returns the password unencrypted. After obtaining the password, an attacker can access the "SoMachine Basic" application to download, modify and subsequently re-upload any application. The identifier CVE-2017-7575 has been published for this vulnerability.

Denial of the download service from PLC to PC - Schneider Electric PLC M340

Many protocols are used in industrial environments, one of them being Modbus.

Below we present a technique that (maliciously) prevents an authorized operator from downloading the project from a PLC to their local workstation. This is possible by sending specially crafted instructions via Modbus/TCP.