Tuesday, August 4, 2020

[Siemens] OZW672: Undocumented user ("Back door"), with weak password (CVE-2017-6872)

Affected device (Tested): OZW672.06
OZW devices are used for the remote monitoring of building control equipment. For example, for monitoring heating or air conditioning systems.


Downloading the firmware
The device's firmware has been downloaded and decompiled.

Source: https://support.industry.siemens.com/cs/document/62567396/ozw672-factory-firmware-update-and-system-definition?dti=0&lc=en-WW

Key files are then read from the extracted filesystem, such as "/etc/shadow":

The recovered password hashes are immediately submitted for cracking:

It was only possible to break the hash corresponding to the user "ACS".

Exposure
The "Shodan" platform (https://shodan.io) is then used to provide a representative sample of the degree of exposure of the device under analysis.

The search criteria used (Dork) was: "ProFTPD 1.3.1 Server (Siemens Switzerland Ltd.)"

Validation
We then validate by cross-checking the credentials against the results obtained. As shown in the screenshot below, the credentials are valid.

Report:

This vulnerability was duly reported to Siemens. However, the problem was already known.
A CVE was assigned to it: CVE-2017-6872.


ANNEXES

Device manual:

Tuesday, July 21, 2020

[KMC Controls] Backdoor in "BACnet Building Controller" (CVE-2020-7233)

The KMC BACnet Building Controller BAC-A1616BC has a "backdoor" on the embedded web service.

Web Server Functions

    • Built-in web configuration pages allow web browsers to configure I/Os and objects, monitor values and alarms (configuration/monitoring also available through TotalControl), and set-up users and passwords.
    • Upgradable firmware (without requiring physical access) through the web or Ethernet connection, allowing easy updates
    • Custom web graphical interface (created/published in TotalControl, ver. 1.7 or higher)

Monday, July 20, 2020

[Siemens] SIMATIC S7-200: DoS via Modbus injection (CVE-2020-7584)

In our laboratory we were able to identify and reproduce a vulnerability which enables the construction and delivery of Modbus protocol frames to the PLC, causing a complete denial of service on the equipment.


Thursday, July 16, 2020

[OMRON] "NS WEB Interface": Login Bypass (CVE-2018-6624)

Today we will be presenting a vulnerability classified as critical, found in Omron NS 1.1 / 1.2 / 1.3, which allows remote attackers to bypass authentication via a direct request to the resource "/monitor.html".

The vulnerability has been assigned the following CVE: "CVE-2018-6624"

Friday, July 10, 2020

[Schneider] Multiple (and known) vulnerabilities

We will be reviewing some known vulnerabilities present in various Schneider Electric devices.

The affected devices that we've used in the following proofs of concept are:
• BMX P34 CPU B
• STB NIP 2311

Thursday, July 9, 2020

[Schneider] TM241CE24R & TM251MESE: Login Bypass

Today we are showcasing a few interesting facts regarding the PLCs TM241CE24R (M241) and TM251MESE (M251).

This model of PLC (like most) has an embedded web service running by default on port 80. Immediately after accessing the web application, we are able to see the login form, which seems to work perfectly, except for a few interesting details...

Monday, July 6, 2020

[Schneider] PowerLogic PM5560: Cross-Site Scripting via Cross-Protocol Injection (CVE-2018-7795)

The PowerLogic PM5560 has several embedded services for remote management, one of which is a web service. This service has several inputs vulnerable to JavaScript code injection; in other words, the web application is vulnerable to XSS.


We will now focus on an "alternative" medium used to permit its exploitation...

Saturday, June 20, 2020

Exploit - Remote retrieval of cleartext credentials on the Schneider-Electric Modicon TM221CE16R (CVE-2017-7575)

Security researchers Simon Heming, Maik Brüggemann, Hendrik Schwartke and Ralf Spenneberg have discovered a vulnerability that allows attackers with a connection to the affected device to obtain unencrypted passwords after sending a single request.

Flaw in the protection mechanism:
The Application Protection function is used to prevent the transfer of the application from the logic controller to the SoMachine Basic software. A specially crafted command can be sent via Modbus TCP on port 502 to the logic controller, and the controller will return the password unencrypted. After obtaining the password, an attacker can use the "SoMachine Basic" application to download, modify and subsequently re-upload any application. The identifier CVE-2017-7575 has been published for this vulnerability.


Denial of the PLC-to-PC download service - Schneider Electric PLC M340

Many protocols are used in industrial environments, one of them being Modbus.

Below we present a technique that (maliciously) prevents an authorized operator from downloading the project from a PLC to their local workstation. This is possible by sending specially crafted instructions via Modbus/TCP.


Sunday, May 31, 2020

Industrial Army - Lab Setup

This new blog is intended exclusively to share experiences and work around a topic we are truly passionate about: cybersecurity in industrial environments.

"INDUSTRIAL ARMY" is the name given to the area in which we conduct research related to the ICS/SCADA world.

To break the ice, we think it fitting to share one of our workbenches as a first article.

Test bench.

One of our benches is a (mini) infrastructure based on Schneider Electric technology.