Dark Reading, Products and Releases
4/8/2012 08:07 PM

Project Basecamp Releases New Metasploit Exploit Modules

Includes Stuxnet-type exploit module for popular Schneider PLC

Digital Bond has released three new Project Basecamp Metasploit Modules that exploit vulnerable PLCs used in critical infrastructure SCADA and DCS. These modules make it possible for owner/operators, vendors, consultants, or anyone else involved in SCADA and other industrial control systems (ICS) to demonstrate the ease of compromise and the potential for catastrophic impact. C-level executives running critical infrastructure will see and know beyond any doubt the fragility and insecurity of these devices. The "modiconstux" module implements a Stuxnet-type attack on a Schneider Modicon Quantum PLC. Stuxnet uploaded rogue ladder logic (software programs) to a Siemens S7 PLC to cause the centrifuges at the Iranian Natanz nuclear facility to spin too fast and to hide this action from operators. The modiconstux module performs two similar actions:

1. It downloads the current ladder logic on the PLC. This information would allow an attacker to understand what the PLC is doing and modify the ladder logic to attack the physical system (manufacturing plant, refinery, pipeline, etc.).

2. It uploads new ladder logic to the PLC. Digital Bond has provided a blank ladder logic file to demonstrate the upload capability, but any ladder logic can be uploaded to the PLC. The blank ladder logic file will overwrite valid ladder logic in that space.

"The modiconstux module does not leverage a vulnerability, like a buffer overflow, in the Quantum PLC," said Dale Peterson, CEO of Digital Bond. "Instead it simply uses a feature in this insecure-by-design critical infrastructure product. There is no password or any other security in the upload and download of ladder logic. Like many PLCs, if an attacker can access the Quantum PLC over a network, he can load whatever program he wants on the PLC and damage or stop a critical infrastructure system."

Digital Bond chose to release the Project Basecamp exploit code as Metasploit Modules because the Metasploit Framework is the most widely used exploit framework in the ICS security space and by IT security professionals. This means that they are widely distributed and available for use almost immediately upon release.

The two other Project Basecamp Metasploit Modules released today are:

1. Modiconstop – Stops a Schneider Modicon Quantum PLC from operating. It is another command that lacks authentication or other security, and it takes only one packet to stop the CPU.

2. Ged20tftpbo – A buffer overflow in the tftp service on the GE D20 PLC. Note that other GE D20 Metasploit modules had been released earlier in Project Basecamp, including modules that allow remote control and recovery of all user credentials.
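The quoted point above, that the Quantum PLC accepts program uploads and stop commands from anyone who can reach it on the network, means the only control an owner/operator can add today sits in the network, not in the device. The following detector is an added example, not code from Digital Bond or Project Basecamp: it assumes the PLC is reached over Modbus/TCP (TCP/502, not stated on the page), parses the MBAP header of each captured frame, and alerts on any non-read function code (a write or a vendor-specific program/CPU command) that does not originate from an allowlisted engineering workstation. Host addresses, the allowlist and the sample frames are all constructed.

```python
import struct
from dataclasses import dataclass

# Modbus/TCP MBAP header: transaction id, protocol id, length, unit id (big-endian).
MBAP = struct.Struct(">HHHB")

# Constructed allowlist: only engineering workstations may change or stop a program.
ENGINEERING_HOSTS = {"10.0.0.5"}
# Standard read-only function codes (coils, discrete inputs, holding/input registers,
# exception status). Anything else is treated as a write or control action.
READ_ONLY_FC = {1, 2, 3, 4, 7}

@dataclass
class Alert:
    src: str
    dst: str
    function_code: int   # -1 when the frame could not be parsed
    reason: str

def parse_modbus(payload: bytes):
    """Return (unit_id, function_code, pdu_data) for one frame, or None if malformed."""
    if len(payload) < MBAP.size + 1:
        return None
    _tid, proto, length, unit = MBAP.unpack_from(payload)
    # Protocol id must be 0 and the length field counts unit id + PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7], payload[8:]

def inspect(src: str, dst: str, payload: bytes):
    """Alert on write/control traffic to a PLC from a host outside the allowlist."""
    parsed = parse_modbus(payload)
    if parsed is None:
        return Alert(src, dst, -1, "malformed Modbus/TCP frame")
    _unit, fc, _data = parsed
    if fc in READ_ONLY_FC:
        return None            # reads are expected from HMIs and historians
    if src not in ENGINEERING_HOSTS:
        return Alert(src, dst, fc, "non-read function code from unauthorised host")
    return None

def run_detection(frames):
    """frames: iterable of (src_ip, dst_ip, raw_tcp_payload). Returns the alerts raised."""
    return [a for a in (inspect(*f) for f in frames) if a is not None]

# Constructed sample traffic towards a PLC at 10.0.1.10.
SAMPLE_FRAMES = [
    ("10.0.0.20", "10.0.1.10", bytes.fromhex("000100000006ff03000a0002")),  # HMI read: fine
    ("10.0.0.5",  "10.0.1.10", bytes.fromhex("000200000004ff5a0001")),      # engineering host, vendor FC: allowed
    ("10.0.0.99", "10.0.1.10", bytes.fromhex("000300000004ff5a0001")),      # unknown host, vendor FC: alert
    ("10.0.0.99", "10.0.1.10", bytes.fromhex("000400000006ff06000100ff")),  # unknown host, register write: alert
]
```

Running `run_detection(SAMPLE_FRAMES)` yields two alerts, both for 10.0.0.99; in a plant this check would sit on a span port in front of the PLC network, since the PLC itself will not refuse the traffic.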

Reid Wightman, ICS Security Researcher and Project Basecamp technical lead at Digital Bond, developed the two Schneider modules using the documentation and available features of the Quantum PLC. This has been true of most of the Project Basecamp modules to date: it has not taken sophisticated, high-level hacking to stop or completely compromise the PLCs. Reid and the other Project Basecamp volunteer researchers have highlighted the insecurity and fragility of PLCs and provided tools to demonstrate it.

The ICS security community has known that critical infrastructure PLCs are insecure by design for more than ten years now, and little has been done to address this serious problem. Stuxnet demonstrated how an attacker can use the lack of ladder logic upload security to affect the integrity of a system. More than 500 days after Stuxnet, the Siemens S7 has not been fixed, and Schneider and many other ICS vendors have ignored the issue as well.

The lack of PLC security is not a secret to motivated organizations that want to attack SCADA and other ICS. All that is required is some hacking and process engineering skill and the ability to read the documentation and use the product. Digital Bond hopes that the newly released Project Basecamp Metasploit Modules will demonstrate to critical infrastructure owner/operators that they need to demand secure PLCs from vendors and develop a near-term plan to upgrade or replace their PLCs.
