Vulnerabilities / Threats
4/8/2012
08:07 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Project Basecamp Releases New Metasploit Exploit Modules

Includes Stuxnet-type exploit module for popular Schneider PLC

Digital Bond has released three new Project Basecamp Metasploit Modules that exploit vulnerable PLC's used in critical infrastructure SCADA and DCS. These modules make demonstrating the ease of compromise and potential catastrophic impact possible for owner/operators, vendors, consultants or anyone else involved in SCADA and other industrial control systems (ICS). C-level executives running the critical infrastructure will see and know beyond any doubt the fragility and insecurity of these devices. The "modiconstux" module implements a Stuxnet-type attack on a Schneider Modicon Quantum PLC. Stuxnet uploaded rogue ladder logic (software programs) to a Siemens S7 PLC to cause the centrifuges at the Iranian Natanz nuclear facility to spin too fast and to hide this action from operators. The modiconstux module performs two similar actions:

1. It downloads the current ladder logic on the PLC. This information would allow an attacker to understand what the PLC is doing and modify the ladder logic to attack the physical system (manufacturing plant, refinery, pipeline, etc.).

2. It uploads new ladder logic to the PLC. Digital Bond has provided a blank ladder logic file to demonstrate the upload capability, but any ladder logic can be uploaded to the PLC. The blank ladder logic file will overwrite valid ladder logic in that space.

"The modiconstux module does not leverage a vulnerability, like a buffer overflow, in the Quantum PLC," said Dale Peterson, CEO of Digital Bond. "Instead it simply uses a feature in this insecure-by-design critical infrastructure product. There is no password or any other security in the upload and download of ladder logic. Like many PLCs, if an attacker can access the Quantum PLC over a network, he can load whatever program he wants on the PLC and damage or stop a critical infrastructure system."

Digital Bond chose to release the Project Basecamp exploit code as Metasploit Modules because the Metasploit Framework is the most widely used exploit framework in the ICS security space and by IT security professionals. This means that they are widely distributed and available for use almost immediately upon release.

The two other Project Basecamp Metasploit Modules released today are:

1. Modiconstop – Stops a Schneider Modicon Quantum PLC from operating. It is another command that lacks authentication or other security, and its only one packet to send to stop the CPU.

2. Ged20tftpbo – A buffer overflow of the tftp service on the GE D20 PLC. Note that other GE D20 Metasploit modules had been released earlier in Project Basecamp including modules that allow remote control and recover all user credentials.

Reid Wightman, ICS Security Researcher and Project Basecamp technical lead at Digital Bond developed the two Schneider modules using the documentation and available features in the Quantum PLC. This has been true of most of the Project Basecamp modules to date. It has not taken sophisticated, high-level hacking to stop or completely compromise the PLC's. However Reid and the other Project Basecamp volunteer researchers have highlighted the insecurity and fragility of PLCs and provided tools to demonstrate this.

The ICS security community has known that critical infrastructure PLC's are insecure by design for more than ten years now and little has been done to address this serious problem. Stuxnet demonstrated how an attacker can use the lack of ladder logic upload security to affect the integrity of a system. And more than 500 days after Stuxnet the Siemens S7 has not been fixed, and Schneider and many other ICS vendors have ignored the issue as well.

The lack of PLC security is not a secret to motivated organizations that want to attack SCADA and other ICS. All that is required is some hacking and process engineering skills and the ability to read the documentation and use the product. Digital Bond hopes that the newly released Project Basecamp Metasploit Modules will demonstrate to critical infrastructure owner/operators that they need to demand secure PLC's from vendors and develop a near term plan to upgrade or replace their PLCs.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.