Vulnerabilities / Threats | Products and Releases
4/8/2012 08:07 PM
Dark Reading

Project Basecamp Releases New Metasploit Exploit Modules

Includes Stuxnet-type exploit module for popular Schneider PLC

Digital Bond has released three new Project Basecamp Metasploit Modules that exploit vulnerable PLCs used in critical infrastructure SCADA and DCS. These modules let owner/operators, vendors, consultants, or anyone else involved in SCADA and other industrial control systems (ICS) demonstrate how easily these devices can be compromised and how catastrophic the impact could be. C-level executives running the critical infrastructure will see and know beyond any doubt the fragility and insecurity of these devices. The "modiconstux" module implements a Stuxnet-type attack on a Schneider Modicon Quantum PLC. Stuxnet uploaded rogue ladder logic (software programs) to a Siemens S7 PLC to cause the centrifuges at the Iranian Natanz nuclear facility to spin too fast and to hide this action from operators. The modiconstux module performs two similar actions:

1. It downloads the current ladder logic on the PLC. This information would allow an attacker to understand what the PLC is doing and modify the ladder logic to attack the physical system (manufacturing plant, refinery, pipeline, etc.).

2. It uploads new ladder logic to the PLC. Digital Bond has provided a blank ladder logic file to demonstrate the upload capability, but any ladder logic can be uploaded to the PLC. The blank ladder logic file will overwrite valid ladder logic in that space.

"The modiconstux module does not leverage a vulnerability, like a buffer overflow, in the Quantum PLC," said Dale Peterson, CEO of Digital Bond. "Instead it simply uses a feature in this insecure-by-design critical infrastructure product. There is no password or any other security in the upload and download of ladder logic. Like many PLCs, if an attacker can access the Quantum PLC over a network, he can load whatever program he wants on the PLC and damage or stop a critical infrastructure system."

Digital Bond chose to release the Project Basecamp exploit code as Metasploit Modules because the Metasploit Framework is the most widely used exploit framework in the ICS security space and by IT security professionals. This means that they are widely distributed and available for use almost immediately upon release.

The two other Project Basecamp Metasploit Modules released today are:

1. Modiconstop – Stops a Schneider Modicon Quantum PLC from operating. It is another command that lacks authentication or other security, and it takes only one packet to stop the CPU.

2. Ged20tftpbo – A buffer overflow in the TFTP service on the GE D20 PLC. Note that other GE D20 Metasploit modules had been released earlier in Project Basecamp, including modules that allow remote control and recovery of all user credentials.
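Both Modicon modules work for the reason Peterson gives: the Quantum PLC accepts program upload/download and stop commands from any host that can reach it on the network. Since the device itself enforces nothing, the compensating control is on the network: only designated engineering workstations may send programming traffic to a PLC, and anything else is an alert. The monitor below is an added example written for this page; it is not Digital Bond's or Metasploit's code. It assumes the PLC is programmed over Modbus/TCP on port 502 and that programming requests use Modbus function code 0x5A (90), which is how Schneider Modicon PLCs carry their UMAS programming protocol; the IP addresses, the allowlist and the two frames are constructed for the example.

```python
"""Flag PLC programming traffic from hosts that are not authorised engineering workstations.

Added example, not Digital Bond or Metasploit code. Assumes the PLC is programmed over
Modbus/TCP (port 502) and that programming requests use Modbus function code 0x5A (90),
the code Schneider Modicon PLCs use for their UMAS programming protocol. Adjust both
constants for your own fleet. All hosts and frames below are constructed.
"""
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502
PROGRAMMING_FUNCTION_CODES = {0x5A}        # assumption: UMAS rides on function code 90
ENGINEERING_WORKSTATIONS = {"10.0.10.5"}   # constructed allowlist of hosts allowed to program PLCs


@dataclass
class Alert:
    src: str
    dst: str
    function_code: int
    reason: str


def parse_mbap(payload: bytes):
    """Return (unit_id, function_code) from a Modbus/TCP frame, or None if malformed."""
    if len(payload) < 8:
        return None
    _tid, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    # Modbus/TCP always carries protocol id 0; the length field counts unit id plus PDU
    if protocol_id != 0 or length < 2 or len(payload) < 6 + length:
        return None
    return unit_id, payload[7]


def inspect_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, tcp_payload). Returns a list of Alerts."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != MODBUS_TCP_PORT:
            continue
        parsed = parse_mbap(payload)
        if parsed is None:
            continue                       # truncated or non-Modbus data; not our concern here
        _unit, fc = parsed
        if fc not in PROGRAMMING_FUNCTION_CODES:
            continue                       # ordinary register reads/writes are normal HMI traffic
        if src in ENGINEERING_WORKSTATIONS:
            alerts.append(Alert(src, dst, fc, "programming request from engineering workstation (audit)"))
        else:
            alerts.append(Alert(src, dst, fc, "programming request from unauthorised host"))
    return alerts


# Constructed frames: MBAP header (transaction id, protocol id, length, unit id) then the PDU.
# Read Holding Registers (fc 3), start 0, quantity 10, from unit 1.
READ_HOLDING_REGISTERS = bytes.fromhex("00010000000601030000000a")
# A programming request (fc 0x5A) with a short, made-up body, to unit 0.
PROGRAMMING_REQUEST = bytes.fromhex("000200000004005a0001")

SAMPLE_FLOWS = [
    ("10.0.10.20", "10.0.20.1", 502, READ_HOLDING_REGISTERS),  # HMI poll: allowed
    ("10.0.10.99", "10.0.20.1", 502, PROGRAMMING_REQUEST),     # unknown host programming: alert
    ("10.0.10.5", "10.0.20.1", 502, PROGRAMMING_REQUEST),      # engineering workstation: audit entry
    ("10.0.10.99", "10.0.20.1", 80, PROGRAMMING_REQUEST),      # not the Modbus port: ignored
    ("10.0.10.99", "10.0.20.1", 502, b"\x00\x01"),             # truncated frame: ignored
]


def demo():
    """Run the monitor over the constructed flows; used by the stand-alone run below."""
    return inspect_flows(SAMPLE_FLOWS)


if __name__ == "__main__":
    for alert in demo():
        print(f"{alert.src} -> {alert.dst} fc=0x{alert.function_code:02x}: {alert.reason}")
```

The same policy works as a firewall or switch ACL where the network gear can match on Modbus function codes, and as a passive sensor otherwise; the point is that the allowlist lives outside the PLC, because the PLC will not enforce one.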

Reid Wightman, ICS Security Researcher and Project Basecamp technical lead at Digital Bond, developed the two Schneider modules using the documentation and available features in the Quantum PLC. This has been true of most of the Project Basecamp modules to date: it has not taken sophisticated, high-level hacking to stop or completely compromise the PLCs. However, Reid and the other Project Basecamp volunteer researchers have highlighted the insecurity and fragility of PLCs and provided tools to demonstrate this.

The ICS security community has known that critical infrastructure PLCs are insecure by design for more than ten years now, and little has been done to address this serious problem. Stuxnet demonstrated how an attacker can use the lack of ladder logic upload security to affect the integrity of a system. And more than 500 days after Stuxnet, the Siemens S7 has not been fixed, and Schneider and many other ICS vendors have ignored the issue as well.

The lack of PLC security is not a secret to motivated organizations that want to attack SCADA and other ICS. All that is required is some hacking and process engineering skills and the ability to read the documentation and use the product. Digital Bond hopes that the newly released Project Basecamp Metasploit Modules will demonstrate to critical infrastructure owner/operators that they need to demand secure PLCs from vendors and develop a near-term plan to upgrade or replace their PLCs.
