Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/8/2012
08:07 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Project Basecamp Releases New Metasploit Exploit Modules

Includes Stuxnet-type exploit module for popular Schneider PLC

Digital Bond has released three new Project Basecamp Metasploit Modules that exploit vulnerable PLC's used in critical infrastructure SCADA and DCS. These modules make demonstrating the ease of compromise and potential catastrophic impact possible for owner/operators, vendors, consultants or anyone else involved in SCADA and other industrial control systems (ICS). C-level executives running the critical infrastructure will see and know beyond any doubt the fragility and insecurity of these devices. The "modiconstux" module implements a Stuxnet-type attack on a Schneider Modicon Quantum PLC. Stuxnet uploaded rogue ladder logic (software programs) to a Siemens S7 PLC to cause the centrifuges at the Iranian Natanz nuclear facility to spin too fast and to hide this action from operators. The modiconstux module performs two similar actions:

1. It downloads the current ladder logic on the PLC. This information would allow an attacker to understand what the PLC is doing and modify the ladder logic to attack the physical system (manufacturing plant, refinery, pipeline, etc.).

2. It uploads new ladder logic to the PLC. Digital Bond has provided a blank ladder logic file to demonstrate the upload capability, but any ladder logic can be uploaded to the PLC. The blank ladder logic file will overwrite valid ladder logic in that space.

"The modiconstux module does not leverage a vulnerability, like a buffer overflow, in the Quantum PLC," said Dale Peterson, CEO of Digital Bond. "Instead it simply uses a feature in this insecure-by-design critical infrastructure product. There is no password or any other security in the upload and download of ladder logic. Like many PLCs, if an attacker can access the Quantum PLC over a network, he can load whatever program he wants on the PLC and damage or stop a critical infrastructure system."

Digital Bond chose to release the Project Basecamp exploit code as Metasploit Modules because the Metasploit Framework is the most widely used exploit framework in the ICS security space and by IT security professionals. This means that they are widely distributed and available for use almost immediately upon release.

The two other Project Basecamp Metasploit Modules released today are:

1. Modiconstop – Stops a Schneider Modicon Quantum PLC from operating. It is another command that lacks authentication or other security, and its only one packet to send to stop the CPU.

2. Ged20tftpbo – A buffer overflow of the tftp service on the GE D20 PLC. Note that other GE D20 Metasploit modules had been released earlier in Project Basecamp including modules that allow remote control and recover all user credentials.

Reid Wightman, ICS Security Researcher and Project Basecamp technical lead at Digital Bond developed the two Schneider modules using the documentation and available features in the Quantum PLC. This has been true of most of the Project Basecamp modules to date. It has not taken sophisticated, high-level hacking to stop or completely compromise the PLC's. However Reid and the other Project Basecamp volunteer researchers have highlighted the insecurity and fragility of PLCs and provided tools to demonstrate this.

The ICS security community has known that critical infrastructure PLC's are insecure by design for more than ten years now and little has been done to address this serious problem. Stuxnet demonstrated how an attacker can use the lack of ladder logic upload security to affect the integrity of a system. And more than 500 days after Stuxnet the Siemens S7 has not been fixed, and Schneider and many other ICS vendors have ignored the issue as well.

The lack of PLC security is not a secret to motivated organizations that want to attack SCADA and other ICS. All that is required is some hacking and process engineering skills and the ability to read the documentation and use the product. Digital Bond hopes that the newly released Project Basecamp Metasploit Modules will demonstrate to critical infrastructure owner/operators that they need to demand secure PLC's from vendors and develop a near term plan to upgrade or replace their PLCs.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "The truth behind Stonehenge...."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26476
PUBLISHED: 2021-03-01
EPrints 3.4.2 allows remote attackers to execute OS commands via crafted LaTeX input to a cgi/cal?year= URI.
CVE-2021-26702
PUBLISHED: 2021-03-01
EPrints 3.4.2 exposes a reflected XSS opportunity in the dataset parameter to the cgi/dataset_dictionary URI.
CVE-2021-26703
PUBLISHED: 2021-03-01
EPrints 3.4.2 allows remote attackers to read arbitrary files and possibly execute commands via crafted JSON/XML input to a cgi/ajax/phrase URI.
CVE-2021-26704
PUBLISHED: 2021-03-01
EPrints 3.4.2 allows remote attackers to execute arbitrary commands via crafted input to the verb parameter in a cgi/toolbox/toolbox URI.
CVE-2021-27876
PUBLISHED: 2021-03-01
An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to a vulnerability in the SHA Authentication scheme, an attacker is able to gain ...