Dark Reading | Vulnerabilities / Threats | Products and Releases
4/8/2012, 08:07 PM

Project Basecamp Releases New Metasploit Exploit Modules

Includes Stuxnet-type exploit module for popular Schneider PLC

Digital Bond has released three new Project Basecamp Metasploit modules that exploit vulnerable PLCs used in critical infrastructure SCADA and DCS. These modules let owner/operators, vendors, consultants and anyone else involved in SCADA and other industrial control systems (ICS) demonstrate the ease of compromise and the potential for catastrophic impact. C-level executives responsible for critical infrastructure will see, beyond any doubt, how fragile and insecure these devices are. The "modiconstux" module implements a Stuxnet-type attack on a Schneider Modicon Quantum PLC. Stuxnet uploaded rogue ladder logic (the PLC's control program) to Siemens S7 PLCs to make the centrifuges at the Iranian Natanz nuclear facility spin too fast, and hid this from operators. The modiconstux module performs two similar actions:

1. It downloads the current ladder logic on the PLC. This information would allow an attacker to understand what the PLC is doing and modify the ladder logic to attack the physical system (manufacturing plant, refinery, pipeline, etc.).

2. It uploads new ladder logic to the PLC. Digital Bond has provided a blank ladder logic file to demonstrate the upload capability, but any ladder logic can be uploaded to the PLC. The blank ladder logic file will overwrite valid ladder logic in that space.

"The modiconstux module does not leverage a vulnerability, like a buffer overflow, in the Quantum PLC," said Dale Peterson, CEO of Digital Bond. "Instead it simply uses a feature in this insecure-by-design critical infrastructure product. There is no password or any other security in the upload and download of ladder logic. Like many PLCs, if an attacker can access the Quantum PLC over a network, he can load whatever program he wants on the PLC and damage or stop a critical infrastructure system."

Digital Bond chose to release the Project Basecamp exploit code as Metasploit Modules because the Metasploit Framework is the most widely used exploit framework in the ICS security space and by IT security professionals. This means that they are widely distributed and available for use almost immediately upon release.

The two other Project Basecamp Metasploit Modules released today are:

1. Modiconstop – Stops a Schneider Modicon Quantum PLC from operating. It is another command that lacks authentication or any other security, and it takes only one packet to stop the CPU.

2. Ged20tftpbo – A buffer overflow in the TFTP service on the GE D20 PLC. Other GE D20 Metasploit modules were released earlier in Project Basecamp, including modules that allow remote control and recover all user credentials.
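Because the Quantum performs no authentication on program download, upload or CPU stop, the compensating control a practitioner would want is on the network: treat any programming or CPU-control request that does not come from an approved engineering workstation as an incident. The following is an added example written for this page, not Digital Bond's module code and not something the press release contains. The Modicon Quantum speaks Modbus/TCP on port 502; the claim that Schneider's programming and CPU-control commands travel under the vendor-specific Modbus function code 0x5A (UMAS) comes from public protocol documentation, not from this page, and is labelled as an assumption in the code. The hosts, frames and verdict strings are constructed for illustration.

```python
"""Flag unauthenticated PLC programming traffic in Modbus/TCP frames.

Added example (not Digital Bond's code). Parses the Modbus/TCP MBAP header
and classifies each request by function code and source host, so that a
program upload/download or CPU stop from anything other than an approved
engineering workstation is raised as an alert.
"""
import struct
from dataclasses import dataclass

# Schneider UMAS rides on Modbus function code 0x5A (90). This is an
# assumption drawn from public protocol documentation, not from the page.
UMAS_FC = 0x5A
WRITE_FCS = {0x05, 0x06, 0x0F, 0x10}    # standard Modbus write function codes


@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2), protocol id (2, must be 0), length (2),
    unit id (1). The length field counts the unit id plus the PDU, so a
    well-formed frame is exactly 6 + length bytes long.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if len(frame) != 6 + length:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(src, tid, unit, frame[7], frame[8:])


def classify(req: ModbusRequest, engineering_hosts: frozenset) -> str:
    """Verdict for one request, given the hosts allowed to program the PLC."""
    if req.function_code == UMAS_FC:
        # Program download/upload and CPU stop all use this code and the PLC
        # accepts them unauthenticated, so the source host is the only control.
        if req.src in engineering_hosts:
            return "notice: programming traffic from approved engineering host"
        return "ALERT: programming/CPU-control command from unapproved host"
    if req.function_code in WRITE_FCS:
        return "write"
    return "read"


def triage(frames, engineering_hosts):
    """Classify (src, raw_frame) pairs; malformed frames are reported, not dropped."""
    results = []
    for src, raw in frames:
        try:
            req = parse_modbus_tcp(src, raw)
        except ValueError as exc:
            results.append((src, f"malformed: {exc}"))
            continue
        results.append((src, classify(req, engineering_hosts)))
    return results


# Constructed sample traffic (not a capture from any real plant).
ENGINEERING_HOSTS = frozenset({"10.0.0.10"})
SAMPLE_FRAMES = [
    # HMI polling ten holding registers: fc 0x03, start 0, count 10
    ("10.0.0.20", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Engineering workstation issuing a UMAS request (payload bytes arbitrary)
    ("10.0.0.10", bytes.fromhex("0002 0000 0004 01 5a 0002")),
    # The same UMAS request from a host that should never program the PLC
    ("10.0.0.99", bytes.fromhex("0003 0000 0004 01 5a 0002")),
    # Truncated frame: header cut off mid-MBAP
    ("10.0.0.99", bytes.fromhex("0004 0000")),
]

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_FRAMES, ENGINEERING_HOSTS):
        print(f"{src:<12} {verdict}")
```

The approved-host check is deliberately not a clean bill of health: Stuxnet reached its PLCs from a compromised engineering workstation, which is why programming traffic from an approved host is still logged as a notice rather than silently accepted.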

Reid Wightman, ICS Security Researcher and Project Basecamp technical lead at Digital Bond, developed the two Schneider modules using the documentation and available features of the Quantum PLC. This has been true of most Project Basecamp modules to date: it has not taken sophisticated, high-level hacking to stop or completely compromise the PLCs. However, Reid and the other Project Basecamp volunteer researchers have highlighted the insecurity and fragility of PLCs and provided tools to demonstrate it.

The ICS security community has known for more than ten years that critical infrastructure PLCs are insecure by design, and little has been done to address this serious problem. Stuxnet demonstrated how an attacker can use the lack of security on ladder logic upload to compromise the integrity of a system. More than 500 days after Stuxnet, the Siemens S7 has not been fixed, and Schneider and many other ICS vendors have ignored the issue as well.

The lack of PLC security is no secret to motivated organizations that want to attack SCADA and other ICS. All that is required is some hacking and process engineering skill and the ability to read the documentation and use the product. Digital Bond hopes that the newly released Project Basecamp Metasploit modules will demonstrate to critical infrastructure owner/operators that they need to demand secure PLCs from vendors and develop a near-term plan to upgrade or replace their PLCs.
