
Schneider PLC Ethernet modules: the backdoor accounts explained

As early as two years ago, CVE-2011-4859 and several other hard-coded credential vulnerabilities in Schneider PLCs were disclosed through the Basecamp research project. The hard-coded credentials are present in several models of Ethernet module currently in service, and they survive in the updated product firmware as well. The root cause is the peculiar way Schneider upgrades the firmware of its PLC Ethernet modules.
Unity Pro is the programming software for the Schneider PLC line; the OSLoader utility shipped with Unity Pro performs the PLC's operating-system (firmware) upgrade.
As the screenshot shows, the tool can talk to the PLC over MODBUS, Uni-Telway or FTP to carry out the upgrade; the first two are non-Ethernet modes.
With FTP selected, the firmware is downloaded to the module over Ethernet FTP. For the older firmware versions currently in service, nothing beyond the IP address is required and no authentication is performed (some newer Ethernet modules additionally ask for the MAC address as confirmation). Capturing the session with Wireshark shows the plaintext passwords and the communication data; from the screenshot it is easy to see that OSLoader tries several default passwords in turn. These default usernames and passwords are generally distinguished by product series and model.
According to the capture, OSLoader tries the following username/password pairs, in this order:
fwupgrade/upgradefw
qbf771/fcsdfcsd
qbf77101/fcsdfcsd
qbf77111/fcsdfcsd
qbf77121/fcsdfcsd
fwupgrade/fwetzedus
fwupgrade/fwetzedus2
fwupgrade/00000000
Comparing this with the affected-product range disclosed in the CVE, it is clear that 77101, 77111 and 77121 are model numbers of Schneider Ethernet modules, e.g. NOE 771 01.
Once logged in to the device, OSLoader tries to read the file system remotely, which gives it remote upload and download; an attacker can therefore easily take the PLC down by replacing its firmware.
Searching for the device's fingerprints with SHODAN and similar search engines makes it far easier for an attacker to automate the attack, yet the vendor only released a fix two years later.

Taking the BMX P34 2020 as an example, its default open ports are shown in the screenshot.
The default credential sets present on other Schneider PLC Ethernet module models are as follows:
Telnet (port 23)
VxWorks login: ntpupdate
Password: ntpupdate
HTTP (port 80)
Schneider Web
username: USER
Password: USER
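Because the OSLoader FTP list captured earlier on this page and the Telnet and web defaults listed just above are public, a defender can at least watch the network for any login that uses them. The Python below is an added example written for this post, not OSLoader or any Schneider code: the one-line-per-login-field capture format, the host addresses and the "engineer" login are constructed for the example, while the credential lists are exactly the ones the post reports. It flags every login that uses a known default pair and additionally marks FTP flows that walk the OSLoader list in its published order, which is the signature of the firmware loader itself (or a tool imitating it) and so a warning that a firmware write may follow.

```python
"""Passive check for the Schneider Ethernet-module default credentials listed
on this page (the OSLoader FTP list, the Telnet ntpupdate account and the web
USER/USER account).

Added example for this post; it is not OSLoader or any Schneider code. The
input is a constructed one-login-field-per-line record format (see
parse_login_attempts); the credential lists are those reported on the page.
"""
import base64
from collections import defaultdict

# FTP pairs OSLoader was captured trying, in order (from the page).
OSLOADER_FTP_CREDS = [
    ("fwupgrade", "upgradefw"),
    ("qbf771", "fcsdfcsd"),
    ("qbf77101", "fcsdfcsd"),
    ("qbf77111", "fcsdfcsd"),
    ("qbf77121", "fcsdfcsd"),
    ("fwupgrade", "fwetzedus"),
    ("fwupgrade", "fwetzedus2"),
    ("fwupgrade", "00000000"),
]
# Other defaults on the same module family (page: Telnet/23 and HTTP/80).
KNOWN_DEFAULTS = {
    "ftp": set(OSLOADER_FTP_CREDS),
    "telnet": {("ntpupdate", "ntpupdate")},
    "http": {("USER", "USER")},
}


def parse_login_attempts(lines):
    """Yield (proto, src, dst, user, password) from capture records.

    Record format (constructed for this example): 'proto src dst FIELD value'.
    ftp and telnet logins arrive as a USER/LOGIN record followed by a PASS
    record on the same flow; http logins carry an Authorization header whose
    value is 'Basic ' + base64('user:password').
    """
    pending = {}  # flow -> username waiting for its password
    for line in lines:
        parts = line.split(maxsplit=4)
        if len(parts) < 5:
            continue  # blank line or a command with no argument
        proto, src, dst, field, value = parts
        flow = (proto, src, dst)
        field = field.upper()
        if field in ("USER", "LOGIN"):
            pending[flow] = value
        elif field == "PASS" and flow in pending:
            yield proto, src, dst, pending.pop(flow), value
        elif field == "AUTHORIZATION" and value.startswith("Basic "):
            try:
                decoded = base64.b64decode(value[6:], validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                continue  # malformed header, not a usable login
            user, _, password = decoded.partition(":")
            yield proto, src, dst, user, password


def flag_default_credentials(lines):
    """Return one hit (dict) per login that uses a known default pair.

    An FTP hit also carries osloader_pattern=True when its flow has walked
    the OSLoader list in the published order (two or more pairs).
    """
    hits = []
    ftp_sequences = defaultdict(list)  # (src, dst) -> FTP pairs in order seen
    for proto, src, dst, user, password in parse_login_attempts(lines):
        if proto == "ftp":
            ftp_sequences[(src, dst)].append((user, password))
        if (user, password) in KNOWN_DEFAULTS.get(proto, ()):
            hits.append({"proto": proto, "src": src, "dst": dst,
                         "user": user, "password": password})
    for hit in hits:
        seq = ftp_sequences.get((hit["src"], hit["dst"]), [])
        hit["osloader_pattern"] = (hit["proto"] == "ftp" and len(seq) >= 2
                                   and seq == OSLOADER_FTP_CREDS[:len(seq)])
    return hits


# Constructed sample: one host walking the OSLoader list, one ordinary FTP
# login, and one host using the web and Telnet defaults against the same PLC.
SAMPLE_CAPTURE = """\
ftp 192.0.2.10 192.0.2.50 USER fwupgrade
ftp 192.0.2.10 192.0.2.50 PASS upgradefw
ftp 192.0.2.10 192.0.2.50 USER qbf771
ftp 192.0.2.10 192.0.2.50 PASS fcsdfcsd
ftp 192.0.2.10 192.0.2.50 USER qbf77101
ftp 192.0.2.10 192.0.2.50 PASS fcsdfcsd
ftp 192.0.2.77 192.0.2.50 USER engineer
ftp 192.0.2.77 192.0.2.50 PASS not-a-default
http 192.0.2.88 192.0.2.50 Authorization Basic VVNFUjpVU0VS
telnet 192.0.2.88 192.0.2.50 LOGIN ntpupdate
telnet 192.0.2.88 192.0.2.50 PASS ntpupdate
""".splitlines()

if __name__ == "__main__":
    for hit in flag_default_credentials(SAMPLE_CAPTURE):
        print(hit)
```

Records in this shape can be produced from a real pcap with tshark field output (for instance the ftp.request.command and ftp.request.arg fields for FTP and http.authorization for HTTP); the Telnet pairing is an approximation, since a real Telnet login is echoed character by character rather than delivered as two fields. The match is on plaintext credentials, which is exactly what makes this protocol set detectable: none of the three services encrypts the login, so any appearance of these pairs outside a planned maintenance window from an engineering workstation deserves an alert.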

External links
SHODAN
CVE-2011-4859
ICS-ALERT-11-346-01
ICS Vendor Fixes Hard-Coded Credential Bugs Nearly Two Years After Advisory

About Z-0ne
