PLC vulnerabilities · ICS security

Schneider PLC Ethernet module backdoor accounts explained

As early as two years ago, several hard-coded credential vulnerabilities in Schneider PLCs, including CVE-2011-4859, were disclosed through the Basecamp research project. The hard-coded credentials are present in several models of Ethernet modules currently in service, as well as in the firmware updates shipped for those products. The root cause is the peculiar firmware upgrade scheme used by Schneider's PLC Ethernet modules.
Unity Pro is the programming software for Schneider's PLC series, and the OSLoader tool bundled with Unity Pro performs operating-system firmware upgrades on the PLC.
As shown in the figure, the tool can talk to the PLC over MODBUS, Uni-Telway or FTP to carry out the firmware upgrade; the first two are not Ethernet modes.
After selecting the FTP protocol, the firmware can be downloaded to the module over FTP. For the older firmware versions currently in service, no authentication is required after entering the IP address (some newer Ethernet modules require the MAC address to be entered for confirmation). At this point Wireshark can be used to capture the plaintext password and the rest of the communication. It is easy to see from the capture that OSLoader tries several default credentials in turn; the default username and password are generally distinguished by product series and model.
According to the packet capture, OSLoader tries the following username/password pairs in order: fwupgrade/upgradefw, qbf771/fcsdfcsd, qbf77101/fcsdfcsd, qbf77111/fcsdfcsd, qbf77121/fcsdfcsd, fwupgrade/fwetzedus, fwupgrade/fwetzedus2 and fwupgrade/00000000. From the affected-product range disclosed in the CVE it is easy to see that 77101, 77111 and 77121 are model numbers of Schneider Ethernet modules, such as the NOE 771 01.
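Because the FTP exchange is plaintext, the same USER/PASS sequence that Wireshark shows above is visible to any network sensor on the control network, which makes the hard-coded credential list a usable detection signature. The following script is an added example, not code from the original post or from Schneider: it walks a captured FTP command stream, pairs each USER/PASS with the server's 230/530 reply, and reports every attempt that used one of the pairs listed above. The line format (direction, client address, raw FTP line) and the sample session are constructed for the example; the credential pairs themselves are the ones the post observed.

```python
"""Flag hard-coded OSLoader FTP credential pairs in captured FTP traffic.

The credential pairs are the ones the post observed OSLoader trying; the
capture format and the sample session below are constructed for this example.
"""
import re
from collections import namedtuple

# Username/password pairs the post saw OSLoader try, in order.
HARDCODED_FTP_CREDS = {
    ("fwupgrade", "upgradefw"),
    ("qbf771", "fcsdfcsd"),
    ("qbf77101", "fcsdfcsd"),
    ("qbf77111", "fcsdfcsd"),
    ("qbf77121", "fcsdfcsd"),
    ("fwupgrade", "fwetzedus"),
    ("fwupgrade", "fwetzedus2"),
    ("fwupgrade", "00000000"),
}

# One finding per completed login attempt that used a hard-coded pair.
Finding = namedtuple("Finding", "client user password accepted")

# Constructed line format: direction (C = client->server, S = server->client),
# client address, then the raw FTP command or reply line.
LINE_RE = re.compile(r"^(?P<dir>[CS]) (?P<client>\S+) (?P<text>.*)$")


def parse_ftp_log(lines):
    """Pair USER/PASS commands per client and read the server's verdict.

    FTP answers PASS with 230 (logged in) or 530 (rejected); only attempts
    whose credentials are in the hard-coded set are reported.
    """
    pending_user = {}   # client -> username from the last USER command
    pending_pass = {}   # client -> password from the last PASS command
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a line in the expected format; skip it
        direction, client, text = m.group("dir", "client", "text")
        if direction == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                pending_user[client] = arg
                pending_pass.pop(client, None)
            elif verb == "PASS" and client in pending_user:
                pending_pass[client] = arg
        else:
            code = text[:3]
            if code in ("230", "530") and client in pending_pass:
                user = pending_user.pop(client)
                password = pending_pass.pop(client)
                if (user, password) in HARDCODED_FTP_CREDS:
                    findings.append(Finding(client, user, password, code == "230"))
    return findings


def successful_hardcoded_logins(findings):
    """Return only the attempts the module accepted (the actionable alerts)."""
    return [f for f in findings if f.accepted]


# Constructed capture: one host walks the OSLoader credential list until the
# module accepts a pair; a second host logs in with an unrelated account.
SAMPLE_CAPTURE = [
    "S 10.0.0.5 220 FTP server ready.",
    "C 10.0.0.5 USER fwupgrade",
    "S 10.0.0.5 331 Password required for fwupgrade.",
    "C 10.0.0.5 PASS upgradefw",
    "S 10.0.0.5 530 Login incorrect.",
    "C 10.0.0.5 USER qbf771",
    "S 10.0.0.5 331 Password required for qbf771.",
    "C 10.0.0.5 PASS fcsdfcsd",
    "S 10.0.0.5 530 Login incorrect.",
    "C 10.0.0.5 USER qbf77101",
    "S 10.0.0.5 331 Password required for qbf77101.",
    "C 10.0.0.5 PASS fcsdfcsd",
    "S 10.0.0.5 230 User logged in.",
    "C 10.0.0.9 USER maint",
    "S 10.0.0.9 331 Password required for maint.",
    "C 10.0.0.9 PASS not-a-default",
    "S 10.0.0.9 230 User logged in.",
]

if __name__ == "__main__":
    for f in parse_ftp_log(SAMPLE_CAPTURE):
        status = "ACCEPTED" if f.accepted else "rejected"
        print(f"{f.client}: hard-coded pair {f.user}/{f.password} {status}")
```

In practice the attempts with a 530 reply are still worth logging, since a host stepping through the list in the order shown is behaving like OSLoader; the 230 reply is what turns the event into an alert, and one from any address other than the engineering workstation means the module's firmware can now be read and replaced over the network. Feeding real traffic requires only an adapter that emits the same three-field lines from a packet capture.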
Once logged in to the device, OSLoader attempts to read the file system remotely, which is what makes remote upload and download possible; an attacker could easily take the PLC down simply by replacing the firmware.
Searching for the device's fingerprint through search engines such as SHODAN makes it even easier for an attacker to automate the attack, yet the vendor only released a fix two years later.

Taking the BMX P34 2020 as an example, the ports open by default are shown in the figure.
The default credential sets present on other models of Schneider PLC Ethernet modules are as follows:
Telnet 23
VxWorks login:ntpupdate
Password: ntpupdate
HTTP 80
Schneider Web
username:USER
Password:USER

External links
SHODAN
CVE-2011-4859
ICS-ALERT-11-346-01
ICS Vendor Fixes Hard-Coded Credential Bugs Nearly Two Years After Advisory

About Z-0ne
