PLC vulnerabilities, ICS security

Unmasking the backdoor accounts in Schneider PLC Ethernet modules

As early as two years ago, several hard-coded credential vulnerabilities in Schneider PLCs, CVE-2011-4859 among them, came to light through the Basecamp research project. The hard-coded credentials exist both in the Ethernet modules of several models currently in service and in the vendor's updated product firmware. The root cause is the peculiar way Schneider PLC Ethernet modules are upgraded.
Unity Pro is the programming software for Schneider's PLC lines; the OSLoader tool bundled with Unity Pro performs the PLC operating-system (firmware) upgrade.
As the figure shows, the tool can talk to the PLC over MODBUS, Uni-Telway or FTP to carry out the firmware upgrade; the first two are non-Ethernet modes.
Once FTP is selected, the firmware is downloaded to the module over FTP. For the older firmware versions now in service, nothing beyond the IP address is required; no authentication is asked of the user (some newer Ethernet modules additionally require the MAC address for confirmation). Wireshark can therefore capture the plaintext password and the rest of the session, and the capture makes it obvious that OSLoader tries several default credentials in turn. The default username and password are generally assigned per product series and model.
According to the capture, OSLoader tries the following username/password pairs in order: fwupgrade/upgradefw, qbf771/fcsdfcsd, qbf77101/fcsdfcsd, qbf77111/fcsdfcsd, qbf77121/fcsdfcsd, fwupgrade/fwetzedus, fwupgrade/fwetzedus2, fwupgrade/00000000. Comparing this with the affected products listed in the CVE, 77101, 77111 and 77121 clearly correspond to Schneider Ethernet module models such as the NOE 771 01.
After logging in to the device, OSLoader attempts to read the file system remotely, which gives it remote upload and download. An attacker can therefore crash the PLC simply by replacing the firmware.
Locating devices by their fingerprints through search engines such as SHODAN makes automating such attacks even easier, and the vendor only released a fix two years later.

Taking the BMX P34 2020 as an example, the ports open by default are shown in the figure.
The default credential sets present on other Schneider PLC Ethernet module models are as follows:
Telnet (port 23)
VxWorks login: ntpupdate
Password: ntpupdate
HTTP (port 80)
Schneider Web
username: USER
Password: USER
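As an added example (not code from the original post or from Schneider), the Python script below shows how a defender could recognise this credential behaviour in captured FTP control-channel traffic: it pairs USER/PASS commands per client-to-PLC flow, flags any login that uses one of the default credentials listed in this post, and separately flags a client that cycles through several logins against one PLC within a short window, which is exactly what OSLoader does. The log line format, IP addresses and timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Username/password pairs OSLoader was seen trying in the capture described above.
OSLOADER_FTP_CREDS = {
    ("fwupgrade", "upgradefw"),
    ("qbf771", "fcsdfcsd"),
    ("qbf77101", "fcsdfcsd"),
    ("qbf77111", "fcsdfcsd"),
    ("qbf77121", "fcsdfcsd"),
    ("fwupgrade", "fwetzedus"),
    ("fwupgrade", "fwetzedus2"),
    ("fwupgrade", "00000000"),
}
# Telnet (VxWorks) and embedded-web defaults from the same post; they only
# match if the collector also records those services' logins in this format.
OTHER_DEFAULT_CREDS = {("ntpupdate", "ntpupdate"), ("USER", "USER")}
KNOWN_DEFAULT_CREDS = OSLOADER_FTP_CREDS | OTHER_DEFAULT_CREDS

# Constructed log format (an assumption for this example, not a vendor format):
#   <ISO timestamp> <client ip> -> <plc ip> <USER|PASS> <argument>
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (USER|PASS) (\S+)$")

# Constructed sample: one host cycling through the OSLoader defaults against a
# PLC, followed by an unrelated single login from a second host.
SAMPLE_LOG = [
    "2018-10-18T09:00:01 10.0.0.50 -> 10.0.0.10 USER fwupgrade",
    "2018-10-18T09:00:01 10.0.0.50 -> 10.0.0.10 PASS upgradefw",
    "2018-10-18T09:00:02 10.0.0.50 -> 10.0.0.10 USER qbf771",
    "2018-10-18T09:00:02 10.0.0.50 -> 10.0.0.10 PASS fcsdfcsd",
    "2018-10-18T09:00:03 10.0.0.50 -> 10.0.0.10 USER qbf77101",
    "2018-10-18T09:00:03 10.0.0.50 -> 10.0.0.10 PASS fcsdfcsd",
    "2018-10-18T09:05:00 10.0.0.77 -> 10.0.0.10 USER operator",
    "2018-10-18T09:05:01 10.0.0.77 -> 10.0.0.10 PASS S3cret!",
]


def parse_logins(lines):
    """Pair each USER command with the PASS that follows it on the same flow."""
    pending = {}      # (client, plc) -> username from the most recent USER command
    attempts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not a USER/PASS command
        ts, client, plc, cmd, arg = m.groups()
        flow = (client, plc)
        if cmd == "USER":
            pending[flow] = arg
        elif cmd == "PASS" and flow in pending:
            attempts.append({
                "ts": datetime.fromisoformat(ts),
                "client": client, "plc": plc,
                "user": pending.pop(flow), "password": arg,
            })
    return attempts


def detect(attempts, window=timedelta(seconds=10), threshold=3):
    """Return alerts for default-credential logins and OSLoader-like login cycling."""
    alerts = []
    per_flow = defaultdict(list)
    for a in attempts:
        if (a["user"], a["password"]) in KNOWN_DEFAULT_CREDS:
            alerts.append(("default-credential", a["client"], a["plc"], a["user"]))
        per_flow[(a["client"], a["plc"])].append(a["ts"])
    # A client making `threshold` or more logins to one PLC inside `window`
    # matches the loader's behaviour regardless of which passwords it used.
    for (client, plc), times in per_flow.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                alerts.append(("login-cycling", client, plc, count))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_logins(SAMPLE_LOG)):
        print(alert)
```

Lines in this shape can be produced from a span-port capture or from Zeek's ftp.log with a small converter. A legitimate upgrade from the engineering workstation will trigger both alerts, so the detector is most useful once TCP/21 (and the Telnet and HTTP ports listed above) on the module is restricted by a firewall to that workstation; anything the rule still lets through is then worth an alert.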

External links
SHODAN
CVE-2011-4859
ICS-ALERT-11-346-01
ICS Vendor Fixes Hard-Coded Credential Bugs Nearly Two Years After Advisory

About Z-0ne

