Nmap NSE to Detect CoDeSys Insecurity Issues

NmapReid Wightman and HD Moore wrote up an Nmap NSE script to detect if your PLC running the CoDeSys ladder logic runtime lacks effective authentication to access the application command shell, transfer files, … the insecure by design issues covered on the Project Basecamp CoDeSys page.

This Nmap script has both big endian and little endian probes so it should be more thorough than the python scripts for identifying if your PLC or controller. Of course the python scripts show the exploit so you should try those if you want to demonstrate to your organization why this is a serious insecure by design issue.

If the scan works you should see something like this:

map scan report for xxx.xxx.83.75
Host is up (0.18s latency).
PORT     STATE SERVICE
1200/tcp open  scol
|_codesys:
\xBB\xBB\xCE\x00\x00\x00C\x00\x01\x00\x00\x00\x00\x00\x00\x00\xB0\x0C\x00\x00\x00\x00\x02\x00~\x13\x00\x00\x88\x13\x00\x00\xF4\x01\x00\x00\x00\x04\x00\x00\xFA\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xC5\x06\x00\x00\x01\x00\x01\x00Windows\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00unknown
CE version [runtime por\x003S-Smart Software
Solutions\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\xFF\xFF\x00\x00\xC8\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x01\x00\x10\x00\x00\x00\x10\x00\x00\x00\x10\x00\x00\x00\x00`\x00\x00\x00@\x00\x01

The output shows the OS version and “3S-Smart Software Solutions” from a banner grab.

There is still a chance of a false negative with this tool. With more than 200 companies implementing this ladder logic runtime it is impossible to imagine every possible implementation option an engineer could select.

If you get results and are willing to share, send them to us.

Leave a Reply