General Electric D20 ME

Background

The General Electric D20ME is widely used in the electric sector, particularly in substations. It is an ancient device with a CPU chip from 1987 (a chip similar to the one in the Macintosh II line) and a pSOS operating system whose support ended in 1999. It even has an old-fashioned UV EPROM. All this obsolete technology costs $15,000 for an entry-level version with just a couple of cards.

In addition to the obsolescence issues, the GE D20ME II (and likely previous generations of the D20, as well as the D25, the iBox, and possibly other General Electric equipment) has some rather serious designed-in security issues. Given the age of the software and hardware, it is almost impossible to fix the fragility and insecurity. Even GE has stated that there will not be security-related fixes for the D20.

Our blunt advice – don’t deploy any new GE D20s and develop a plan to replace all of your GE D20s as soon as practical, in the next 1 to 3 years.

Tools

Metasploit Modules

All of the Metasploit modules are available in Rapid7's Metasploit feed.

d20tftpbd – General Electric D20ME Asynchronous Command Line

This module automates a “feature” in the D20 that allows a user to send via TFTP a MONITOR:command.log file. The D20 will execute all of the commands in that file, and then return the results to the Monitor:response.log file.

This is very unusual and is what Reid calls an asynchronous command line, and there is no authentication. An attacker could craft a set of attack commands in a file and TFTP it to one or more GE D20s.

The d20tftpbd module automates the process, and the Metasploit user appears to have an interactive command-line interface to the GE D20. Try typing the help command to see all the commands that can be run from this asynchronous command-line interface.

This is an experimental module available in Metasploit’s testing branch. The module works fine, but it is so unusual that Rapid7 is trying to figure out the best way to include it in the framework.

d20pass – General Electric D20ME Credential Recovery

This module retrieves and displays the account usernames and passwords from the GE D20 device configuration. The credentials can be used to perform any action on the device, including changing ladder logic. The credentials are just part of the plaintext configuration file that is downloaded, so an attacker would have complete information on the process and the ability to make any changes.

d20_tftp_overflow - General Electric D20ME TFTP Server Buffer Overflow DoS

The D20 has numerous buffer overruns in its TFTP server. This module exploits the TFTP server transfer-mode overflow and results in a denial-of-service condition on the D20. If successful, you will see "TFTP – DoS complete, the D20 should fault after a timeout." A reboot of the D20 is required to recover.

The filename also suffers from an overrun but seems unlikely to be exploitable.
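As an added example (not part of the original page or of the Metasploit modules it lists), a small Python classifier for UDP/69 request packets that a network sensor could use to flag the two D20-specific behaviours described above: an unauthenticated write of MONITOR:command.log (the asynchronous command line) and a malformed transfer mode or oversized field (the TFTP overruns). The constructed sample packets and the 64-byte length threshold are assumptions.

```python
import struct

# Standard TFTP request opcodes (RFC 1350)
OP_RRQ, OP_WRQ = 1, 2
VALID_MODES = {"netascii", "octet", "mail"}
# Assumed threshold: legitimate D20 filenames and modes are far shorter than this.
MAX_FIELD_LEN = 64


def parse_tftp_request(payload: bytes):
    """Return (opcode, filename, mode) for an RRQ/WRQ, or None if not a request."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        return None
    # Request body is: filename NUL mode NUL
    parts = payload[2:].split(b"\x00")
    if len(parts) < 3:  # filename, mode and the trailing terminator must all be present
        return None
    return opcode, parts[0].decode("latin-1"), parts[1].decode("latin-1")


def classify_tftp_request(payload: bytes) -> str:
    """Label a UDP/69 payload for a D20-aware monitoring rule."""
    req = parse_tftp_request(payload)
    if req is None:
        return "not-a-request"
    opcode, filename, mode = req
    # Overlong fields match the transfer-mode and filename overruns described on the page.
    if len(filename) > MAX_FIELD_LEN or len(mode) > MAX_FIELD_LEN:
        return "malformed-oversized-field"
    if mode.lower() not in VALID_MODES:
        return "malformed-unknown-mode"
    # The D20 executes whatever is written to MONITOR:command.log without authentication.
    if opcode == OP_WRQ and filename.lower() == "monitor:command.log":
        return "d20-command-upload"
    if opcode == OP_RRQ and filename.lower() == "monitor:response.log":
        return "d20-response-download"
    return "benign-request"


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    samples = [
        b"\x00\x02MONITOR:command.log\x00octet\x00",
        b"\x00\x01Monitor:response.log\x00netascii\x00",
        b"\x00\x01firmware.bin\x00octet\x00",
    ]
    for pkt in samples:
        print(classify_tftp_request(pkt))
```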

Easy Scripts

d20cmd.py – A Python script that provides an interactive command line to the D20's TFTP backdoor command line. Please read the comments in the header: this requires a newish Python TFTP library to work correctly, and the version of the TFTP library for Python included with most major Linux distros (Backtrack, Ubuntu, etc.) is too old to work correctly.

This is the same capability provided in the d20tftpbd Metasploit module.

Buffer Overflow Tools

d20tftpbo – This module crashes the D20 TFTP service. The operating system catches the exception, but the damage is done: all processes are stopped and the D20's network stack is disabled.

Fingerprinting Tools

telnet-fp.py – This is a generic telnet service fingerprinting tool that may be used against any controller that supports the telnet protocol. It actively tries all telnet options against the remote host to determine which options are supported. This may crash some controllers, so use it with care.

ged20-fp – The output of the above tool when run against a D20MEII.

Ports and Services

Port        State          Service
23/tcp      open           telnet
502/tcp     open           modbus
1024/tcp    open           logiclinx
69/udp      open|filtered  tftp
1024/udp    open|filtered  logiclinx
20000/udp   open|filtered  dnp3

Fingerprinting

SCAN(V=5.61TEST2%E=4%D=1/6%OT=1024%CT=1%CU=%PV=YG=YTM=4F07245D%P=i686-pc-linux-gnu)
SEQ(SP=109%GCD=1%ISR=107%TI=I%CI=I%II=I%SS=S%TS=U)
SEQ(CI=I%II=I)
OPS(O1=M5B4%O2=M5B4%O3=M5B4%O4=M5B4%O5=M5B4%O6=M5B4)
WIN(W1=FAF0%W2=FAF0%W3=FAF0%W4=FAF0%W5=FAF0%W6=FAF0)
ECN(R=Y%DF=N%TG=80%W=FAF0%O=M5B4%CC=N%Q=)
ECN(R=N)
T1(R=Y%DF=N%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T1(R=N)
T2(R=N)
T3(R=N)
T4(R=Y%DF=N%TG=80%W=7FFF%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=N%TG=80%W=FAF0%S=O%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=N%TG=80%W=7FFF%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=S)

This nmap fingerprint closely matches the pSOS fingerprint found in current distributions of nmap, closely enough to match that signature. The D20 is confirmed to run pSOS.

The TELNET service on this device is also fairly unique. telnet-fp.py will fingerprint a telnet service; the D20 fingerprint available above (ged20-fp) is the output of the telnet-fp.py script.