Metasploit Modules

The primary goal of Project Basecamp is to make it abundantly clear that PLCs are fragile and insecure so that the owner/operators demand that these devices be fixed by the vendor and replaced in the critical infrastructure.

To achieve this goal the Project Basecamp team is releasing tools to demonstrate this fragility and insecurity. Among the most effective tools are the Metasploit modules that work with the popular Metasploit framework. They allow any engineer, IT staff or security professional to easily demonstrate the serious availability and integrity issues with PLCs and other field devices.

All of the Metasploit modules are available in Rapid7's Metasploit feed.

GE D20

d20tftpbd – General Electric D20ME Asynchronous Command Line

This module automates a “feature” in the D20 that allows a user to send via TFTP a MONITOR:command.log file. The D20 will execute all of the commands in that file, and then return the results to the Monitor:response.log file.

This is very unusual, and it is what Reid calls an asynchronous command line. There is no authentication. An attacker could craft a set of attack commands in a file and TFTP it to one or more GE D20s.

The d20tftpbd module automates the process, so the Metasploit user appears to have an interactive command line interface to the GE D20. Try typing the help command to see all the commands that can be run from this asynchronous command line interface.

This is an experimental module available in Metasploit’s testing branch. The module works fine, but it is so unusual that Rapid7 is trying to figure out the best way to include it in the framework.

d20pass - General Electric D20ME Credential Recovery

This module retrieves and displays the account usernames and passwords from the GE D20 device configuration. The credentials can be used to perform any action on the device, including changing ladder logic. The credentials are just part of the plaintext configuration file that is downloaded. An attacker would have complete information on the process and the ability to make any changes.

d20_tftp_overflow - General Electric D20ME TFTP Server Buffer Overflow DoS

The D20 has numerous buffer overruns in its TFTP server. This module exploits the TFTP Server transfer-mode overflow and results in a denial of service condition on the D20. If successful you will see “TFTP – DoS complete, the D20 should fault after a timeout.” A reboot of the D20 is required to recover.

The filename also suffers from an overrun but seems unlikely to be exploitable.
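For monitoring, both D20 TFTP issues described above (the unauthenticated MONITOR:command.log interface and the malformed transfer-mode field) are visible in the first request packet sent to UDP port 69. The following is an added detection sketch, not code from Project Basecamp or Metasploit; the filename length limit and the sample packets are assumptions constructed for illustration.

```python
import struct

RRQ, WRQ = 1, 2                                # RFC 1350 request opcodes
VALID_MODES = {"netascii", "octet", "mail"}    # RFC 1350 transfer modes
# File names as given in the d20tftpbd description (compared case-insensitively).
MONITOR_FILES = {"monitor:command.log", "monitor:response.log"}
MAX_FILENAME = 128                             # assumed sanity limit, tune per site


def inspect_tftp_request(payload: bytes) -> list:
    """Return alert strings for one UDP/69 payload; an empty list means no finding."""
    if len(payload) < 4:
        return ["truncated TFTP packet"]
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (RRQ, WRQ):
        return []                              # only requests carry filename and mode
    fields = payload[2:].split(b"\x00")
    # Well-formed: filename NUL mode NUL, so the split yields at least three parts.
    if len(fields) < 3:
        return ["request without NUL-terminated filename and mode"]
    name_raw, mode_raw = fields[0], fields[1]
    filename = name_raw.decode("ascii", "replace")
    alerts = []
    if filename.lower() in MONITOR_FILES:
        verb = "write to" if opcode == WRQ else "read of"
        alerts.append(f"{verb} {filename}: D20 asynchronous command line in use")
    if mode_raw.decode("ascii", "replace").lower() not in VALID_MODES:
        alerts.append(f"non-RFC transfer mode ({len(mode_raw)} bytes)")
    if len(name_raw) > MAX_FILENAME:
        alerts.append(f"oversized filename ({len(name_raw)} bytes)")
    return alerts


def build_request(opcode: int, filename: bytes, mode: bytes) -> bytes:
    """Build a constructed sample request for exercising the checks."""
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


# Constructed samples; "backup.bin" and "notamode" are made-up values.
SAMPLES = {
    "routine": build_request(WRQ, b"backup.bin", b"octet"),
    "command_log": build_request(WRQ, b"MONITOR:command.log", b"octet"),
    "odd_mode": build_request(RRQ, b"backup.bin", b"notamode"),
}

if __name__ == "__main__":
    for label, packet in SAMPLES.items():
        print(label, inspect_tftp_request(packet))
```

Because TFTP has no authentication, an alert on the MONITOR files is only useful when paired with a list of hosts that are expected to talk TFTP to the D20 at all.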

Koyo / DirectLOGIC ECOM

koyo_login - Koyo DirectLogic PLC Password Brute Force

This Metasploit module will brute-force a Koyo password. It is likely that this will work against other devices from Automation Direct which support the DirectNet (aka HAP) protocol. Currently (14 Feb 2012) this module operates more slowly than we'd like; expect a new version soon that will greatly speed up password cracking.

With the recovered password an attacker can download ladder logic to learn about the project, modify the ladder logic to affect the availability or integrity of the process, and upload rogue ladder logic.

Rockwell Automation ControlLogix

multi_cip_command - Allen-Bradley/Rockwell Automation EtherNet/IP CIP Commands

This Metasploit module has four possible payloads. The first two payloads highlight the EtherNet/IP protocol “insecure by design” issue.

  • Stop CPU – just like it sounds, this will take the ControlLogix out of service
  • Reboot Ethernet Controller – a temporary outage of the ControlLogix Ethernet interface

There are many more request commands in the EtherNet/IP protocol that cause availability and integrity issues with the ControlLogix PLC. None of these commands are authenticated. This problem and attack will be effective on any EtherNet/IP device including other systems manufactured by Rockwell Automation, Schneider, Wago, and others.

The ODVA is responsible for the EtherNet/IP protocol and shows 300 vendors using the protocol. Unbelievably the ODVA has not even begun an effort to add basic security to the protocol. Vendors may need to look at tunnels or wrappers until ODVA starts taking integrity and availability seriously.
Not all of the payloads will work for all devices, but approximately 300 vendors will be affected.

The two other payloads are due to protocol stack errors in the ControlLogix. This will also affect any other equipment that uses the same protocol stack.

  • Crash the PLC CPU
  • Crash the Ethernet Controller

Schneider Electric Modicon Quantum

modicon_command – Schneider Modicon Remote Start/Stop Command

The Schneider Modicon with Unity series of PLCs uses Modbus function code 90 (0x5a) to perform administrative commands without authentication.

This module allows a remote user to change the state of the PLC between STOP and RUN. STOP will stop the CPU and will stop the PLC from monitoring and controlling the process. The CPU can be restarted with the RUN command.

modicon_password_recovery - Schneider Modicon Quantum Password Recovery

This Metasploit module retrieves the user-definable login names and passwords to a Schneider Modicon Quantum PLC and stores them in the Metasploit database. It uses a hard coded backdoor account to retrieve the account information via FTP (see ‘Backdoors’ below for a list of possible account names and passwords). Most account information is stored in plaintext.

Two types of credentials are currently retrieved by the modiconpass module: one is a username and password for the Modicon webserver login, and a second is just a password, which allows control operations to be performed via the web interface (called the ‘Write password’).

There is also a user-definable FTP account that is protected by the easily cracked VxWorks loginDefaultEncrypt() hashing function. Recovering this account is a future upgrade for this Metasploit module.

modicon_stux_transfer - Schneider Modicon Ladder Logic Upload/Download

The Schneider Modicon with Unity series of PLCs uses Modbus function code 90 (0x5a) to send and receive ladder logic. The protocol is unauthenticated, and allows a rogue host to retrieve the existing logic and to upload new logic.

Two modes are supported: “SEND” and “RECV,” which behave as one might expect — use ‘set mode ACTIONAME’ to use either mode of operation.

In either mode, FILENAME must be set to a valid path to an existing file (for SENDing) or a new file (for RECVing), and the directory must already exist. The default, ‘modicon_ladder.apx’, is a blank ladder logic file which can be used for testing. It will overwrite existing ladder logic on the PLC.

This is the same PLC attack methodology as Stuxnet, hence stux in the module name. An attacker would need to gain access to PLC ladder logic, which is possible with the RECV mode in this module. The attacker would then determine how they want to change the process and code the corresponding ladder logic. Then the attacker would upload his rogue ladder logic using the SEND mode in this module.
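Since both modicon_command and modicon_stux_transfer rely on unauthenticated Modbus function code 90 (0x5a), a network monitor can flag that function code whenever it comes from a host other than the engineering workstation. The following is an added detection sketch, not code from Project Basecamp or Metasploit; the allowlisted address, the function names and the sample traffic are assumptions constructed for illustration.

```python
import struct

UNITY_FC = 0x5A                    # function code 90, per the module descriptions
MBAP_LEN = 7                       # transaction id, protocol id, length, unit id
# Assumed site policy: only the engineering workstation may send function code 90.
ALLOWED_SOURCES = {"10.0.5.20"}    # placeholder address


def parse_adus(stream: bytes):
    """Yield (transaction_id, unit_id, function_code, data) for each complete ADU."""
    offset = 0
    while offset + MBAP_LEN + 1 <= len(stream):
        tid, proto, length, unit = struct.unpack_from("!HHHB", stream, offset)
        # The length field counts the unit id plus the PDU; protocol id is 0.
        if proto != 0 or length < 2:
            return                 # not Modbus/TCP or framing lost: stop, do not guess
        end = offset + 6 + length
        if end > len(stream):
            return                 # partial ADU, wait for more bytes
        pdu = stream[offset + MBAP_LEN:end]
        yield tid, unit, pdu[0], pdu[1:]
        offset = end


def flag_unity_requests(src_ip: str, stream: bytes) -> list:
    """Return one alert per function code 90 request from a non-allowlisted host."""
    alerts = []
    for tid, unit, fc, data in parse_adus(stream):
        if fc == UNITY_FC and src_ip not in ALLOWED_SOURCES:
            alerts.append({"src": src_ip, "transaction": tid,
                           "unit": unit, "payload_len": len(data)})
    return alerts


def adu(tid: int, unit: int, pdu: bytes) -> bytes:
    """Frame a PDU as a Modbus/TCP ADU (used only to build constructed samples)."""
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed client-to-PLC stream: a Read Holding Registers request followed by
# a function code 90 request whose two payload bytes are meaningless placeholders.
SAMPLE = adu(1, 1, bytes([0x03, 0, 0, 0, 10])) + adu(2, 1, bytes([UNITY_FC, 0, 0]))

if __name__ == "__main__":
    print(flag_unity_requests("10.0.5.99", SAMPLE))
```

Feed it the reassembled client-to-server bytes of each TCP port 502 connection; the same source check works as a blocking rule on an industrial firewall that can filter by Modbus function code.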