The Schneider Electric Modicon Quantum is a versatile PLC used in a wide variety of sectors including manufacturing, water/wastewater, oil and gas, chemical and more. It has a modular architecture so the size and cost can vary a great deal. The very basic Quantum pictured at the left cost $11,000 including the Unity software.
The Modicon Quantum Ethernet card is an embedded system running vxWorks 5.4 on a PowerPC processor (MPC870). The PLCs CPU module sports an x86 processor (the device tested in Basecamp had a 80486). Reid Wightman was the lead Project Basecamp researcher on this PLC, and he also developed the Metasploit Modules.
Metasploit Modules
modicon_command – Schneider Modicon Remote Start/Stop Command
The Schneider Modicon with Unity series of PLCs use Modbus function code 90 (0x5a) to perform administrative commands without authentication.
This module allows a remote user to change the state of the PLC between STOP and RUN. STOP will stop the CPU and will stop the PLC from monitoring and controlling the process. The CPU can be restarted with the RUN command.
modicon_password_recovery - Schneider Modicon Quantum Password Recovery
This Metasploit module retrieves the user-definable login names and passwords to a Schneider Modicon Quantum PLC and stores them in the Metasploit database. It uses a hard coded backdoor account to retrieve the account information via FTP (see ‘Backdoors’ below for a list of possible account names and passwords). Most account information is stored in plaintext.
Three types of credentials are currently retrieved by the modicon_password_recovery module: one is a username and password for the Modicon webserver login, and a second is just a password, which allows control operations to be performed via the web interface (called the ‘Write password’).
The third is a user-definable ftp account, the password of which is protected by the easily-cracked vxWorks loginDefaultEncrypt() hashing function. Recovering this password can be accomplished with the Metasploit framework’s vxworks password cracking tools. Note that the tool may give a ‘plaintext’ version of the password with non-ASCII characters. This is fine — these passwords may be used to log in to the device (although they won’t be typeable on a keyboard and will have to be used programmatically).
modicon_stux_transfer - Schneider Modicon Ladder Logic Upload/Download
The Schneider Modicon with Unity series of PLCs use Modbus function code 90 (0x5a) to send and receive ladder logic. The protocol is unauthenticated, and allows a rogue host to retrieve the existing logic and to upload new logic.
Two modes are supported: “SEND” and “RECV,” which behave as one might expect — use ‘set mode ACTIONAME’ to use either mode of operation.
In either mode, FILENAME must be set to a valid path to an existing file (for SENDing) or a new file (for RECVing), and the directory must already exist. The default, ‘modicon_ladder.apx’ is a blank ladder logic file which can be used for testing. It will overwrite existing ladder logic on the PLC.
This is the same PLC attack methodology as Stuxnet, hence stux in the module name. An attacker would need to gain access to PLC ladder logic, which is possible with the RECV mode in this module. The attacker would then determine how they want to change the process and code the corresponding ladder logic. Then the attacker would upload his rogue ladder logic using the SEND mode in this module.
Ports and Services
The device has a large number of open services by default.
| Port | State | Service |
| 21/tcp | open | ftp |
| 23/tcp | open | telnet |
| 80/tcp | open | http |
| 111/tcp | open | rpcbind |
| 502/tcp | open | asa-appl-proto / modbus |
| 67/udp | open|filtered | dhcps |
| 69/udp | open|filtered | tftp |
| 111/udp | open|filtered | rpcbind |
| 161/udp | open|filtered | snmp |
| 17185/udp | open|filtered | wdbrpc |
Fingerprinting
The Quantum series may be found on search engines such as Shodan and ERIPP using the Server: identifier “Schneider-WEB”.
Backdoors
The Quantum also contains a large number of backdoor accounts. For example following accounts may be used to log in to the Ethernet card via telnet and ftp:
ftpuser/password
qbf77101/hexakisoctahedron
When demonstrating the modicon_password_recovery metasploit module, it may be necessary to try several of these accounts. The exact backdoor account names and passwords vary between the different Ethernet module order numbers.
Protocol Fuzz Testing Results
The built-in webserver and ftp server have buffer overflow bugs. These vulnerabilities vary by device line, and may not affect all Modicon controllers. A recent report indicates that the M340 line does not crash under the conditions below (thanks to Arthur Gervais at Hatforce).
The Quantum is vulnerable to a simple denial of service (DoS) attack by sending a ‘GET’ request with a long filename to the webserver. This vulnerability is easily demonstrated using the BED (the Bruteforce Exploit Detector).
The built-in FTP server has a buffer overflow bug, which can also be found using BED.
Both the webserver and ftp server bugs crash the Ethernet device. These vulnerabilities may be further exploitable to allow remote code execution.
