The WAGO 870 series is really an embedded computer with PLC features.
It runs Linux kernel 2.4.31 with Real Time Linux additions and BusyBox as the OS, and comes complete with a DVI port, USB ports, and expansion ports to add IO modules. It also has two Ethernet adapters, allowing it to act as a data aggregator/control bridge between a PLC network and a historian/HMI. The device has only two built-in I/O points with a total of two digital inputs and two digital outputs. More I/O may be added with expansion modules.
Ports and Services
The device runs what appears to be a standard Linux OS, making it difficult to differentiate from other Linux systems (besides, of course, the odd tcp/1200 and 502 open ports).
The device has three documented backdoor accounts.
The ‘guest’ and ‘user’ accounts may be used to log in via ftp and telnet. The ‘root’ account cannot be used to log in directly to the device. The user or guest account is needed to log in, and then ‘su’ may be run to get root privileges.
The ‘user’ account is also a default account via the webserver. The account password may be changed on the webserver, but the change does not affect the system accounts for ftp/telnet access. None of the backdoor ftp/telnet accounts can have their passwords changed by default. The root filesystem ‘/’ is mounted read-only, and the /etc/shadow file must be written in order to change the passwords. Attempts to change the password with the BusyBox ‘passwd’ utility will result in a generic error. Digital Bond has not attempted to remount the filesystem read+write due to fear of damaging the flash filesystem. This step will be taken once a repair method has been established.
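Because the ftp/telnet account passwords cannot be changed by default, an asset owner mainly needs to know which of their own hosts match this profile and still expose those login services. The following is an added example, not code from the original page or from Digital Bond: it reads existing scan results in nmap grepable (-oG) format and flags hosts with both tcp/1200 and 502 open. The sample scan data, the addresses and the assumption that ftp and telnet listen on their standard ports (21 and 23) are constructed for illustration.

```python
import re

# Port pair the page calls out as the distinguishing mark of this controller.
SIGNATURE_PORTS = {1200, 502}
# Assumption: ftp and telnet listen on their standard ports.
LOGIN_PORTS = {21: "ftp", 23: "telnet"}

# Constructed sample in nmap grepable (-oG) format; addresses are documentation ranges.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample)
Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 502/open/tcp//mbap///, 1200/open/tcp//scol///
Host: 192.0.2.20 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 192.0.2.30 ()\tPorts: 23/closed/tcp//telnet///, 502/open/tcp//mbap///, 1200/open/tcp//scol///
Host: 192.0.2.40 ()\tPorts: 21/open/tcp//ftp///, 502/open/tcp//mbap///
"""


def open_tcp_ports(ports_field):
    """Return the set of open TCP port numbers from one 'Ports:' field."""
    found = set()
    for entry in ports_field.split(","):
        parts = entry.strip().split("/")
        # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
        if len(parts) >= 3 and parts[0].isdigit() and parts[1] == "open" and parts[2] == "tcp":
            found.add(int(parts[0]))
    return found


def flag_candidates(grepable_text):
    """List hosts exposing both signature ports, with any reachable login services."""
    results = []
    for line in grepable_text.splitlines():
        m = re.match(r"Host: (\S+).*?\tPorts: ([^\t]*)", line)
        if not m:
            continue  # comment lines and 'Status:' lines carry no port data
        ports = open_tcp_ports(m.group(2))
        if SIGNATURE_PORTS <= ports:
            logins = sorted(name for port, name in LOGIN_PORTS.items() if port in ports)
            results.append({"host": m.group(1), "login_services": logins})
    return results


if __name__ == "__main__":
    for hit in flag_candidates(SAMPLE_SCAN):
        exposed = ", ".join(hit["login_services"]) or "none"
        print(f"{hit['host']}: matches port profile; login services reachable: {exposed}")
```

A host that matches the port profile but shows no reachable ftp or telnet (192.0.2.30 in the sample) is still listed, so it can be confirmed as filtered rather than overlooked.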
Ladder logic on the PLC is executed by 3S-Software’s CoDeSys engine.
Protocol Fuzzing Test Results
The embedded webserver was found to have no obvious vulnerabilities. The web application has not been thoroughly tested, although it has a previously disclosed cross-site request forgery vulnerability from DSecRG. Other services will not be fuzz-tested until a firmware repair method is tested on the controller.