WAGO IPC 758/870

The WAGO 870 series is really an embedded computer with PLC features.

It runs Linux kernel 2.4.31 with Real Time Linux additions and BusyBox as the OS, and comes complete with a DVI port, USB ports, and expansion ports to add IO modules.  It also has two Ethernet adapters, allowing it to act as a data aggregator/control bridge between a PLC network and a historian/HMI.  The device has only two built-in I/O points with a total of two digital inputs and two digital outputs.  More I/O may be added with expansion modules.

Ports and Services

Port State Service
21/tcp open ftp
23/tcp open telnet
80/tcp open http
502/tcp open modbus
502/udp open modbus
1024/udp open codesys/rtlplc_server
1200/tcp open codesys/rtlplc_server

Fingerprinting

The device runs what appears to be a standard Linux OS, making it difficult to differentiate from other Linux systems (apart, of course, from the unusual open ports tcp/1200 and 502).

Backdoors

The device has three documented backdoor accounts.

guest/guest

user/user00

root/ko2003wa

The ‘guest’ and ‘user’ accounts may be used to log in via ftp and telnet.  The ‘root’ account cannot be used to log in directly to the device.  The user or guest account is needed to log in, and then ‘su’ may be run to get root privileges.

The ‘user’ account is also a default account on the webserver.  Its password may be changed on the webserver, but the change does not affect the system accounts used for ftp/telnet access.  None of the backdoor ftp/telnet accounts can have their passwords changed by default: the root filesystem ‘/’ is mounted read-only, and the /etc/shadow file must be written in order to change the passwords.  Attempts to change a password with the BusyBox ‘passwd’ utility result in a generic error.  Digital Bond has not attempted to remount the filesystem read+write due to fear of damaging the flash filesystem.  This step will be taken once a repair method has been established.
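
Because the fixed ftp/telnet accounts cannot be changed on the device, an asset owner may want to know which hosts on their own network match the port profile in the table above and still expose ftp or telnet. The following is an added example, not part of the original write-up: it reads nmap grepable (-oG) output from a scan the owner has already run. The sample scan text, the addresses and the function names are constructed for illustration.

```python
import re

# Port profile taken from the "Ports and Services" table on this page.
SIGNATURE_TCP = {502, 1200}   # Modbus/TCP and the CoDeSys runtime
REMOTE_LOGIN_TCP = {21, 23}   # ftp and telnet, which accept the fixed accounts

# Constructed sample in nmap grepable (-oG) format; addresses are TEST-NET-1.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 502/open/tcp//modbus///, 1200/open/tcp//unknown///
Host: 192.0.2.20 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 192.0.2.30 ()\tPorts: 23/filtered/tcp//telnet///, 502/open/tcp//modbus///, 1200/open/tcp//unknown///
Host: 192.0.2.40 ()\tPorts: 80/open/tcp//http///, 502/open/tcp//modbus///
"""

def open_tcp_ports(scan_text):
    """Return {host: set of open TCP ports} parsed from -oG output."""
    hosts = {}
    for line in scan_text.splitlines():
        match = re.match(r"Host: (\S+) .*?\tPorts: ([^\t]*)", line)
        if not match:
            continue  # comment lines and "Status:" lines carry no port list
        ports = hosts.setdefault(match.group(1), set())
        for entry in match.group(2).split(","):
            fields = entry.strip().split("/")
            # Entry layout: port/state/protocol/owner/service/rpc/version/
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                ports.add(int(fields[0]))
    return hosts

def review_list(scan_text):
    """Hosts matching the page's port profile, with exposed login services."""
    findings = {}
    for host, ports in open_tcp_ports(scan_text).items():
        if SIGNATURE_TCP <= ports:  # both tcp/502 and tcp/1200 are open
            findings[host] = sorted(ports & REMOTE_LOGIN_TCP)
    return findings

if __name__ == "__main__":
    for host, login_ports in review_list(SAMPLE_SCAN).items():
        exposure = login_ports or "none"
        print(f"{host}: candidate controller, open ftp/telnet ports: {exposure}")
```

A host with tcp/502 alone is not flagged, since Modbus/TCP is common to many controllers; the match requires tcp/1200 as well.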

Ladder Logic

Ladder logic on the PLC is executed by 3S-Software’s CoDeSys engine.

Protocol Fuzzing Test Results

The embedded webserver was found to have no obvious vulnerabilities.  The web application has not been thoroughly tested, although it has a previously disclosed cross-site request forgery vulnerability from DSecRG.  Other services will not be fuzz-tested until a firmware repair method is tested on the controller.