Why WAGO in Project Basecamp? Answer: 3S CoDeSys

Yaridake Summit

On Friday I wrote on why the Stuxnet-type exploit module for the Modicon Quantum was important to show just how easy it is to upload rogue ladder logic. The other big news from Reid’s presentation, you can see the slides below, was the introduction of the WAGO IPC 758-870 below.

The WAGO product exploits are not as interesting as the more widely deployed GE, Rockwell, Schneider, and SEL products in Basecamp. But we didn’t select the WAGO product to provide a demonstration capability only for WAGO users. We selected WAGO because it has the CoDeSys ladder logic runtime from 3S. 3S says “Over 250 renowned device manufacturers from different industrial sectors program their automation devices with CoDeSys.” Many of the insecure by design issues in WAGO PLC are also in a large number of other vendor products, although a small number of vendors have build security on top of the 3S runtime.

The 3S ladder logic runtime suffers from the Stuxnet-type vulnerability of unauthenticated ladder logic upload. The engineer writes the ladder logic in a 3S provided development environment that you can think of as Visual Studio for the 3S runtime; compiles the ladder logic into a binary file; then uploads the compiled binary onto the PLC — WAGO or other 3S model. There is a checksum, but there is no authentication. Reid referred to this as potentially the “world’s longest NOP sled”.

Even more interesting is the WAGO PLC , and many other PLCs with the 3S runtime, runs on Linux. This means that an attacker can load Metasploit payloads onto the PLC. Less work for an attacker. You will be able to see and demonstrate this shortly when the Metasploit module is available. It will be the first Project Basecamp module that will be able to use the Metasploit payloads. The other PLCs in Project Basecamp had VxWorks, QNX and other OS not supported by Metasploit.

For those new to Metasploit, a device is exploited or compromised first. Project Basecamp has been developing modules that demonstrate how easy it is to exploit the PLC’s. Then after an exploit, the Metasploit framework will load a payload that lets you control the device after exploit. Some of the more popular payloads are the command shell, reverse VNC for demos, and Meterpreter. There are even payloads that let the Metasploit user pivot off of the compromised system to attack other systems. An attacker could compromise the PLC, and then use the PLC to attack other systems in the SCADA or DCS zone.

The good news is that 3S can fix this and the other insecure by design security issues and those fixes will flow down to a large number of vendor PLCs.

Note – click on the full screen icon to see the screen shots better.

On Wednesday I’ll put up Part 3 – The Future of Project Basecamp.

Leave a Reply