Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Bypassing Rockwell Automation Logix Controllers’ Local Chassis Security Protection
Sharon Brizinov - Team82Posted 1 Year Ago- ControlLogix 1756 is a series of programmable automation controllers from Rockwell for highly scalable industrial automation. This device is a chassis component that servers as the enclosure for lots of connections. It communicates using the Common Industrial Protocol (CIP).
- When an operator at an engineering workstation wants to communicate with the PLC, they will be routed over the CIP protocol with the CPU card connected to the same chassis network card. The chassis has a security feature called trusted slot that is designed to prevent untrusted network cards from being added into the network plane. The idea is that an untrusted network card will be refused data.
- In CIP routing, a path is the route or sequence of devices to where a message travels. This route requires a source device to a destination device. For the chassis, each slot has a unique path structure. Once on the chassis, checks are made to ensure that the network card is trusted or it will just drop the packet.
- Since all slots are connected to the backplane and CIP supports path routing, a packet could be generated that would be routed through a trusted card FIRST, before reaching the CPU. By going between other trusted slots first THEN routing to the untrusted slot, the CPU thought it was a valid route.
- An interesting abuse of built in mechanics within a protocol! A super fun bug within an important security feature. I wish they had a path example in the code but that's okay.
