Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

ModiPwn- 563

Gal Kaufmann & Ben Seri - Armis (posted 4 years ago)
  • This article dives into the Schneider Electric Modicon Programmable Logic Controller (PLC).
  • Modbus is the standard for controlling PLCs in SCADA systems. Modbus was designed in 1979, before anyone cared much about security. The most widely used version runs over IP (the Modbus/TCP standard). Modicon chose to extend its Modbus implementation with UMAS, carried under a reserved Modbus function code.
  • UMAS builds on the Modbus protocol but adds functionality that modern use demands: binary data transfer, authentication, firmware updates and several other things. Several UMAS commands must be issued as a proper sequence of commands, and this is enforced through a reservation.
  • The reservation mechanism was created to synchronize modifications of the PLC's program; it is a form of global lock over the entire system. Once a station holds the reservation, a one-byte token is used to authorize further modifications; the token is required only for operations that modify the PLC.
  • The reservation had an issue though: its challenge-response used a secret hardcoded in the engineering software. As a result, enhanced reservation was created. The new version authenticates with a challenge-response based on a dynamically set password. Wow, that's a lot of background!
  • The first vulnerability is an authentication bypass. From reversing the firmware, they found a plethora of undocumented commands. One of these commands allows reading any address in physical memory with no auth. As a result, the hash of the application password can be stolen. The same command can even crash the device via reads from bad addresses.
  • The authors of the article decided to understand the flow of the auth process. When an incorrect password was typed, the software rejected the password without generating any traffic to the PLC. But how is this possible?
  • Prior to the reservation, a call is made to read the password hash from memory! That hash is then validated locally against the entered password. This is an obvious flaw in the authentication flow: an attacker can brute-force the hash offline. So, this attack was successful TWICE.
  • The command WritePhysicalAddress allows for writing to any physical memory. Using this, they could get code execution by altering many different places in memory.
  • The command PrivateMessage allows calling internal functions on the PLC by accessing C++ objects. This can be exploited by writing a crafted object somewhere in memory with the BlockWrite command. Then, referencing that object makes it easy to control the program counter and pop a shell.
  • This article has nice pictures of what the Modbus and UMAS protocols look like and great documentation of the exploitation. The bugs here were unique and worth the read. Great research!
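The core design flaw in the auth flow summarised above is that the device hands out its stored password hash to anyone who asks and never verifies the password itself; the client does the comparison. The following Python is an added example, not code from the page or from the Armis research: it models that flawed flow next to a device-side challenge-response design where the PLC keeps the secret, issues a single-use nonce, and is the only party that decides whether authentication succeeded. All class and function names (FlawedPlc, HardenedPlc, replay_is_rejected, etc.), the password, and the hashing choices are constructed for the demo and are not the real UMAS mechanism.

```python
"""Added example (not from the original page or the Armis research):
client-side password validation versus device-side challenge-response."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # constructed choice for the demo


class FlawedPlc:
    """Models the flawed flow: an unauthenticated read hands out the stored
    password hash, and the device never validates the password itself."""

    def __init__(self, password: str):
        # Constructed: unsalted hash sitting in device memory.
        self.password_hash = hashlib.sha256(password.encode()).digest()
        self.auth_checks = 0  # the device never increments this

    def read_memory(self, what: str) -> bytes:
        # No authentication required for reads (the flaw).
        if what == "password_hash":
            return self.password_hash
        raise KeyError(what)


def flawed_client_login(plc: FlawedPlc, password: str) -> bool:
    """Engineering-software side: fetch the hash and compare locally.
    A wrong password is rejected with no further PLC traffic, which is
    exactly the symptom the summary describes."""
    stored = plc.read_memory("password_hash")
    return hmac.compare_digest(hashlib.sha256(password.encode()).digest(), stored)


class HardenedPlc:
    """The device keeps the derived key, issues a fresh single-use challenge,
    and performs the verification itself."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)  # public; a salt is not a secret
        self._key = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self._pending = set()  # outstanding nonces, each usable once
        self.auth_checks = 0

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(32)
        self._pending.add(nonce)
        return nonce

    def authenticate(self, nonce: bytes, response: bytes) -> bool:
        self.auth_checks += 1
        if nonce not in self._pending:
            return False  # unknown or already-consumed challenge (replay)
        self._pending.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def read_memory(self, what: str) -> bytes:
        # Credential material is never readable over the wire.
        raise PermissionError("no unauthenticated memory reads")


def hardened_client_response(plc: HardenedPlc, password: str, nonce: bytes) -> bytes:
    """Client proves knowledge of the password without sending it or its hash."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), plc.salt, PBKDF2_ROUNDS)
    return hmac.new(key, nonce, hashlib.sha256).digest()


def hardened_client_login(plc: HardenedPlc, password: str) -> bool:
    nonce = plc.challenge()
    return plc.authenticate(nonce, hardened_client_response(plc, password, nonce))


def replay_is_rejected(plc: HardenedPlc, password: str) -> bool:
    """A captured valid (nonce, response) pair must not work a second time."""
    nonce = plc.challenge()
    response = hardened_client_response(plc, password, nonce)
    first = plc.authenticate(nonce, response)
    second = plc.authenticate(nonce, response)
    return first and not second


if __name__ == "__main__":
    pw = "constructed-demo-password"
    flawed = FlawedPlc(pw)
    print("flawed: correct ->", flawed_client_login(flawed, pw),
          "| wrong ->", flawed_client_login(flawed, "nope"),
          "| device-side checks performed:", flawed.auth_checks)
    hard = HardenedPlc(pw)
    print("hardened: correct ->", hardened_client_login(hard, pw),
          "| wrong ->", hardened_client_login(hard, "nope"),
          "| replay rejected ->", replay_is_rejected(hard, pw))
```

The telling number is `auth_checks` on the flawed device: it stays at zero no matter how many logins happen, because the device is never asked to verify anything. On the hardened side every login, and every replay attempt, is a decision the PLC makes against a nonce it generated, so a sniffed exchange is worthless and the hash never leaves the device.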