Reid Wightman provided one last set of Project Basecamp tools before leaving for ioActive. This latest release is two tools for PLCs running the CoDeSys ladder logic runtime, which is used by 261 vendors.
- codesys-shell.py: just like it sounds, you get the CoDeSys command shell without authentication. Type ? and see all your options from this shell.
- codesys-transfer.py: read or write files to the PLC without authentication
Take a look at the CoDeSys Project Basecamp page for the details and to download the utilities.
This was actually a fascinating set of failure stories and one success story. The ladder logic runtime runs natively on the OS, typically under a high-privilege account. So this actually goes beyond the other Project Basecamp insecure-by-design issues. You can download a cron job to a *nix version or a file to the registry hive for Windows. It is much easier to turn the PLC running CoDeSys into a system to attack other devices on the ICS — in addition to affecting the process the PLC monitors and controls.
The CoDeSys ladder logic runtime works on a variety of operating systems. The main Wago product we used in our lab runs Linux on x86, so we were curious whether the tools would work with other operating systems. So far the answer appears to be yes, but we have only tested a handful of the 261 vendors' products. For example, the tools worked with Windows CE running on ARM. As you test the tools, please send any results to us. As we get lists of devices affected and not affected, we will post them on a Project Basecamp page.
We have received some updated code from the vendor that did not fix the problem on our lab system, but it may work for your product. We are talking about 261 vendors with different operating systems and different versions of the runtime, so it will take a while to work out this insecure-by-design problem.
I mentioned at the beginning a success story. The tools do not work on at least one vendor's products; that vendor chooses to remain anonymous. The vendor has a security development lifecycle (SDL) that includes threat modeling. They identified the threat of uploading rogue ladder logic and other malicious files, saw that this was not addressed by the CoDeSys runtime, and added a "security envelope" around the runtime. So basically the user, or attacker, is required to authenticate before gaining access to the port the CoDeSys runtime listens on. This was all independent of Project Basecamp and part of their SDL. Well done, anonymous vendor.
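To make the "security envelope" idea concrete, here is an added example (not code from this post, and not the anonymous vendor's implementation) of a gateway that sits in front of an unauthenticated runtime shell: nothing is forwarded until the peer is on an allow list and has presented a credential, failed attempts are counted and locked out, and every decision is written to an audit trail. The token value, the allow-listed address and the `runtime_stub` backend are all constructed for the example.

```python
"""Minimal 'security envelope' gateway: authenticate first, then forward to the runtime."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed values for the example; a real deployment loads them from a secret store.
EXPECTED_TOKEN_DIGEST = hashlib.sha256(b"example-operator-token").digest()
ALLOWED_PEERS = {"10.0.5.20"}   # engineering workstation(s) permitted to reach the runtime
MAX_AUTH_FAILURES = 3


@dataclass
class Session:
    peer: str
    authenticated: bool = False
    failures: int = 0
    locked: bool = False
    audit: list = field(default_factory=list)


def runtime_stub(command: bytes) -> bytes:
    """Stand-in for the runtime command shell behind the envelope (assumption: it answers every line)."""
    return b"RUNTIME: " + command


def envelope_handle(session: Session, line: bytes, runtime=runtime_stub) -> bytes:
    """Process one client line; only authenticated, allow-listed peers ever reach the runtime."""
    if session.peer not in ALLOWED_PEERS:
        session.audit.append(f"refuse peer={session.peer}")
        return b"ERR not permitted\n"
    if session.locked:
        session.audit.append(f"locked peer={session.peer}")
        return b"ERR too many failures\n"
    if line.startswith(b"AUTH "):
        supplied = hashlib.sha256(line[5:].strip()).digest()
        # Constant-time comparison of digests, so timing does not leak the credential.
        if hmac.compare_digest(supplied, EXPECTED_TOKEN_DIGEST):
            session.authenticated = True
            session.failures = 0
            session.audit.append(f"auth-ok peer={session.peer}")
            return b"OK authenticated\n"
        session.failures += 1
        session.audit.append(f"auth-fail peer={session.peer} n={session.failures}")
        if session.failures >= MAX_AUTH_FAILURES:
            session.locked = True
        return b"ERR bad credential\n"
    if not session.authenticated:
        session.audit.append(f"deny-unauth peer={session.peer} cmd={line.strip()!r}")
        return b"ERR authentication required\n"
    session.audit.append(f"forward peer={session.peer} cmd={line.strip()!r}")
    return runtime(line)


def run_script(peer: str, lines):
    """Drive one session through a list of client lines; returns (responses, audit trail)."""
    session = Session(peer=peer)
    responses = [envelope_handle(session, line) for line in lines]
    return responses, session.audit


if __name__ == "__main__":
    # Constructed session: an unauthenticated '?' is refused, then auth succeeds and '?' is forwarded.
    for r in run_script("10.0.5.20", [b"?\n", b"AUTH example-operator-token\n", b"?\n"])[0]:
        print(r.decode().rstrip())
```

The point of the structure is that the runtime's own (absent) access control never has to be relied on: the envelope decides before a single byte of runtime protocol is parsed, and the audit list is what you would ship to a SIEM to spot unauthenticated probing of the runtime port.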
Final note – we will eventually convert these to Metasploit modules, but if anyone wants to volunteer to do that, let me know.
Image by blackwing_de