WAGO PFC 200 Series Authentication Bypass

04 Dec 2017 00:00:00 | Reported by T. Weber | Type: packetstorm | Source: packetstormsecurity.com

WAGO PFC 200 Series Authentication Bypass Vulnerability: Unauthorized access to critical function

SEC Consult Vulnerability Lab Security Advisory < 20171130-0 >  
=======================================================================  
title: Critical CODESYS vulnerabilities  
product: WAGO PFC 200 Series, see "Vulnerable / tested versions"  
vulnerable version: plclinux_rt 2.4.7.0, see "Vulnerable / tested versions"  
fixed version: PFC200 FW11  
CVE number: -  
impact: critical  
homepage: https://www.codesys.com  
found: 2017-07-28  
by: T. Weber (Office Vienna)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"The WAGO-I/O-SYSTEM is a flexible fieldbus-independent solution for  
decentralized automation tasks. With the relay, function and interface  
modules, as well as overvoltage protection, WAGO provides a suitable interface  
for any application."  
  
Source: http://global.wago.com/en/products/product-catalog/  
components-automation/overview/index.jsp  
  
"The PFC family of controllers offers advanced compact, computing power for PLC  
programming and process visualization. Programmable in accordance with IEC 61131-3  
600, PFC controllers feature a 600 MHz ARM Cortex A8 processor that offers high  
speed processing and support of 64 bit variables."  
  
Source:  
http://www.wago.us/products/components-for-automation/modular-io-system-series-750-753/programmable-fieldbus-controller/pfc200/index.jsp  
  
  
  
Business recommendation:  
------------------------  
Because the device is used in industrial and safety-critical environments, the patch has  
to be applied as soon as it is available. We explicitly point out to all users  
in this sector that devices of the mentioned series running firmware  
02.07.07(10) should not be connected directly to the internet (or even  
act as a gateway), since it is very likely that an attacker can compromise the  
whole network via such a device.  
  
SEC Consult recommends not to use this product in a production environment  
until a thorough security review has been performed by security professionals.  
  
  
Vulnerability overview/description:  
-----------------------------------  
The "plclinux_rt" service accepts different unauthenticated actions.  
  
This vulnerability stems from the architectural security problems described by  
Reid Wightman. The SDK of "plclinux_rt" is written by the same vendor (3S).  
Therefore, the file commands of "Digital Bond's 3S CODESYS Tools", created  
around 2012, are still applicable.  
(See https://ics-cert.us-cert.gov/advisories/ICSA-13-011-01)  
  
The CODESYS command-line is protected with login credentials, which is why the  
shell of the mentioned tools does not provide root access out of the box. After  
some investigation, however, it became clear that there are further functions  
which are reachable without using the command-line and without any authentication.  
  
These functions in "plclinux_rt" can be triggered by sending the correct  
TCP payload on the bound port (by default 2455).  
  
Some of the triggerable functions are:  
* Arbitrary file read/write/delete (also covered by "Digital Bond's Tools")  
* Step over a function in the currently executed PLC program  
* Cycle step any function in the currently executed PLC program  
* Delete the current variable list of the currently executed PLC program  
* And more functions...  
  
Since SSH is activated by default, an unauthenticated attacker can rewrite  
"/etc/shadow" and gain root privileges easily via these attack vectors!  
  
  
1) Critical Improper Authentication / Design Issue  
Files can be fetched, written and deleted. Running tasks on the PLC can be  
restarted, stepped and crashed.  
  
An attacker can therefore replace the password hash in the shadow file. A  
memory corruption (and potential reverse-shell) is also possible via arbitrary  
TCP packets.  
  
There are potentially more commands which can be triggered, but this was not  
covered by the short security crash test.  
  
  
Proof of concept:  
-----------------  
As there is no patch available yet, the detailed proof of concept information has  
been removed from this advisory.  
  
1) Critical Improper Authentication / Design Issue  
Two payloads are specified here as proof of concept for file manipulation.  
Four payloads for live program manipulation are also listed.  
  
File read and delete without any authentication.  
  
Read "/etc/shadow":  
echo '[PoC removed]' | xxd -r -p | nc <PLC-IP> <Port>  
  
Delete "/etc/test":  
echo '[PoC removed]' | xxd -r -p | nc <PLC-IP> <Port>  
  
Running PLC tasks can be modified with the following payloads:  
  
Step over function:  
echo '[PoC removed]' | xxd -r -p | nc <PLC-IP> <Port>  
  
Cycle step function:  
echo '[PoC removed]' | xxd -r -p | nc <PLC-IP> <Port>  
  
Delete variable list (produces stack-trace / denial of service):  
echo '[PoC removed]' | xxd -r -p | nc <PLC-IP> <Port>  
  
The actual function is chosen by the 7th byte in the latter payloads. E.g.:  
0x31 -> read file  
0x36 -> delete file  
0x0a -> step over  
0x24 -> cycle step  
0x15 -> delete variable list  
  
There are many more functions hidden in the "plclinux_rt" binary. This  
is just an excerpt of a few of the available functions.  
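The selector table above is enough to build a network-side detection for unauthenticated plclinux_rt traffic. The following is an added example, not part of the advisory or of any SEC Consult or WAGO tooling: it runs over constructed flow records, keeps only traffic to port 2455, maps the 7th payload byte to the function named in the advisory and flags sources outside an assumed engineering-workstation allowlist. The real CODESYS framing is not on this page, so every byte other than the selector is a placeholder.

```python
import binascii
from dataclasses import dataclass

# Function selector (7th byte of the payload) -> unauthenticated plclinux_rt
# action, as listed in the advisory. Any other selector on this port is still
# reported, since the advisory states that many more functions exist.
CODESYS_PORT = 2455
FUNCTION_BY_SELECTOR = {
    0x31: "read file",
    0x36: "delete file",
    0x0A: "step over",
    0x24: "cycle step",
    0x15: "delete variable list",
}

# Hosts permitted to reach the programming port (constructed placeholder).
ALLOWED_SOURCES = {"10.0.0.10"}

@dataclass
class Alert:
    src: str
    dst: str
    function: str
    allowed_source: bool

def classify_payload(payload):
    """Name the function selected by the 7th byte; None if the payload is too short."""
    if len(payload) < 7:
        return None
    return FUNCTION_BY_SELECTOR.get(payload[6], "unknown (0x%02x)" % payload[6])

def scan_records(records):
    """Records are '<src> <dst> <dport> <hex payload>' lines (constructed format)."""
    alerts = []
    for line in records:
        src, dst, dport, hexdata = line.split()
        if int(dport) != CODESYS_PORT:
            continue  # only the CODESYS programming port is of interest here
        function = classify_payload(binascii.unhexlify(hexdata))
        if function is None:
            continue
        alerts.append(Alert(src, dst, function, src in ALLOWED_SOURCES))
    return alerts

# Constructed sample flow records; only the 7th byte carries meaning.
SAMPLE_RECORDS = [
    "10.0.0.10 10.0.0.50 2455 000000000000310000",    # engineering host, read file
    "203.0.113.7 10.0.0.50 2455 000000000000360000",  # external host, delete file
    "203.0.113.7 10.0.0.50 2455 000000000000150000",  # external host, delete variable list
    "203.0.113.7 10.0.0.50 2455 000000000000ff",      # unlisted selector, still reported
    "203.0.113.7 10.0.0.50 2455 0000",                # too short, ignored
    "10.0.0.20 10.0.0.50 22 0000",                    # SSH, not the programming port
]
```

Any alert with allowed_source False is a candidate for the workaround in the advisory (close port 2455 or restrict network access), since these actions need no credentials.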
  
These functions can be examined starting from "SrvComputeService". Two pseudo code  
snippets generated by IDA Pro show some examples (the functionality can be  
quickly determined from the corresponding debug message):  
[PoC removed from this advisory]  
  
  
Vulnerable / tested versions:  
-----------------------------  
WAGO PFC200 Series / Firmware 02.07.07(10)  
(17 affected devices)  
750-8202  
750-8202/025-000  
750-8202/025-001  
750-8202/025-002  
750-8202/040-001  
750-8203  
750-8203/025-000  
750-8204  
750-8204/025-000  
750-8206  
750-8206/025-000  
750-8206/025-001  
750-8207  
750-8207/025-000  
750-8207/025-001  
750-8208  
750-8208/025-000  
  
The WAGO contact stated during a call that all PLCs of the 750-88X Series are not  
vulnerable due to a custom fix from WAGO. The contact also stated that the PLCs  
of the 750-810X (PFC100) series are also not vulnerable because they have  
CODESYS 3.5 deployed.  
  
Devices of any other vendor which use the CODESYS 2.3.X/2.4.X runtime are  
potentially prone to the same vulnerability.  
  
  
Vendor contact timeline:  
------------------------  
2017-08-02: Contacting vendor through [email protected] and setting the  
publication date to 2017-09-21.  
2017-08-09: Sending a reminder to [email protected]  
2017-08-16: Found a dedicated security contact of WAGO. Contacting  
this employee via e-mail.  
2017-08-17: Contact responds that he will read the redirected e-mail  
from [email protected]. Sending e-mail to contact that the  
message sent to [email protected] does not contain the actual  
advisory and that an encrypted channel should be used for  
transmission.  
2017-08-22: Sending reminder to contact and re-transmitting the  
responsible disclosure policy and all possible ways  
to transmit the advisory.  
2017-08-29: Uploading advisory to WAGO ShareFile.  
2017-09-15: Telephone call with WAGO contact. Discussion about the  
vulnerability. Fix will be available in the next firmware  
version. Vendor clarified that series 750-88X is not prone  
to the reported vulnerability. Set the publication date to  
2017-09-28.  
2017-09-26: Telephone call with vendor. Vendor is working on a fix of  
the vulnerabilities. Set the publication date to 2017-10-12.  
2017-10-06: Sending a reminder to the vendor; No answer.  
2017-10-11: Sending a reminder to the vendor. Vendor states that they  
are working on an update and a timeline for the fix will  
be provided on 2017-10-13.  
2017-10-13: Asked for an update; No answer.  
2017-10-17: Informing the vendor that the publication date was set to  
2017-10-23.  
2017-10-19: Vendor responds that vulnerability in PFC200 series will be  
patched in firmware version FW12. Set publication date to  
2017-10-27 and asked the vendor for a time-line regarding  
the PFC100 series.  
2017-10-20: Vendor responds that PFC100 series is not vulnerable since  
it does not contain CODESYS 2.4 run-time. Vendor corrected  
the firmware to version FW11. The patch will be available  
in January 2018.  
2017-10-30: Informed vendor that the advisory will be published on  
2017-11-30.  
2017-11-30: Advisory release  
  
  
Solution:  
---------  
Update your WAGO PFC200 Series to firmware version FW11 as soon as it is  
available. In the meantime, see the workaround section.  
  
  
Workaround:  
-----------  
Delete "plclinux_rt" or close the programming port (2455).  
Network access to the device should be restricted.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF T. Weber / @2017  
  
  
