Recognizing Modbus functions
Below we present a few strategies that, based on the response readings to modbus/tcp requests, makes it possible to identify the protocol functions that would be implemented in a PLC.
SCADA/ICS
[Siemens] OZW672: Undocumented user ("Back door"), with weak password (CVE-2017-6872)
Affected device (Tested): OZW672.06
OZW devices are used for the remote monitoring of building control equipment. For example, for monitoring heating or air conditioning systems.
[Siemens] Climatix, BACnet Communication Card, Multiples #XSS - (CVE-2020-7574 & CVE-2020-7575)
Climatix - BACnet Communication Card (by Siemens Building Technologies): this device is a module that allows communication via BACnet / IP.
[KMC Controls] Backdoor in "BACnet Building Controller" (CVE-2020-7233)
The KMC BACnet Building Controller BAC-A1616BC has a "backdoor" on the embedded web service.
[Siemens] SIMATIC S7-200; DOS via modbus injection ( CVE-2020-7584 )
In our laboratory we were able to identify and reproduce a vulnerability which enables the construction and delivery of Modbus protocol frames to...
[OMRON] "NS WEB Interface": Login Bypass (CVE-2018-6624)
Today we will be presenting a vulnerability classified as critical found in Omron NS 1.1 / 1.2 / 1.3 which allows remote attackers to bypass authentication via a direct request to the resource "/monitor.html"
[Schneider] Multiple (and known) vulnerabilities
We will be reviewing some known vulnerabilities present in various Schneider Electric devices.
[Schneider] TM241CE24R & TM251MESE: Login Bypass
Today we are showcasing a few interesting facts regarding the PLC, TM241CE24R (M241) and TM251MESE (M251).
[Schneider] PowerLogic PM5560: Cross Site Script via Cross Protocol Injections ( CVE-2018-7795 )
The PowerLogic PM5560 product has several embedded services for remote management, one of which is web. This service has some inputs vulnerable to JS...
