Exploit Dev # 13 : Trigger Invalid Float Faults in PLC – Vulnerability @ Hack-the-Box

Trigger Invalid Float Faults

In Exploit Development #13: Trigger Invalid Float Faults, we're tackling a significant vulnerability in the Allen-Bradley MicroLogix 1400 PLC. This time, our focus is on the ability to remotely trigger a fault state.

In PLC configuration, even minor errors can cause major problems. One such issue is the vulnerability associated with writing invalid float values to Allen-Bradley PLCs. Specifically, the bit pattern 0xffffffff, which represents NaN (Not a Number) in IEEE-754 single precision, can trigger faults within the PLC.

In this post, we’ll examine how these invalid values can disrupt PLC operations and explore ways to safeguard your systems against such vulnerabilities.

What is a Floating Point (FP) Data File?

Floating point files contain IEEE-754 floating point data elements. One floating point element is shown in Table 70. You can have up to 256 of these elements in each floating point file. Refer to the user manual for more details.

Float data register

Objective

We have three key objectives:

  • Identify the function and command codes, file numbers, and file types.
  • Create a malicious payload.
  • Write all bits of a float register to 1.

In this post, we will walk through remotely triggering a fault state in the PLC.

  • Vulnerability Analysis: Overview of PLC systems & vulnerability related to Unauthorized Access.
  • Exploit Development: Developing a Python script to exploit this vulnerability
  • Real-World Application: Showcasing the exploit on actual PLC hardware
  • Hack-the-Box PoC: Wrapping up with a Hack-the-Box style proof of concept.

In our PLC setup, we're dealing with the MicroLogix 1400 PLC. For context, you can check the other posts related to fault triggering in Exploit Development #6 and Exploit Development #12.

By the end of this post, you'll have a solid understanding of how to develop, test, and analyze a PLC exploit, enriched with practical insights and hands-on experience.

MicroLogix 1400 PLC: Device under test (DUT)

The MicroLogix 1400 PLC by Rockwell Automation’s Allen-Bradley is vital in many industries. Disruptions to its operation or configuration can lead to severe consequences, including halting critical processes and causing significant equipment damage.

Identified Vulnerability: Improper DATA handling

Float data file plc

This section describes a vulnerability in certain Allen-Bradley PLCs related to handling invalid float values. Here's a breakdown of the issue:

Vulnerability Overview

  • Affected Devices: Allen-Bradley PLCs
  • Required Key-switch State: REMOTE, PROG, or RUN
  • Fault Trigger: Invalid float value 0xffffffff

Description

  • Invalid Float Value: In the context of PLCs, 0xffffffff is considered an invalid value for the float data type. It represents a “Not a Number” (NaN) condition in floating-point operations.
  • Fault Triggering: Setting a float element to this invalid value will cause the PLC to trigger a fault when this value is used in operations. This fault disrupts normal operation and can lead to system instability or failure.
  • Tool Restriction: This issue cannot be resolved through the standard programming tool RSLogix, which means that the invalid value must be set through other means, such as direct file manipulation or specialized tools.

All an attacker needs to do is send the right packet. To show how it works, here are the fields of that packet:

CMD: 0x0F – PCCC command code

FNC: 0xAA – write operation

BYTE_SIZE: decides how many bytes of data are read or written

FILE TYPE & FILE NUMBER:

These decide which register is selected. Please refer to Phase 4: DPI.

File type | File number | File name
0x8A      | 0x08        | Data File – FLOAT

ELEMENT_NO:

  • 0x00: selects the float data file register

SUB_ELEMENT_NO:

  • 0x00: selects the base register given by the file number and file type.

For more information, refer to the user manual.

Confused? 🤔 Check Out These Phases for a Step-by-Step Guide!

Feeling a bit lost in the technical jungle? 🏞️ Don’t worry! If you find yourself tangled in the weeds of this phase, just take a detour and revisit our previous adventures:

  • Phase 1: Basic Network Discovery –> [Explore Phase 1]
  • Phase 2: MITM Attack and Protocol Packet Capturing –> [Explore Phase 2]
  • Phase 3: Packet Communication Protocol Analysis –> [Explore Phase 3]
  • Phase 4: Deep Packet Inspection (DPI) –> [Explore Phase 4]
  • Phase 5: Exploit Development –> [Explore Phase 5]

Exploit Development: Trigger Invalid Float Faults

Here’s a closer look at the Python script that powers our exploit. We’ll walk through its key components, so you know exactly what’s happening under the hood.

1. Create a register session packet: Register_Session()

Purpose: Registers a session with the PLC, much like signing up for a new club. This function sends a registration command and retrieves a session handle.

Reference: Dive into [Explore Phase 4 🔍] for a detailed walkthrough of session registration and its importance in setting up your attack vector.

2. Build an ENIP packet: Build_Ethernet_instruction()

Purpose: Crafts the Ethernet instruction payload for the PLC. Think of this as assembling the perfect care package for your PLC—everything it needs in one neat little box.

Reference: For a full breakdown of how to assemble these payloads, check out [Explore Phase 4 🔍]. It’s where we dissect and understand the intricacies of packet construction.

3. Create a function to send packets: send_instruction()

Purpose: Sends an instruction to the PLC and waits for a response. This is your direct line to the PLC, like making a call and eagerly waiting for the answer.

4. Main function routine: overview

  • Header Information:
    • The initial bytes \x04\x08\x8a\x00\x00 correspond to the fields described above: BYTE_SIZE (0x04), file number (0x08), file type (0x8A, float data file), ELEMENT_NO (0x00) and SUB_ELEMENT_NO (0x00). Together they select the float element in the PLC where the value will be written.
  • Float Value:
    • The bytes \xff\xff\xff\xff represent a NaN (Not a Number) value in IEEE 754 single-precision format: the exponent field is all ones and the mantissa is non-zero, so 0xffffffff is interpreted as NaN for float types.
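As an added defender-side example (this is not the post's exploit script, nor Rockwell code), the following Python splits a captured PCCC request into the fields described above and flags writes to the float data file whose payload decodes to NaN or Inf, which is the check a protocol-aware monitor or write validator would perform. It assumes the DF1/PCCC layout with STS and a 2-byte TNS between CMD and FNC, which the post does not spell out; the sample requests are constructed.

```python
import struct
from typing import Optional

# Field values taken from the post: CMD 0x0F, FNC 0xAA, file type 0x8A (float data file).
PCCC_CMD = 0x0F
FNC_PROTECTED_TYPED_WRITE = 0xAA
FILE_TYPE_FLOAT = 0x8A

def classify_float32(word: int) -> str:
    """Classify a 32-bit IEEE-754 bit pattern: exponent all ones means Inf (zero
    mantissa) or NaN (non-zero mantissa), which is why 0xffffffff is a NaN."""
    exponent = (word >> 23) & 0xFF
    mantissa = word & 0x7FFFFF
    if exponent == 0xFF:
        return "nan" if mantissa else "inf"
    return "finite"

def parse_pccc_write(pccc: bytes) -> Optional[dict]:
    """Split a PCCC protected typed write (CMD 0x0F / FNC 0xAA) into its fields.
    Assumption (not stated in the post): STS and a 2-byte TNS sit between CMD
    and FNC, as in the DF1/PCCC command layout."""
    if len(pccc) < 10 or pccc[0] != PCCC_CMD or pccc[4] != FNC_PROTECTED_TYPED_WRITE:
        return None
    byte_size, file_number, file_type, element, sub_element = pccc[5:10]
    data = pccc[10:10 + byte_size]
    if len(data) != byte_size:          # truncated request, do not trust it
        return None
    return {"file_number": file_number, "file_type": file_type,
            "element": element, "sub_element": sub_element, "data": data}

def invalid_float_writes(pccc: bytes) -> list:
    """Return one alert per float element whose written value is NaN or Inf."""
    req = parse_pccc_write(pccc)
    if req is None or req["file_type"] != FILE_TYPE_FLOAT:
        return []
    alerts = []
    data = req["data"]
    for i in range(0, len(data) - len(data) % 4, 4):
        word = struct.unpack("<I", data[i:i + 4])[0]   # PCCC data is little-endian
        kind = classify_float32(word)
        if kind != "finite":
            alerts.append(f"F{req['file_number']}:{req['element'] + i // 4} <- 0x{word:08x} ({kind})")
    return alerts

# Constructed samples: header 0f 00 01 00 aa, then the post's 04 08 8a 00 00, then data.
CONSTRUCTED_NAN_WRITE = bytes.fromhex("0f000100aa" "04088a0000" "ffffffff")
CONSTRUCTED_FINITE_WRITE = bytes.fromhex("0f000100aa" "04088a0000" "0000c03f")  # 1.5f
```

Running invalid_float_writes over the two samples yields an alert only for the NaN write; the same check applied before a value is committed to the float file would reject it outright.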

Python POC for Malicious Payloads: Trigger Invalid Float Faults

POC Demo: Hacking PLCs with Python

Ever wondered what happens when you combine Python with a PLC? It's not a new programming language but a gateway to some serious digital shenanigans!

As shown in the video, we are able to put the PLC into a fault state by writing NaN to a float register.

Conclusion

In this post, we examined the Trigger Invalid Float Faults vulnerability in the Allen-Bradley MicroLogix 1400 PLC. We covered how to trigger a fault state by directly modifying data files and setting invalid values.

Thank you for reading. Stay tuned for more insights and practical applications in PLC security.
