Exploit Dev # 12 : User Fault Routine Exploitation in PLCs – Vulnerability @ Hack-the-Box

User Fault Routine in PLC

In Exploit Development # 12: User Fault Routine Exploitation, we’re tackling a significant vulnerability in the Allen-Bradley MicroLogix 1400 PLC. This time, our focus is on the ability to remotely trigger a fault state.

In PLC configuration, even minor errors can cause major problems. A notable example is the vulnerability where setting invalid values—0x01 and 0x02—for the user fault routine in Allen-Bradley PLCs can trigger faults when the device is in the run state. This issue can’t be addressed through standard tools like RSLogix and requires direct file manipulation.

In this post, we’ll examine how these invalid values can disrupt PLC operations and explore ways to safeguard your systems against such vulnerabilities.

What is User Fault Routine?

The user fault routine gives you the option to help prevent a controller shutdown when a specific user fault occurs. The fault routine executes when any recoverable or nonrecoverable user fault occurs. The fault routine does execute for non-user faults. Refer here for more details.

Objective

We have three key objectives:

  • Identify the command and function codes, file numbers, and file types.
  • Change the CPU mode.
  • Create a malicious payload.

In this post, we will walk through remotely triggering a fault state in the PLC:

  • Vulnerability Analysis: Overview of the PLC and of the vulnerability, which stems from unauthorized access.
  • Exploit Development: Developing a Python script that exploits this vulnerability.
  • Real-World Application: Showcasing the exploit on actual PLC hardware.
  • Hack-the-Box PoC: Wrapping up with a Hack-the-Box style proof of concept.

In our PLC setup, we’re dealing with a MicroLogix 1400 PLC. For context, see the related write-up on NVRAM fault triggering in Exploit Development # 6.

MicroLogix 1400 PLC: Device under test (DUT)

The MicroLogix 1400 PLC by Rockwell Automation’s Allen-Bradley is vital in many industries. Disruptions to its operation or configuration can lead to severe consequences, including halting critical processes and causing significant equipment damage.

Identified Vulnerability: User Fault Routine

[Figures: User Fault Routine register; User Fault Routine triggered in MicroLogix 1400 PLC; major error halt; invalid user fault routine]

This vulnerability allows an attacker to set invalid values (0x01 and 0x02) for the user fault routine in the PLC configuration. Here’s a closer look at the details:

Impact: When the PLC is moved into a run state after setting these invalid values, a fault is triggered. This can disrupt operations and lead to potential downtime or system failures.

Invalid Values: The values 0x01 and 0x02 are not valid for the user fault routine in the PLC configuration. When these values are set, they cause the PLC to trigger a fault.

Direct File Modification: The vulnerability is exploited by directly writing these invalid values to the configuration file. This method bypasses normal software interfaces like RSLogix, which do not allow such changes.

All an attacker needs to do is send the right packet. Here is how the write request is laid out:

CMD: 0x0F – PCCC command code

FNC: 0xAA – write operation

BYTE_SIZE: the number of data bytes to be read or written

FILE TYPE & FILE NUMBER:

These two fields decide which register is selected. Please refer to Phase 4: DPI.

File type   File number   File name
0x84        0x02          Data File – STATUS

ELEMENT_NO:

  • 0x1D – selects the user fault routine element of the status file.

SUB_ELEMENT_NO:

  • 0x00 – selects the base register identified by the file number and file type.

For more information, refer to the user manual.
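To make the field breakdown above concrete from the defender's side, here is an added Python example (not the post's exploit script) that decodes a PCCC write request once the ENIP/CIP encapsulation has been stripped and flags a write of 0x01 or 0x02 to element 0x1D of the status file (file type 0x84, file number 0x02). The byte layout (CMD, STS, TNS, FNC, BYTE_SIZE, FILE_NUM, FILE_TYPE, ELEMENT, SUB_ELEMENT, DATA), the sample frames, and the non-matching file type and function code used in the samples are this example's own assumptions and constructed inputs.

```python
"""Detection helper: flag PCCC writes that set an invalid user fault routine
value in a MicroLogix 1400 status file.

Added example, not the post's exploit script. The byte layout assumed below is
CMD, STS, TNS (2 bytes, little-endian), FNC, BYTE_SIZE, FILE_NUM, FILE_TYPE,
ELEMENT, SUB_ELEMENT, DATA[BYTE_SIZE]; all sample frames are constructed.
"""
from dataclasses import dataclass

STATUS_FILE_TYPE = 0x84              # Data File - STATUS (from the post)
STATUS_FILE_NUMBER = 0x02            # status file number (from the post)
USER_FAULT_ROUTINE_ELEMENT = 0x1D    # user fault routine element (from the post)
INVALID_FAULT_ROUTINE_VALUES = {0x01, 0x02}  # values the post identifies as invalid


@dataclass
class PcccWrite:
    cmd: int
    sts: int
    tns: int
    fnc: int
    byte_size: int
    file_number: int
    file_type: int
    element: int
    sub_element: int
    data: bytes


def parse_pccc(frame: bytes) -> PcccWrite:
    """Decode the PCCC body of a request (ENIP/CIP headers already removed)."""
    if len(frame) < 10:
        raise ValueError("PCCC frame too short")
    cmd, sts = frame[0], frame[1]
    tns = int.from_bytes(frame[2:4], "little")
    fnc, byte_size = frame[4], frame[5]
    file_number, file_type = frame[6], frame[7]
    element, sub_element = frame[8], frame[9]
    data = frame[10:10 + byte_size]
    if len(data) != byte_size:
        raise ValueError("BYTE_SIZE exceeds the data actually present")
    return PcccWrite(cmd, sts, tns, fnc, byte_size, file_number, file_type,
                     element, sub_element, data)


def classify(frame: bytes) -> str:
    """Return 'alert', 'write-status', 'write', 'other' or 'malformed' for one frame."""
    try:
        w = parse_pccc(frame)
    except ValueError:
        return "malformed"
    if w.cmd != 0x0F or w.fnc != 0xAA:
        return "other"                      # not a PCCC protected typed write
    if w.file_type != STATUS_FILE_TYPE or w.file_number != STATUS_FILE_NUMBER:
        return "write"                      # write to some other data file
    if w.element == USER_FAULT_ROUTINE_ELEMENT and w.sub_element == 0x00:
        # Status-file words are 16-bit little-endian; read the low word.
        value = int.from_bytes(w.data[:2], "little") if w.byte_size >= 2 else w.data[0]
        if value in INVALID_FAULT_ROUTINE_VALUES:
            return "alert"
    return "write-status"


# Constructed sample frames (CMD STS TNSlo TNShi FNC SIZE FNUM FTYPE ELEM SUB DATA...).
SAMPLE_FRAMES = {
    "set_fault_routine_0x01": bytes([0x0F, 0x00, 0x01, 0x00, 0xAA, 0x02, 0x02, 0x84, 0x1D, 0x00, 0x01, 0x00]),
    "set_fault_routine_0x02": bytes([0x0F, 0x00, 0x02, 0x00, 0xAA, 0x02, 0x02, 0x84, 0x1D, 0x00, 0x02, 0x00]),
    "set_fault_routine_0x03": bytes([0x0F, 0x00, 0x03, 0x00, 0xAA, 0x02, 0x02, 0x84, 0x1D, 0x00, 0x03, 0x00]),
    "status_other_element":   bytes([0x0F, 0x00, 0x04, 0x00, 0xAA, 0x02, 0x02, 0x84, 0x05, 0x00, 0x01, 0x00]),
    "other_file_write":       bytes([0x0F, 0x00, 0x05, 0x00, 0xAA, 0x02, 0x07, 0x89, 0x00, 0x00, 0x01, 0x00]),
    "truncated":              bytes([0x0F, 0x00, 0x06, 0x00, 0xAA, 0x02, 0x02, 0x84, 0x1D, 0x00, 0x01]),
}


def scan(frames: dict) -> dict:
    """Classify every frame; returns {name: verdict}."""
    return {name: classify(frame) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FRAMES).items():
        print(f"{name:24s} {verdict}")
```

The classifier looks only at the PCCC body, so it can sit behind any ENIP/CIP decoder that hands it the embedded PCCC bytes; a write that reaches "alert" is exactly the request this post describes and is worth a high-priority event regardless of source, since RSLogix never emits it.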

Confused? 🤔 Check Out These Phases for a Step-by-Step Guide!

Feeling a bit lost in the technical jungle? 🏞️ Don’t worry! If you find yourself tangled in the weeds of this phase, just take a detour and revisit our previous adventures:

  • Phase 1: Basic Network Discovery –> [Explore Phase 1]
  • Phase 2: MITM Attack and Protocol Packet Capturing –> [Explore Phase 2]
  • Phase 3: Packet Communication Protocol Analysis –> [Explore Phase 3]
  • Phase 4: Deep Packet Inspection (DPI) –> [Explore Phase 4]
  • Phase 5: Exploit Development –> [Explore Phase 5]

Exploit Development: User Fault Routine Exploitation

Here’s a closer look at the Python script that powers our exploit. We’ll walk through its key components, so you know exactly what’s happening under the hood.

1. Create a register session packet: Register_Session()

Purpose: Registers a session with the PLC, much like signing up for a new club. This function sends a registration command and retrieves a session handle.

Details: Constructs and sends a registration request to the PLC, then processes the response to get the session handle. This handle is essential for subsequent communication.

Reference: Dive into [Explore Phase 4 🔍] for a detailed walkthrough of session registration and its importance in setting up your attack vector.

2. Build an ENIP packet: Build_Ethernet_instruction()

Purpose: Crafts the Ethernet instruction payload for the PLC. Think of this as assembling the perfect care package for your PLC—everything it needs in one neat little box.

Details: Builds a complete payload for sending instructions to the PLC, including encapsulation headers and PCCC command data. This function ensures the message is formatted correctly and includes all necessary information.

Reference: For a full breakdown of how to assemble these payloads, check out [Explore Phase 4 🔍]. It’s where we dissect and understand the intricacies of packet construction.

3. Create a function to send packets: send_instruction()

Purpose: Sends an instruction to the PLC and waits for a response. This is your direct line to the PLC, like making a call and eagerly waiting for the answer.

4. Main function routine: overview

  • Change CPU Mode:
    • The operation starts by sending a command that changes the PLC’s CPU mode from Remote RUN to Remote Program.
  • Set Fault Routine:
    • Next, a command is issued to set the fault routine of the PLC. This is achieved by sending a command with function code 0xAA. The data carried by this command configures the fault routine to a specific state or behavior; the fault routine dictates how the PLC handles errors or faults.
  • Set CPU State to “Run”:
    • Finally, the CPU state is set back to “Run” mode.
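From a monitoring standpoint, the three steps above form a recognisable sequence. The following added Python example (not the post's script) runs a per-source state machine over a constructed log of already-decoded PCCC requests: it raises a medium alert for any write of 0x01 or 0x02 to status element 0x1D, and a high alert when that write is bracketed by a mode change to Program and back to Run within a short window. The event labels, the 30-second window and the log lines are assumptions constructed for this example.

```python
"""Sequence detector for the program / invalid fault-routine write / run
pattern described in the post. Added example, not the post's script; it works
on decoded events (constructed here) rather than on raw packets."""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 30.0                        # assumption: the three steps arrive close together
INVALID_FAULT_ROUTINE_VALUES = {0x01, 0x02}  # from the post
USER_FAULT_ROUTINE_ELEMENT = 0x1D            # from the post

# Constructed event log: "timestamp source event" per line. The event labels
# (mode:program, mode:run, write:status:<element>:<value>) are this example's
# own convention for output of an upstream PCCC decoder.
EVENT_LOG = """\
1000.0 10.0.0.5 mode:program
1000.4 10.0.0.5 write:status:0x1D:0x01
1000.9 10.0.0.5 mode:run
1050.0 10.0.0.8 mode:program
1080.0 10.0.0.8 write:status:0x1D:0x03
1100.0 10.0.0.8 mode:run
1200.0 10.0.0.9 write:status:0x1D:0x02
"""


@dataclass
class Alert:
    source: str
    severity: str
    reason: str


def _fault_routine_value(event: str):
    """Return the written value if the event is a write to status element 0x1D."""
    parts = event.split(":")
    if len(parts) != 4 or parts[0] != "write" or parts[1] != "status":
        return None
    try:
        element, value = int(parts[2], 16), int(parts[3], 16)
    except ValueError:
        return None
    return value if element == USER_FAULT_ROUTINE_ELEMENT else None


def detect(log_text: str) -> list:
    """Run the per-source state machine and return alerts in log order."""
    state = defaultdict(lambda: {"program_at": None, "invalid_write_at": None})
    alerts = []
    for line in log_text.splitlines():
        ts_text, src, event = line.split()
        ts = float(ts_text)
        st = state[src]
        value = _fault_routine_value(event)
        if event == "mode:program":
            st["program_at"] = ts            # step 1: remote RUN -> Program
            st["invalid_write_at"] = None
        elif value is not None and value in INVALID_FAULT_ROUTINE_VALUES:
            # step 2: the write RSLogix would never produce; alert on its own
            alerts.append(Alert(src, "medium",
                                f"invalid user fault routine value 0x{value:02X}"))
            if st["program_at"] is not None and ts - st["program_at"] <= WINDOW_SECONDS:
                st["invalid_write_at"] = ts
        elif event == "mode:run":
            # step 3: only the full sequence inside the window is rated high
            if st["invalid_write_at"] is not None and ts - st["program_at"] <= WINDOW_SECONDS:
                alerts.append(Alert(src, "high",
                                    "program -> invalid fault routine write -> run sequence"))
            st["program_at"] = None
            st["invalid_write_at"] = None
    return alerts


if __name__ == "__main__":
    for a in detect(EVENT_LOG):
        print(f"{a.severity:6s} {a.source:10s} {a.reason}")
```

Source 10.0.0.8 performs a mode change, a write of 0x03 and another mode change, which is what an ordinary program download looks like, so it produces no alert; only the invalid values 0x01 and 0x02 trigger, and the full bracketed sequence is what earns the high severity.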

Python POC for Malicious Payloads: User Fault Routine Exploitation

POC Demo: Hacking PLCs with Python

Ever wondered what happens when you combine Python with a PLC? It’s not a new programming language but a gateway to some serious digital shenanigans!

As shown in the video, we’re able to trigger a fault state through User Fault Routine Exploitation, which makes the PLC go into a fault state.

Conclusion

In this post, we examined User Fault Routine Exploitation in the Allen-Bradley MicroLogix 1400 PLC. We covered how to trigger a fault state by directly modifying the user fault routine register with invalid values.

Thank you for reading. Stay tuned for more insights and practical applications in PLC security.
