Exploit Dev # 14 : Trigger STI Faults in PLC – Vulnerability @ Hack-the-Box

Triggering STI faults in the MicroLogix 1400 PLC

In Exploit: Trigger STI Faults, we tackle a significant vulnerability in the Allen-Bradley MicroLogix 1400 PLC, focusing on the ability to remotely trigger a fault state.

The Selectable Timed Interrupt (STI), designed to handle time-critical control tasks with precision, can also be exploited if not properly secured.

From an exploit perspective, the STI mechanism can be manipulated to disrupt time-sensitive control operations. By triggering STI with maliciously crafted inputs or configurations, an attacker could induce faults or cause unintended behavior in the control logic. This could lead to system malfunctions, downtime, or even critical failures in industrial processes.

In this post, we’ll examine how these invalid values can disrupt PLC operations.

What is the Selectable Timed Interrupt (STI) Function File?

The Selectable Timed Interrupt (STI) offers a solution for time-critical control needs. It serves as a trigger mechanism, enabling the scanning or execution of control program logic that requires precise timing. Refer here for more details.

Selectable Timed Interrupt (STI) register fields

Objective

We have two key objectives:

  • Identify the function and command codes, file numbers, and file types.
  • Create a malicious payload

In this post, we will go through remotely triggering the STI fault state and auto-start in the PLC.

  • Vulnerability Analysis: Overview of PLC systems, focusing on unauthorized access vulnerabilities.
  • Exploit Development: Developing a Python script to exploit the identified vulnerability.
  • Real-World Application: Demonstrating the exploit on real PLC hardware.
  • Hack-the-Box PoC: Concluding with a Hack-the-Box-style proof of concept.

MicroLogix 1400 PLC: Device under test (DUT)

The Allen-Bradley MicroLogix 1400 PLC is used in many industries, where disruptions can halt critical processes and cause major equipment damage.

Identified Vulnerability: Improper DATA handling

STI register

Triggered STI Faults

This is a vulnerability in certain Allen-Bradley PLCs related to the STI (Selectable Timed Interrupt) function files. Here’s a detailed explanation:

Vulnerability Overview

Affected Functions: STI
Required Key-switch State: REMOTE or PROG
Associated Fault Codes: 0023
Fault Type: Recoverable

Description

  • Function Files: The STI function files in Allen-Bradley PLCs contain specific bits that indicate whether a fault has occurred. These files also include a bit for signaling the module to auto-start.
  • Fault Triggering: Setting the fault-related bits in these modules and then moving the PLC into the run state triggers a fault. The fault codes associated with this issue are 0023. These codes indicate recoverable faults, meaning they can be cleared and do not necessarily lead to permanent damage.
  • Impact: When faults are triggered by setting these bits, it disrupts the normal operation of the PLC, potentially affecting the industrial processes it controls. While the faults are recoverable, they can still cause interruptions and require intervention to resolve.

An attacker only needs to send the right packet. To show how it works, here are the fields of that packet:

CMD: 0x0F – PCCC command code

FNC: 0xAB – write operation

BYTE_SIZE: the number of data bytes to be read or written

FILE TYPE & FILE NUMBER:

Together these decide which register is selected. Please refer to Phase 4: DPI.

File type | File number | File name
0xE2      | 0x00        | Function File – STI0

ELEMENT_NO

  • 0x00

SUB_ELEMENT_NO:

  • 0x02

For more information, refer to the user manual.
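As an added defensive example (not the post’s PoC and not vendor code), the following Python decoder parses the PCCC fields listed above and flags any write aimed at the STI function file, which is the kind of check a monitoring tool for MicroLogix traffic would run. The DF1 field order after the ENIP/CIP wrapper has been stripped, the read function code 0xA2 used for the benign sample, and all sample frames are assumptions or constructed values, not captured traffic.

```python
import struct
from typing import List, Optional

# Assumed DF1/PCCC layout once the ENIP/CIP wrapper is stripped (assumption, not from the post):
#   CMD(1) STS(1) TNS(2, little-endian) FNC(1) BYTE_SIZE(1)
#   FILE_NUMBER(1) FILE_TYPE(1) ELEMENT(1) SUB_ELEMENT(1) DATA(BYTE_SIZE)
PCCC_CMD = 0x0F          # PCCC command code named in the post
FNC_WRITE_3ADDR = 0xAB   # write operation named in the post
FNC_READ_3ADDR = 0xA2    # assumed read counterpart, used only for a benign sample
STI_FILE_TYPE = 0xE2     # "Function File - STI0" from the post's table
HEADER = struct.Struct("<BBHBBBBBB")  # 10 header bytes


def parse_pccc(frame: bytes) -> Optional[dict]:
    """Decode a three-address-field PCCC command; None if the frame is malformed."""
    if len(frame) < HEADER.size:
        return None
    cmd, sts, tns, fnc, size, fnum, ftype, elem, sub = HEADER.unpack_from(frame)
    data = frame[HEADER.size:HEADER.size + size]
    if fnc == FNC_WRITE_3ADDR and len(data) != size:
        return None  # a write must carry exactly BYTE_SIZE data bytes
    return {"cmd": cmd, "sts": sts, "tns": tns, "fnc": fnc, "size": size,
            "file_number": fnum, "file_type": ftype, "element": elem,
            "sub_element": sub, "data": data}


def classify(frame: bytes) -> str:
    """'sti-write' for a write into the STI function file, else 'write', 'read' or 'other'."""
    p = parse_pccc(frame)
    if p is None or p["cmd"] != PCCC_CMD:
        return "other"
    if p["fnc"] == FNC_WRITE_3ADDR:
        return "sti-write" if p["file_type"] == STI_FILE_TYPE else "write"
    return "read" if p["fnc"] == FNC_READ_3ADDR else "other"


def alerts(frames: List[bytes]) -> List[str]:
    """One alert line per write into an STI function file, with the address it targets."""
    out = []
    for i, f in enumerate(frames):
        if classify(f) == "sti-write":
            p = parse_pccc(f)
            out.append(f"frame {i}: PCCC write to STI function file {p['file_number']} "
                       f"elem {p['element']} sub {p['sub_element']} "
                       f"tns=0x{p['tns']:04x} data={p['data'].hex()}")
    return out


# Constructed sample frames (not captured traffic); data bytes are zero placeholders.
SAMPLE_FRAMES = [
    bytes([0x0F, 0x00, 0x01, 0x00, 0xA2, 0x02, 0x00, 0xE2, 0x00, 0x02]),              # read of STI0 (benign)
    bytes([0x0F, 0x00, 0x02, 0x00, 0xAB, 0x02, 0x07, 0x89, 0x00, 0x00, 0x01, 0x00]),  # write to a non-STI file type
    bytes([0x0F, 0x00, 0x03, 0x00, 0xAB, 0x02, 0x00, 0xE2, 0x00, 0x02, 0x00, 0x00]),  # write to STI0, sub-element 2
]
```

Running `alerts(SAMPLE_FRAMES)` yields exactly one line, for the third frame; reads of the same file and writes to other file types stay quiet.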

Confused? 🤔 Check Out These Phases for a Step-by-Step Guide!

Feeling a bit lost in the technical jungle? Don’t worry! If you find yourself tangled in the weeds of this phase, just take a detour and revisit our previous adventures:

  • Phase 1: Basic Network Discovery –> [Explore Phase 1]
  • Phase 2: MITM Attack and Protocol Packet Capturing –> [Explore Phase 2]
  • Phase 3: Packet Communication Protocol Analysis –> [Explore Phase 3]
  • Phase 4: Deep Packet Inspection (DPI) –> [Explore Phase 4]
  • Phase 5: Exploit Development –> [Explore Phase 5]

Exploit Development: Trigger STI Faults

Here I explain only the important functions; refer to the previous phases for a detailed look at each one.

1. Create a Register Session packet: Register_Session()

Registers a session with the PLC following the 3-way TCP handshake. This function sends registration data and retrieves a session handle.

Reference:[Explore Phase 4 🔍]

2. Build an ENIP packet: Build_Ethernet_instruction()

Crafts the Ethernet instruction structure from the Wireshark-captured packet (pcap) between SCADA and PLC. This structure remains consistent, so it doesn’t need to be rebuilt each time.

Reference:[Explore Phase 4 🔍].

3. Create a function to send packets: send_instruction()

Sends an instruction to the PLC and waits for a successful response. It’s like making a call and eagerly waiting for the answer.

4. Main function routine: overview

  • Changing CPU Mode from Remote RUN to Remote Program:
    • This step is essential for modifying the PLC’s configuration.
  • Sending STI Configuration Payload:
    • This involves sending a payload to adjust settings related to the Selectable Timed Interrupt (STI).
  • Changing CPU Mode Back to Remote RUN:
    • Restores the PLC’s operating mode so it executes control logic with the updated STI settings.

Python POC for Malicious Payloads: Trigger STI Faults

POC Demo: Hacking PLCs with Python

As shown in the video, modifying the STI function file puts the PLC into a fault state.

Conclusion

In this section, we examined how to trigger STI faults in the Allen-Bradley MicroLogix 1400 PLC. We covered the process of triggering fault states by directly modifying function files and setting invalid values.

Thank you for reading. Stay tuned for more insights and practical applications in PLC security!
