Exploit Dev # 15 : Trigger EII Faults in PLC – Vulnerability @ Hack-the-Box

Trigger EII (Event Input Interrupt) Faults in the MicroLogix 1400 PLC

In Exploit: Trigger EII Faults, we’re addressing a critical vulnerability in the Allen-Bradley MicroLogix 1400 PLC, specifically focusing on the capability to remotely trigger a fault state.

Event Input Interrupt (EII) is a powerful feature designed to trigger the scanning of specific program files or subroutines based on input conditions from field devices. While this functionality enhances real-time response and control, it also presents potential security risks if not properly managed.

By triggering EII with maliciously crafted inputs or configurations, an attacker could induce faults or cause unintended behavior in the control logic. This could lead to system malfunctions, downtime, or even critical failures in industrial processes.

In this post, we’ll examine how these invalid values can disrupt PLC operations.

What is the Event Input Interrupt (EII) Function File?

The Event Input Interrupt (EII) is a feature that enables scanning of a specific program file or subroutine in response to an input condition detected from a field device. Refer here for more details.

Event Input Interrupt register element

Objective

We have the following key objectives:

  • Identify the function and command codes, file numbers, and file types.
  • Create a malicious payload

In this post, we will go through how to remotely trigger an EII fault state and a restart in the PLC.

  • Vulnerability Analysis: Overview of PLC systems with a focus on unauthorized access vulnerabilities.
  • Exploit Development: Creating a Python script to exploit the identified vulnerability.
  • Real-World Application: Demonstrating the exploit on actual PLC hardware.
  • Hack-the-Box PoC: Wrapping up with a Hack-the-Box-style proof of concept.

In our PLC setup, we’re dealing with the MicroLogix 1400 PLC. For context, you can check the other posts related to fault triggering, Exploit Development # 6 and Exploit Development # 14.

MicroLogix 1400 PLC: Device under test (DUT)

Allen-Bradley PLCs such as the MicroLogix 1400 are crucial across industries, and disruptions can halt critical processes and cause significant equipment damage.

Identified Vulnerability: Improper Data Handling

Triggered EII Faults

This is a vulnerability in certain Allen-Bradley PLCs related to the EII (Event Input Interrupt) function files. Here’s a detailed explanation:

Vulnerability Overview

Affected Functions: EII
Required Key-switch State: REMOTE or PROG
Associated Fault Codes: 002e
Fault Type: Recoverable

Description

  • Function Files: The EII function files in Allen-Bradley PLCs include specific bits that indicate fault occurrence and a bit to signal the module for auto-start.
  • Fault Triggering: Setting the fault-related bits in these modules and then moving the PLC into the run state triggers a fault. The fault code associated with this issue is 002e.
  • Impact: When faults are triggered by setting these bits, the normal operation of the PLC is disrupted, potentially affecting the industrial processes it controls.

All an attacker needs to do is send the right packet. To show how it works, here are the fields of that packet:

CMD: 0x0F – PCCC command code

FNC: 0xAB – write operation

BYTE_SIZE: decides how many bytes of data are to be read/written

FILE TYPE & FILE NUMBER:

These decide which register is going to be selected. Please refer to Phase 4: DPI.

File type | File number | File name
0xE3      | 0x00        | Function File – EII

ELEMENT_NO:

  • 0x00

SUB_ELEMENT_NO:

  • 0x02

For more info, refer to the user manual.
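As an added defensive example (not code from the original post), the following Python parses the PCCC request fields listed above and flags writes aimed at the EII function file, the kind of check a monitoring sensor on the SCADA-to-PLC link would perform. It assumes the PCCC payload has already been extracted from its ENIP/CIP wrapper, and that the field order follows the DF1 protected typed logical write layout (CMD, STS, TNS, FNC, BYTE_SIZE, FILE_NUMBER, FILE_TYPE, ELEMENT_NO, SUB_ELEMENT_NO, DATA, with 0xFF introducing a two-byte address field). The sample payloads are constructed; the 0x89 integer-file type and the N7 file used for the benign sample are assumptions not taken from the post.

```python
"""Detect PCCC writes to the MicroLogix EII function file (file type 0xE3).

Added example, not from the original post.  Assumed field layout for a
DF1 protected typed logical write with three address fields:
  CMD | STS | TNS (2 bytes LE) | FNC | BYTE_SIZE | FILE_NUMBER | FILE_TYPE
  | ELEMENT_NO | SUB_ELEMENT_NO | DATA ...
Each address field is one byte, or 0xFF followed by a 2-byte LE value.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

PCCC_CMD_PROTECTED = 0x0F           # CMD from the post
FNC_PROTECTED_TYPED_WRITE = 0xAB    # FNC (write operation) from the post
FILE_TYPE_EII = 0xE3                # Event Input Interrupt function file
EII_FAULT_SUBELEMENT = 0x02         # sub-element the post writes to

# Constructed sample payloads (data bytes are placeholders, not real values).
EII_WRITE = bytes([0x0F, 0x00, 0x01, 0x00, 0xAB, 0x02,
                   0x00, 0xE3, 0x00, 0x02, 0x00, 0x00])
# Assumed benign write: N7:0 (file 7, integer type 0x89), value 0x002A.
BENIGN_WRITE = bytes([0x0F, 0x00, 0x02, 0x00, 0xAB, 0x02,
                      0x07, 0x89, 0x00, 0x00, 0x2A, 0x00])
# Same EII target but using the extended (0xFF + 2-byte) file number form.
EII_WRITE_EXT = bytes([0x0F, 0x00, 0x03, 0x00, 0xAB, 0x02,
                       0xFF, 0x05, 0x01, 0xE3, 0x00, 0x02, 0x00, 0x00])


@dataclass
class PcccWrite:
    cmd: int
    sts: int
    tns: int
    fnc: int
    byte_size: int
    file_number: int
    file_type: int
    element: int
    sub_element: int
    data: bytes


def _read_addr(buf: bytes, pos: int) -> Tuple[int, int]:
    """Read one address field; return (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated address field")
    if buf[pos] == 0xFF:                       # extended 2-byte form
        if pos + 3 > len(buf):
            raise ValueError("truncated extended address field")
        return int.from_bytes(buf[pos + 1:pos + 3], "little"), pos + 3
    return buf[pos], pos + 1


def parse_pccc_write(payload: bytes) -> PcccWrite:
    """Parse a protected typed logical write; raise ValueError otherwise."""
    if len(payload) < 6:
        raise ValueError("PCCC payload too short")
    cmd, sts = payload[0], payload[1]
    tns = int.from_bytes(payload[2:4], "little")
    fnc = payload[4]
    if cmd != PCCC_CMD_PROTECTED or fnc != FNC_PROTECTED_TYPED_WRITE:
        raise ValueError(f"not a protected typed write: cmd=0x{cmd:02x} fnc=0x{fnc:02x}")
    byte_size = payload[5]
    pos = 6
    file_number, pos = _read_addr(payload, pos)
    if pos >= len(payload):
        raise ValueError("truncated file type")
    file_type, pos = payload[pos], pos + 1
    element, pos = _read_addr(payload, pos)
    sub_element, pos = _read_addr(payload, pos)
    data = payload[pos:pos + byte_size]
    if len(data) != byte_size:                  # BYTE_SIZE must match the data present
        raise ValueError("data shorter than BYTE_SIZE")
    return PcccWrite(cmd, sts, tns, fnc, byte_size,
                     file_number, file_type, element, sub_element, data)


def classify(payload: bytes) -> Optional[str]:
    """Return an alert string for writes to the EII function file, else None."""
    try:
        w = parse_pccc_write(payload)
    except ValueError:
        return None                             # malformed or not a write: nothing to flag here
    if w.file_type != FILE_TYPE_EII:
        return None
    target = f"EII file {w.file_number} element {w.element} sub-element {w.sub_element}"
    if w.element == 0 and w.sub_element == EII_FAULT_SUBELEMENT:
        return f"HIGH: write to {target} (EII control/fault bits), data={w.data.hex()}"
    return f"MEDIUM: write to {target}, data={w.data.hex()}"


if __name__ == "__main__":
    for name, pkt in [("EII_WRITE", EII_WRITE), ("BENIGN_WRITE", BENIGN_WRITE),
                      ("EII_WRITE_EXT", EII_WRITE_EXT)]:
        print(name, "->", classify(pkt))
```

Since the post lists REMOTE or PROG as the required key-switch state, a sensor rule that correlates this write with a preceding mode-change request is a natural companion, and leaving the key switch physically in RUN removes the precondition altogether.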

Unsure? 🤔 Explore these phases for a clear, step-by-step walkthrough!

Feeling a bit lost in the technical jungle of hex code? No worries! If you’re getting stuck in this phase, take a step back and check out our earlier explorations:

  • Phase 1: Basic Network Discovery –> [Explore Phase 1]
  • Phase 2: MITM Attack and Protocol Packet Capturing –> [Explore Phase 2]
  • Phase 3: Packet Communication Protocol Analysis –> [Explore Phase 3]
  • Phase 4: Deep Packet Inspection (DPI) –> [Explore Phase 4]
  • Phase 5: Exploit Development –> [Explore Phase 5]

Exploit Development: Trigger EII Faults

Now, I’m focusing on the key functions. For more details, refer to the previous phases of exploit development.

1. Create a Register Session packet: Register_Session()

Registers a session with the PLC following the 3-way TCP handshake. This function sends registration data and retrieves a session handle.

Reference: [Explore Phase 4 🔍]

2. Build an ENIP packet: Build_Ethernet_instruction()

Crafts the Ethernet instruction structure from the Wireshark-captured packet (pcap) between SCADA and PLC. This structure remains consistent, so it doesn’t need to be rebuilt each time.

Reference: [Explore Phase 4 🔍]

3. Create a function to send packets: send_instruction()

Sends an instruction to the PLC and waits for a valid success response. It’s like making a call and eagerly waiting for the answer.

4. Main function routine: overview

  • Changing CPU Mode from Remote RUN to Remote Program:
    • This step is necessary to modify the PLC’s configuration.
  • Sending EII Configuration Payload:
    • This involves sending a payload to adjust settings related to the Event Input Interrupt (EII).
  • Changing CPU Mode Back to Remote RUN:
    • Restores the PLC’s operation mode to execute control logic with the updated EII settings.

Python POC for Malicious Payloads: Trigger EII Faults

POC Demo: Hacking PLCs with Python

As shown in the video, modifying the EII function file makes the PLC go into a fault state.

Conclusion

In this post, we explored how to trigger EII faults in the Allen-Bradley MicroLogix 1400 PLC by directly modifying function files and setting invalid values.

Thank you for reading! Stay tuned for more insights and practical applications in PLC security.
