Program routine DoS attack on PLCs @ExpDev-18

DoS Attack

Today, we’ll explore a program routine DoS (denial of service) vulnerability in the Allen-Bradley MicroLogix 1400 Series B, specifically affecting firmware version 21.2 and earlier.

When a new program is downloaded to the PLC, it follows a specific routine to secure editing rights. If errors occur during this process, the PLC enters a fault state. By sending the ‘Execute Command List’ packet without the required ‘Download Complete’ packet, the PLC can be forced to stay in the download state for one minute before switching to a fault state.

The result is a fault state and the deletion of the ladder logic program from PLC memory, all triggered by a single unauthenticated packet.

What is a denial of service (DoS) attack?

A Denial of Service (DoS) attack is like overloading a device or network with too much data or the wrong kind of data, making it stop working properly. In the case of a PLC, this can cause the system to reboot or enter an error state, disrupting the normal operations and potentially causing loss of important settings or programs. It’s a simple but effective way for attackers to cause serious trouble without needing direct access to the device.

Objective

We have two key objectives:

  • Identification of the program (download) routine
  • Sending an incomplete packet sequence

In this post, we will go through how the existing connection between the PLC and the SCADA system can be remotely broken through a program routine DoS.

MicroLogix 1400 PLC: Device under test

The MicroLogix 1400 PLC from Allen-Bradley is used in critical processes across many industries.

Identified Vulnerability: program routine DoS

Vulnerability Overview

This issue involves how the PLC handles packets received on its Ethernet port (44818/TCP). We can exploit this by sending a specially crafted packet that causes a denial of service. It affects the program download function of the device.

By sending an ‘Execute Command List’ packet (CMD 0x0F, FNC 0x88) without the ‘Download Complete’ packet (CMD 0x0F, FNC 0x52), the device treats this as a failure. This leads the device to enter a fault mode, stopping normal operations and deleting all stored logic.

This means the PLC can easily be knocked offline and lose its program, which can cause major disruptions in industrial environments where the controller is critical.

Program routine:

In our case, we send only the Execute Command List packet and nothing else.

[Figure: program routine of the PLC]
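From the defender's side, the sequence above gives a concrete detection rule: on 44818/TCP, an Execute Command List (CMD 0x0F, FNC 0x88) that is not followed by a Download Complete (CMD 0x0F, FNC 0x52) within the one-minute download window, or one that comes from a host that is not an engineering workstation, is worth an alert before the PLC faults. The following is an added example written for this post and is not code from the original article; it assumes the EtherNet/IP/PCCC fields have already been decoded from a capture into the simple event records shown, and the host addresses and sample events are constructed.

```python
"""Flag incomplete or unexpected PLC program-download sequences (added example)."""
from dataclasses import dataclass

# PCCC command/function codes named in the article
CMD_PCCC = 0x0F
FNC_DOWNLOAD_COMPLETE = 0x52
FNC_EXECUTE_COMMAND_LIST = 0x88
DOWNLOAD_TIMEOUT_S = 60.0  # the PLC waits about one minute before faulting


@dataclass
class PcccEvent:
    """One decoded PCCC request seen on 44818/TCP (fields assumed to come from a capture decoder)."""
    ts: float   # seconds since capture start
    src: str    # client IP
    dst: str    # PLC IP
    cmd: int
    fnc: int


def detect_incomplete_downloads(events, engineering_hosts, timeout=DOWNLOAD_TIMEOUT_S):
    """Return a list of alert dicts for suspicious download routines.

    Two conditions are reported:
      * execute_command_list_from_unexpected_host: FNC 0x88 from a source that is
        not on the engineering-workstation allowlist
      * download_never_completed: FNC 0x88 with no FNC 0x52 from the same
        client to the same PLC within `timeout` seconds
    """
    alerts = []
    pending = {}  # (src, dst) -> timestamp of the Execute Command List
    last_ts = None
    for ev in sorted(events, key=lambda e: e.ts):
        last_ts = ev.ts
        if ev.cmd != CMD_PCCC:
            continue
        key = (ev.src, ev.dst)
        if ev.fnc == FNC_EXECUTE_COMMAND_LIST:
            if ev.src not in engineering_hosts:
                alerts.append({"ts": ev.ts, "src": ev.src, "dst": ev.dst,
                               "reason": "execute_command_list_from_unexpected_host"})
            pending[key] = ev.ts
        elif ev.fnc == FNC_DOWNLOAD_COMPLETE:
            # Normal routine: the download was finished, clear the pending entry
            pending.pop(key, None)
    # Anything still pending once the window has elapsed is an incomplete download
    if last_ts is not None:
        for (src, dst), started in pending.items():
            if last_ts - started >= timeout:
                alerts.append({"ts": started, "src": src, "dst": dst,
                               "reason": "download_never_completed"})
    return alerts


# Constructed sample traffic: a normal download from the engineering host,
# then a lone Execute Command List from an unknown host that never completes.
SAMPLE_EVENTS = [
    PcccEvent(0.0, "10.0.0.5", "10.0.0.20", CMD_PCCC, FNC_EXECUTE_COMMAND_LIST),
    PcccEvent(5.0, "10.0.0.5", "10.0.0.20", CMD_PCCC, FNC_DOWNLOAD_COMPLETE),
    PcccEvent(100.0, "10.0.0.99", "10.0.0.20", CMD_PCCC, FNC_EXECUTE_COMMAND_LIST),
    PcccEvent(200.0, "10.0.0.5", "10.0.0.20", 0x06, 0x03),  # unrelated traffic
]
ENGINEERING_HOSTS = {"10.0.0.5"}


def sample_alerts():
    """Run the detector over the constructed sample; returns two alerts."""
    return detect_incomplete_downloads(SAMPLE_EVENTS, ENGINEERING_HOSTS)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

The allowlist check fires immediately, while the timeout check only fires after the download window has passed, which matches how long the PLC itself waits before faulting; in a live deployment the last-seen timestamp would be replaced by the current clock so that a stalled download is reported even when no further traffic arrives.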

Attack Scenario

Exploiting this vulnerability is straightforward. By sending a single unauthenticated packet containing the right command sequence, we can force the PLC into a fault state.

Impact on PLC

This vulnerability highlights the risk of improper handling of traffic on industrial control system networks, since the issue lies in how the PLC processes download commands.

Python POC & Exploit Development: DoS attack

Here I explain only the important functions; for the rest, refer to the previous phases of exploit development, in particular Exploit development 4.

The script establishes a TCP connection to a PLC (Programmable Logic Controller) and interacts with it using the EtherNet/IP protocol. Here’s a breakdown of its functionality:

  1. Session Registration:
    • Purpose: Establishes a communication session with the PLC.
    • Process: Sends a registration request to the PLC, receives a session handle in response, which is needed for further communication.
  2. Instruction Building:
    • Purpose: Prepares and structures the instructions to be sent to the PLC.
    • Process: Constructs a payload that includes the encapsulation header, command-specific data, and Common Industrial Protocol (CIP) information. This payload is tailored based on the specific command and function required.
  3. Sending Instructions:
    • Purpose: Sends the constructed instructions to the PLC and receives responses.
    • Process: Uses the established session to send commands such as changing the PLC’s CPU mode and executing multiple commands. It handles the communication with the PLC and processes the responses received.
  4. Programming the PLC:
    • Purpose: Executes a series of commands to change the PLC’s mode and perform specific operations.
    • Process: Sends commands to switch the PLC to remote programming mode and then executes multiple commands, as specified by the instructions.

Overall, the script sets up a session with the PLC, sends instructions to control and program it, and handles the communication protocol to interact with the PLC effectively.

POC Demo: DoS attack on PLC

As shown in the video, we are able to break the connection through the DoS, which makes the PLC go into a communication-lost state.

Conclusion

This vulnerability highlights the need for strong network security. Users of the Allen-Bradley Micrologix 1400 Series B should review and improve their network defenses to reduce risks. Securing network ports and adding extra protection can help prevent disruptions and keep your PLC systems reliable.

Thank you for reading. Stay tuned for more insights and practical applications in PLC security!
