Authentication bypass and remote escalated I/O command attacks

Ryan Grandgenett; William Mahoney; Robin Gandhi

doi:10.1145/2746266.2746268

Authentication bypass and remote escalated I/O command attacks

Ryan Grandgenett, William Mahoney, Robin Gandhi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

9 Scopus citations

Abstract

The Common Industrial Protocol (CIP) is a widely used Open DeviceNet Vendors Association (ODVA) standard [14]. CIP is an application-level protocol for communication between components in an industrial control setting such as a Supervisory Control And Data Acquisition (SCADA) environment. We present exploits for authentication and privileged I/O in a CIP implementation. In particular, Allen Bradley's implementation of CIP communications between its programming software and Programmable Logic Controllers (PLCs) is the target of our exploits. Allen Bradley's RSLogix 5000 software supports programming and centralized monitoring of Programmable Logic Controllers (PLCs) from a desktop computer. In our test bed, ControlLogix EtherNet/IP Web Server Module (1756-EWEB) allows the PLC Module (5573-Logix) to be programmed, monitored and controlled by RSLogix 5000 over an Ethernet LAN. Our vulnerability discovery process included examination of CIP network traffic and reverse engineering the RSLogix 5000 software. Our findings have led to the discovery of several vulnerabilities in the protocol, including denial-of-service attacks, but more significantly and recently the creation of an authentication bypass and remote escalated privileged I/O command exploit. The exploit abuses RSLogix 5000's use of hard-coded credentials for outbound communication with other SCADA components. This paper provides a first public disclosure of the vulnerability, exploit development process, and results.

Original language	English (US)
Title of host publication	Proceedings of the 10th Annual Cyber and Information Security Research Conference, CISRC 2015
Publisher	Association for Computing Machinery
ISBN (Electronic)	9781450333450
DOIs	https://doi.org/10.1145/2746266.2746268
State	Published - Apr 7 2015
Event	10th Annual Cyber and Information Security Research Conference, CISRC 2015 - Oak Ridge, United States Duration: Apr 6 2015 → Apr 8 2015

Publication series

Name	ACM International Conference Proceeding Series
Volume	06-08-April-2015

Other

Other	10th Annual Cyber and Information Security Research Conference, CISRC 2015
Country/Territory	United States
City	Oak Ridge
Period	4/6/15 → 4/8/15

Keywords

Control systems
EtherNet/IP
Remote code execution
SCADA

ASJC Scopus subject areas

Software
Human-Computer Interaction
Computer Vision and Pattern Recognition
Computer Networks and Communications

Access to Document

10.1145/2746266.2746268

Cite this

Grandgenett, R., Mahoney, W., & Gandhi, R. (2015). Authentication bypass and remote escalated I/O command attacks. In Proceedings of the 10th Annual Cyber and Information Security Research Conference, CISRC 2015 Article 2 (ACM International Conference Proceeding Series; Vol. 06-08-April-2015). Association for Computing Machinery. https://doi.org/10.1145/2746266.2746268

Authentication bypass and remote escalated I/O command attacks. / Grandgenett, Ryan; Mahoney, William; Gandhi, Robin.
Proceedings of the 10th Annual Cyber and Information Security Research Conference, CISRC 2015. Association for Computing Machinery, 2015. 2 (ACM International Conference Proceeding Series; Vol. 06-08-April-2015).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Grandgenett, R, Mahoney, W & Gandhi, R 2015, Authentication bypass and remote escalated I/O command attacks. in Proceedings of the 10th Annual Cyber and Information Security Research Conference, CISRC 2015., 2, ACM International Conference Proceeding Series, vol. 06-08-April-2015, Association for Computing Machinery, 10th Annual Cyber and Information Security Research Conference, CISRC 2015, Oak Ridge, United States, 4/6/15. https://doi.org/10.1145/2746266.2746268

@inproceedings{33e131dca35c4f5db057b56f1c1ba9c6,

title = "Authentication bypass and remote escalated I/O command attacks",

abstract = "The Common Industrial Protocol (CIP) is a widely used Open DeviceNet Vendors Association (ODVA) standard [14]. CIP is an application-level protocol for communication between components in an industrial control setting such as a Supervisory Control And Data Acquisition (SCADA) environment. We present exploits for authentication and privileged I/O in a CIP implementation. In particular, Allen Bradley's implementation of CIP communications between its programming software and Programmable Logic Controllers (PLCs) is the target of our exploits. Allen Bradley's RSLogix 5000 software supports programming and centralized monitoring of Programmable Logic Controllers (PLCs) from a desktop computer. In our test bed, ControlLogix EtherNet/IP Web Server Module (1756-EWEB) allows the PLC Module (5573-Logix) to be programmed, monitored and controlled by RSLogix 5000 over an Ethernet LAN. Our vulnerability discovery process included examination of CIP network traffic and reverse engineering the RSLogix 5000 software. Our findings have led to the discovery of several vulnerabilities in the protocol, including denial-of-service attacks, but more significantly and recently the creation of an authentication bypass and remote escalated privileged I/O command exploit. The exploit abuses RSLogix 5000's use of hard-coded credentials for outbound communication with other SCADA components. This paper provides a first public disclosure of the vulnerability, exploit development process, and results.",

keywords = "Control systems, EtherNet/IP, Remote code execution, SCADA",

author = "Ryan Grandgenett and William Mahoney and Robin Gandhi",

note = "Funding Information: Ryan Grandgenett has been previously supported through NSF CNS-1062995, {"}REU Site: Site for Extensive and Collaborative Undergraduate Research Experience (SECURE){"}, and currently is supported by NSF DUE-1027412, {"}Information Assurance Scholarships for Service (SfS) at the University of Nebraska at Omaha{"}. William Mahoney and Robin Gandhi have been partially supported via AFOSR FA9550-10-1-0341 {"}Cyber Security of Critical Control Networks{"}.; 10th Annual Cyber and Information Security Research Conference, CISRC 2015 ; Conference date: 06-04-2015 Through 08-04-2015",

year = "2015",

month = apr,

day = "7",

doi = "10.1145/2746266.2746268",

language = "English (US)",

series = "ACM International Conference Proceeding Series",

publisher = "Association for Computing Machinery",

booktitle = "Proceedings of the 10th Annual Cyber and Information Security Research Conference, CISRC 2015",

}

TY - GEN

T1 - Authentication bypass and remote escalated I/O command attacks

AU - Grandgenett, Ryan

AU - Mahoney, William

AU - Gandhi, Robin

N1 - Funding Information: Ryan Grandgenett has been previously supported through NSF CNS-1062995, "REU Site: Site for Extensive and Collaborative Undergraduate Research Experience (SECURE)", and currently is supported by NSF DUE-1027412, "Information Assurance Scholarships for Service (SfS) at the University of Nebraska at Omaha". William Mahoney and Robin Gandhi have been partially supported via AFOSR FA9550-10-1-0341 "Cyber Security of Critical Control Networks".

PY - 2015/4/7

Y1 - 2015/4/7

N2 - The Common Industrial Protocol (CIP) is a widely used Open DeviceNet Vendors Association (ODVA) standard [14]. CIP is an application-level protocol for communication between components in an industrial control setting such as a Supervisory Control And Data Acquisition (SCADA) environment. We present exploits for authentication and privileged I/O in a CIP implementation. In particular, Allen Bradley's implementation of CIP communications between its programming software and Programmable Logic Controllers (PLCs) is the target of our exploits. Allen Bradley's RSLogix 5000 software supports programming and centralized monitoring of Programmable Logic Controllers (PLCs) from a desktop computer. In our test bed, ControlLogix EtherNet/IP Web Server Module (1756-EWEB) allows the PLC Module (5573-Logix) to be programmed, monitored and controlled by RSLogix 5000 over an Ethernet LAN. Our vulnerability discovery process included examination of CIP network traffic and reverse engineering the RSLogix 5000 software. Our findings have led to the discovery of several vulnerabilities in the protocol, including denial-of-service attacks, but more significantly and recently the creation of an authentication bypass and remote escalated privileged I/O command exploit. The exploit abuses RSLogix 5000's use of hard-coded credentials for outbound communication with other SCADA components. This paper provides a first public disclosure of the vulnerability, exploit development process, and results.

AB - The Common Industrial Protocol (CIP) is a widely used Open DeviceNet Vendors Association (ODVA) standard [14]. CIP is an application-level protocol for communication between components in an industrial control setting such as a Supervisory Control And Data Acquisition (SCADA) environment. We present exploits for authentication and privileged I/O in a CIP implementation. In particular, Allen Bradley's implementation of CIP communications between its programming software and Programmable Logic Controllers (PLCs) is the target of our exploits. Allen Bradley's RSLogix 5000 software supports programming and centralized monitoring of Programmable Logic Controllers (PLCs) from a desktop computer. In our test bed, ControlLogix EtherNet/IP Web Server Module (1756-EWEB) allows the PLC Module (5573-Logix) to be programmed, monitored and controlled by RSLogix 5000 over an Ethernet LAN. Our vulnerability discovery process included examination of CIP network traffic and reverse engineering the RSLogix 5000 software. Our findings have led to the discovery of several vulnerabilities in the protocol, including denial-of-service attacks, but more significantly and recently the creation of an authentication bypass and remote escalated privileged I/O command exploit. The exploit abuses RSLogix 5000's use of hard-coded credentials for outbound communication with other SCADA components. This paper provides a first public disclosure of the vulnerability, exploit development process, and results.

KW - Control systems

KW - EtherNet/IP

KW - Remote code execution

KW - SCADA

UR - http://www.scopus.com/inward/record.url?scp=84958763787&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84958763787&partnerID=8YFLogxK

U2 - 10.1145/2746266.2746268

DO - 10.1145/2746266.2746268

M3 - Conference contribution

AN - SCOPUS:84958763787

T3 - ACM International Conference Proceeding Series

BT - Proceedings of the 10th Annual Cyber and Information Security Research Conference, CISRC 2015

PB - Association for Computing Machinery

T2 - 10th Annual Cyber and Information Security Research Conference, CISRC 2015

Y2 - 6 April 2015 through 8 April 2015

ER -

Authentication bypass and remote escalated I/O command attacks

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this