Authentication bypass and remote escalated I/O command attacks

Ryan Grandgenett, William Mahoney, Robin Gandhi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

10 Scopus citations


The Common Industrial Protocol (CIP) is a widely used Open DeviceNet Vendors Association (ODVA) standard [14]. CIP is an application-level protocol for communication between components in an industrial control setting such as a Supervisory Control And Data Acquisition (SCADA) environment. We present exploits for authentication and privileged I/O in a CIP implementation. In particular, Allen Bradley's implementation of CIP communications between its programming software and Programmable Logic Controllers (PLCs) is the target of our exploits. Allen Bradley's RSLogix 5000 software supports programming and centralized monitoring of PLCs from a desktop computer. In our test bed, the ControlLogix EtherNet/IP Web Server Module (1756-EWEB) allows the PLC Module (5573-Logix) to be programmed, monitored and controlled by RSLogix 5000 over an Ethernet LAN. Our vulnerability discovery process included examination of CIP network traffic and reverse engineering of the RSLogix 5000 software. Our findings have led to the discovery of several vulnerabilities in the protocol, including denial-of-service attacks and, more significantly and more recently, an authentication bypass and remote escalated privileged I/O command exploit. The exploit abuses RSLogix 5000's use of hard-coded credentials for outbound communication with other SCADA components. This paper provides a first public disclosure of the vulnerability, exploit development process, and results.

Original language: English (US)
Title of host publication: Proceedings of the 10th Annual Cyber and Information Security Research Conference, CISRC 2015
Publisher: Association for Computing Machinery
ISBN (Electronic): 9781450333450
State: Published - Apr 7 2015
Event: 10th Annual Cyber and Information Security Research Conference, CISRC 2015 - Oak Ridge, United States
Duration: Apr 6 2015 → Apr 8 2015

Publication series

Name: ACM International Conference Proceeding Series


Other: 10th Annual Cyber and Information Security Research Conference, CISRC 2015
Country/Territory: United States
City: Oak Ridge


  • Control systems
  • EtherNet/IP
  • Remote code execution

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

