Authentication bypass and remote escalated I/O command attacks

Ryan Grandgenett, William Mahoney, Robin Gandhi

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

4 Citations (Scopus)

Abstract

The Common Industrial Protocol (CIP) is a widely used Open DeviceNet Vendors Association (ODVA) standard [14]. CIP is an application-level protocol for communication between components in an industrial control setting such as a Supervisory Control And Data Acquisition (SCADA) environment. We present exploits for authentication and privileged I/O in a CIP implementation. In particular, Allen-Bradley's implementation of CIP communications between its programming software and Programmable Logic Controllers (PLCs) is the target of our exploits. Allen-Bradley's RSLogix 5000 software supports programming and centralized monitoring of PLCs from a desktop computer. In our test bed, a ControlLogix EtherNet/IP Web Server Module (1756-EWEB) allows the PLC Module (5573-Logix) to be programmed, monitored and controlled by RSLogix 5000 over an Ethernet LAN. Our vulnerability discovery process included examination of CIP network traffic and reverse engineering of the RSLogix 5000 software. Our findings have led to the discovery of several vulnerabilities in the protocol, including denial-of-service attacks, and, more significantly and more recently, to the creation of an authentication bypass and remote escalated privileged I/O command exploit. The exploit abuses RSLogix 5000's use of hard-coded credentials for outbound communication with other SCADA components. This paper provides the first public disclosure of the vulnerability, the exploit development process, and the results.

Original language: English (US)
Title of host publication: Proceedings of the 10th Annual Cyber and Information Security Research Conference, CISRC 2015
Publisher: Association for Computing Machinery
ISBN (Electronic): 9781450333450
DOIs: https://doi.org/10.1145/2746266.2746268
State: Published - Apr 7 2015
Event: 10th Annual Cyber and Information Security Research Conference, CISRC 2015 - Oak Ridge, United States
Duration: Apr 6 2015 - Apr 8 2015

Publication series

Name: ACM International Conference Proceeding Series
Volume: 06-08-April-2015

Other

Other: 10th Annual Cyber and Information Security Research Conference, CISRC 2015
Country: United States
City: Oak Ridge
Period: 4/6/15 - 4/8/15

Fingerprint

Authentication
Network protocols
Programmable logic controllers
Ethernet
Data acquisition
Reverse engineering
Communication
Computer programming
Local area networks
Personal computers
Servers
Monitoring

Keywords

  • Control systems
  • EtherNet/IP
  • Remote code execution
  • SCADA

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

Cite this

Grandgenett, R., Mahoney, W., & Gandhi, R. (2015). Authentication bypass and remote escalated I/O command attacks. In Proceedings of the 10th Annual Cyber and Information Security Research Conference, CISRC 2015 [2] (ACM International Conference Proceeding Series; Vol. 06-08-April-2015). Association for Computing Machinery. https://doi.org/10.1145/2746266.2746268

Authentication bypass and remote escalated I/O command attacks. / Grandgenett, Ryan; Mahoney, William; Gandhi, Robin.

Proceedings of the 10th Annual Cyber and Information Security Research Conference, CISRC 2015. Association for Computing Machinery, 2015. 2 (ACM International Conference Proceeding Series; Vol. 06-08-April-2015).

Grandgenett, R, Mahoney, W & Gandhi, R 2015, Authentication bypass and remote escalated I/O command attacks. in Proceedings of the 10th Annual Cyber and Information Security Research Conference, CISRC 2015., 2, ACM International Conference Proceeding Series, vol. 06-08-April-2015, Association for Computing Machinery, 10th Annual Cyber and Information Security Research Conference, CISRC 2015, Oak Ridge, United States, 4/6/15. https://doi.org/10.1145/2746266.2746268
Grandgenett R, Mahoney W, Gandhi R. Authentication bypass and remote escalated I/O command attacks. In Proceedings of the 10th Annual Cyber and Information Security Research Conference, CISRC 2015. Association for Computing Machinery. 2015. 2. (ACM International Conference Proceeding Series). https://doi.org/10.1145/2746266.2746268
Grandgenett, Ryan ; Mahoney, William ; Gandhi, Robin. / Authentication bypass and remote escalated I/O command attacks. Proceedings of the 10th Annual Cyber and Information Security Research Conference, CISRC 2015. Association for Computing Machinery, 2015. (ACM International Conference Proceeding Series).
@inproceedings{33e131dca35c4f5db057b56f1c1ba9c6,
title = "Authentication bypass and remote escalated I/O command attacks",
keywords = "Control systems, EtherNet/IP, Remote code execution, SCADA",
author = "Ryan Grandgenett and William Mahoney and Robin Gandhi",
year = "2015",
month = "4",
day = "7",
doi = "10.1145/2746266.2746268",
language = "English (US)",
series = "ACM International Conference Proceeding Series",
publisher = "Association for Computing Machinery",
booktitle = "Proceedings of the 10th Annual Cyber and Information Security Research Conference, CISRC 2015",

}

TY - GEN

T1 - Authentication bypass and remote escalated I/O command attacks

AU - Grandgenett, Ryan

AU - Mahoney, William

AU - Gandhi, Robin

PY - 2015/4/7

Y1 - 2015/4/7

KW - Control systems

KW - EtherNet/IP

KW - Remote code execution

KW - SCADA

UR - http://www.scopus.com/inward/record.url?scp=84958763787&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84958763787&partnerID=8YFLogxK

U2 - 10.1145/2746266.2746268

DO - 10.1145/2746266.2746268

M3 - Conference contribution

T3 - ACM International Conference Proceeding Series

BT - Proceedings of the 10th Annual Cyber and Information Security Research Conference, CISRC 2015

PB - Association for Computing Machinery

ER -