弁財天

Goffman: "Do not trust the experts; think and judge for yourself."

Is the source of the Fukushima Daiichi virus really Russia? A Mitsubishi SCADA-exploitation ActiveX module using a Windows zero-day turns up in the Hacking Team WikiLeaks. #HackingTeam update6

Fukushima Daiichi program developer reveals cyber attack from Russia (NEWS Post Seven) - Y! News

Mr. A says that from the day after the system recovered he set about tracing where the virus had been sent from.

"We safety-system engineers also have hacking skills, so that we can know our 'enemy', the hackers. So we sent a (harmless) virus back along the reverse route to find out where the sender was located.

Most of the originating points were in 'a cold country to the north'. We installed the system six years ago, so we believe it has been under cyber attack from Russia ever since."

Pravda (pravda.ru) → Israeli general boasts authoring Stuxnet virus 22.02.2011 (February 22, 2011)
The UK's Telegraph and France's Le Monde, citing an article in the Israeli daily Haaretz, reported that IDF Chief of General Staff Gabi Ashkenazi had admitted the Stuxnet worm was his own work

According to the Haaretz article, Ashkenazi had a video made of the milestones of his career on the occasion of his retirement
The video was shown at a party, and in it he stated that he had been in charge of overseeing the development of Stuxnet

abovetopsecret.com → Was Russia behind the Stuxnet Virus? You make the call... (Jan 16, 2012)
"Russia is sending scientists into Iran"
"Russia is protecting Iran. If the US attacks Iran, Russia will attack the US. Cold War 2.0" lol

the-diplomat.com → Was Russia Behind Stuxnet? (December 10, 2011)
The US intelligence community has been caught with its pants down, the US Air Force Research Laboratory says frantically

The 2008-2009 Stuxnet attacks on Iran were carried out by the US military under Operation Olympic Games; Marine General James Cartwright leaked to the New York Times that the first Stuxnet attack had taken place. He was later charged by the FBI (he pleaded guilty to lying to investigators), and Obama pardoned him in January 2017, just before leaving office. This "Russia" appears to be NTT Com's Newspeak lol.
[Deep State collapses] NTT Com and HBGary are linked, which settles it that NTT is an [anti-social force] lol. Obama becomes president. The Brexit referendum. Trump becomes president lol

wlcentral.org → 2011-02-14 HBGary & the Stuxnet Worm: What Emails Leaked By Anonymous Reveal (February 14, 2011)
The HBGary emails exposed by Anonymous

HBGary Federal Chief Operating Officer Greg Hoglund, Martin Pillion, President and CEO of HBGary Federal, and executive Phil Wallisch were sent an email from Barr on August 9, 2010:

Hey Guys,

Can I please get 1 or 2 copies of the Stuxnet malware?

Thanks,
Aaron

He received a reply from Pillion, which included an attachment, the code for Stuxnet.

Another employee, Charles Copeland, asks in an email on September 26, 2010, “Does anyone have a dropper? I have been unable to find it." Phil Wallisch responds, “I’ve got this from July.” A “dropper” is a program or malware designed to install some sort of malware (virus, backdoor, etc.) on a target system.

Another exchange takes place in August 2010:

Greg,

Can I get the Stuxnet samples you and Phil have? There are some interesting things happening and I have been asked if I could provide samples to a certain government organization (not one of the ones you might think - an oversight group).

On August 6, Stuxnet data is presumably sent as a file attachment.

So as of August 2010 HBGary was already testing how to adapt Stuxnet for its own purposes. A Stuxnet customization development environment had passed from NTT Com to HBGary.

arstechnica.com→How one man tracked down Anonymous—and paid a heavy price

abovetopsecret.com → Is Serco behind Stuxnet?
Stuxnet uses a P2P network to update itself, and that site was Serco in Ireland
Serco is a military-industrial-complex company holding large contracts with the U.S. Army, U.S. Navy and U.S. Air Force
http://www.serco-na.com/
@Serco_Inc
@Serco_Inc Awarded $52M Army ACAP Contract
@Serco_Inc Wins $14M U.S. Air Force Materiel Command Contract to Provide Logistics Support...http://www.serco-na.com/AtriclesPopup.aspx?ID=514
@Serco_Inc Awarded $84M U.S. Navy ID/IQ Contract to Provide Hazardous Material Program Logistics Support...http://bit.ly/az6tt0
Very easy to understand: they have been caught with their pants down

After Stuxnet was analyzed, the worm platform (dropper, P2P component and so on) circulated through the industry
If Iran is the customer, Japan is Russia's rival
Infect Fukushima Daiichi disguised as a US operation and cause a nuclear explosion
With fallout riding the westerlies down onto the US as a bonus
Serco's P2P site was exposed too

Apart from the function that manipulates Siemens SCADA/PLCs, Stuxnet's base functions are
a dropper that copies itself via USB drives and over the LAN,
self-update over the LAN using P2P,
and a function that connects to a command-and-control server (C&C, Command and Control Server), downloads executable code and runs it,
and HBGary began applying these to its own products

wlcentral.org → 2011-02-14 Team Themis - HBGary, Palantir, Berico's ambitious joint team mentions 'bots' and 'custom software'
A rootkit for banks, modeled on Stuxnet, bot-like, impossible to detect or remove
Less a cyberwar between nations than companies doing anything at all for money

So, is Microsoft not going to kill the four zero-days? Just leave them as they are? (For the record, Microsoft had shipped fixes for all four of the Windows vulnerabilities Stuxnet used during 2010, in bulletins MS10-046, MS10-061, MS10-073 and MS10-092.)

crowdleaks.org → HBGary wanted to suppress Stuxnet research by @crowdleaks
Stuxnet used four Windows zero-days and stolen code-signing certificates
Not the work of hackers: a professional development team spent time coding and testing it at a government's request

Antivirus software works by grinding through signature checks of the files on disk
To evade that, Stuxnet is implemented so that it takes its own data file, transforms it and unpacks the executable code in memory, so it probably cannot be detected
Like a password-locked file
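To make that evasion concrete, here is an added toy example (editor's code, not anything from the post and not Stuxnet's own code): a signature scanner that only looks at bytes on disk misses a payload stored under a simple transform, the same signature finds it once a loader has rebuilt it in memory, and a scanner that knows the transform can still catch it on disk. The signature bytes, the XOR key and the file and process names are all constructed for the demonstration.

```python
"""Toy model of disk-only signature scanning vs. in-memory scanning.

Added example (editor's code, not from the original post).  SIGNATURE is a
constructed marker, not a real malware indicator; the single-byte XOR stands in
for whatever transform a loader applies when it turns a 'data' file back into
executable code in memory."""
from typing import Dict, List, Tuple

SIGNATURE = b"WRITE_PLC_BLOCK"   # constructed marker the scanner keys on
XOR_KEY = 0x5A                   # constructed on-disk transform key


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply (or undo) a single-byte XOR transform."""
    return bytes(b ^ key for b in data)


def build_sample() -> Tuple[Dict[str, bytes], Dict[str, bytes]]:
    """Constructed disk and memory views: one benign file, one data file that
    holds the encoded payload, and one process that has decoded it in memory."""
    payload = b"\x55\x8b\xec" + SIGNATURE + b"\xc3"   # constructed 'code' around the marker
    files = {
        "C:/Windows/System32/benign.exe": b"MZ" + bytes(64),            # constructed
        "C:/Users/Public/config.dat": xor_bytes(payload, XOR_KEY),      # constructed
    }
    # The loader reads the data file and rebuilds the code in its own memory.
    processes = {
        "1234 loader.exe": xor_bytes(files["C:/Users/Public/config.dat"], XOR_KEY),
    }
    return files, processes


def disk_scan(files: Dict[str, bytes], signature: bytes = SIGNATURE) -> List[str]:
    """Plain on-disk signature scan: matches only the literal bytes."""
    return sorted(name for name, data in files.items() if signature in data)


def memory_scan(processes: Dict[str, bytes], signature: bytes = SIGNATURE) -> List[str]:
    """The same signature, applied to process memory after the loader decoded it."""
    return sorted(pid for pid, image in processes.items() if signature in image)


def xray_disk_scan(files: Dict[str, bytes], signature: bytes = SIGNATURE) -> List[Tuple[str, int]]:
    """On-disk scan that knows the payload may be single-byte XOR'd: try every key.
    Returns (path, key) for each file in which the transformed signature appears.
    This is the 'X-ray' style matching AV engines add once a packing scheme is known."""
    hits: List[Tuple[str, int]] = []
    for name, data in sorted(files.items()):
        for key in range(256):
            if xor_bytes(signature, key) in data:
                hits.append((name, key))
                break
    return hits


if __name__ == "__main__":
    sample_files, sample_procs = build_sample()
    print("disk   :", disk_scan(sample_files))        # [] : nothing literal on disk
    print("memory :", memory_scan(sample_procs))      # ['1234 loader.exe']
    print("x-ray  :", xray_disk_scan(sample_files))   # [('C:/Users/Public/config.dat', 90)]
```

The point of the third scanner is that "only decoded in memory" buys evasion only until the transform is understood; once it is, the on-disk form is as matchable as the plaintext, which is why memory scanning and unpacking-aware signatures both ended up in mainstream engines.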

crowdleaks.org → W32.Duqu: The precursor to the next Stuxnet
Because a private key was stolen from a Taiwanese manufacturer, it was distributed as a driver carrying a valid digital signature
The certificate's expiry date was August 2, 2012, but it had already been revoked on October 14, 2011

Given that the Megatons to Megawatts program is underway, Russia sits on the same side as the stakeholders. The uranium fuel burned in Japan's reactors is down-blended Russian HEU, so there is no way Russia would do such a thing to a valued customer.
The article is a diversion from the fact that the plant simply broke in the earthquake.

The operating panel of the Unit 1 IC (isolation condenser) at Fukushima Daiichi, as printed in the Diet accident investigation commission's report, p. 208, and

the central control room, p. 128

Stuxnet and Duqu are viruses that infect Windows. I cannot see them infecting this retro plant of vacuum tubes and light bulbs. lol

So I wrote this post on March 30, 2012. And today is August 5, 2015. Three and a half years have passed.

And then the following email turns up in the Hacking Team WikiLeaks, which NTT Data and Mitsubishi were involved in.
wikileaks.org → [Canvas] SCADA pack 1.30, Agora 2.30 are out

Hi list,

SCADA+ ver 1.30 contains following new modules:
[network and scada]:
- Western Digital My Net N600, N750, N900, N900C Get admin password. CVE-2013-5006
- Schneider Electric PLC ETY Series Ethernet Controller - Denial of Service. public
- RuggedDirector 1.2 Remote Denial of Service [0Day].
- Mitsubishi MC-WorkX 8.02 ActiveX Control (IcoLaunch) File Execution.

Agora pack ver 2.30 contains nice web and server stuff. List:
- Lianja SQL db_netserver Denial of Service [0Day].
- Vino VNC Server - Denial of Service. CVE-2013-5745
- ALLMediaServer 0.8. Buffer Overflow Exploit for windows 7/XP
- aMSN 0.98.9 Local File Inclusion exploit
- ElitCMS 1.01 Standard Edition SQL Injection
- VoipNow Local File Inclusion Vulnerability

Best regards.
Gleg's development team.

Apparently this "SCADA pack 1.30, Agora 2.30" is a Russian SCADA-exploitation demo module.

- RuggedDirector 1.2 Remote Denial of Service [0Day].
- Mitsubishi MC-WorkX 8.02 ActiveX Control (IcoLaunch) File Execution.
And in there you find a Mitsubishi ActiveX exploit using a Windows zero-day [0Day]. (One caveat on reading the line as Gleg wrote it: the [0Day] tag is attached to the RuggedDirector denial-of-service module. The MC-WorkX entry is a file-execution bug in Mitsubishi's own ActiveX control, listed without a zero-day tag; it is a flaw in the Mitsubishi product, not a Windows zero-day.)

Back when I was working on the イポ表 piece I wondered whether Stuxnet might have been developed by Japan, and this meshes with that too.

Ah, here it is. The development is out in the open lol
SCADA+ Pack Latest Updates

SCADA+ 1.44
SCADA+ pack is out with three new modules, including two 0Days:
- PeakHMI Runtime Buffer Overflow. 0day
- Infilink HMI Denial of Service. 0day
- WS10 Data Server SCADA <= 1.83 - Remote Code Execution


SCADA+ 1.43
SCADA+ 1.43 contains three 0Days and one public vuln. list :
- DAQFactory <= 5.91 Remote Denial Of Service Exploit. [0-Day]
- ANT Studio Web 2013 v.9190M Feb 26 2013 - DLL Hijacking. [0-Day]
- SCADA/HMI AggreGate <= v.5.11.03 - XXE . [0-Day]
- Advantech ADAMView <=v.4.3 - Buffer Overflow. ICS-ALERT-14-323-02


SCADA+ 1.42
SCADA+ is updated with four 0days, including excellent Mango automation exploit allowing administrative credentials retrieving. video available here https://vimeo.com/user7532837/videos
- B&B Electronics Vlinx ConnectPro Manager DoS [0-Day]
- Events SCADA HMI <= v.8.58 - reveals sensitive info [0-Day]
- Mango Automation get login and password list [0-Day]
- Panasonic Configurator DL DoS PoC [0-Day]


SCADA+ 1.41
3 New 0Days are available in 1.41 version !
- ScadaBR File Upload and command exec [0-Day]
- APT France SensorIP2 security weakness [0-Day]
- SCADA SpecView <= v2.5 Build 858 information leak [0-Day]


SCADA+ 1.40
SCADA+ 1.40 contains:
- ARTIS WaterMon (Last Update: 2013-04-18) - SQL Injection [0-Day]
- Web-Server Plugin <= v.4.0.6 build 512 for Advanced Serial Data Logger <= 4.1.6 build 1114 - Directory Traversal [0-Day]
- e.SCADA.r (Eramosa SCADA Reporting) <= v.0.32 - reveals sensitive info [0-Day]
- SCADA Mango Automation, by Infinite Automation <= v.2.5.0 - File Upload [0-Day]


SCADA+ 1.39
SCADA+ 1.39 contains:
- Sagem Fast 3304-V1 Denial Of Service Vulnerability
- ScadaBR (Last Update: 2014-06-02) - BruteForce
- Z-Scada Net2.0 0-Day
- SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability 0-Day


SCADA+ 1.38
SCADA+ 1.38 contains:
- Emerson ROCLINK800 arpro2.dll ActiveX Control Remote Code Execution Vulnerability
- FANUC OlpcPRO Directory Traversal Vulnerability [0-day]
- NOVUS NConfig 1.3.3 [0-Day]
- D-Link DIR-300 DIR-600 DIR-615 routers Password Recovery


SCADA+ 1.37
SCADA+ 1.37 contains:
- Yokogawa CENTUM CS 3000 Remote Denial of Service
- IBM SPSS SamplePower Remote Arbitrary File Overwrite
- FESTO Robotino 0-Day DoS
- Cogent DataHub Directory Traversal Vulnerability 0-day


SCADA+ 1.36
SCADA+ 1.36 contains:
- Carlo Gavazzi PowerSoft Directory Traversal Vulnerability 0-day
- Advantech Domain Focused Configuration Tool 0-Day DoS
- ABB Test Signal Viewer CWGraph3D ActiveX Control Remote Code Execution Vulnerability


SCADA+ 1.35
SCADA+ 1.35 contains new nice 0Day modules for Siemens and Aspic industrial software. :
- Siemens Automation License Manager Service Denial Of Service Vulnerability. [0Day]
- Siemens Automation License Manager Remote Arbitrary File Overwrite. 2011-4529
- SCADA AspicManager (package: Aspic 3.30 - All in One SCADA HMI system) buffer overflow. [0Day]
- Aspic 3.30 - All in One SCADA HMI system telnet weakness. default pwd and more. [0Day]


SCADA+ 1.34
SCADA+ 1.34 pack contains 3 nice [0day] modules for famous CoDeSys framework software pieces (latest versions); this software is frequently used in the SCADA industry:
- CoDeSys ENI Server ver 3.2.2.23 Stack Buffer Overflow [0Day]
- CoDeSys Webserver ver 1.1.9.14 Stack Buffer Overflow [0Day]
- CoDeSys Gateway Server Denial Of Service Vulnerability [0Day]
there are also videos for these modules available on https://vimeo.com/user7532837/videos


SCADA+ 1.33
SCADA pack 1.33 contains several [0day] net related vulns and a scada module:
[network]:
- PRTG Server.exe Remote Crash. [0day]. PoC
- IP POWER 9258 W2 Information Leak (admin creds). [0day]
- FrameFlow Server Monitor Denial Of Service Vulnerability. [0day]
[scada]:
- Tri-PLC Nano-10 r81 - Denial of Service


SCADA+ 1.32
SCADA 1.32 update contains pretty interesting 0days, including one for iOS scada system! List:
- ScadaMobile ONE v2.5.2 Directory Traversal Vulnerability [0Day]
- Ecava IntegraXor <= 4.1.4380 - Denial of Service. ICSA-14-016-01
- Delta Electronics Buffer Overflow Exploit [0Day]
- Advantech WebAccess ActiveX ProjectName() exploit [0Day]
- Ecava IntegraXor SCADA <= 4.1.4380 Information leak. [0Day]
Two new videos are also available on https://vimeo.com/user7532837

SCADA+ 1.31
SCADA 1.31 as always contains fresh public modules and 0day DoSes.
List:
- ABB MicroSCADA Remote Code Execution. public
- Eaton Network Shutdown Module Denial Of Service Vulnerability. [0Day]
- Ignition Gateway OPC-UA Server Denial Of Service. [0Day]
- Eaton Network Shutdown Module Remote Code Execution + creds steal. public


SCADA+ 1.30
SCADA+ ver 1.30 contains following new modules:
[network and scada]:
- Western Digital My Net N600, N750, N900, N900C Get admin password. CVE-2013-5006
- Schneider Electric PLC ETY Series Ethernet Controller - Denial of Service. public
- RuggedDirector 1.2 Remote Denial of Service [0Day].
- Mitsubishi MC-WorkX 8.02 ActiveX Control (IcoLaunch) File Execution.

SCADA+ 1.29
SCADA+ 1.29 released with two new network devices exploitation modules and two scada side exploits:
[network]:
- ONO Hitron CDE-30364 Router Denial Of Service. public
- ZeroShell Local File Disclosure Vulnerability. public
[scada]:
- Tri-PLC Nano-10 r81 Denial of Service. public
- wlcsystems.com Modbus SCADA Vulnerability. [0day]


SCADA+ 1.28
SCADA+ 1.28 is out with nice [0day] DoSes for Siemens, Moore Industries and Eaton software, and more. Modules list:
- Siemens WinCC TIA Portal miniweb.exe remote dos 0-Day
- Moore Industries NCS Configuration 0-Day DoS
- EATON VURemote 0-Day DoS.
- Galil-RIO Rio-47100 Denial of Service.
Happy DoSing


SCADA+ 1.27
SCADA+ 1.27:
contains 4 modules for 3S, pwStore, National Instruments industrial software.
This time all CVE listed.
- pwStore Denial of Service
- 3S CODESYS Gateway-Server <= 2.3.9.27 Directory traversal vulnerability.
- two modules for different National Instruments LabWindows/CVI, LabVIEW, and other products ActiveXes.


SCADA+ 1.26
SCADA 1.26 is out with two 0day DoSes for Siemens and Honeywell pieces of industrial software. plus two ActiveX exploits (one of them is also 0day). Listing:
- SIEMENS Solid Edge ST4/ST5 WebPartHelper ActiveX Control Remote Command Execution [0Day].
- Siemens ProTool Pro CS [0Day] DoS.
- Honeywell UniSim ShadowPlant Bridge DoS. [0Day]
- Honeywell ActiveX control code execution. CVE-2013-0108


SCADA+ 1.25
SCADA 1.25 is out with two 0day DoSes and 3 public sploits for Schneider Electric, Mikrotik and Moxa software.
ag_Mikrotik_Syslog_Server_DoS - Mikrotik Syslog Server for Windows 1.15 Denial of Service
ag_MOXA_AWK_Search_Utility_DoS - MOXA AWK Search Utility DoS [0Day] DoS
ag_schnider_factory_cast - Schneider Electric Ethernet Modules Multiple Service Default Hardcoded Credentials
ag_schnider_modbusdrv - Multiple Schneider Electric Products 'ModbusDrv.exe' Local Buffer Overflow Vulnerability
ag_schnider_modbussim - Schneider Electric PLC Simulator 'sim.exe' Remote denial-of-service [0Day]


SCADA+ 1.24
SCADA+ 1.24 pack version contains four new modules covering industrial related software.
Among them 2 0days: DoS for Moxa tool and buffer overflow exploit for Schneider Electric Web Designer.
List:
- Clorius Controls ICS SCADA Information Disclosure
- Mitsubishi MX ActiveX Component exploit
- MOXA Mass Configuration Tool Denial of Service [0Day]
- Schneider Electric Web Designer remote BOF bug [0Day]


SCADA+ 1.23
New SCADA+ 1.23 version is out with two 0days and two public DoSes for well known Scadas:
- Schneider Electric Accutech Manager Server Denial Of Service
- Ge Fanuc Proficy HMI/SCADA CIMPLICITY WebView/ThinView server DoS
- Schneider Electric Vijeo Web Gate Server vuln [0Day]
- Schneider Electric Vijeo Web Gate Server Denial Of Service [0Day]


SCADA+ 1.22
New modules are ready for your attention. Scada section includes two 0day DoSes for IOServer and Netbiter Scadas.
You will also find a cool 0day AirTies routers exploit.
Listing:
[netdev]:
- AirTies rt series routers hardcoded credentials exploit [0day]
- Harbour Networks switch/router info disclosure. PoC. [0day]
[scada]:
- NetBiterConfig DoS 0day (PoC)
- IOServer OPC Server DoS 0-Day.
- IOServer Directory Traversal. CVE-2012-4680


SCADA+ 1.21
New SCADA+ pack 1.21 version is out with two 0days for eSolar system and widely implemented Adroit SCADA.
listing:
- Adroit SCADA Intelligence Server [0day] DoS
- Advantech Studio v7.0 Directory Traversal. public.
- C3-ilex EOScada Denial Of Service. public
- Esolar alternative energy management system [0day]


SCADA+ 1.20
SCADA+ Pack:
New 0day in ANT Studio and cve-listed Netbiter WebSCADA in scada section and 0day for korean router for your fun... along with old but still useful in some scada installations QNX modules. List:
- iptime korean router DoS [0day].
[scada]:
- QNX QCONN Remote Shutdown
- QNX phrelay DoS
- Directory traversal vulnerability in cgi-bin/read.cgi in WebSCADA WS100 and WS200. CVE-2010-4730
- ANT Studio denial of service [0day]


SCADA+ 1.19
SCADA+ 1.19 is out with two [0days] for SCADA!
We also continue to add info to network devices section... 3 modules this time along with 1 [0day].
Listing: [Network Devices]:
- [0day] AirTies rt104 router unauthorized download config
- Directory Traversal Vulnerability in Sitecom Home Storage Center
- Thomson twg850-4 Unauthenticated Backup File Access
[scada]:
- [0day] WINCC v7.0 SP2 CCEServer.exe denial of service
- [0day] Ge Fanuc Proficy HMI/SCADA CIMPLICITY WebView/ThinView server 8.10.0000.18236 info disclosure


SCADA+ 1.18
SCADA+ 1.18 is out with 3 new scada related 0days! and enhanced network devices exploitation tool.
Network devices modules include those for AirOS and famous Qlogic. Modules list
[Network devices]:
- Ubiquiti Networks AirOS Directory Traversal Vulnerability for AirOS 5, 4.0, 3.6.1
- Alpha Networks ADSL2/2+ Wireless Router ASL-26555 Password Disclosure
- QLogic SANsurfer FC HBA Manager Directory Traversal vulnerability.
- new version 1.1 of Automated network devices exploitation tool. see changelog for details
[scada]:
- [0day] Elipse E3 ActiveReports Remote Arbitrary File Replace
- [0day] Carel Plantvisor v.2.4.4 (possibly others) directory traversal vulnerability.
- [0day] QNX FTPD DoS

SCADA+ 1.17
SCADA+ 1.17 is out with a new network routers exploitation tool !
This tool scans network for routers and try to launch appropriate exploits of ours.
This should be really helpful in automation of the testing process. Scada section includes excellent modules with two [0days]!

Modules list:
[Network devices]:
- Automated network devices exploitation tool! It utilizes nmap scanning and autolaunchs appropriate exploits.
[scada]:
- ABB WebWare RobNetScanHost.exe Remote Code Execution Exploit
- SpecView <= 2.5 build 853 Directory Traversal
- [0day] Ge Fanuc Proficy HMI/SCADA CIMPLICITY WebView/ThinView server remote command execution
- [0day] KASKAD scada v.5.00 Remote Heap Overflow.


SCADA+ 1.16
This release is completely focused on network devices... Latest vulns for famous routers, including one 0day:
- Siemens Gigaset se551 authorization bypass [0day].
- Enigma2 Webinterface remote root file disclosure exploit
- Comtrend Router CT-5624 remote password disclosure vulnerability
- ASUS RT-N56U fw <= 1.0.1.4 remote password disclosure vulnerability
- ACTi ASOC 2200 Web Configurator <= v2.6 Remote Root Command Execution
- ZyXEL ZyWALL USG Appliance authentication bypass
- SAGEM ROUTER FAST 3304/3464/3504 - Telnet Authentication bypass
- Livebox TP Router Denial Of Service
- Linksys WAP610N fw.<=1.0.01 Unauthenticated Root Access Security Vulnerability


SCADA+ 1.15
SCADA+ is out with new network devices covered and pretty nice ICS stuff:
- PowerNet Twin Client <= 8.9 (RFSync 1.0.0.1) DoS
- RuggedCom devices password generator
- Sielco Sistemi Winlog Buffer Overflow
[Network devices]:
- 3Com OfficeConnect ADSL Wireless 11g Firewall Router authentication bypass 0day
- Cisco SA500 series SQL Injection
- Huawei HG866 GPON unauthenticated root pwd change


SCADA+ 1.14
SCADA+ professional 1.14 includes nice modules for SCADA and network devices,
featured modules are:
- PROMOTIC <= 8.1.3 directory traversal leveraged to user credentials steal !
- Siemens SIMATIC WinCC MiniWeb DoS. for ICS-ALERT-11-332-02.
- Pro-face Pro-Server EX WinGP PCRuntime <= 3.1.00 Invalid Memory Access DOS
[Network devices]:
- NetGear routers remote password disclosures
- WinRadius Server 2009 DoS


SCADA+ 1.13
SCADA+ 1.13 is out with:
- bunch of DoSes for IBM SolidDB. sometime this is also used in industrial soft. both fresh and old bugs covered.
- Advantech Studio [0day] DoS,
- xArrow multiple DoS,
- GeFanuc Proficy Portal directory traversal.


SCADA+ professional 1.12

NOTE: starting from this 1.12 version SCADA+ standard and Step-ahead licenses will be gradually merged into single "SCADA+ professional package"!

This time we include 3 step ahead scada modules from previous releases.
We have also powered this release with some modules for network devices.
Modules list:
- CEserver from Advantech Studio and Indusoft Web Studio buffer overflow. [0day]
- Carel Plant Visor Pro Hardcoded credentials vulnerability. [0day]
- Sunway ForceControl and pNetPower httpsvr.exe heap-based buffer overflow
modules for network devices:
- D-Link Wireless N Router (DIR-615) firmware 3.10NA apply.cgi Admin Authentication Bypass
- D-Link ShareCenter DNS-320 firmware v2.00b06 remote DoS
- D-Link Wireless G Router (WBR-1310) firmware 2.00 Authentication Bypass
- TRENDnet internet camera TV-IP201(P) firmware v2.00 Authentication Bypass


SCADA+ 1.11
SCADA+ 1.11 is available for download.
Five remote [0day] DoSes for remotely reachable services in famous SCADAs are available this time.
Covered are such vendors like GE Fanuc Proficy, Atvise, Trace Mode, xArrow.
Modules list:
- Ge Fanuc Proficy HMI/SCADA CIMPLICITY denial of service. [0day]
- Trace Mode v 6.06 RunTime monitor denial of service. [0day]
- Trace Mode v 6.06 RunTime monitor denial of service. [0day]
- Atvise v.2.1.16 denial of service. [0day]
- xArrow v3.2 DoS. [0day]

Step Ahead (professional) SCADA 1.11
Step Ahead (professional version) users additionally receive nice 0day in GE Fanuc Proficy, allowing scada users credentials steal and DoS in WinCC.
- Ge Fanuc Proficy HMI/SCADA CIMPLICITY scada users credentials steal. [0day]
- WINCC denial of service. [0day]


SCADA+ 1.10
Two fresh 0days for GE Fanuc and Broadwin\Advantech WebAccess, plus two 'old' 0days for Carel Plant Visor Pro (those were available previously in professional SCADA+ version).
Modules allow for sensitive information retrieving, such as SCADA users or admins names, database admin password hashes, configuration files.
- Ge Fanuc Real Time Portal v 3.0 SP1 sensitive information disclosure [0day]
- Broadwin\Advantech WebAccess v7.0 sensitive information disclosure [0day]
- Carel Plant Visor Pro critical information disclosure [0day]
- Carel Plant Visor Pro critical information disclosure [0day]


SCADA+ 1.9
New modules for public vulns in CoDeSys, Siemens WINCC and Samsung air conditioning Data manager server. Some allow full system compromise!
- Samsung Data Manager server (air conditioning systems) == 1.4.1 hardcoded credentials. [0day]
- CoDeSys SCADA v2.3 Webserver Stack Buffer Overflow. exploit allows full pwn.
- Siemens WINCC flexible runtime 2008 SP2 + SP 1, hmiload.exe directory traversal. exploit allows full pwn via trojan uploading.
- Siemens WINCC flexible runtime 2008 SP2 + SP 1, miniweb.exe Directory traversal. exploit allows arbitrary files downloading.
- Siemens WINCC flexible runtime 2008 SP2 + SP 1, miniweb.exe Denial of Service.
- LabStoRe <= 1.5.4 SQL Injection allowing admin + pwdhash retrieving.
- Samsung Data Manager server <= 1.4.2 multiple vulnerabilities (some critical).

Step Ahead (professional) SCADA 1.9
For step ahead (professional) SCADA+ users there are three additional 0days for well known SCADAs ... all allowing full pwn!
- SCPSA Carel Plantvisor [0day]. full pwn!
- SCPSA KASKAD scada v.5.00 Remote Heap Overflow. [0day]. full pwn!
- SCPSA Ge Fanuc Proficy HMI/SCADA CIMPLICITY. [0day]. full pwn!


SCADA+ 1.8
In SCADA+ 1.8 there are modules for several fresh public vulns (mostly Luigi Auriemma's) in well known industrial soft. Mostly DoSes this time...
- Beckhoff TwinCAT <= 2.11.0.2004
- Optima <= 1.5.2.13 Denial of Service
- OPCSystems.net <= 4.00.0048 denial of service
- Data Archiver service in GE Intelligent Platforms Proficy Historian <= 3.5 SIM 17 and 4.x <= 4.0 SIM 12 stack overflow proof of concept / DOS
- Atvise webMI2ADS <= 1.0 denial of service
- another Atvise webMI2ADS <= 1.0 denial of service
- Atvise webmitestserver directory traversal

Step Ahead (professional) SCADA 1.8
Step Ahead users also receive a nice module allowing users' credentials in Promotic SCADA to be decrypted! and a nice scada related activex exploit.
- PcVue <= 10.0, SVUIGrd.ocx <= 1.5.1.0. allows code execution
SCPSA_promotic - PROMOTIC <= 8.1.3 directory traversal leveraged to user credentials steal.


SCADA+ 1.7
New modules this time include:
- Rockwell's RSLogix5000 Denial of Service. CVE listed.
- SCADAPRO buffer overflow / DOS. CVE listed
- Cogent Datahub. no CVE.
- Sunway httpsvr.exe unauthenticated remote command execution. no CVE
- Sunway AngelServer DOS. no CVE.
- Sunway SNMP NetDBServer stack-based buffer overflow. no CVE.

Step Ahead (professional) SCADA 1.7
Step ahead SCADA+ users additionally receive a 0day :
- Advantech Web Studio denial of service [0day].


SCADA+ 1.6
New SCADA+ version 1.6 is out with following stuff for newest CVE listed vulns. some of them were found by Luigi Auriemma:
- Cogent DataHub Directory traversal vulnerability. CVE-2011-3500.
- DAQFactory <= v.5.85 build 1853 stack based buffer overflow. CVE-2011-3492
- CarelDataServer Directory traversal vulnerability. CVE-2011-3487
- Procyon Core Server stack buffer overflow. CVE-2011-3322
- SCADAPRO <= v.4.0.0.0 unauthenticated remote command execution. no CVE, but public.

Step Ahead (professional) SCADA 1.6
Step ahead SCADA+ users additionally receive nice 0days :
- CEserver buffer overflow. [0day]. This software is available for most embedded systems. Exploit by now covers WinXP sp3 embedded.
- Carel Plant Visor Pro critical information disclosure. [0day] All scada users logins+pwds steal
- Carel Plant Visor Pro critical information disclosure. Second vuln. [0day] All scada users logins+pwds steal


SCADA+ 1.5
New SCADA+ modules include:
- 0day for Broadwin\Advantech WebAccess. error based SQL Injection with filters bypass. was available via Step Ahead ~ 1.5 months ago.
- glorious Labview (version 6 and possibly others) DoS via ipv6 query. old bug, for old but commonly used Labview version.
- Progea Movicon 11 remote DoS crashing the server.

Step Ahead (professional) SCADA 1.5
Step Ahead (professional SCADA) users additionally to all above receive
- 0day Carel Plant Visor Pro vulnerability. Used on nuclear plants e.g. in Canada. exploit allows credentials steal.
- Sunway ForceControl and pNetPower buffer overflow. vuln is known to exist (but details are not public), patch available. thousands of installations in Turkey and China http://gleg.net/httpsrv_shodan.png

But what on earth is this?
GLEG.net, selling SCADA-exploitation demo products out of Russia
gleg.net/about.shtml

So there are vulnerabilities in the Siemens SCADA systems used in plants around the world, and they have made a business out of dealing in them. Hmm. A borderline business, like VUPEN, which sold zero-days to Hacking Team and FinFisher.
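When a vendor feed like the one quoted above leaks, the useful first step is to turn the free-text release notes into something countable: which modules are tagged [0Day], which carry a public CVE or ICS-CERT identifier, and how many are mere denial-of-service crashers as opposed to code execution. The following is an added example (editor's code, not Gleg's and not from the original post); SAMPLE is an excerpt constructed from the release notes quoted above, and the bug-class keyword buckets are a heuristic chosen here, not anything Gleg publishes.

```python
"""Parse SCADA+-style release notes into a structured module inventory.

Added example (editor's code, not from the original post or from Gleg).
SAMPLE is an excerpt constructed from the release notes quoted in the post;
the bug-class keyword buckets below are a heuristic chosen for this example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE = """\
SCADA+ 1.32
SCADA 1.32 update contains pretty interesting 0days, including one for iOS scada system! List:
- ScadaMobile ONE v2.5.2 Directory Traversal Vulnerability [0Day]
- Ecava IntegraXor <= 4.1.4380 - Denial of Service. ICSA-14-016-01
- Delta Electronics Buffer Overflow Exploit [0Day]
- Advantech WebAccess ActiveX ProjectName() exploit [0Day]
- Ecava IntegraXor SCADA <= 4.1.4380 Information leak. [0Day]

SCADA+ 1.30
SCADA+ ver 1.30 contains following new modules:
[network and scada]:
- Western Digital My Net N600, N750, N900, N900C Get admin password. CVE-2013-5006
- Schneider Electric PLC ETY Series Ethernet Controller - Denial of Service. public
- RuggedDirector 1.2 Remote Denial of Service [0Day].
- Mitsubishi MC-WorkX 8.02 ActiveX Control (IcoLaunch) File Execution.

SCADA+ 1.11
SCADA+ 1.11 is available for download.
- Ge Fanuc Proficy HMI/SCADA CIMPLICITY denial of service. [0day]
- Atvise v.2.1.16 denial of service. [0day]

Step Ahead (professional) SCADA 1.11
- WINCC denial of service. [0day]
"""

# A release header: "SCADA+ 1.30", "SCADA+ professional 1.12", "SCADA pack 1.33 ...",
# "Step Ahead (professional) SCADA 1.11".  Repeats of the same version are harmless.
VERSION_RE = re.compile(
    r"^(?P<tier>Step Ahead \(professional\) )?SCADA\+?(?: professional)?(?: pack)? (?P<ver>\d+\.\d+)\b"
)
MODULE_RE = re.compile(r"^\s*-\s+(?P<body>.+?)\s*$")
ZERODAY_RE = re.compile(r"\b0-?days?\b", re.I)            # [0Day], [0-Day], 0day, [0day ]
ADVISORY_RE = re.compile(
    r"\b(?:CVE-\d{4}-\d{4,7}|ICSA-\d{2}-\d{3}-\d{2}|ICS-ALERT-\d{2}-\d{3}-\d{2})\b"
)
# Heuristic bug-class buckets; order matters, first match wins.
KIND_RULES = [
    ("exec", re.compile(r"execution|overflow|command exec|activex", re.I)),
    ("dos", re.compile(r"denial of service|\bdos\b", re.I)),
    ("traversal", re.compile(r"traversal", re.I)),
    ("info", re.compile(r"password|credential|information|\binfo\b|leak|disclosure", re.I)),
]


@dataclass
class Module:
    release: str
    name: str
    zero_day: bool
    advisories: List[str]
    kind: str


def classify(name: str) -> str:
    """Bucket a module description by bug class using the keyword rules."""
    for kind, rx in KIND_RULES:
        if rx.search(name):
            return kind
    return "other"


def parse_release_notes(text: str) -> List[Module]:
    """Walk the notes line by line, tracking the current release header and
    turning every '- ...' line under it into a Module."""
    modules: List[Module] = []
    release: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = VERSION_RE.match(line)
        if header:
            release = header.group("ver") + (" (Step Ahead)" if header.group("tier") else "")
            continue
        entry = MODULE_RE.match(line)
        if entry and release is not None:
            body = entry.group("body")
            modules.append(Module(
                release=release,
                name=body,
                zero_day=bool(ZERODAY_RE.search(body)),
                advisories=ADVISORY_RE.findall(body),
                kind=classify(body),
            ))
    return modules


def summarize(modules: List[Module]) -> Dict[str, Dict[str, int]]:
    """Per-release counts: total modules, [0Day]-tagged, with a public advisory id,
    plus one counter per bug class."""
    out: Dict[str, Dict[str, int]] = {}
    for mod in modules:
        row = out.setdefault(mod.release, {"modules": 0, "zero_day": 0, "with_advisory": 0})
        row["modules"] += 1
        row["zero_day"] += int(mod.zero_day)
        row["with_advisory"] += int(bool(mod.advisories))
        row[mod.kind] = row.get(mod.kind, 0) + 1
    return out


def find_module(modules: List[Module], needle: str) -> Optional[Module]:
    """First module whose description contains `needle` (case-insensitive)."""
    for mod in modules:
        if needle.lower() in mod.name.lower():
            return mod
    return None


if __name__ == "__main__":
    parsed = parse_release_notes(SAMPLE)
    for rel, counts in summarize(parsed).items():
        print(rel, counts)
    print(find_module(parsed, "MC-WorkX"))
```

Run on the three releases in SAMPLE it reports 1.30 as four modules with one [0Day] (the RuggedDirector DoS) and one CVE, and it files the MC-WorkX IcoLaunch entry as an execution-class bug with no zero-day tag and no advisory identifier, which is exactly the distinction that matters when reading the list in the leaked email. The kind buckets are deliberately crude; the point is that counting DoS-only modules separately from code execution changes how alarming such a list looks.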

Updated 2016.1.22 20:14 Unintended communications detected → traffic with a Chinese server. Nuclear-related facility in Rokkasho, Aomori, investigates possible leak of nuclear-material information
 The Nuclear Material Control Center (Tokyo), a public-interest foundation that inspects nuclear materials at power plants and elsewhere, announced on the 22nd that file-sharing software had found its way onto a staff PC at its Rokkasho Safeguards Center (Rokkasho, Aomori Prefecture) and that the PC had been accessed several times from a server in China in August and September of last year. Based on its data records the foundation says "no confidential information has leaked", but it is investigating whether other information may have been exposed.

 Under the foundation's internal rules, any case where information may have leaked must be reported to the Nuclear Regulation Authority secretariat, but the foundation did not appreciate the seriousness and failed to report it.

 According to the foundation, the unintended traffic was detected in August last year, when the center introduced a monitoring service from an information-security company. The investigation found that Chinese-made file-sharing software on a Taiwanese-made external hard disk purchased in April last year had been communicating repeatedly. The software had been on the hard disk from the time of purchase, and the staff member connected the disk without knowing.

They are at it again. Idiots.
