Manipulating memory of ICS Siemens Simatic S7-300 (and others)

First of all, I would like to thank the whole Siemens team for its support on this topic of memory manipulation: they were available at all times to discuss it with me, and I received a great deal of help from them.

I would also like to point out that the document linked below describes the key to patching the vulnerabilities in this post. To do so, you have to raise the security of Siemens Simatic S7-300 devices to protection level 3 (the default is level 1). This provides full protection against both reading and writing memory. The other option is not to expose TCP port 102 to the Internet.

https://cache.industry.siemens.com/dl/files/462/77507462/att_84907/v1/pcs7_compendium_part_f_en-US.pdf

With that said, I will continue with the explanation. The devices I used are the following:

- SIMATIC S7-300, CPU 315-2 DP
- SIMATIC S7-300, CPU 313C-2 DP
- SIMATIC S7-300, CPU 315-2 PN/DP

In summary, it is possible to write to the memory of these logic controllers remotely, without any authentication mechanism, through TCP port 102. An attacker can write whatever they want. The picture below shows the script that I developed to exploit this vulnerability.

In the image above you can see the numbered rectangles, which correspond to the explanations below, point by point:

1. Once the connection with the PLC has been established, the string "hola" is written to its memory in Base64 encoding, character by character (byte by byte). These characters are sent one at a time to the memory of the device by selecting data block (DB) 3, from position 1 to position 8.

2. With the call client.db_read(<db_number>, <start_address>, <size>), the first 256 bytes are read starting from position 1 of DB 3.

3. As can be seen in the image, the string "aG9sYQ==" is loaded into the memory, which means "hola".

4. Then the characters inserted in the DB are read from position 1 to position 8 and stored in the variable "datar".

5. The content of that variable, i.e. the string stored in the PLC, is displayed.

The second script can be used to upload a file called "PoC.zip", which is first converted to a Base64 string so that it can be uploaded byte by byte into the PLC. Afterwards, the file can be downloaded back from the device. The only limit is the memory size of the device being used.


It is also possible to read sensitive information with the other script:


If you follow the same steps used to modify the memory, you will be able to modify, in this case, the e-mail addresses and so receive the notifications that the devices may generate.

And that's all. Siemens recommends setting protection level 3, and this post simply shows why it is so important to set it and not to expose these devices directly to the Internet.

I hope you enjoy this post and happy hacking!

Contribution by Carlos Antonini
