lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 4 Apr 2017 13:51:46 +0200
From: Ralf Spenneberg <info@...t.de>
To: bugtraq@...urityfocus.com
Subject: OS-S-2017-01: The password for the application protection of the
 Schneider Modicon TM221CE16R can be retrieved without authentication.
 Subsequently the application may be arbitrarily downloaded, uploaded and
 modified. CVSS 10.

OpenSource Security Ralf Spenneberg
Am Bahnhof 3-5
48565 Steinfurt
info@...s.net

OS-S Security Advisory 2017-01
Date: April 4th, 2017
Authors: Simon Heming, Maik Brüggemann, Hendrik Schwartke, Ralf Spenneberg
CVE: not yet assigned
CVSS: 10
Affected Device: Schneider Modicon TM221CE16R, Firmware 1.3.3.3
Title: The password for the application protection of the Schneider
Modicon TM221CE16R can be retrieved without authentication. Subsequently
the application may be arbitrarily downloaded, uploaded and modified.
Severity: Critical. The protection of the application is not existant.
Ease of Exploitation: Trivial
Vulnerability type: Information Disclosure
Vendor contacted: December 23rd, 2016

Abstract
The Application Protection is used to prevent the transfer of the
application from a logic controller into a SoMachine Basic project. A
simple command (seen below) can be send via Modbus over TCP port 502 to
the logic controller and it will return the password unencrypted.

// bash command
echo -n -e '\x00\x01\x00\x00\x00\x05\x01\x5a\x00\x03\x00' | nc IP 502

After that the retrieved password can be entered in SoMachine Basic to
download, modify and subsequently upload again any desired application.

Vendor Contacted
We contacted the vendor. Apart from the first acknowledgement of the
receipt of the report we did not receive any further information.

PDF: https://www.os-s.net/advisories/OSS-2017-01.pdf
-- 
OpenSource Training Ralf Spenneberg     http://www.os-t.de
Am Bahnhof 3-5                          48565 Steinfurt         Germany
Fon: +49(0)2552 638 755                 Fax: +49(0)2552 638 757

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ