From Pass-the-Hash to Code Execution on Schneider Electric M340 PLCs


The Schneider Electric industrial control systems architecture consists of Modicon PLCs that communicate with an engineering station and a SCADA HMI on one side and control industrial processes on the other. After reverse-engineering the cryptographic protocol, we identify vulnerabilities that allow us to masquerade as the engineering station to the PLC, cryptographically sign messages, and inject any messages favourable to the attacker. We also identify additional vulnerabilities in the PLC's memory management. We demonstrate that these primitives lead to remote code execution, installation of persistent rootkits, and potentially re-programming the boot firmware over the network.

By: Amir Zaltzman & Avishai Wool

Full Abstract & Presentation Materials:
https://www.blackhat.com/eu-24/briefings/schedule/#from-pass-the-hash-to-code-execution-on-schneider-electric-m340-plcs-42573