Gleg releases Version 1.4 of the SCADA+ Pack for Canvas

On July 21, Gleg Ltd. annouced the availability of Release 1.4 of the SCADA+ pack for Immunity's Canvas.  This confirms a trend by which Gleg appears to be offering an updated SCADA+ pack about every month. Details of v1.2 - 1.3 are also provided below.

ICS-CERT also released an alert ICS-ALERT-11-230-01 on August 18 which provides some additional details on the SCADA+ Pack.  Though there were no alerts or updates for SCADA+ Versions 1.2 and 1.3, the ICS-CERT update and this blog should provide good revision control.

Here are the details of the release contents cover two (2) 0-days and one (1) public vuln:

• ICSCADA blind error based SQL Injection (public, unpatched) results in admin password retrieving
• Broadwin\Advantech WebAccess7.0 multiple ActiveXs vulnerabilities (zero day)
• Broadwin WebAccess DoS PoC (zero day)

STEP AHEAD users receive an additional module:

• Broadwin\Advantech WebAccess blind error based SQL Injection with filters bypass - allows admin's password retrieving. (zero day)

On June 23, Gleg released Version 1.3 of the SCADA+ Pack, which added the following modules:

• Wintr SQL injection (zero day)
• IntegraXOR 3.6.4000 SQL Injection
• Broadwin\Advantech SCADA product ActiveX Control Buffer Overflow (zero day)
• Advantech Studio ISSymbol ActiveX Control Buffer Overflow Multiple
  Vulnerabilities

On May 17, Gleg released Version 1.2 of the SCADA Pack, which included some minor fixes and offered some added functionality. It included an exploit for old, but still frequently used ENIServer version. It is included in CoDeSys software resulting in "full pwn"! "ENIServer" Shodan search gives more than hundred systems exposed to the Internet worldwide.

Additional modules include:

• Remote exploit for CoDeSys ENI Server ver 1.1.4.0. full pwn (zero day)
• RealWin SCADA Memory Corruption (this time DoS against 910/tcp) (probable zero day)
• CACHE database DoS (zero day)
• Another vector for CACHE Database DoS (zero day)