Sunday, November 27, 2011

Gleg releases Ver 1.8 of the SCADA+ Exploit Pack for Immunity Canvas

On November 24, Gleg released version 1.8 of the SCADA+ Exploit Pack for the Immunity Canvas framework, along with a corresponding version 2.7 of the Agora Exploit Pack.

SCADA+ 1.8 adds modules for several recently published SCADA/ICS vulnerabilities, most of which were disclosed by Luigi Auriemma.  Many of these modules appear to be denial-of-service (DoS) exploits, so I do not think this release is worth the money at this time.

SCADAhacker has noticed that the Optima APIFTP Server SCADA HMI vulnerabilities included with Gleg SCADA+ 1.8 have not yet been disclosed by ICS-CERT.  I will be posting an out-of-band advisory on this vulnerability set within the next 24 hours and will update this blog accordingly.

Gleg's Step Ahead customers receive some additional exploit modules, including one that allows them to decrypt user credentials in Promotic SCADA and an additional SCADA-related ActiveX exploit.

SCADA+ 1.8 modules include:
  • Beckhoff TwinCAT <=
  • Optima <= Denial of Service
  • OPC Systems.NET <= 4.00.0048 Denial of Service
  • Data Archiver service in GE Intelligent Platforms Proficy Historian <= 3.5 SIM 17 and 4.x <= 4.0 SIM 12 Stack Overflow Proof of Concept & Denial of Service
  • Atvise webMI2ADS <= 1.0 Denial of Service
  • a second Atvise webMI2ADS <= 1.0 Denial of Service
  • Atvise webMI TestServer Directory Traversal
  • PcVue <= 10.0, SVUIGrd.ocx <= Code Execution
  • PROMOTIC <= 8.1.3 Directory Traversal leveraged for user credential disclosure
It is worth mentioning that the SCADAhacker Vulnerability Reference List contains a great deal of information on most of these vulnerabilities and includes any publicly disclosed PoC code.
Other SCADA/ICS vulnerabilities disclosed by Luigi Auriemma covered in the SCADAhacker Vulnerability Reference List but not included in Gleg SCADA+ include:
  1. that list of "modules" is exactly the same as the one available for free on my website (they admitted it too).

    nothing new as usual, so I don't understand why someone should waste money on something already publicly available.

    I have checked all their previous "releases" and every time I notice that:
    - 85% of the time it's just my stuff, this time it's 100%
    - 10% are other known public bugs with a public PoC or a trivial-to-code PoC (easy protocol/bug)
    - 5% are simple DoS bugs found by them, often in unknown products

    that's what I noticed, maybe I'm wrong.

    so why give them all this importance (advertising?) and space every time if they try to sell something already known and public?

    if there is something new and good from them it's ok, but this is not the case in my opinion.

    what do you think about this, Joel?

    Luigi Auriemma

  2. They stated on their website: "effort towards 100 % public bugs coverage, along with 0days"... so it is not strange that they write modules for Luigi's things. Of course, if copyright is in place.

