Wednesday, August 14, 2013

Gleg releases Ver 1.26 of the SCADA+ Exploit Pack for Immunity Canvas

Right on schedule, just one month after their previous update, Gleg announced on August 14 the release of version 1.26 of the SCADA+ Exploit Pack for the Immunity Canvas framework.

A summary of recent releases includes:
  • Version 1.25 was released on July 5, 2013
  • Version 1.24 was released on May 14, 2013
  • Version 1.23 was released on April 22, 2013
  • Version 1.22 was released on February 27, 2013
  • Version 1.21 was released on February 7, 2013
  • Version 1.20 was released on December 21, 2012
  • Version 1.19 was released on November 8, 2012
SCADA+ 1.26 includes three new SCADA-related 0-days against Siemens and Honeywell, plus one additional exploit for a previously disclosed Honeywell vulnerability. This release is particularly interesting in that it targets the Honeywell UniSim (ShadowPlant) Dynamic Training Simulator package. This is one of the most popular high-fidelity simulators for process control, and, if exploited, it could expose numerous other weaknesses to a knowledgeable attacker.

Knowing this, I believe that these 0-days represent a real threat to operational ICS and, more importantly, to the physical plant and the associated intellectual property contained within the ICS.

SCADA+ 1.26 modules include:
  • Siemens Solid Edge ST4/ST5 WebPartHelper ActiveX Control Remote Command Execution [0-day]
  • Siemens ProTools Pro CS DoS [0-day]
  • Honeywell UniSim ShadowPlant Bridge DoS [0-day]
  • Honeywell ActiveX control code execution (CVE-2013-0108)
The Siemens ProTool Pro package WAS the universal configuring software for all SIMATIC operator panels and for the HMI part of the SIMATIC C7. It ran on Windows 98 SE/ME and Windows NT 4.0/2000/XP. Siemens announced the phase-out of this product effective Oct. 1, 2007, with discontinuation from sale effective Oct. 1, 2010, so this is an obsolete and unsupported product. It has been replaced by the WinCC Flexible package.

ICS-CERT does not appear to have released any Alerts or Advisories for either the Honeywell UniSim or the Siemens ProTool ICS products affected by these exploits. The Honeywell ActiveX control vulnerability was previously disclosed in Advisory ICSA-13-053-02. Rapid7 released a Metasploit Framework exploit module for the Honeywell ActiveX vulnerability in March 2013.

Additional details and references can be found for the other exploit modules included in the SCADA+ pack:
Information on the Gleg SCADA+ Exploit Pack can be found here, as well as information on Immunity's CANVAS here.

As always, please post your comments or suggestions to improve the usefulness of this information.
