Tuesday, October 8, 2013

Gleg releases Ver 1.28 of the SCADA+ Exploit Pack for Immunity Canvas

Wow ... they are really providing a steady stream of updates as Gleg announced today (October 8) the release of version 1.28 of the SCADA+ Exploit Pack for the Immunity Canvas framework.

A summary of recent releases includes:
  • Version 1.27 was released on September 6, 2013
  • Version 1.26 was released on August 14, 2013
  • Version 1.25 was released on July 5, 2013
  • Version 1.24 was released on May 14, 2013
  • Version 1.23 was released on April 22, 2013
  • Version 1.22 was released on February 27, 2013
  • Version 1.21 was released on February 7, 2013
  • Version 1.20 was released on December 21, 2012
  • Version 1.19 was released on November 8, 2012
SCADA+ 1.28 includes 3 new 0-days targeting a set of new ICS "victims" including Moore Industries and Eaton, along with our long-time friend Siemens!

SCADA+ 1.28 modules include:
  • Moore Industries NCS (NET Concentrator System) Configuration DoS [0-day]
  • Eaton HMi VU Remote DoS [0-day]
  • Siemens WinCC TIA Portal miniweb.exe Remote DoS [0-day]
  • Galil RIO-47000 DoS
This is an interesting release, as neither the Eaton nor the Moore Industries vulnerability appears to have been identified by ICS-CERT (maybe because of the hiatus!). Information on the versatile Moore NCS product is available on YouTube. Several PDF documents (links not included here) on the Eaton HMi VU are available for reference. These could be interesting exploits, as there appears to be little documented on these vulnerabilities from the typical sources.

The Galil vulnerability is discussed in ICS-CERT Advisory ICSA-13-116-01 (published on April 26, 2013), originally disclosed by Jon Christmas of Solera Networks. Some interesting information on the RIO-47xxx can be found here.

It is difficult to tell whether or not the Siemens WinCC vulnerability has been previously identified and documented by ICS-CERT, since there are multiple entries in 2012 and 2013 relating to the TIA Portal web services.

Additional details and references can be found for the exploit modules included in the SCADA+ pack:
Information on the Gleg SCADA+ Exploit Pack can be found here, as well as information on Immunity's CANVAS here.

As always, please post your comments or suggestions to improve the usefulness of this information.

1 comment:

  1. It has been quite some time since ICS-CERT directly addressed a 0-day exploit from Gleg. While they have modified advisories to list some Metasploit coverage they haven't even done this for Gleg. It makes one wonder if maybe they are trying to ignore Gleg out of existence.