Debug7: Leveraging a Firmware Modification Attack for Remote Debugging of Siemens S7 PLCs
Вставка
- Опубліковано 8 лис 2024
- Industry 4.0 and smart manufacturing led to the emergence of a new type of PLCs, called software PLCs. In our previous work, sOfT7, presented in Black Hat USA 2022, we found that Siemens' leading software PLC, ET 200SP, utilizes a hypervisor that controls two virtual machines:
1) Windows Embedded, that communicates with the upper Purdue Model layers.
2) An encrypted Adonis Linux (SWCPU), that runs the programmable control logic and operates the
field devices.
In sOfT7 we presented a method that decrypts the SWCPU. A tool that implements sOfT7 was published in recent research from Black Hat Europe 2023. Our current research shows that a remote attacker who gains control over the Windows VM can perform a runtime modification of the software PLC (SWCPU) and use it for remote debugging of the S7-1500 firmware.
Despite being a major focal point for attackers and researchers, until now, there is no known method to perform dynamic runtime analysis of the SWCPU. Our research brings to light a novel method for debugging various firmware versions of Siemens S7 PLCs. Our analysis exposed a forgotten debug flag, that allows an attacker to replace the encrypted SWCPU with an arbitrary ELF file. We exploited this vulnerability and modified the firmware by hooking various system calls and latching onto an existing HTTP session exposed by Siemens' proprietary web server. This allowed us to communicate with the SWCPU and control it remotely. Using this communication channel, we developed a novel debugger, which can set breakpoints in the SWCPU during runtime and read/write the content of memory and registers. Due to the lack of a secure boot, we were able to persist the debugger's installation.
The debugger we built has a tremendous impact on the future research of the whole Siemens S7 PLCs product line, as the firmware we analyzed is shared across many of them. Additionally, any remote attacker that controls the Windows VM can replace the SWCPU and use the communication channel that we implemented to establish a connection with a malicious C&C server and control the PLC.
By:
Eyal Semel | Faculty of Computer Science, Technion, Israel Institute of Technology
Ron Semel | B.Sc. Student, Technion, Israel Institute of Technology
Alon Dankner | Security Researcher, Technion, Israel Institute of Technology
Sara Bitan | Dr., Technion & CyCloak, Israel Institute of Technology
Eli Biham | Prof., Technion, Israel Institute of Technology
Full Abstract & Presentation Materials:
www.blackhat.c...