Shulou(Shulou.com)05/31 Report--

This article shows you how to PWN Scalance industrial control equipment, the content is concise and easy to understand, it will definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

When testing the ship control system, we noticed that the control system is heavily dependent on Scalance industrial Ethernet switch, so we carried out in-depth research on it. It is found that the management password can be reversibly encrypted with a static key, and the user password can be reversibly encrypted with different keys.

Here is how we find the static key.

The research starts with the configuration file, and the password looks unusual and does not seem to be an one-way hash. There are vulnerabilities that can be used to restore configuration files and firmware, which means that an attacker can access this information:

The password is short, the length depends on the size of the password, and is populated to 8 characters. This means that a block cipher is used for encryption.

The 64-bit password used for testing indicates the use of DES or Blowfish as the encryption algorithm. It is also worth noting that the administrator account has two passwords.

Firmware reverse

The firmware file is an ARM ELF file. Run the "binwalk" command on the ELF file to find the version string of the "VxWorks" real-time operating system and LZMA compressed data.

The lzma compressed file is the main firmware of the device, and unzipping it shows that it is a binary file with no recognizable file signature. The extracted binary file of hexdump indicates that it is arm firmware.

Because the firmware is recognized and the format is readable, it can be loaded into IDA as an ARM Little-endian binary file.

A static analysis is performed on the firmware payload and there is no known information about the interior of the device. Therefore, the entry point of the firmware is not clear.

When this happens, you can use the default address 0x00000000 as the entry point. However, references to functions and data will be inaccurate.

Finding the entry point is important because it makes it easier to identify the code references and trace functions that are in use. There are many technologies available, and because the firmware uses the VxWorks real-time operating system, there are shortcuts.

The VxWorks symbol table provides function references that match string references, allowing each function in the firmware to have a name that defines its function. Use the "sysInit" function to find the entry point of the function by identifying the firmware startup.

The ram can be identified by the values set in the code, and the rest of the firmware can be analyzed with the help of ida.

Password encryption analysis

We can find a function reference to the word "password" or any function call similar to encryption, focusing on blowfish or des encryption. The values loaded into the parameter are tracked before the parameter is called, and for arm, these values are set in registers R0, R1, R2, and so on.

The blowfish function call is identified in the "clieditpasswordset" function, proving the use of reversible encryption. Blowfish test functions are identified using specific constants that can be searched online so that you can identify the exact blowfish library used, which can be downloaded from github.

The encryption key for blowfish can be tracked by identifying the value passed to register R1. Register R0 will contain the "ctx" variable, R1 will contain the key, and R2 will contain the length of the key.

The analysis shows that the encryption key for the administrator password is "els_key", but the attempt to decrypt the user's password using this string failed. Further analysis shows that the second key is used in encryption, but it can not be statically identified.

Static analysis is useful when dealing with relatively simple software, or when you have a lot of time to track each function call. In this case, we cannot identify the encryption method of the user's password through static analysis.

We purchased the scalance switch, identified the jtag on the motherboard, soldered the head, and connected it to the segger j-link jtag debugger.

Using segger gdb, you can add breakpoints and step through each element of the firmware. Thus, the exact variable used for encryption can be identified by checking the register setting when the function is called.

The following password encryption methods are determined:

1. The administrator password is encrypted with a static key "els_key"

2. The second administrator password is a static string "elsdebug", which is encrypted with the plaintext administrator password to ensure that the administrator password corresponds to the encryption used by the user password.

3. All other user passwords are also encrypted with the plaintext administrator password

The above content is how to PWN Scalance industrial control equipment, have you learned the knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.