SCADA+ Exploitation Pack for CANVAS

Due to the product continuous update in nature, so we prepare this post for those who interest to know what is include inside. Latest update will be show on the top, while older update will be auto show below. This post will keep update and the post date will follow the latest date, so it will show one post date, rather than multiple post for hassle free reading in one post. This post is about CANVAS Exploitation Pack (CEP) SCADA+, it need to be use with CANVAS Exploitation Testing Framework. SCADA+ Exploitation Pack for CANVAS is a must for those conduct exploitation testing and security assessment on SCADA/ICS. Feel free to contact E-SPIN for product and related matters.

SCADA+ Exploitation Pack for CANVAS Product Overview

One of the current trends in exploitation is targeting SCADA systems (Stuxnet). The SCADA+ pack speaks to this new trend by providing its customers with exploits for both public vulnerabilities and 0day vulnerabilities in SCADA systems. If you serve an industry that does any type of automation, the SCADA+ pack should be on your radar for running the most realistic attack scenarios and penetration tests for your customers. Attackers are very interested in your clients’ SCADA systems, you have to be too. This is an attempt to collect ALL publicly available SCADA vulnerabilities in one exploit Pack. SCADA and related vulnerabilities are very special due to their sensitive nature and possible huge impact involved to successfull exploitation. SCADA Systems are also “hard to patch”, so even old vulnerabilities are actual.

The SCADA+ Pack features:

• • Growing value ~350 exploits currently

Due to low real systems patch rank exploits are actual for a longer time

• • We try to cover most of the public SCADA vulns!

Including old and newly discovered bugs

• • 0 Days for SCADA

We conduct our own in depth research

• • Focused on Industrial software & hardware environment

Not only SCADA, but also Industrial PCs, smart chips and industrial protocols are reviewed.

• • Weak points analyses

Many industrial things suffer from weaknesses like hardcoded password and etc.

2021-Aug-4 SCADA+ 2.16:
– ioBroker 1.5.14 Directory Traversal Vulnerability. CVE-2019-10767
– OpenPLC 3 Remote Code Execution. pub
– ScadaBR 1.0 Arbitrary File Upload. pub
– SmartPTT Arbitrary File Upload. 1 Day
– SmartPTT Information Disclosure. 1 Day

2021-Jul-13 SCADA+ 2.15:
– GLPI 9.5 Unauthenticated Info Disclosure. 1 Day
– GLPI 9.5 Auth Bypass. 1 Day
– MICROSYS PROMOTIC 9.0.15.2 SCADA Remote File Owerwrite. 1 Day
– Movicon 11.6 Scada/HMI platform Directory Traversal. 1 Day
– Simp Light Scada Directory Traversal. 1 Day

2021-Jun-10 SCADA+ 2.14:
– WebHMI 4.0.7348 DoS. 1 Day
– Mitsubishi MC Works64 SCADA Remote Arbitrary empty File Create, unsafe ActiveX.1 Day
– ICONICS AlarmWorX32 Report ActiveX Remote Arbitrary empty File Create unsafe ActiveX. 1 Day
– FATEK Automation FvDownload DoS.1 Day

2021-May-11 SCADA+ 2.13:
– Beckhoff CP-Link 3 1.7.31.0 CplGfxClient Denial of Service. 1 Day
– Fernhill SCADA Server Denial of Service. 1 Day
– Merz MScada Server 2.1.15269.5804 Denial of Service. 1 Day
– WebHMI 4.0.7348 Persistent Cross-Site Scripting. 1 Day

2021-Apr-5 SCADA+ 2.12:
– Advantech iView Missing Authentication RCE (FIXED). CVE-2021-22652
ADwin software package, + Beckhoff TwinCAT 3x, + Schneider Electric ProWORX unsafe ActiveX methods [1Days]

2021-Mar-12 SCADA+ 2.11:
– ICPDAS eLogger software 2.0.0.0 Denial of Service.1 Day
– Point of View SCADA/HMI software Remote Code Execution Vulnerability.1 Day
– Yaskawa SigmaWinPlus 7 Remote Arbitrary File Overwrite.1 Day

2021-Jan-30 SCADA+ 2.10 :
– Advantech ActiveDAQ Pro AdvButton.dll Remote Code Execution Vulnerability usafe method. 1 Day
– Advantech ActiveDAQ Pro Remote Code Execution Vulnerability. unsafe method 1 Day

2020-Dec-04 SCADA 2.08:
– Schneider Electric ProWORX 32 .ocx Remote File Create Vulnerability. 1 Day
– SoftPLC Web Studio Mobile Access Denial of Service. 1 Day
– Advantech R-SeeNet 1.5.1-2.4.9 SQL Injection Info Disclosure. CVE-2020-25157

2020-Nov-14 SCADA 2.07:
– Schneider Electric TwidoSuite ModbusDrvSys Denial of Service. 1 Day
– BACnet Test Server 1.01 Remote Denial of Service. public

2020-Oct-05 SCADA 2.06:
– IntegraXor 8.010010 Stable SCADA Remote Denial of Service. 1 Day
– Schneider Electric Embedded Web Servers for Modicon Configuration Disclosure. CVE-2018-7812

2020-Sept-4 SCADA 2.05:
– InduSoft Web Studio < 8.1 SP3 and InTouch Edge HMI < 2017 Upd vuln to Arbitrary process execution. pub
– Solare Datensysteme Solar-Log Devices Credentials Disclosure Vulnerability. pub2020-Jul-30 SCADA 2.04:
– Honeywell XL1000C50 Information Disclosure. public
– Pro-face GP-Pro EX HMI v.4.01.000 WinGP.exe File Upload. old 0day of ours, probably now public.

2020-Jul-01 SCADA 2.03:
– OpenScada Password Hash Login. 1 Day
– OpenScada Command Execution. 1 Day

2020-Jun-02SCADA 2.02:
– UCanCode Visualization Suite 2020 ActiveX File Overwrite Vulnerability. 1 Day
– iniNet SpiderControl SCADA Editor Denial of Service. 1 Day
– Modbus SCADA ver 2.4.1 Directory Traversal Vulnerability. 1 Day

2020-Apr-30 SCADA 2.01:
– Inductive Automation Ignition 8.0.7 – Arbitrary File Upload. 1 Day
– Mozilla WebThings 0.10.0 Arbitrary File Delete. 1 Day

2020-Mar-30 SCADA 1.99:
– MajorDoMo 1.2.0b Command Injection. 1 Day
– Cogent DataHub 9.0.x Denial of Service. 1 Day

2020-Feb-29 1.99 SCADA Pack:

• ThingsBoard 2.4.1 Remote Code Execution. [1Day]
• Mitsubishi Electric smartRTU INEA ME-RTU Unauthenticated Configuration Download. CVE-2019-14927
•  InTouch Edge HMI v8.1 MobileAccessTask DoS. [1Day]

2020-Jan-28 1.98 SCADA Pack:

• MajorDoMo 1.2.0b Information Disclosure , SQLis… two [1Days] – ScadaLTS 1.1 Arbitrary File Upload/Remote Code Execution [1Day]

2019-Dec-31 1.97 SCADA pack:

• Omron PLC 1.0.0 – Denial of Service. public
•  MajorDoMo 1.2.0b – three nice exploits including RCE. [1Day]s

2019-Dec-5 1.96 SCADA pack:

• Siemens SICAM A8000 Series Unauthenticated Remote Denial of Service. CVE-2018-13798
• NetHome 3.0-6ae52 Arbitrary File Upload. [1Day]
• LabCollector 5.423 – SQL Injection. public

2019-Nov-1 1.95 SCADA Pack:

• RapidSCADA 5.7.0 ScadaServer – Directory Traversal. [1Day]
• VxWorks TCP Urgent pointer = 0 integer underflow vulnerability. CVE-2019-12255
• BACnet Stack 0.8.6 Denial of Service vulnerability. CVE-2019-12480

2019-Sep-29 1.94 SCADA Pack:

•  FANUC Robotics Virtual Robot Controller. CVE-2019-13584
• IntegraXor 8 Stable SCADA Remote Denial of Service [1Day]
• XISOM X-Scada Directory Traversal [1Day]
• FESTO Designer Studio DirTrav [1Day]

2019-Sep-1 1.93 SCADA pack:

• ScadaLTS 1.1 XSS. [1Day]
• ScadaLTS 1.1 Arbitrary File Upload/Remote Code Execution [1Day]
• Loytec LGATE-902 Path traversal. CVE-2018-14918
• AGG Software Web Server Plugin Directory Traversal. [1Day]

2019-Aug-10 1.92 SCADA Pack:

2019-Jul-23 1.91 ver. of SCADA+ contains 4 modules. List:

2019-Jun-3 1.90 ver. of SCADA+ contains 3 modules. List:

2019-May-21 1.89 ver. of SCADA+ contains 4 modules. List:

2018-Aug-29 v1.81 1.81 Scada+ 8 exploits:

– LSIS wXP RCE, DoSes.- three [1Day] exploits
– Cogent Datahub 7.3.x DoS [1Day] – Cogent DataHub Log Poisoning RCE. [1Day] – CX-Supervisor v.3.41 – Code Exec[1Day] – IntegraXor Remote Project Management. [1Day] – logi.cals logi.RTS infoleak. [1Day]

2018-Jul-30 v1.80 1.80 SCADA+ contains 8 [1Day]s ! :

– S3 Scada Remote Runtime Stop
– Advantech WebAccess(8.3)
– 3 exploits (infoleaks + file upload)!
– IntegraXor SCADA – 2 exploits! (Infoleak + filedamage) – MyScada MyPRO RCE Day] – Remote Osciloscope DoS [1Day]

2018-Jun-25 v1.79 1.79 Scada+:

– Atvise Arbitrary File Disclosure [1Day] – Atvise Privilege Escalation [1Day] – Atvise Remote Project Management [1Day] – Cogent Datahub Blind SQLi [1Day] – Piltz PASvisu DoS [1Day] – WinPLC7 Webserver Arbitrary File Disclosure [1Day]

2018-May-28 v1.78 1.78 Scada+ contains 2 modules which were added previously to ZDA (marked 1Day ) and more:

– S3 Scada QNX Remote Command Execution [1-Day] – Moxa MX-AOPC UA Server File Corrupt or DoS [1-Day] – Siemens Sicam PAS < 8.0 Hardcode RCE [CVE-2016-8567]

2018-Apr-25  v1.77 1.77 Scada+ List:

– Dream Report RCE [0-Day] – Loytec L-Studio RCE [0-Day] – WebPort info leakage [0-Day] – SearchBlox v8.3 Unauthenticated Config Altering [0-Day] – UltiDev Cassini Web Server for http://ASP.NET  2.0 info leakage [0-Day]

2018-Mar-27 v1.76 1.76 Scada+ :

– Advantech WebAccess(8.3) Dashboard Viewer Info Disclosure [0-Day] – Mango Automation File Upload RCE [0-Day] – Citect Nexa Monitoring 6.10 – Code Exec [0-Day] – Industrial Energy Management System DIAEnergie Information Disclosure

2018-Feb-28 v1.75 v1.75 Scada+:

– UCanCode ActiveX [0-Day] – LAquis SCADA infoleak [0-Day] – Ecava IntegraXor Code Exec
– Automated Logic WebCTRL 6.1 . CVE-2017-9650

2018-Jan-27 v1.74 1.74 Scada+ four! [0-Day]`s. :

– Reliance 4 SCADA Code Execution Vulnerability 0-Day
– AutomationDirect Point Of View Remote Code Execution Vulnerability 0-Day
– KingView SCADA 7.5 Directory Traversal 0-Day
– Eaton ELCSoft ELCSimulator Stack-based Buffer Overflow 0-Day