Because the product is continuously updated, we prepared this post for those interested in knowing what is included. The latest update is shown at the top, while older updates are shown below. This post will be kept updated and the post date will follow the latest update, so there is a single post date rather than multiple posts, for hassle-free reading in one place. This post is about the CANVAS Exploitation Pack (CEP) SCADA+, which must be used with the CANVAS Exploitation Testing Framework. The SCADA+ Exploitation Pack for CANVAS is a must for those conducting exploitation testing and security assessments on SCADA/ICS. Feel free to contact E-SPIN for the product and related matters.
SCADA+ Exploitation Pack for CANVAS Product Overview
One of the current trends in exploitation is targeting SCADA systems (Stuxnet). The SCADA+ pack addresses this trend by providing customers with exploits for both public vulnerabilities and 0-day vulnerabilities in SCADA systems. If you serve an industry that does any type of automation, the SCADA+ pack should be on your radar for running the most realistic attack scenarios and penetration tests for your customers. Attackers are very interested in your clients’ SCADA systems; you have to be too. This is an attempt to collect ALL publicly available SCADA vulnerabilities in one exploit pack. SCADA and related vulnerabilities are very special due to their sensitive nature and the potentially huge impact of successful exploitation. SCADA systems are also “hard to patch”, so even old vulnerabilities remain relevant.
The SCADA+ Pack features:
- Growing value: ~350 exploits currently. Because real systems are patched at a low rate, the exploits remain relevant for a longer time.
- We try to cover most of the public SCADA vulns, including old and newly discovered bugs.
- 0-days for SCADA: we conduct our own in-depth research.
- Focused on the industrial software & hardware environment: not only SCADA, but also industrial PCs, smart chips and industrial protocols are reviewed.
- Weak point analyses: many industrial products suffer from weaknesses like hardcoded passwords, etc.
2022-Sep-24 SCADA 2.27:
– Comtrol RocketLinx ICRL-M Directory Traversal CVE-2020-12504
– CVE-2022-25359
– Sealevel Systems Inc. SeaConnect 370W Remote Denial of Service CVE-2021-21964
2022-Aug-18 SCADA+ 2.26:
– XISOM X-Scada Viewer Directory Traversal [1Day]
– Ansys Scade Suite Version Student 2022 R1 Remote Denial of Service [1Day]
– JUNG Smart Panel Designer Directory Traversal [1Day]
– SolarView Compact 6.00 DirTrav CVE-2022-29298
2022-Jun-30 SCADA 2.25:
– Siemens A8000 Missing Authentication at File Download. CVE-2022-27480
– OAS CVE-2022-26833
– JUNG Smart Visu Server Path traversal. public
2022-May-19 SCADA pack 2.24:
– Yokogawa Centum CS3000 R3.08.50 Denial of Service. public
– Franklin Fueling LFI vuln CVE-2021-46417
2022-Apr-9 SCADA 2.23:
– Delta Industrial Automation COMMGR (ModBus) 1.08 Denial of Service [1Day]
– WebHMI 4.1.1.7662 Remote Code Execution. public
– Eaton Lean Automation XP12inDemoProgram Directory Traversal and file disclosure. [1Day]
2022-Feb-10 SCADA 2.22:
– Eaton Visual Designer v7.1 software Remote Code Execution Vulnerability [1Day]
– ICPDAS NAPOPC_ST DA Server [1Day] DoS PoC
– Keysight Communications Fabric Denial of Service [1Day]
– Standa SMCVieW Remote Code Execution Vulnerability [1Day]
2022-Jan-19 SCADA pack 2.21:
– Brainchild Electronic Panel Studio Generated Projects Network DoS [1Day]
– LEADTOOLS IltmmCapture 17.5 Arbitrary File Overwrite Vulnerability [1Day]
– Mitsubishi Electric & INEA SmartRTU Source Code Disclosure CVE-2021-40382 and more
2021-Dec-10 SCADA 2.20:
– ECOA Building Automation System Config file download. pub
– Digital Sentry Server Remote Arbitrary File Overwrite CVE-2021-27197
– Samkoon HMI Manager DoS [1 Day]
– Siemens WinCC TIA Portal v13-v16 DoS CVE-2019-19282
– WiSCADA TsDatabase [1 Day] DoS
and more…
2021-Nov-16 SCADA 2.19:
– ARSoft Visual IO SCADA DDE Server Denial of Service [1 Day]
– B&R Automation Studio WebServer Denial of Service [1 Day]
– SEL AcSELerator Architect 2.2.24 CPU Exhaustion Denial of Service CVE-2018-10608
– Unitronics VisiLogic_C File Create Vulnerability [1 Day]
2021-Oct-9 SCADA 2.18:
– mySCADA myPRO 7 infoleak CVE-2018-11517
– PROMOTIC SCADA v8.0.13 Remote Code Execution Vulnerability [1 day] ActiveX
– Pult Online v270 Information leak [0 day]
– SmartPTT Local File Inclusion [1 Day]
– SmartPTT SCADA 1.1.0.0 Remote Code Execution [1 Day]
and more…
2021-Sep-12 SCADA 2.17 news:
– WebHMI Privilege Escalation and RCE. [1 Day]
– MELSOFT Mediative Server DOS [1 Day]
– Reliance4 SCADA Web Server Denial of Service [1 Day]
– Schneider Electric Concept 2.6 XL Arbitrary File Overwrite [1 Day]
– Citect SCADA (Facilities) Remote File Create
2021-Aug-4 SCADA+ 2.16:
– ioBroker 1.5.14 Directory Traversal Vulnerability. CVE-2019-10767
– OpenPLC 3 Remote Code Execution. pub
– ScadaBR 1.0 Arbitrary File Upload. pub
– SmartPTT Arbitrary File Upload. 1 Day
– SmartPTT Information Disclosure. 1 Day
2021-Jul-13 SCADA+ 2.15:
– GLPI 9.5 Unauthenticated Info Disclosure. 1 Day
– GLPI 9.5 Auth Bypass. 1 Day
– MICROSYS PROMOTIC 9.0.15.2 SCADA Remote File Overwrite. 1 Day
– Movicon 11.6 Scada/HMI platform Directory Traversal. 1 Day
– Simp Light Scada Directory Traversal. 1 Day
2021-Jun-10 SCADA+ 2.14:
– WebHMI 4.0.7348 DoS. 1 Day
– Mitsubishi MC Works64 SCADA Remote Arbitrary empty File Create, unsafe ActiveX. 1 Day
– ICONICS AlarmWorX32 Report ActiveX Remote Arbitrary empty File Create, unsafe ActiveX. 1 Day
– FATEK Automation FvDownload DoS. 1 Day
2021-May-11 SCADA+ 2.13:
– Beckhoff CP-Link 3 1.7.31.0 CplGfxClient Denial of Service. 1 Day
– Fernhill SCADA Server Denial of Service. 1 Day
– Merz MScada Server 2.1.15269.5804 Denial of Service. 1 Day
– WebHMI 4.0.7348 Persistent Cross-Site Scripting. 1 Day
2021-Apr-5 SCADA+ 2.12:
– Advantech iView Missing Authentication RCE (FIXED). CVE-2021-22652
– ADwin software package, Beckhoff TwinCAT 3x and Schneider Electric ProWORX unsafe ActiveX methods [1Day]s
2021-Mar-12 SCADA+ 2.11:
– ICPDAS eLogger software 2.0.0.0 Denial of Service. 1 Day
– Point of View SCADA/HMI software Remote Code Execution Vulnerability. 1 Day
– Yaskawa SigmaWinPlus 7 Remote Arbitrary File Overwrite. 1 Day
2021-Jan-30 SCADA+ 2.10:
– Advantech ActiveDAQ Pro AdvButton.dll Remote Code Execution Vulnerability, unsafe method. 1 Day
– Advantech ActiveDAQ Pro Remote Code Execution Vulnerability. unsafe method 1 Day
2020-Dec-04 SCADA 2.08:
– Schneider Electric ProWORX 32 .ocx Remote File Create Vulnerability. 1 Day
– SoftPLC Web Studio Mobile Access Denial of Service. 1 Day
– Advantech R-SeeNet 1.5.1-2.4.9 SQL Injection Info Disclosure. CVE-2020-25157
2020-Nov-14 SCADA 2.07:
– Schneider Electric TwidoSuite ModbusDrvSys Denial of Service. 1 Day
– BACnet Test Server 1.01 Remote Denial of Service. public
2020-Oct-05 SCADA 2.06:
– IntegraXor 8.010010 Stable SCADA Remote Denial of Service. 1 Day
– Schneider Electric Embedded Web Servers for Modicon Configuration Disclosure. CVE-2018-7812
2020-Sept-4 SCADA 2.05:
– InduSoft Web Studio < 8.1 SP3 and InTouch Edge HMI < 2017 Upd vuln to Arbitrary process execution. pub
– Solare Datensysteme Solar-Log Devices Credentials Disclosure Vulnerability. pub
2020-Jul-30 SCADA 2.04:
– Honeywell XL1000C50 Information Disclosure. public
– Pro-face GP-Pro EX HMI v.4.01.000 WinGP.exe File Upload. old 0day of ours, probably now public.
2020-Jul-01 SCADA 2.03:
– OpenScada Password Hash Login. 1 Day
– OpenScada Command Execution. 1 Day
2020-Jun-02 SCADA 2.02:
– UCanCode Visualization Suite 2020 ActiveX File Overwrite Vulnerability. 1 Day
– iniNet SpiderControl SCADA Editor Denial of Service. 1 Day
– Modbus SCADA ver 2.4.1 Directory Traversal Vulnerability. 1 Day
2020-Apr-30 SCADA 2.01:
– Inductive Automation Ignition 8.0.7 – Arbitrary File Upload. 1 Day
– Mozilla WebThings 0.10.0 Arbitrary File Delete. 1 Day
2020-Mar-30 SCADA 1.99:
– MajorDoMo 1.2.0b Command Injection. 1 Day
– Cogent DataHub 9.0.x Denial of Service. 1 Day
2020-Feb-29 1.99 SCADA Pack:
- ThingsBoard 2.4.1 Remote Code Execution. [1Day]
- Mitsubishi Electric smartRTU INEA ME-RTU Unauthenticated Configuration Download. CVE-2019-14927
- InTouch Edge HMI v8.1 MobileAccessTask DoS. [1Day]
2020-Jan-28 1.98 SCADA Pack:
- MajorDoMo 1.2.0b Information Disclosure, SQLis… two [1Day]s
- ScadaLTS 1.1 Arbitrary File Upload/Remote Code Execution [1Day]
2019-Dec-31 1.97 SCADA pack:
- Omron PLC 1.0.0 – Denial of Service. public
- MajorDoMo 1.2.0b – three nice exploits including RCE. [1Day]s
2019-Dec-5 1.96 SCADA pack:
- Siemens SICAM A8000 Series Unauthenticated Remote Denial of Service. CVE-2018-13798
- NetHome 3.0-6ae52 Arbitrary File Upload. [1Day]
- LabCollector 5.423 – SQL Injection. public
2019-Nov-1 1.95 SCADA Pack:
- RapidSCADA 5.7.0 ScadaServer – Directory Traversal. [1Day]
- VxWorks TCP Urgent pointer = 0 integer underflow vulnerability. CVE-2019-12255
- BACnet Stack 0.8.6 Denial of Service vulnerability. CVE-2019-12480
2019-Sep-29 1.94 SCADA Pack:
- FANUC Robotics Virtual Robot Controller. CVE-2019-13584
- IntegraXor 8 Stable SCADA Remote Denial of Service [1Day]
- XISOM X-Scada Directory Traversal [1Day]
- FESTO Designer Studio DirTrav [1Day]
2019-Sep-1 1.93 SCADA pack:
- ScadaLTS 1.1 XSS. [1Day]
- ScadaLTS 1.1 Arbitrary File Upload/Remote Code Execution [1Day]
- Loytec LGATE-902 Path traversal. CVE-2018-14918
- AGG Software Web Server Plugin Directory Traversal. [1Day]
2019-Aug-10 1.92 SCADA Pack:
2019-Jul-23 1.91 ver. of SCADA+ contains 4 modules. List:
2019-Jun-3 1.90 ver. of SCADA+ contains 3 modules. List:
2019-May-21 1.89 ver. of SCADA+ contains 4 modules. List:
– Inductive Automation Ignition 7.5.4 Blind SQL Injection. [1Day]
– LeCroy LabWindows/CVI, LabVIEW, and other products ActiveX RCE. [1Day]
– Newport Electronics iDRX ActiveX unsafe method [1Day]
– Delta Industrial Automation COMMGR RCE. CVE-2018-10594
and more
– Tibbo AggreGate SCADA DoS [1Day]
– Advantech WebAccess blind SQL injection + arbitrary file read from target [1Day]
– QuickHMI Server v3 Antelope Denial of Service [1Day]
– Reliance 4 Control Server Denial of Service [1Day]
– Schneider Electric InduSoft Web Studio and InTouch Machine Edition – DoS
– Siemens SCALANCE S613 – Remote DoS.
– Siemens SIMATIC S7-1500 CPU – Remote DoS
– WinTr Scada Hardcoded Credentials + Directory Traversal. [1Day]
2018-Oct-26
2018-Sep-26
2018-Aug-29 v1.81 Scada+ 8 exploits:
– LSIS wXP RCE, DoSes – three [1Day] exploits
– Cogent Datahub 7.3.x DoS [1Day]
– Cogent DataHub Log Poisoning RCE. [1Day]
– CX-Supervisor v.3.41 – Code Exec [1Day]
– IntegraXor Remote Project Management. [1Day]
– logi.cals logi.RTS infoleak. [1Day]
2018-Jul-30 v1.80 SCADA+ contains 8 [1Day]s!:
– S3 Scada Remote Runtime Stop
– Advantech WebAccess (8.3) – 3 exploits (infoleaks + file upload)!
– IntegraXor SCADA – 2 exploits! (infoleak + file damage)
– MyScada MyPRO RCE [1Day]
– Remote Oscilloscope DoS [1Day]
2018-Jun-25 v1.79 Scada+:
– Atvise Arbitrary File Disclosure [1Day]
– Atvise Privilege Escalation [1Day]
– Atvise Remote Project Management [1Day]
– Cogent Datahub Blind SQLi [1Day]
– Pilz PASvisu DoS [1Day]
– WinPLC7 Webserver Arbitrary File Disclosure [1Day]
2018-May-28 v1.78 Scada+ contains 2 modules which were added previously to ZDA (marked 1Day) and more:
– S3 Scada QNX Remote Command Execution [1-Day]
– Moxa MX-AOPC UA Server File Corrupt or DoS [1-Day]
– Siemens Sicam PAS < 8.0 Hardcode RCE [CVE-2016-8567]
2018-Apr-25 v1.77 Scada+ List:
– Dream Report RCE [0-Day]
– Loytec L-Studio RCE [0-Day]
– WebPort info leakage [0-Day]
– SearchBlox v8.3 Unauthenticated Config Altering [0-Day]
– UltiDev Cassini Web Server for ASP.NET 2.0 info leakage [0-Day]
2018-Mar-27 v1.76 Scada+:
– Advantech WebAccess (8.3) Dashboard Viewer Info Disclosure [0-Day]
– Mango Automation File Upload RCE [0-Day]
– Citect Nexa Monitoring 6.10 – Code Exec [0-Day]
– Industrial Energy Management System DIAEnergie Information Disclosure
2018-Feb-28 v1.75 Scada+:
– UCanCode ActiveX [0-Day]
– LAquis SCADA infoleak [0-Day]
– Ecava IntegraXor Code Exec
– Automated Logic WebCTRL 6.1. CVE-2017-9650
2018-Jan-27 v1.74 Scada+ four [0-Day]s!:
– Reliance 4 SCADA Code Execution Vulnerability 0-Day
– AutomationDirect Point Of View Remote Code Execution Vulnerability 0-Day
– KingView SCADA 7.5 Directory Traversal 0-Day
– Eaton ELCSoft ELCSimulator Stack-based Buffer Overflow 0-Day