E-SPIN McAfee Application Data Monitor Product Overview
0
/ Published in Brand, Immunity, Product

SCADA+ Exploitation Pack for CANVAS

Due to the product continuous update in nature, so we prepare this post for those who interest to know what is include inside. Latest update will be show on the top, while older update will be auto show below. This post will keep update and the post date will follow the latest date, so it will show one post date, rather than multiple post for hassle free reading in one post. This post is about CANVAS Exploitation Pack (CEP) SCADA+, it need to be use with CANVAS Exploitation Testing Framework. SCADA+ Exploitation Pack for CANVAS is a must for those conduct exploitation testing and security assessment on SCADA/ICS. Feel free to contact E-SPIN for product and related matters.

SCADA+ Exploitation Pack for CANVAS Product Overview

One of the current trends in exploitation is targeting SCADA systems (Stuxnet). The SCADA+ pack speaks to this new trend by providing its customers with exploits for both public vulnerabilities and 0day vulnerabilities in SCADA systems. If you serve an industry that does any type of automation, the SCADA+ pack should be on your radar for running the most realistic attack scenarios and penetration tests for your customers. Attackers are very interested in your clients’ SCADA systems, you have to be too. This is an attempt to collect ALL publicly available SCADA vulnerabilities in one exploit Pack. SCADA and related vulnerabilities are very special due to their sensitive nature and possible huge impact involved to successfull exploitation. SCADA Systems are also “hard to patch”, so even old vulnerabilities are actual.

The SCADA+ Pack features:

    • Growing value ~350 exploits currently

Due to low real systems patch rank exploits are actual for a longer time

    • We try to cover most of the public SCADA vulns!

Including old and newly discovered bugs

    • 0 Days for SCADA

We conduct our own in depth research

    • Focused on Industrial software & hardware environment

Not only SCADA, but also Industrial PCs, smart chips and industrial protocols are reviewed.

    • Weak points analyses

Many industrial things suffer from weaknesses like hardcoded password and etc.

2021-Dec-10 SCADA 2.20:
– ECOA Building Automation System Config file download. pub
– Digital Sentry Server Remote Arbitrary File Overwrite CVE-2021-27197
– Samkoon HMI Manager DoS [1 Day] – Siemens WinCC TIA Portal v13-v16 DoS CVE-2019-19282
WiSCADA TsDatabase [1 Day] DoS
and more…

2021-Nov-16 SCADA 2.19:
– ARSoft Visual IO SCADA DDE Server Denial of Service [1 Day] – B&R Automation Studio WebServer Denial of Service [1 Day] – SEL AcSELerator Architect 2.2.24 CPU Exhaustion Denial of Service CVE-2018-10608
– Unitronics VisiLogic_C File Create Vulnerability [1 Day]

2021-Oct-9 SCADA 2.18:
– mySCADA myPRO 7 infoleak CVE-2018-11517
– PROMOTIC SCADA v8.0.13 Remote Code Execution Vulnerability [1 day] ActiveX
– Pult Online v270 Information leak [0 day] – SmartPTT Local File Inclusion [1 Day] – SmartPTT SCADA 1.1.0.0 Remote Code Execution [1 Day] and more…

2021-Sep-12 SCADA 2.17 news:
– WebHMI Privilege Escalation and RCE. [1 Day] – MELSOFT Mediative Server DOS [1 Day] – Reliance4 SCADA Web Server Denial of Service [1 Day] – Schneider Electric Concept 2.6 XL Arbitrary File Overwrite [1 Day] – Citect SCADA (Facilities) Remote File Create

2021-Aug-4 SCADA+ 2.16:
– ioBroker 1.5.14 Directory Traversal Vulnerability. CVE-2019-10767
– OpenPLC 3 Remote Code Execution. pub
– ScadaBR 1.0 Arbitrary File Upload. pub
– SmartPTT Arbitrary File Upload. 1 Day
– SmartPTT Information Disclosure. 1 Day

2021-Jul-13 SCADA+ 2.15:
– GLPI 9.5 Unauthenticated Info Disclosure. 1 Day
– GLPI 9.5 Auth Bypass. 1 Day
– MICROSYS PROMOTIC 9.0.15.2 SCADA Remote File Owerwrite. 1 Day
– Movicon 11.6 Scada/HMI platform Directory Traversal. 1 Day
– Simp Light Scada Directory Traversal. 1 Day

2021-Jun-10 SCADA+ 2.14:
– WebHMI 4.0.7348 DoS. 1 Day
– Mitsubishi MC Works64 SCADA Remote Arbitrary empty File Create, unsafe ActiveX.1 Day
– ICONICS AlarmWorX32 Report ActiveX Remote Arbitrary empty File Create unsafe ActiveX. 1 Day
– FATEK Automation FvDownload DoS.1 Day

2021-May-11 SCADA+ 2.13:
– Beckhoff CP-Link 3 1.7.31.0 CplGfxClient Denial of Service. 1 Day
– Fernhill SCADA Server Denial of Service. 1 Day
– Merz MScada Server 2.1.15269.5804 Denial of Service. 1 Day
– WebHMI 4.0.7348 Persistent Cross-Site Scripting. 1 Day

2021-Apr-5 SCADA+ 2.12:
– Advantech iView Missing Authentication RCE (FIXED). CVE-2021-22652
ADwin software package, + Beckhoff TwinCAT 3x, + Schneider Electric ProWORX unsafe ActiveX methods [1Days]

2021-Mar-12 SCADA+ 2.11:
– ICPDAS eLogger software 2.0.0.0 Denial of Service.1 Day
– Point of View SCADA/HMI software Remote Code Execution Vulnerability.1 Day
– Yaskawa SigmaWinPlus 7 Remote Arbitrary File Overwrite.1 Day

2021-Jan-30 SCADA+ 2.10 :
– Advantech ActiveDAQ Pro AdvButton.dll Remote Code Execution Vulnerability usafe method. 1 Day
– Advantech ActiveDAQ Pro Remote Code Execution Vulnerability. unsafe method 1 Day

2020-Dec-04 SCADA 2.08:
– Schneider Electric ProWORX 32 .ocx Remote File Create Vulnerability. 1 Day
– SoftPLC Web Studio Mobile Access Denial of Service. 1 Day
– Advantech R-SeeNet 1.5.1-2.4.9 SQL Injection Info Disclosure. CVE-2020-25157

2020-Nov-14 SCADA 2.07:
– Schneider Electric TwidoSuite ModbusDrvSys Denial of Service. 1 Day
– BACnet Test Server 1.01 Remote Denial of Service. public

2020-Oct-05 SCADA 2.06:
– IntegraXor 8.010010 Stable SCADA Remote Denial of Service. 1 Day
– Schneider Electric Embedded Web Servers for Modicon Configuration Disclosure. CVE-2018-7812

2020-Sept-4 SCADA 2.05:
– InduSoft Web Studio < 8.1 SP3 and InTouch Edge HMI < 2017 Upd vuln to Arbitrary process execution. pub
– Solare Datensysteme Solar-Log Devices Credentials Disclosure Vulnerability. pub2020-Jul-30 SCADA 2.04:
– Honeywell XL1000C50 Information Disclosure. public
– Pro-face GP-Pro EX HMI v.4.01.000 WinGP.exe File Upload. old 0day of ours, probably now public.

2020-Jul-01 SCADA 2.03:
– OpenScada Password Hash Login. 1 Day
– OpenScada Command Execution. 1 Day

2020-Jun-02SCADA 2.02:
– UCanCode Visualization Suite 2020 ActiveX File Overwrite Vulnerability. 1 Day
– iniNet SpiderControl SCADA Editor Denial of Service. 1 Day
– Modbus SCADA ver 2.4.1 Directory Traversal Vulnerability. 1 Day

2020-Apr-30 SCADA 2.01:
– Inductive Automation Ignition 8.0.7 – Arbitrary File Upload. 1 Day
– Mozilla WebThings 0.10.0 Arbitrary File Delete. 1 Day

2020-Mar-30 SCADA 1.99:
– MajorDoMo 1.2.0b Command Injection. 1 Day
– Cogent DataHub 9.0.x Denial of Service. 1 Day

2020-Feb-29 1.99 SCADA Pack:

  • ThingsBoard 2.4.1 Remote Code Execution. [1Day]
  • Mitsubishi Electric smartRTU INEA ME-RTU Unauthenticated Configuration Download. CVE-2019-14927
  •  InTouch Edge HMI v8.1 MobileAccessTask DoS. [1Day]

2020-Jan-28 1.98 SCADA Pack:

  • MajorDoMo 1.2.0b Information Disclosure , SQLis… two [1Days] – ScadaLTS 1.1 Arbitrary File Upload/Remote Code Execution [1Day]

2019-Dec-31 1.97 SCADA pack:

  • Omron PLC 1.0.0 – Denial of Service. public
  •  MajorDoMo 1.2.0b – three nice exploits including RCE. [1Day]s

2019-Dec-5 1.96 SCADA pack:

  • Siemens SICAM A8000 Series Unauthenticated Remote Denial of Service. CVE-2018-13798
  • NetHome 3.0-6ae52 Arbitrary File Upload. [1Day]
  • LabCollector 5.423 – SQL Injection. public

2019-Nov-1 1.95 SCADA Pack:

  • RapidSCADA 5.7.0 ScadaServer – Directory Traversal. [1Day]
  • VxWorks TCP Urgent pointer = 0 integer underflow vulnerability. CVE-2019-12255
  • BACnet Stack 0.8.6 Denial of Service vulnerability. CVE-2019-12480

2019-Sep-29 1.94 SCADA Pack:

  •  FANUC Robotics Virtual Robot Controller. CVE-2019-13584
  • IntegraXor 8 Stable SCADA Remote Denial of Service [1Day]
  • XISOM X-Scada Directory Traversal [1Day]
  • FESTO Designer Studio DirTrav [1Day]

2019-Sep-1 1.93 SCADA pack:

  • ScadaLTS 1.1 XSS. [1Day]
  • ScadaLTS 1.1 Arbitrary File Upload/Remote Code Execution [1Day]
  • Loytec LGATE-902 Path traversal. CVE-2018-14918
  • AGG Software Web Server Plugin Directory Traversal. [1Day]

2019-Aug-10 1.92 SCADA Pack:

– ag_WellinTech_KingSCADA_stack_overflow – WellinTech KingSCADA stack-based buffer overflow Denial of Service. public
– ag_Newport_Electronics_iDRN_iDRX_Signal_Conditioners – Newport Electronics iDRN-iDRX Signal Conditioners ActiveX Control Remote File Overwrite Vulnerability.  [1Day]
– ag_lsis_XPServiceController_dos  – LSIS XP-Server XPServiceController Denial Of Service.  [1Day]
– ag_Cogent_DataHub_8x_DoS – Cogent Datahub 8.0.x Denial of Service.  [1Day]

2019-Jul-23 1.91 ver. of SCADA+ contains 4 modules. List:

– AGG Software OPC HTTP Gateway Premium Directory Traversal [1Day] – AGG Software OPC Scada Viewer Directory Traversal [1Day] – Inductive Automation Ignition 7.6.4 XXE [1Day] – Inductive Automation Ignition 7.5.4 XML External Entity [1Day]

2019-Jun-3 1.90 ver. of SCADA+ contains 3 modules. List:

– SpiderControl 6.50.00 SCADA Editor Directory Traversal Vulnerability [1Day]
– ScadaLTS 1.1 SQL Injection  [1Day] – Prosoft RadioLinx ControlScape FH ActiveX Remote Code Execution Vulnerability [1Day]

2019-May-21 1.89 ver. of SCADA+ contains 4 modules. List:

– WAGO PFC200 PLC series Denial Of Service. [CVE-2018-8836]
–  file upload and exec for Advantech webaccess [1Day]
– attacker can retrieve and delete arbitrary files from target [1Day]
– ICPDAS eLogger Arbitrary File Upload [1Day]
2019-Apr-2 1.88 SCADA+ :
– Inductive Automation Ignition 7.5.4 Blind SQL Injection. [1Day] – LeCroy LabWindows/CVI, LabVIEW, and other products ActiveX RCE. [1Day] – Newport Electronics iDRX ActiveX unsafe method [1Day] – Delta Industrial Automation COMMGR RCE. CVE-2018-10594
and more
2019-Feb-28 1.87 SCADA+ :
– Tibbo AggreGate SCADA DoS [1Day] – Advantech WebAccess blind SQL injection + arbitrary files read from target [1Day] – QuickHMI Server v3 Antelope Denial of Service [1Day] – Reliance 4 Control Server Denial of Service [1Day]
2019-Jan-28 1.86 SCADA+ 4 public vulns covered:
– Century Star SCADA httpsvr infoleak
– Schneider Electric InduSoft Web Studio and InTouch Machine Edition – DoS
– Siemens SCALANCE S613 – Remote DoS.
– Siemens SIMATIC S7-1500 CPU – Remote DoS
2018-Dec-26 1.85 ver. of SCADA+ contains 4 modules. List:
– IGSS Arbitrary File Disclosure. [1Day]
– Advantech webaccess exec –  remote users can upload and execute malicious .aspx file. [1Day]
– CyBroHttpServer Directory Traversal. [1Day]
– DataRate v4.1 fake project file allows for Code Execution. [1Day]
2018-Dec-12 1.84 ver. of SCADA+ contains 5 modules. List:
– ESA-Automation Crew Webserver Directory Traveral [1Day]
– Loytec LWEB-900 Directory Traversal [1Day]
– Visu RCE [1Day]
– WinTr v.5.52 trojan project generation. Code Execution [1Day]

– WinTr Scada Hardcoded Credentials + Directory Traversal. [1Day]

2018-Oct-26

1.83 ver. of Scada+ contains 5 modules. List:
– VBASE VOKSERVER Info Disclosure. [1Day]
– Do-more Designer Programming Software Emulator Denial of Service. [1Day]
– GP-Pro EX HMI WinGP Runtime Arbitrary File Disclosure. [1Day]
– GP-Pro EX HMI WinGP Runtime Arbitrary File Upload. [1Day]
– KOYO C-more Programming Software Emulator Denial of Service. [1Day]

2018-Sep-26

1.82 ver. of Scada+ contains 8 modules. List:
– Delta Industrial Automation Robot DRAStudio Arbitrary File Disclosure. [1Day]
– Delta Industrial Automation Robot DRAStudio Arbitrary File Upload. [1Day]
– Infrasightlabs vScopeServer Privilege Escalation. [1Day]
– Piltz PASvisu Arbitrary File Upload. [1Day]
– Productivity Suite Programming Software v3.0.1.1 – Code Execution. [1Day]
– Reliance4 SCADA Control Server Denial of Service. [1Day]
– Simple-Scada 2 Directory Traversal and file Delete. [1Day]
– WebPort BSQLi Privilege Escalation. [1Day]

2018-Aug-29 v1.81 1.81 Scada+ 8 exploits:

– LSIS wXP RCE, DoSes.- three [1Day] exploits
– Cogent Datahub 7.3.x DoS [1Day] – Cogent DataHub Log Poisoning RCE. [1Day] – CX-Supervisor v.3.41 – Code Exec[1Day] – IntegraXor Remote Project Management. [1Day] – logi.cals logi.RTS infoleak. [1Day]

2018-Jul-30 v1.80 1.80 SCADA+ contains 8 [1Day]s ! :

– S3 Scada Remote Runtime Stop
– Advantech WebAccess(8.3)
– 3 exploits (infoleaks + file upload)!
– IntegraXor SCADA – 2 exploits! (Infoleak + filedamage) – MyScada MyPRO RCE Day] – Remote Osciloscope DoS [1Day]

2018-Jun-25 v1.79 1.79 Scada+:

– Atvise Arbitrary File Disclosure [1Day] – Atvise Privilege Escalation [1Day] – Atvise Remote Project Management [1Day] – Cogent Datahub Blind SQLi [1Day] – Piltz PASvisu DoS [1Day] – WinPLC7 Webserver Arbitrary File Disclosure [1Day]

2018-May-28 v1.78 1.78 Scada+ contains 2 modules which were added previously to ZDA (marked 1Day ) and more:

– S3 Scada QNX Remote Command Execution [1-Day] – Moxa MX-AOPC UA Server File Corrupt or DoS [1-Day] – Siemens Sicam PAS < 8.0 Hardcode RCE [CVE-2016-8567]

2018-Apr-25  v1.77 1.77 Scada+ List:

– Dream Report RCE [0-Day] – Loytec L-Studio RCE [0-Day] – WebPort info leakage [0-Day] – SearchBlox v8.3 Unauthenticated Config Altering [0-Day] – UltiDev Cassini Web Server for ASP.NET 2.0 info leakage [0-Day]

2018-Mar-27 v1.76 1.76 Scada+ :

– Advantech WebAccess(8.3) Dashboard Viewer Info Disclosure [0-Day] – Mango Automation File Upload RCE [0-Day] – Citect Nexa Monitoring 6.10 – Code Exec [0-Day] – Industrial Energy Management System DIAEnergie Information Disclosure

2018-Feb-28 v1.75 v1.75 Scada+:

– UCanCode ActiveX [0-Day] – LAquis SCADA infoleak [0-Day] – Ecava IntegraXor Code Exec
– Automated Logic WebCTRL 6.1 . CVE-2017-9650

2018-Jan-27 v1.74 1.74 Scada+ four! [0-Day]`s. :

– Reliance 4 SCADA Code Execution Vulnerability 0-Day
– AutomationDirect Point Of View Remote Code Execution Vulnerability 0-Day
– KingView SCADA 7.5 Directory Traversal 0-Day
– Eaton ELCSoft ELCSimulator Stack-based Buffer Overflow 0-Day

 

Tagged under: , , , , , ,

What you can read next

Is Your Mobile Application Secure
Three Types of Client-Side Exploits
E-SPIN & Tenable Network Security CyberSecurity Transformation Challenges and Solutions
E-SPIN & Tenable Network Security CyberSecurity Transformation Challenges and Solutions
RSA GRC Audit Management Product Overview by E-SPIN

Leave a Reply

Your email address will not be published.