This presentation is intended to demonstrate that sophisticated attacks, such as Stuxnet or Triton, could still be carried out against other ICS manufacturers and devices.
Relying on our own CVEs, we will explain how to exploit them to reproduce the key stages of a new Stuxnet, with the ability to execute unconstrained code on PLCs.
In this context, the first three vulnerabilities are used to achieve Remote Code Execution from IT-side access to the engineering station through the PLC simulator.
From this station, the fourth vulnerability abuses a shared memory region to gain SYSTEM rights. Finally, the fifth vulnerability allows us to execute unconstrained code on PLCs. To automate our attack, we also used intrinsic functionalities (COM/DCOM) offered by the main software.
Nicolas Delhaye is a security researcher who has over 10 years of experience in reverse-engineering and vulnerability research. His work involves performing deep-dive analysis and looking for unknown vulnerabilities on Windows components.
He had previously found weaknesses such as the SMBLost vulnerability and an RPC trick for remotely enumerating every Windows network interface without any authentication.
Lately, he presented at Rump’in Rennes 2019 and GreHack 2020.
Flavian Dola is a vulnerability researcher at Airbus CyberSecurity specialized in embedded systems (IoT, ICS, on-board components, etc.). His field of expertise lies in the areas of reverse engineering, fuzzing and exploit development.
His work on Stuxnet-type attacks was well received by the ICS security community and press.
He is the creator of:
- IP2LoRa: an open-source tool to achieve IP tunneling over LoRa
- afl_ghidra_emu: an open-source tool that allows fuzzing of exotic architectures using AFL++ and the Ghidra emulation engine
Lately, he has spoken at conferences such as Rump'in Rennes 2019, GreHack 2020 and the SSTIC rumps 2021.