SCADA+ Pack Latest Updates
SCADA+ 1.52
SCADA+ 1.52 contains two 0day modules for Iocomp and ClearSCADA software and two interesting modules for Centreon and Beckhoff:
- Centreon Blind SQL Injection, Arbitrary File Download, Remote Command Execution. public
- ClearSCADA information disclosure. [0day]
- Iocomp Software ActiveX Control Remote Code Execution Vulnerability. [0day]
- Beckhoff CX9020 CPU Module Reboot. public
SCADA+ 1.51
SCADA+ 1.51 contains a nice module with JSP shell uploading for Mango Automation, and a 0day vuln in Interactive Graphical SCADA System:
- Mango Automation File Upload Vulnerability. shell uploading vector
- Interactive Graphical SCADA System v.11.0. Remote vuln PoC [0Day]
SCADA+ 1.50
SCADA+ pack 1.50 is out with three new exploits, this time for Mango Automation and the Yokogawa Production Control System:
- Mango Automation 2.6.0 Unprotected Debug Log View Vulnerability
- Yokogawa CENTUM CS 3000 Integrated Production Control System Buffer Overflow.
- Yokogawa CENTUM CS 3000 another Buffer Overflow.
All modules are for public vulns this time.
SCADA+ 1.49
SCADA+ 1.49 contains two new 0day vulns:
- Reliance 4 Control Server Denial Of Service Vulnerability [0day]
- Lanmisoft Home Automation Information Disclosure [0day]
SCADA+ 1.48
SCADA+ pack 1.48 is out with three new modules for DataNet, IPESOFT and TwinCAT pieces of software, with two 0days:
- DataNet OPC HTTP Server Info disclosure [0day]
- IPESOFT D2000 SCADA Info disclosure [0day]
- TwinCAT PLC Control CodeMeter WIBU-SYSTEMS AG Denial Of Service Vulnerability. public
SCADA+ 1.47
SCADA+ 1.47 contains 3 new [0day] modules for the following SCADA software and tools:
- Century Star SCADA httpsvr infoleak Vulnerability. [0-Day]
- Modbus SCADA (WLC Systems) DLL Hijacking. [0-Day]
- MOXA SoftCMS AspWebServer Denial Of Service Vulnerability. [0-Day]
SCADA+ 1.46
SCADA+ 1.46 contains two fresh new modules, including one 0day:
- UCanCode E-XD++ Visualization Enterprise Suite Remote Code Execution Vulnerability. [0Day]
- Soitec SmartEnergy 1.4 SCADA Login SQL Injection Authentication Bypass. public. (no CVE)
SCADA+ 1.45
Excellent 0day remote auth bypass in ClearSCADA and a pretty funny public vuln for D-Link routers in the 1.45 release:
- ClearSCADA Remote Authentication Bypass Exploit. [0Day]
- SCADA Elipse DLL Hijacking. public
- DLink Unauthenticated Remote DNS Change Exploit.
SCADA+ 1.44
SCADA+ pack is out with three new modules, including two 0days:
- PeakHMI Runtime Buffer Overflow. 0day
- Infilink HMI Denial of Service. 0day
- WS10 Data Server SCADA <= 1.83 - Remote Code Execution
SCADA+ 1.43
SCADA+ 1.43 contains three 0days and one public vuln. List:
- DAQFactory <= 5.91 Remote Denial Of Service Exploit. [0-Day]
- ANT Studio Web 2013 v.9190M Feb 26 2013 - DLL Hijacking. [0-Day]
- SCADA/HMI AggreGate <= v.5.11.03 - XXE. [0-Day]
- Advantech ADAMView <=v.4.3 - Buffer Overflow. ICS-ALERT-14-323-02
SCADA+ 1.42
SCADA+ is updated with four 0days, including an excellent Mango Automation exploit allowing retrieval of administrative credentials. Video available here: https://vimeo.com/user7532837/videos
- B&B Electronics Vlinx ConnectPro Manager DoS [0-Day]
- Events SCADA HMI <= v.8.58 - reveals sensitive info [0-Day]
- Mango Automation get login and password list [0-Day]
- Panasonic Configurator DL DoS PoC [0-Day]
SCADA+ 1.41
3 new 0days are available in the 1.41 version!
- ScadaBR File Upload and command exec [0-Day]
- APT France SensorIP2 security weakness [0-Day]
- SCADA SpecView <= v2.5 Build 858 information leak [0-Day]
SCADA+ 1.40
SCADA+ 1.40 contains:
- ARTIS WaterMon (Last Update: 2013-04-18) - SQL Injection [0-Day]
- Web-Server Plugin <= v.4.0.6 build 512 for Advanced Serial Data Logger <= 4.1.6 build 1114 - Directory Traversal [0-Day]
- e.SCADA.r (Eramosa SCADA Reporting) <= v.0.32 - reveals sensitive info [0-Day]
- SCADA Mango Automation, by Infinite Automation <= v.2.5.0 - File Upload [0-Day]
SCADA+ 1.39
SCADA+ 1.39 contains:
- Sagem Fast 3304-V1 Denial Of Service Vulnerability
- ScadaBR (Last Update: 2014-06-02) - BruteForce
- Z-Scada Net2.0 0-Day
- SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability 0-Day
SCADA+ 1.38
SCADA+ 1.38 contains:
- Emerson ROCLINK800 arpro2.dll ActiveX Control Remote Code Execution Vulnerability
- FANUC OlpcPRO Directory Traversal Vulnerability [0-day]
- NOVUS NConfig 1.3.3 [0-Day]
- D-Link DIR-300 DIR-600 DIR-615 routers Password Recovery
SCADA+ 1.37
SCADA+ 1.37 contains:
- Yokogawa CENTUM CS 3000 Remote Denial of Service
- IBM SPSS SamplePower Remote Arbitrary File Overwrite
- FESTO Robotino 0-Day DoS
- Cogent DataHub Directory Traversal Vulnerability 0-day
SCADA+ 1.36
SCADA+ 1.36 contains:
- Carlo Gavazzi PowerSoft Directory Traversal Vulnerability 0-day
- Advantech Domain Focused Configuration Tool 0-Day DoS
- ABB Test Signal Viewer CWGraph3D ActiveX Control Remote Code Execution Vulnerability
SCADA+ 1.35
SCADA+ 1.35 contains nice new 0day modules for Siemens and Aspic industrial software:
- Siemens Automation License Manager Service Denial Of Service Vulnerability. [0Day]
- Siemens Automation License Manager Remote Arbitrary File Overwrite. CVE-2011-4529
- SCADA AspicManager (package: Aspic 3.30 - All in One SCADA HMI system) buffer overflow. [0Day]
- Aspic 3.30 - All in One SCADA HMI system telnet weakness. default pwd and more. [0Day]
SCADA+ 1.34
SCADA+ 1.34 pack contains 3 nice [0day] modules for the famous CoDeSys framework software (latest versions); this software is frequently used in the SCADA industry:
- CoDeSys ENI Server ver 220.127.116.11 Stack Buffer Overflow [0Day]
- CoDeSys Webserver ver 18.104.22.168 Stack Buffer Overflow [0Day]
- CoDeSys Gateway Server Denial Of Service Vulnerability [0Day]
There are also videos for these modules available on https://vimeo.com/user7532837/videos
SCADA+ 1.33
SCADA pack 1.33 contains several [0day] network-related vulns and a SCADA module:
- PRTG Server.exe Remote Crash. [0day]. PoC
- IP POWER 9258 W2 Information Leak (admin creds). [0day]
- FrameFlow Server Monitor Denial Of Service Vulnerability. [0day]
- Tri-PLC Nano-10 r81 - Denial of Service
SCADA+ 1.32
The SCADA 1.32 update contains pretty interesting 0days, including one for an iOS SCADA system! List:
- ScadaMobile ONE v2.5.2 Directory Traversal Vulnerability [0Day]
- Ecava IntegraXor <= 4.1.4380 - Denial of Service. ICSA-14-016-01
- Delta Electronics Buffer Overflow Exploit [0Day]
- Advantech WebAccess ActiveX ProjectName() exploit [0Day]
- Ecava IntegraXor SCADA <= 4.1.4380 Information leak. [0Day]
Two new videos are also available on https://vimeo.com/user7532837
SCADA+ 1.31
SCADA 1.31, as always, contains fresh public modules and 0day DoSes:
- ABB MicroSCADA Remote Code Execution. public
- Eaton Network Shutdown Module Denial Of Service Vulnerability. [0Day]
- Ignition Gateway OPC-UA Server Denial Of Service. [0Day]
- Eaton Network Shutdown Module Remote Code Execution + creds steal. public
SCADA+ 1.30
SCADA+ ver 1.30 contains the following new modules [network and SCADA]:
- Western Digital My Net N600, N750, N900, N900C Get admin password. CVE-2013-5006
- Schneider Electric PLC ETY Series Ethernet Controller - Denial of Service. public
- RuggedDirector 1.2 Remote Denial of Service [0Day].
- Mitsubishi MC-WorkX 8.02 ActiveX Control (IcoLaunch) File Execution.
SCADA+ 1.29
SCADA+ 1.29 is released with two new network device exploitation modules and two SCADA-side exploits:
- ONO Hitron CDE-30364 Router Denial Of Service. public
- ZeroShell Local File Disclosure Vulnerability. public
- Tri-PLC Nano-10 r81 Denial of Service. public
- wlcsystems.com Modbus SCADA Vulnerability. [0day]
SCADA+ 1.28
SCADA+ 1.28 is out with nice [0day] DoSes for Siemens, Moore Industries and Eaton software, and more. Module list:
- Siemens WinCC TIA Portal miniweb.exe remote dos 0-Day
- Moore Industries NCS Configuration 0-Day DoS
- EATON VURemote 0-Day DoS.
- Galil-RIO Rio-47100 Denial of Service.
SCADA+ 1.27
SCADA+ 1.27 contains 4 modules for 3S, pwStore and National Instruments industrial software. This time all are CVE listed.
- pwStore Denial of Service
- 3S CODESYS Gateway-Server <= 22.214.171.124 Directory traversal vulnerability.
- two modules for different National Instruments LabWindows/CVI, LabVIEW, and other products' ActiveXes.
SCADA+ 1.26
SCADA 1.26 is out with two 0day DoSes for Siemens and Honeywell industrial software, plus two ActiveX exploits (one of them is also a 0day). Listing:
- SIEMENS Solid Edge ST4/ST5 WebPartHelper ActiveX Control Remote Command Execution [0Day].
- Siemens ProTool Pro CS [0Day] DoS.
- Honeywell UniSim ShadowPlant Bridge DoS. [0Day]
- Honeywell ActiveX control code execution. CVE-2013-0108
SCADA+ 1.25
SCADA 1.25 is out with two 0day DoSes and 3 public sploits for Schneider Electric, Mikrotik and Moxa software:
ag_Mikrotik_Syslog_Server_DoS - Mikrotik Syslog Server for Windows 1.15 Denial of Service
ag_MOXA_AWK_Search_Utility_DoS - MOXA AWK Search Utility DoS [0Day]
ag_schnider_factory_cast - Schneider Electric Ethernet Modules Multiple Service Default Hardcoded Credentials
ag_schnider_modbusdrv - Multiple Schneider Electric Products 'ModbusDrv.exe' Local Buffer Overflow Vulnerability
ag_schnider_modbussim - Schneider Electric PLC Simulator 'sim.exe' Remote denial-of-service [0Day]
SCADA+ 1.24
SCADA+ 1.24 pack contains four new modules covering industrial-related software. Among them are 2 0days: a DoS for a Moxa tool and a buffer overflow exploit for Schneider Electric Web Designer.
- Clorius Controls ICS SCADA Information Disclosure
- Mitsubishi MX ActiveX Component exploit
- MOXA Mass Configuration Tool Denial of Service [0Day]
- Schneider Electric Web Designer remote BOF bug [0Day]
SCADA+ 1.23
The new SCADA+ 1.23 version is out with two 0days and two public DoSes for well-known SCADAs:
- Schneider Electric Accutech Manager Server Denial Of Service
- Ge Fanuc Proficy HMI/SCADA CIMPLICITY WebView/ThinView server DoS
- Schneider Electric Vijeo Web Gate Server vuln [0Day]
- Schneider Electric Vijeo Web Gate Server Denial Of Service [0Day]
SCADA+ 1.22
New modules are ready for your attention. The SCADA section includes two 0day DoSes for IOServer and Netbiter SCADAs. You will also find a cool 0day AirTies routers exploit.
- AirTies rt series routers hardcoded credentials exploit [0day]
- Harbour Networks switch/router info disclosure. PoC. [0day]
- NetBiterConfig DoS 0day (PoC)
- IOServer OPC Server DoS 0-Day.
- IOServer Directory Traversal. CVE-2012-4680
SCADA+ 1.21
The new SCADA+ pack 1.21 version is out with two 0days for the eSolar system and the widely implemented Adroit SCADA.
- Adroit SCADA Intelligence Server [0day] DoS
- Advantech Studio v7.0 Directory Traversal. public.
- C3-ilex EOScada Denial Of Service. public
- Esolar alternative energy management system [0day]
SCADA+ 1.20
SCADA+ Pack: a new 0day in ANT Studio and CVE-listed Netbiter WebSCADA in the SCADA section, a 0day for a Korean router for your fun... along with old QNX modules that are still useful in some SCADA installations. List:
- iptime korean router DoS [0day].
- QNX QCONN Remote Shutdown
- QNX phrelay DoS
- Directory traversal vulnerability in cgi-bin/read.cgi in WebSCADA WS100 and WS200. CVE-2010-4730
- ANT Studio denial of service [0day]
SCADA+ 1.19
SCADA+ 1.19 is out with two [0days] for SCADA! We also continue to add to the network devices section... 3 modules this time, along with 1 [0day].
Listing [Network Devices]:
- [0day] AirTies rt104 router unauthorized download config
- Directory Traversal Vulnerability in Sitecom Home Storage Center
- Thomson twg850-4 Unauthenticated Backup File Access
- [0day] WINCC v7.0 SP2 CCEServer.exe denial of service
- [0day] Ge Fanuc Proficy HMI/SCADA CIMPLICITY WebView/ThinView server 8.10.0000.18236 info disclosure
SCADA+ 1.18
SCADA+ 1.18 is out with 3 new SCADA-related 0days and an enhanced network devices exploitation tool. Network device modules include those for AirOS and the famous QLogic. Module list:
- Ubiquiti Networks AirOS Directory Traversal Vulnerability for AirOS 5, 4.0, 3.6.1
- Alpha Networks ADSL2/2+ Wireless Router ASL-26555 Password Disclosure
- QLogic SANsurfer FC HBA Manager Directory Traversal vulnerability.
- new version 1.1 of the Automated network devices exploitation tool; see the changelog for details
- [0day] Elipse E3 ActiveReports Remote Arbitrary File Replace
- [0day] Carel Plantvisor v.2.4.4 (possibly others) directory traversal vulnerability.
- [0day] QNX FTPD DoS
SCADA+ 1.17
SCADA+ 1.17 is out with a new network routers exploitation tool! This tool scans the network for routers and tries to launch the appropriate exploits of ours. This should be really helpful in automating the testing process. The SCADA section includes excellent modules with two [0days]!
- Automated network devices exploitation tool! It utilizes nmap scanning and auto-launches the appropriate exploits.
- ABB WebWare RobNetScanHost.exe Remote Code Execution Exploit
- SpecView <= 2.5 build 853 Directory Traversal
- [0day] Ge Fanuc Proficy HMI/SCADA CIMPLICITY WebView/ThinView server remote command execution
- [0day] KASKAD scada v.5.00 Remote Heap Overflow.
SCADA+ 1.16
This release is completely focused on network devices... The latest vulns for famous routers, including one 0day:
- Siemens Gigaset se551 authorization bypass [0day].
- Enigma2 Webinterface remote root file disclosure exploit
- Comtrend Router CT-5624 remote password disclosure vulnerability
- ASUS RT-N56U fw <= 126.96.36.199 remote password disclosure vulnerability
- ACTi ASOC 2200 Web Configurator <= v2.6 Remote Root Command Execution
- ZyXEL ZyWALL USG Appliance authentication bypass
- SAGEM ROUTER FAST 3304/3464/3504 - Telnet Authentication bypass
- Livebox TP Router Denial Of Service
- Linksys WAP610N fw.<=1.0.01 Unauthenticated Root Access Security Vulnerability
SCADA+ 1.15
SCADA+ is out with new network devices covered and pretty nice ICS stuff:
- PowerNet Twin Client <= 8.9 (RFSync 188.8.131.52) DoS
- RuggedCom devices password generator
- Sielco Sistemi Winlog Buffer Overflow
- 3Com OfficeConnect ADSL Wireless 11g Firewall Router authentication bypass 0day
- Cisco SA500 series SQL Injection
- Huawei HG866 GPON unauthenticated root pwd change
SCADA+ 1.14
SCADA+ professional 1.14 includes nice modules for SCADA and network devices. Featured modules are:
- PROMOTIC <= 8.1.3 directory traversal leveraged to steal user credentials!
- Siemens SIMATIC WinCC MiniWeb DoS, for ICS-ALERT-11-332-02.
- Pro-face Pro-Server EX WinGP PCRuntime <= 3.1.00 Invalid Memory Access DOS
- NetGear routers remote password disclosures
- WinRadius Server 2009 DoS
SCADA+ 1.13
SCADA+ 1.13 is out with:
- a bunch of DoSes for IBM SolidDB, which is sometimes also used in industrial software; both fresh and old bugs are covered,
- Advantech Studio [0day] DoS,
- xArrow multiple DoS,
- GE Fanuc Proficy Portal directory traversal.
SCADA+ professional 1.12
NOTE: starting from this 1.12 version, the SCADA+ standard and Step Ahead licenses will be gradually merged into a single "SCADA+ professional package"!
This time we include 3 Step Ahead SCADA modules from previous releases.
We have also powered this release with some modules for network devices.
- CEserver from Advantech Studio and Indusoft Web Studio buffer overflow. [0day]
- Carel Plant Visor Pro Hardcoded credentials vulnerability. [0day]
- Sunway ForceControl and pNetPower httpsvr.exe heap-based buffer overflow
Modules for network devices:
- D-Link Wireless N Router (DIR-615) firmware 3.10NA apply.cgi Admin Authentication Bypass
- D-Link ShareCenter DNS-320 firmware v2.00b06 remote DoS
- D-Link Wireless G Router (WBR-1310) firmware 2.00 Authentication Bypass
- TRENDnet internet camera TV-IP201(P) firmware v2.00 Authentication Bypass
SCADA+ 1.11
SCADA+ 1.11 is available for download.
Five remote [0day] DoSes for remotely reachable services in famous SCADAs are available this time.
Covered are vendors such as GE Fanuc Proficy, Atvise, Trace Mode and xArrow.
- Ge Fanuc Proficy HMI/SCADA CIMPLICITY denial of service. [0day]
- Trace Mode v 6.06 RunTime monitor denial of service. [0day]
- Trace Mode v 6.06 RunTime monitor denial of service. [0day]
- Atvise v.2.1.16 denial of service. [0day]
- xArrow v3.2 DoS. [0day]
Step Ahead (professional) SCADA 1.11
Step Ahead (professional version) users additionally receive a nice 0day in GE Fanuc Proficy, allowing SCADA user credentials to be stolen, and a DoS in WinCC.
- Ge Fanuc Proficy HMI/SCADA CIMPLICITY SCADA user credentials steal. [0day]
- WINCC denial of service. [0day]
SCADA+ 1.10
Two fresh 0days for GE Fanuc and Broadwin\Advantech WebAccess, plus two 'old' 0days for Carel Plant Visor Pro (those were previously available in the professional SCADA+ version).
The modules allow retrieval of sensitive information, such as SCADA user or admin names, database admin password hashes and configuration files.
- Ge Fanuc Real Time Portal v 3.0 SP1 sensitive information disclosure [0day]
- Broadwin\Advantech WebAccess v7.0 sensitive information disclosure [0day]
- Carel Plant Visor Pro critical information disclosure [0day]
- Carel Plant Visor Pro critical information disclosure [0day]
SCADA+ 1.9
New modules for public vulns in CoDeSys, Siemens WinCC and the Samsung air conditioning Data Manager server. Some allow full system compromise!
- Samsung Data Manager server (air conditioning systems) == 1.4.1 hardcoded credentials. [0day]
- CoDeSys SCADA v2.3 Webserver Stack Buffer Overflow. exploit allows full pwn.
- Siemens WINCC flexible runtime 2008 SP2 + SP 1, hmiload.exe directory traversal. exploit allows full pwn via trojan uploading.
- Siemens WINCC flexible runtime 2008 SP2 + SP 1, miniweb.exe Directory traversal. exploit allows arbitrary file downloading.
- Siemens WINCC flexible runtime 2008 SP2 + SP 1, miniweb.exe Denial of Service.
- LabStoRe <= 1.5.4 SQL Injection allowing admin + pwdhash retrieving.
- Samsung Data Manager server <= 1.4.2 multiple vulnerabilities (some critical).
Step Ahead (professional) SCADA 1.9
For Step Ahead (professional) SCADA+ users there are three additional 0days for well-known SCADAs... all allowing full pwn!
- SCPSA Carel Plantvisor [0day]. full pwn!
- SCPSA KASKAD scada v.5.00 Remote Heap Overflow. [0day]. full pwn!
- SCPSA Ge Fanuc Proficy HMI/SCADA CIMPLICITY. [0day]. full pwn!
SCADA+ 1.8
In SCADA+ 1.8 there are modules for several fresh public vulns (mostly Luigi Auriemma's) in well-known industrial software. Mostly DoSes this time...
- Beckhoff TwinCAT <= 184.108.40.2064
- Optima <= 220.127.116.11 Denial of Service
- OPCSystems.net <= 4.00.0048 denial of service
- Data Archiver service in GE Intelligent Platforms Proficy Historian <= 3.5 SIM 17 and 4.x <= 4.0 SIM 12 stack overflow proof of concept / DOS
- Atvise webMI2ADS <= 1.0 denial of service
- another Atvise webMI2ADS <= 1.0 denial of service
- Atvise webmitestserver directory traversal
Step Ahead (professional) SCADA 1.8
Step Ahead users also receive a nice module allowing decryption of user credentials in Promotic SCADA, and a nice SCADA-related ActiveX exploit.
- PcVue <= 10.0, SVUIGrd.ocx <= 18.104.22.168. allows code execution
SCPSA_promotic - PROMOTIC <= 8.1.3 directory traversal leveraged to user credentials steal.
SCADA+ 1.7
New modules this time include:
- Rockwell's RSLogix5000 Denial of Service. CVE listed.
- SCADAPRO buffer overflow / DOS. CVE listed
- Cogent Datahub. no CVE.
- Sunway httpsvr.exe unauthenticated remote command execution. no CVE
- Sunway AngelServer DOS. no CVE.
- Sunway SNMP NetDBServer stack-based buffer overflow. no CVE.
Step Ahead (professional) SCADA 1.7
Step Ahead SCADA+ users additionally receive a 0day:
- Advantech Web Studio denial of service [0day].
SCADA+ 1.6
The new SCADA+ version 1.6 is out with the following stuff for the newest CVE-listed vulns. Some of them were found by Luigi Auriemma:
- Cogent DataHub Directory traversal vulnerability. CVE-2011-3500.
- DAQFactory <= v.5.85 build 1853 stack based buffer overflow. CVE-2011-3492
- CarelDataServer Directory traversal vulnerability. CVE-2011-3487
- Procyon Core Server stack buffer overflow. CVE-2011-3322
- SCADAPRO <= v.22.214.171.124 unauthenticated remote command execution. no CVE, but public.
Step Ahead (professional) SCADA 1.6
Step Ahead SCADA+ users additionally receive nice 0days:
- CEserver buffer overflow. [0day]. This software is available for most embedded systems. The exploit by now covers WinXP SP3 Embedded.
- Carel Plant Visor Pro critical information disclosure. [0day] All SCADA users' logins+pwds steal
- Carel Plant Visor Pro critical information disclosure. Second vuln. [0day] All SCADA users' logins+pwds steal
SCADA+ 1.5
New SCADA+ modules include:
- 0day for Broadwin\Advantech WebAccess: error-based SQL Injection with filter bypass. Was available via Step Ahead ~1.5 months ago.
- glorious LabVIEW (version 6 and possibly others) DoS via IPv6 query. Old bug, for an old but commonly used LabVIEW version.
- Progea Movicon 11 remote DoS crashing the server.
Step Ahead (professional) SCADA 1.5
Step Ahead (professional SCADA) users, in addition to all of the above, receive:
- 0day Carel Plant Visor Pro vulnerability. Used in nuclear plants, e.g. in Canada. The exploit allows credentials to be stolen.
- Sunway ForceControl and pNetPower buffer overflow. The vuln is known to exist (but details are not public); a patch is available. Thousands of installations in Turkey and China: http://gleg.net/httpsrv_shodan.png