YoVDO

Going Deeper Into Schneider Modicon PAC Security

Offered By: Hack In The Box Security Conference via YouTube

Course Description

Overview

This HITB2021SIN conference talk examines security vulnerabilities in Schneider Modicon Programmable Automation Controllers (PACs), industrial controllers widely used in critical infrastructure. It covers the private communication protocol UMAS and the password protection mechanisms for the CPU, uncovering potential security flaws in both. Topics include how to build fuzzing tools for discovering zero-day vulnerabilities, techniques for bypassing password-protected security policies to gain unauthorized controller access, and a demonstration of a novel ransomware attack that exploits Modicon PAC security weaknesses. The talk closes with defensive strategies and recommendations to mitigate these vulnerabilities. It is presented by experienced industrial control system security researcher Gao Jian from NSFOCUS's GEWU Lab.

Syllabus

Intro
About GEWU Lab
About Modicon PAC
Scenarios and Network PAC concept Top to bottom standard Ethernet network & Open architecture with direct Ethernet connection on backplane
Architecture & Functions
Enhanced cyber security Cybersecure-ready
Attack surface of PAC
What we focus on Weak private protocols are often the best way to breaking
Research setup
What is UMAS?
UMAS message format
UMAS function code
FUZZ UMAS Protocol
Select FUZZ samples
How to build FUZZ
UMAS FUZZ demo
Modicon PAC Application Password
How to bypass application passwor
How the password is stored: reversing UnityEncrypter.dll shows the password hash algorithm is SHA-256
Authorization algorithm analysis
Leaked password hash in traffic
UMAS security function code 0x38
0x38 integrity check
0x38 message format
Summary the Authentication Bypas
Replay attack bypassing authorizat
Ransomware attack targeting level 1
Ransomware attack for M580?
Bypass authorization to replace ap
0x29 function code RCE
0x29 RCE attack demo
How to protect


Taught by

Hack In The Box Security Conference