From Pass-the-Hash to Code Execution on Schneider Electric M340 PLCs (slide deck, PDF, 107 pages)
#BHEU BlackHatEvents - Information Classification: General

From Pass-the-Hash to Code Execution on Schneider Electric M340 PLCs
Amir Zaltzman, Avishai Wool

Who am I?
Amir Zaltzman
- Embedded security researcher
- M.Sc. graduate under the supervision of Prof. Avishai Wool at Tel Aviv University

Motivation
- With the rise of the Industry 4.0 revolution, industrial devices, including current-generation PLCs, are increasingly connected to the internet.
- PLC vendors are continuously enhancing their proprietary security protocols while ensuring operational compatibility.

Modicon M340 PLCs
- Researched Schneider Electric's Modicon M340 PLCs with the latest firmware version 3.60 (Oct 2024).
- PLCs used in various industries, such as water and wastewater management, oil and gas, food and beverage.

Management Setup
- Engineering station (Client): PC
- M340 processor module (Host): PLC
- The two communicate using the UMAS protocol.

UMAS Protocol
- UMAS (Unified Messaging Application Services) is a proprietary Schneider Electric protocol for configuration and monitoring of Modicon PLCs.
- UMAS messages are transmitted over a Modbus/TCP network, using Modbus function code 0x5A.
- Frame layout: Modbus header | Modbus function (5A) | Session key | UMAS function | UMAS message data
- The session key, UMAS function and UMAS message data together form the UMAS message.

Session Types
- Public session: no prior authentication is required.
- Reserved session: prior authentication is required.

Public messages
- Can be transmitted both in public and reserve
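The frame layout in the UMAS Protocol slide (Modbus header, function code 0x5A, session key, UMAS function, UMAS message data) is enough to write a small dissector that separates UMAS traffic from ordinary Modbus/TCP, which is what a network monitor for an M340 cell would need. The following is an added example, not code from the talk or from Schneider Electric. The 7-byte Modbus/TCP MBAP header is standard Modbus; the one-byte width of the session key and of the UMAS function code is an assumption taken from public descriptions of UMAS, not something the slides state. The sample frames are constructed for this example.

```python
import struct
from typing import Dict, Iterable, Optional

# Modbus function code that carries UMAS, as stated on the slides.
MODBUS_UMAS_FUNCTION = 0x5A


def parse_umas_frame(frame: bytes) -> Optional[dict]:
    """Return the UMAS fields of a Modbus/TCP frame, or None if it is not UMAS.

    MBAP header (standard Modbus/TCP): transaction id (2), protocol id (2),
    length (2), unit id (1). The length field counts the unit id plus the PDU.
    After the 0x5A function byte this example assumes a 1-byte session key and
    a 1-byte UMAS function code (assumption, see lead-in); the rest is data.
    """
    if len(frame) < 8:  # MBAP header + function byte
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:  # protocol id is always 0 for Modbus
        return None
    if length != len(frame) - 6:  # malformed or truncated frame
        return None
    if frame[7] != MODBUS_UMAS_FUNCTION:
        return None  # plain Modbus, not UMAS
    if len(frame) < 10:  # session key and UMAS function byte must be present
        return None
    return {
        "transaction_id": tid,
        "unit_id": unit,
        "session_key": frame[8],
        "umas_function": frame[9],
        "data": frame[10:],
    }


def count_umas_functions(frames: Iterable[bytes]) -> Dict[int, int]:
    """Histogram of UMAS function codes seen in a capture; non-UMAS frames are ignored."""
    counts: Dict[int, int] = {}
    for frame in frames:
        parsed = parse_umas_frame(frame)
        if parsed is not None:
            code = parsed["umas_function"]
            counts[code] = counts.get(code, 0) + 1
    return counts


# Constructed sample frames (not real captures).
# UMAS frame: tid=1, length=6, unit=0, fn=0x5A, session key=0x00, UMAS fn=0x01, 2 data bytes.
UMAS_FRAME = b"\x00\x01\x00\x00\x00\x06\x00\x5a\x00\x01\xab\xcd"
# Ordinary Modbus "read holding registers" (fn=0x03): must not be reported as UMAS.
PLAIN_MODBUS_FRAME = b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"
# A 0x5A frame cut off before the session key and UMAS function byte.
TRUNCATED_FRAME = b"\x00\x03\x00\x00\x00\x02\x00\x5a"

if __name__ == "__main__":
    for name, f in [("umas", UMAS_FRAME), ("modbus", PLAIN_MODBUS_FRAME), ("truncated", TRUNCATED_FRAME)]:
        print(name, parse_umas_frame(f))
    print(count_umas_functions([UMAS_FRAME, PLAIN_MODBUS_FRAME, TRUNCATED_FRAME]))
```

Checking the MBAP length against the actual frame size before reading the UMAS bytes is the part worth keeping: a dissector that trusts the length field, or indexes past the end of a short 0x5A frame, is itself a crash target when fed hostile traffic.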