Channel: The Vulnerability Management Blog » new vulnerabilities
Hacking industrial control systems – Case study: Falcon

Exploiting the Honeywell Falcon

This post picks up where the earlier posts, CVE-2014-2717: Attacking the Honeywell Falcon XLWeb (30.09.2014) and Cross Site Scripting – Attacking the Honeywell Falcon XLWeb part two (02.10.2014), left off.

In this blog post we move on from gaining application-level administrative control and from using XSS to target system administrators, to gaining a shell at the operating-system level of the equipment through a combination of misconfigurations and security issues.

[Image: Honeywell Falcon]

TL;DR: In 2014, Outpost24 released a security warning related to the Honeywell Falcon XLWeb Linux/Webserver.

Later, a second vulnerability in the form of a default, static and unchangeable account was detected, as well as a directory traversal. Together, they lead to user-controlled code execution and exploitation of the platform.

The default credentials can be used to directly gain access to the very few Telnet enabled Falcon servers. Other servers are targeted via a combination of the FTP-server and the HTTP-server.

This post provides more in-depth information on how this works and its implications. It should be mentioned that this information is published more than a month after disclosure by the ICS CERT. However, to date, unpatched systems remain exposed to the internet.

Note that the post omits the built-in default password. It is, of course, relatively straightforward to obtain, as it is tied to localization and customization of the product and is not a guarded secret.

References:

https://ics-cert.us-cert.gov/advisories/ICSA-15-076-02 – CVE: CVE-2015-0984

What System is this?

AFFECTED PRODUCTS
The following Honeywell XLWeb controller (sometimes referred to as FALCON) versions are affected:

  • FALCON Linux and FALCON XLWebExe
    • XL1000C50 – EXCEL WEB 52 I/O
    • XL1000C100 – EXCEL WEB 104 I/O
    • XL1000C500 – EXCEL WEB 300 I/O
    • XL1000C1000 – EXCEL WEB 600 I/O
    • XL1000C50U – EXCEL WEB 52 I/O UUKL
    • XL1000C100U – EXCEL WEB 104 I/O UUKL
    • XL1000C500U – EXCEL WEB 300 I/O UUKL
    • XL1000C1000U – EXCEL WEB 600 I/O UUKL

Impact

Full system compromise of the SCADA system, leading to remote access to the SCADA networks where the devices are deployed, as well as persistent operating-system access on the affected units.

The affected FALCON XLWeb controllers are web-based SCADA systems. According to Honeywell, FALCON XLWeb controllers are deployed across several sectors including Critical Manufacturing, Energy, Water and Waste Water Systems, among others. According to Honeywell, the affected controllers are used by customers primarily in Europe and the Middle East.

The impact is that the attacker gains control of the device. The devices are often connected to internal, or at least SCADA, networks. Therefore, in many cases, the impact will include internet exposure not only of that device, but of the entire network.

[Image: SCADA network setup]

Using devices in such a setup puts the organization at risk of the same form of targeted attack that Target suffered, where attackers entered via a network-connected HVAC system. You can read more about this here: http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

Mitigation

The update for this vulnerability is Excel Web Linux version 2.04.01 (March 2014) or later, and in addition the programming tool CARE version 10.02 (March 2014) or later. Customers are encouraged to contact their local Honeywell HBS branch to have their sites updated to the latest version.

In the Centraline partner channel, Excel Web controllers have also been sold under the brand name “FALCON”. Centraline partners can directly access http://www.centraline.com to get these versions.

Linux:
https://www.centraline.com/index.php?id=847&route=article/index&directory_id=140&direct_link=1

CARE:
https://www.centraline.com/index.php?id=847&route=article/index&directory_id=138&direct_link=1

Background

After the mitigation of the initial pass-the-hash vulnerability, verification testing and final documentation of the vulnerability took place. During this work, information surfaced on the customization of some system settings and appearance. That material described the built-in account used for this purpose, which has a fixed password.

The Honeywell Falcon XLWeb controller is a web-based management system for controlling DUCs in building control systems, waste water plants and much more.

[Image: Honeywell XLWeb controllers]

Initial access

If the system exposes Telnet, this already means “game over” at step one, as the system then exposes a login mechanism to end users. Very few such systems are exposed at this moment, but for those running that configuration the built-in account makes you admin, over the internet, immediately.

We will go for the most common services exposed: HTTP and FTP.

By using the built-in XWADMIN account with its fixed password, a user can then exploit the directory traversal issue in the FTP server:

CWD /../../mnt/mtd6/xlweb/web/

This is the root of the web server. The web server supports PHP, including functions such as EXEC and PASSTHRU.

An attacker would upload any web shell they see fit. Personally, I prefer to use a simple one and wrap it into the rest of my automation scripts. With a simple Python wrapper, this gives us something like the following: it logs in, uploads the file, switches to issuing calls over the HTTP connection instead, and on EXIT runs a cleanup in which it also deletes the web shell. Of course, the web shell requires a key for execution, so we don’t accidentally backdoor a system during a security audit.

[Image: security audit automation script]

This is the combination of a fixed default account, a directory traversal, and a web server running with sufficient access rights to reach most components of the system.

Example flow of attack

  • Authenticate with the FTP server using built-in static default account
  • Traverse working directory
  • Upload PHP shell
  • Call Shell for execution of any OS commands
  • Clean-up
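The attack flow above leaves a recognisable trace in the device's FTP log: a login with the static account, a CWD containing "../" that lands in the web root, and a STOR of a .php file. The following detector is an added example written for this post, not code from Outpost24 or Honeywell; the log line format and the sample lines are constructed, and the account name and web root path are the ones named in the post.

```python
import re
from typing import Dict, List

# Constructed FTP log lines, modelled on the attack flow described in the post
# (static account login, "../" traversal to the web root, PHP upload, cleanup).
SAMPLE_LOG = """\
2015-04-21 10:01:02 192.0.2.10 USER XWADMIN
2015-04-21 10:01:02 192.0.2.10 230 Login successful
2015-04-21 10:01:05 192.0.2.10 CWD /../../mnt/mtd6/xlweb/web/
2015-04-21 10:01:09 192.0.2.10 STOR cmd.php
2015-04-21 10:05:31 192.0.2.10 DELE cmd.php
2015-04-21 11:15:00 198.51.100.7 USER operator
2015-04-21 11:15:01 198.51.100.7 CWD /data
2015-04-21 11:15:03 198.51.100.7 STOR trend.csv
"""

# Assumed line layout: "<date> <time> <client-ip> <command> [<argument>]"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+)(?: (.*))?$")
STATIC_ACCOUNT = "XWADMIN"          # built-in account named in the post
WEB_ROOT = "/mnt/mtd6/xlweb/web"    # web root reached via traversal in the post


def analyze_ftp_log(text: str) -> Dict[str, List[str]]:
    """Map client IP -> suspicious events (only clients with at least one hit)."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, cmd, arg = m.groups()
        arg = arg or ""
        hits = findings.setdefault(ip, [])
        if cmd == "USER" and arg.upper() == STATIC_ACCOUNT:
            hits.append(f"{ts} static account login attempt ({arg})")
        elif cmd == "CWD" and "../" in arg:
            where = "web root" if WEB_ROOT in arg else "other path"
            hits.append(f"{ts} directory traversal to {where}: {arg}")
        elif cmd == "STOR" and arg.lower().endswith(".php"):
            hits.append(f"{ts} PHP upload: {arg}")
    return {ip: h for ip, h in findings.items() if h}


def is_web_shell_chain(events: List[str]) -> bool:
    """True when one client shows the full chain: static login, traversal, PHP upload."""
    joined = "\n".join(events)
    return all(k in joined for k in ("static account", "traversal to web root", "PHP upload"))
```

Note that the DELE of the shell in the cleanup step is not flagged on its own, so a client that only shows the full chain is the signal worth alerting on; the isolated STOR of a .php file is still worth reviewing.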


Final note

As mentioned, the post does not disclose the password used. This is available in rare but obtainable technical documentation online with a bit of reading. We are not comfortable including it at the moment as the patch penetration is close to 0%, even though more than one month has passed.

A private exploit is of course available, but overall, with sufficient information, exploitation is very straightforward and, as mentioned in the advisory, requires only a low level of skill.

There was one new issue detected and reported to ICS CERT on 2015-04-20, which is related to a default deployment issue. Outpost24 strongly recommends isolating all FALCON/XLWeb systems from the Internet, or to isolate all SCADA systems from Internet exposure.

This issue will be covered in more depth after discussion with the CERT on whether it will be addressed by the vendor or not. We leave you with this screen from the access obtained, and again caution everyone to isolate their SCADA environments.

[Image: SCADA environment, screen captured from the obtained access]

The post Hacking industrial control systems – Case study: Falcon appeared first on The Vulnerability Management Blog.
