exploit the possibilities

Mitsubishi Melsec FX3G-24M Denial Of Service

Mitsubishi Melsec FX3G-24M Denial Of Service
Posted Sep 30, 2015
Authored by Ralf Spenneberg

Mitsubishi Melsec FX3G-24M suffers from a denial of service vulnerability.

tags | exploit, denial of service
advisories | CVE-2015-3938
MD5 | 2a10a9dca38e65e0d1a507ad24a8483e

Mitsubishi Melsec FX3G-24M Denial Of Service

Change Mirror Download
OS-S Security Advisory 2015-03

Date: September 29th, 2015
CVE: CVE-2015-3938
CVSS: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Title: Mitsubishi ICS FX3G-24M Permanent Communication Denial of Service

Severity: Critical.
The TCP/IP communication of the Mitsubishi Melsec FX3G-24 is
permanently disrupted.

Ease of Exploitation: Trivial

Vulnerability type: Wrong input validation (buffer overflow?)

Products: Mitsubishi Melsec FX3G-24M

Abstract
The Mitsubishi Melsec FX3G-24M is a highly integrated Industrial Control
System (ICS). Many functions of the ICS may be controlled via the built-in
HTTP-Server. By using specially crafted HTTP-messages all Ethernet based
communication may be permanently disrupted. This permanent denial of Service
can only be corrected via a cold restart of the ICS.
Detailed product description
We confirmed the bug on the following system:
FX3G-24M
CPU-Version: 2.10
FX3U-ENET-ADP Version: 1.20
Further products or firmware versions have not been tested

Description
The built-in HTTP application is unable to handle parameters with a length of
100 bytes or more. This is true for all tested URLs but /fx_devmon.html. Even
parameters not used by the web applications trigger the DoS bug. This security
weakness can be exploited using both POST and GET HTTP requests.
As soon as any parameter with a length of at least 100 characters is
transmitted all Ethernet/IP/TCP communication is permanently halted. A
connected HMI looses its connection, the HTTP server is not available any more
and the System does not respond to ICMP ping requests or ARP requests.
The ICS has to undergo a cold restart be interrupting the power supply.
The PLC still continues to execute the internal logic program. Only the
Ethernet based communication is disrupted.

Proof of Concept
The following command (all on one line) crafts an GET request and sends it to
the PLC running on the IP address 192.168.155.80:
python -c "print 'GET /index.html?'+'A'*100 +' \ HTTP/1.1\r\n\r\n'" | nc
192.168.155.80 80

As soon as the command returns the communication is disrupted.

Severity and Ease of Exploitation
The security weakness can be easily exploited. No special tools are necessary.
The Exploit neither requires physical access to the ICS nor does it require
direct access to the ICS network. The exploit can be executed across routers
and if the ICS is connected to the internet across the Internet. The HTTP-
request is a normal and valid request and will not be detected or prevented by
Firewalls or Intrusion Prevention Systems.
The disruption of the Ethernet based communication will cause a permanent loss
of view on any connected HMIs and will prevent the communication of the ICS
with other ICS systems via Ethernet.

Vendor Communication
We unsuccessfully tried to contact the vendor for several month. We could not
find a security contact responsible for these products. On December 4th 2014
we contacted the ICS-CERT. The ICS-CERT contacted Mitsubishi. Mitsubishi
released a new firmware in April 2015. The new firmware will only be available
in all controllers shipped starting April 2015. Older controllers will not
receive the firmware update.

Formatted PDF:
--
OpenSource Security Ralf Spenneberg http://www.os-s.de
Am Bahnhof 3-5 48565 Steinfurt Germany
Fon: +49(0)2552 638 755 Fax: +49(0)2552 638 757

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close