OpenSource Security Ralf Spenneberg
Am Bahnhof 3-5
48565 Steinfurt
info@os-s.net

OS-S Security Advisory 2017-02

Date: April 4th, 2017
Authors: Simon Heming, Maik BrA1/4ggemann, Hendrik Schwartke, Ralf Spenneberg
CVE: not yet assigned
CVSS: 10
Affected Device: Schneider SoMachine Basic 1.4 SP1, Schneider Modicon
TM221CE16R, Firmware 1.3.3.3

Title: The password for the project protection of the Schneider Modicon
TM221CE16R is hard-coded and cannot be changed.
Severity: Critical. The protection of the application is not existant.
Ease of Exploitation: Trivial
Vulnerability type: Information Disclosure
Vendor contacted: December 23rd, 2016

Abstract
The Project Protection is used to prevent unauthorized users from
opening the protected project file by prompting the user for a password.
The XML file is AES-CBC encrypted, however the key used for encryption
is hard coded and cannot be changed. The key used for encryption is:
aSoMachineBasicSoMachineBasicSoMaa. After decrypting the XML file with
the standard password the user password can be found in the decrypted
data. After reading the user password the project can be opened and
modified with SoMachine Basic.

Vendor Contacted
We contacted the vendor. Apart from the first acknowledgement of the
receipt of the report we did not receive any further information.

PDF: https://www.os-s.net/advisories/OSS-2017-02.pdf
-- 
OpenSource Training Ralf Spenneberg     http://www.os-t.de
Am Bahnhof 3-5                          48565 Steinfurt         Germany
Fon: +49(0)2552 638 755                 Fax: +49(0)2552 638 757