I did some security research on industrial control systems for a while. It was a fun and rewarding experience in which I found tons of usually very simple bugs. Security in that sector was nascent, with the technology being brought forward from the dark ages of everything being on serial. Things are a bit different today, in no small part due to the fine work of many security researchers convincing vendors to step up their game and buyers learning how to ask the right questions before a purchase. SCADA gear is increasingly moving toward modern operating systems with modern security protections. This is very much a Good Thing (tm).

Nevertheless, software is hard. From last week's graph, you already know that the more software you have, the more likely that some of it is broken. Further, there's a lot of super old code in ICS.

Enter Advantech WebAccess Dashboard Viewer, "a fully web-based HMI and SCADA software package for industrial automation." It's basically a web application written in ASPX that lets you twiddle valves and flip switches. Like many web apps, it offers the ability to upload files, and like many web apps, it stores them in the web root and doesn't really care what those files are. Which, of course, means a very simple path to arbitrary code execution.

Maybe someday we'll get rid of newb mistakes. Not today, though.
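For contrast, here is an added example (not code from WebAccess or from the Metasploit module) of an upload handler that avoids both mistakes described above: it refuses to store files inside the web root and it does care what the files are. It is a Python sketch rather than ASPX; the allowlist, size limit, and all names are assumptions for illustration.

```python
import os
import secrets
from pathlib import Path

# Assumption: the application only needs image uploads.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit


class UploadRejected(Exception):
    """Raised when an upload fails a policy check."""


def store_upload(client_name: str, data: bytes,
                 storage_dir: Path, web_root: Path) -> Path:
    """Store an upload where the web server cannot execute it."""
    storage_dir, web_root = storage_dir.resolve(), web_root.resolve()

    # 1. Never write into the web root: a file there is reachable by URL,
    #    and a server-side script there gets executed.
    if storage_dir == web_root or web_root in storage_dir.parents:
        raise UploadRejected("storage directory is inside the web root")

    # 2. Keep only the last path component, whichever separator was used.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows drops trailing dots and spaces, so "x.aspx." lands as "x.aspx".
    base = base.rstrip(". ")

    # 3. Allowlist the extension; anything unknown (.aspx, .ashx, none) fails.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    if len(data) > MAX_BYTES:
        raise UploadRejected("upload exceeds size limit")

    # 4. The server picks the stored name; the client-supplied name is
    #    never used as a path. Mode "xb" refuses to overwrite a file.
    dest = storage_dir / (secrets.token_hex(16) + ext)
    with open(dest, "xb") as fh:
        fh.write(data)
    return dest
```

Files stored this way are served back through a download handler that sets the content type itself, so nothing the client uploads is ever interpreted by the server.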

New Modules

Exploit modules (1 new)

* Advantech WebAccess Dashboard Viewer Arbitrary File Upload by Zhou Yu and rgod exploits ZDI-16-128

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.21...4.11.22

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.