Penetration through ICS Development Software: potentially devastating attack vector or not? CODESYS 0-day examples. Presented at SyScan 2017

by Yuriy Gurkin

Summary : ABSTRACT
Among the well-known ICS development tools is the CODESYS Programming Software, which is widely used in the energy, factory and other automation technology sectors. Engineers use such tools to create controller applications, HMI devices and so on. But could someone attack that (or another) development software package and gain control over the engineer's PC, over the connected real or test ICS, or even leave a backdoor (potentially for a whole controller product line)?
Successful attacks against development software could be really devastating, especially if they remain undetected.
For example, in 2015 Volkswagen lost about 30% of its share value (2.5 billion) in two days as a result of the scandal over its diesel engine controller software. It was a strange and unclear story, but one thing is clear: "tuned" controller software is a serious matter.
So let's take a look at CODESYS. Using the open-source EAST pentest framework, we will show vulnerabilities in older versions of the CODESYS software, and two 0-days in newer versions.