MicroLogix 1400

Modes
- Program: will not execute logic
- Remote: combination of Run and Program
  - Has substates
  - Can be managed remotely
- Run: cannot change any configs, will execute logic

Protocols
- Serial MODBUS
- Ethernet/IP
- PCCC
  - Sub-command protocol
  - Management controls

PCCC
- CMD code
- TNS code
- FNC code
- Data
- DF1 is the serial version of PCCC; PCCC is the Ethernet/IP version
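The header fields listed above are enough to decode a PCCC command and to audit who is sending writes to a controller. The decoder and allow-list audit below are an added example, not code from the talk and not a Rockwell or Talos tool. It assumes the Ethernet/IP and CIP encapsulation has already been stripped so the buffer starts at CMD (as a DF1 frame does after the DST/SRC bytes), that TNS is two little-endian bytes, and that replies set the 0x40 bit in CMD and carry no FNC byte; the (CMD, FNC) pairs are the ones the DF1 protocol manual gives for the two operations named in these notes, and the sample traffic is constructed.

```python
"""
Decoder for the PCCC command header (CMD, STS, TNS, FNC, data) plus an audit
that flags Protected Typed Logical Writes from hosts outside an engineering
workstation allow-list. Added example: not from the talk, not a Rockwell or
Talos tool. Assumes the buffer starts at CMD with Ethernet/IP and CIP headers
already removed; TNS is little-endian per the DF1 manual.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# (CMD, FNC) pairs from the DF1 protocol manual for the two operations named
# in these notes. Other function codes exist and are reported as "unknown".
KNOWN = {
    (0x0F, 0xA2): "Protected Typed Logical Read w/ 3 Address Fields",
    (0x0F, 0xAA): "Protected Typed Logical Write w/ 3 Address Fields",
}
REPLY_BIT = 0x40  # set in CMD on replies; replies carry no FNC byte


@dataclass
class PcccCommand:
    cmd: int
    sts: int
    tns: int
    fnc: Optional[int]  # None on replies
    data: bytes

    @property
    def is_reply(self) -> bool:
        return bool(self.cmd & REPLY_BIT)

    @property
    def name(self) -> str:
        if self.is_reply:
            return f"reply to CMD {self.cmd & ~REPLY_BIT:#04x} (STS {self.sts:#04x})"
        return KNOWN.get((self.cmd, self.fnc),
                         f"unknown CMD {self.cmd:#04x} FNC {self.fnc:#04x}")

    @property
    def is_write(self) -> bool:
        return not self.is_reply and (self.cmd, self.fnc) == (0x0F, 0xAA)


def parse_pccc(buf: bytes) -> PcccCommand:
    """Split a PCCC command (or reply) into its header fields and raw data."""
    if len(buf) < 4:
        raise ValueError("PCCC header needs at least CMD, STS, TNS")
    cmd, sts, tns = struct.unpack_from("<BBH", buf, 0)
    if cmd & REPLY_BIT:
        return PcccCommand(cmd, sts, tns, None, bytes(buf[4:]))
    if len(buf) < 5:
        raise ValueError("PCCC command is missing its FNC byte")
    return PcccCommand(cmd, sts, tns, buf[4], bytes(buf[5:]))


def audit(flows, engineering_hosts):
    """
    flows: iterable of (src_ip, pccc_bytes) captured on the way to the PLC.
    Returns one alert string per write that did not come from an allowed host:
    a controller in Remote Run should only see config writes from RSLogix hosts.
    """
    alerts = []
    for src, raw in flows:
        c = parse_pccc(raw)
        if c.is_write and src not in engineering_hosts:
            alerts.append(f"{src}: {c.name} (TNS {c.tns:#06x}) from non-engineering host")
    return alerts


# Constructed sample traffic: the data bytes are placeholders, not a real
# address triple. TNS is two little-endian bytes (0x34 0x12 -> 0x1234).
SAMPLE_FLOWS = [
    ("10.0.0.5",  bytes([0x0F, 0x00, 0x34, 0x12, 0xA2]) + b"\x00" * 5),  # read, allowed host
    ("10.0.0.5",  bytes([0x0F, 0x00, 0x35, 0x12, 0xAA]) + b"\x00" * 7),  # write, allowed host
    ("10.0.0.99", bytes([0x0F, 0x00, 0x01, 0x00, 0xAA]) + b"\x00" * 7),  # write, unknown host
    ("10.0.0.1",  bytes([0x4F, 0x00, 0x34, 0x12]) + b"\x00" * 2),        # reply from the PLC
]

if __name__ == "__main__":
    for src, raw in SAMPLE_FLOWS:
        print(src, parse_pccc(raw).name)
    for line in audit(SAMPLE_FLOWS, {"10.0.0.5"}):
        print("ALERT", line)
```

The audit keys on the write function code rather than on the data field, so it also catches writes to files other than the channel configuration; decoding the address fields would let a rule narrow the alert further, but the allow-list alone already separates RSLogix sessions from anything else on the segment.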

Device Config
- CPU State: Remote Run
- SNMP State: Disabled
- Memory Module: Installed w/o write protect
- Firmware: 21.003 or below

Enabling SNMP service
- SNMP is used to flash new firmware
- Disabled by default
- Use RSLogix to enable SNMP and reboot the device

Channel Configuration File
- Change a bit within a bitfield

Get current config
- PCCC Protected Typed Logical Read w/ 3 Address Fields

CRC checksum
- Combination of the first and second response
- CRC16

Write bit to enable SNMP
- PCCC Protected Typed Logical Write w/ 3 Address Fields (Memory Module)
- Need "Get Edit Resource" and "Custom Configuration"
- Need to send a Store to Memory Module packet

Changing Firmware
- No CRC, just a simple checksum
- When bytes are changed, they must still add up to the right checksum
- A simple additive checksum only catches accidental corruption; it is not a signature, so it gives no protection against deliberate modification of the image

Flashing Firmware w/ SNMP Backdoor
- Used with the snmpset command
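Since SNMP is disabled by default on these controllers and the firmware path described here goes through snmpset, an SNMP SetRequest reaching a PLC address is a high-signal event for a defender. The detector below is an added example, not code from the talk and not a Talos or Rockwell tool. It assumes the SNMPv1/v2c message layout (version INTEGER, community OCTET STRING, then a context-specific PDU tag, 0xA3 for SetRequest) and parses only as much BER as needed to reach the PDU tag; the two datagrams and the host addresses are constructed, hand-encoded samples.

```python
"""
Detector for SNMP SetRequest PDUs aimed at PLC addresses. Added example: not
from the talk, not a Talos or Rockwell tool. Parses just enough BER to find
the version, community and PDU type of an SNMPv1/v2c datagram.
"""

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest"}


def _tlv(buf, off):
    """Return (tag, value_start, value_end) for the BER TLV starting at buf[off]."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    end = off + length
    if end > len(buf):
        raise ValueError("BER length runs past end of datagram")
    return tag, off, end


def parse_snmp(datagram):
    """Return version, community and PDU type of an SNMPv1/v2c datagram."""
    tag, start, end = _tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing; not an SNMP message")
    tag, vs, ve = _tlv(datagram, start)  # version INTEGER (0 = v1, 1 = v2c)
    if tag != 0x02:
        raise ValueError("version field missing")
    version = int.from_bytes(datagram[vs:ve], "big")
    tag, cs, ce = _tlv(datagram, ve)  # community OCTET STRING
    if tag != 0x04:
        raise ValueError("community field missing")
    community = datagram[cs:ce].decode("ascii", "replace")
    pdu_tag, _, _ = _tlv(datagram, ce)  # PDU: context-specific constructed tag
    return {"version": version, "community": community,
            "pdu": PDU_NAMES.get(pdu_tag, f"unknown({pdu_tag:#04x})")}


def snmp_set_alerts(packets, plc_hosts):
    """packets: iterable of (src, dst, udp_payload) seen on UDP/161 to the PLC segment."""
    alerts = []
    for src, dst, payload in packets:
        if dst not in plc_hosts:
            continue
        try:
            m = parse_snmp(payload)
        except (ValueError, IndexError):  # malformed or non-SNMP payload: skip, don't crash
            continue
        if m["pdu"] == "SetRequest":
            alerts.append(f"{src} -> {dst}: SNMP SetRequest (v{m['version'] + 1}, "
                          f"community {m['community']!r})")
    return alerts


# Constructed datagrams (hand-encoded BER): a GetRequest for sysName.0 with
# community "public", and a SetRequest on the same OID with community "private".
GET_REQUEST = bytes.fromhex(
    "30 26 02 01 00 04 06 70 75 62 6C 69 63 A0 19 02 01 02 02 01 00 02 01 00 "
    "30 0E 30 0C 06 08 2B 06 01 02 01 01 05 00 05 00")
SET_REQUEST = bytes.fromhex(
    "30 2A 02 01 00 04 07 70 72 69 76 61 74 65 A3 1C 02 01 01 02 01 00 02 01 00 "
    "30 11 30 0F 06 08 2B 06 01 02 01 01 05 00 04 03 70 6C 63")

SAMPLE_PACKETS = [  # constructed (src, dst, payload); 10.0.0.20 plays the PLC
    ("10.0.0.7",  "10.0.0.20", GET_REQUEST),
    ("10.0.0.99", "10.0.0.20", SET_REQUEST),
    ("10.0.0.99", "10.0.0.50", SET_REQUEST),    # not a PLC address, ignored
    ("10.0.0.99", "10.0.0.20", b"\x00\x01junk"),  # not SNMP at all, ignored
]

if __name__ == "__main__":
    for line in snmp_set_alerts(SAMPLE_PACKETS, {"10.0.0.20"}):
        print("ALERT", line)
```

Because the controller should not be answering on UDP/161 at all, a simpler companion check is to alert on any SNMP GetResponse coming from a PLC address: a reply means the service has been turned on, whether by RSLogix or by the write path above.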

Wireshark Dissector: packet-cip.h

White Paper: talosintelligence.com/resources/62

blog.talosintelligence.com/2018/03/ab-micrologix-1400-multiple-vulns.html

blog.talosintelligence.com/2016/rockwell-snmp-vuln.html