Sergey Gordeychik Denis Baranov
Gleb Gritsai
Sergey Gordeychik Positive Technologies CTO, Positive Hack Days Director
and Scriptwriter, WASC board member
http://sgordey.blogspot.com, http://www.phdays.com
Gleb Gritsai Principal Researcher, Network security and forensic
researcher, member of PHDays Challenges team
@repdet, http://repdet.blogspot.com
Denis Baranov Head of AppSec group, researcher, member of PHDays
CTF team
Group of security researchers focused on ICS/SCADA
to save Humanity from industrial disaster and to keep Purity Of Essence
Denis Baranov Sergey Bobrov Artem Chaykin
Yuriy Dyachenko Sergey Drozdov Dmitry Efanov
Gleb Gritsai Yuri Goltsev Sergey Gordeychik
Roman Ilin Vladimir Kochetkov Andrey Medov
Sergey Scherbel Timur Yunusov Alexander Zaitsev
Dmitry Serebryannikov Dmitry Nagibin
Siemens ProductCERT
Really professional team
Quick responses
Personal contacts
Patches in 10-30 days
You guys rock!
DIRECT CONTROL: PLC/RTU
SUPERVISOR CONTROL: SCADA
OPERATION AND PRODUCTION SUPERVISION: MES
BUSINESS LAYER: ERP
• NO magic on network
• Standard network protocols/channel level
• NO magic on system level
• Standard OS/DBMS/APPs
• Windows/SQL for SCADA
• Linux/QNX for PLC
• ICS guys don’t care about IT/IS
• MES reality - connect SCADA to other networks/systems (ERP etc.)
• Ethernet
• Cell (GSM, GPRS, …)
• RS-232/485
• Wi-Fi
• ZigBee
• Lots of other radio and wire
• All can be sniffed thanks to community
• Modbus
• DNP3
• OPC
• S7
• And more and more …
• EtherCAT
• FL-net
• Foundation Fieldbus
• Sniffing
• Spoofing/Injection
• Fingerprinting/Data collection
• Fuzzing
• Security?! – OPC, DNP3
Wireshark supports most of it
Third-party protocol dissectors for Wireshark
Industry grade tools and their free functions
FTE NetDecoder
No dissector/tool – No problem
Plaintext and easy to understand protocols
Widely available tools for Modbus packet crafting
Other protocols only with general packet crafters (Scapy)
More tools to come (from us ;))
Most protocols can be attacked by simple packet replay
Well known ports
Modbus
Product, Device, GW, Unit enumeration
S7
Product, Device, Associated devices
OPC
RPC/DCOM
Modern fingerprinting add-ons
SNMP, HTTP, management ports
Open Source ICS devices scan/fingerprint tool
Supports Modbus and S7, more to come
Software and hardware version
Device name and manufacturer
Other technical info
Thanks to Dmitry Efanov
Siemens PLC
127.0.0.1:102 S7comm (src_tsap=0x100, dst_tsap=0x102)
  Module : 6ES7 151-8AB01-0AB0 v.0.2
  Basic Hardware : 6ES7 151-8AB01-0AB0 v.0.2
  Basic Firmware : v.3.2.6
  Unknown (129) : Boot Loader A
  Name of the PLC : SIMATIC 300(xxxxxxxxx)
  Name of the module : IM151-8 PN/DP CPU
  Plant identification :
  Copyright : Original Siemens Equipment
  Serial number of module : S C-BOUVxxxxxxxx
  Module type name : IM151-8 PN/DP CPU
Modbus device
127.0.0.1:502 Modbus/TCP
  Unit ID: 0
    Response error: ILLEGAL FUNCTION
    Device info error: ILLEGAL FUNCTION
  Unit ID: 255
    Response error: GATEWAY TARGET DEVICE FAILED TO RESPOND
    Device: Lantronix I WiPo V3.2.25
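The Modbus part of the scan output above names exception responses and a device-identification query. As an added example (not from the slides or from the scanner's code), this passive decoder for Modbus/TCP frames shows how a monitoring sensor can surface the same events from captured traffic; the sample frames and the `review` helper are constructed for illustration.

```python
import struct

# Constants from the public Modbus application protocol specification.
EXCEPTIONS = {
    0x01: "ILLEGAL FUNCTION",
    0x02: "ILLEGAL DATA ADDRESS",
    0x03: "ILLEGAL DATA VALUE",
    0x04: "SLAVE DEVICE FAILURE",
    0x0A: "GATEWAY PATH UNAVAILABLE",
    0x0B: "GATEWAY TARGET DEVICE FAILED TO RESPOND",
}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}
READ_DEVICE_ID = (0x2B, 0x0E)  # function 43 with MEI type 14


def decode_frame(data: bytes) -> dict:
    """Decode one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(data) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0, not Modbus")
    # The length field counts the unit id byte plus the PDU.
    if length < 2 or len(data) < 6 + length:
        raise ValueError("length field does not match captured bytes")
    pdu = data[7:6 + length]
    frame = {"tid": tid, "unit": unit, "function": pdu[0] & 0x7F,
             "exception": None, "tags": []}
    if pdu[0] & 0x80:  # high bit set: exception response
        if len(pdu) < 2:
            raise ValueError("exception response without exception code")
        frame["exception"] = EXCEPTIONS.get(pdu[1], f"UNKNOWN ({pdu[1]})")
        return frame
    if pdu[0] in WRITE_FUNCTIONS:
        frame["tags"].append("write")
    if len(pdu) >= 2 and (pdu[0], pdu[1]) == READ_DEVICE_ID:
        frame["tags"].append("device-identification")
    return frame


def review(frames) -> list:
    """Return alert strings for frames a sensor should surface."""
    alerts = []
    for raw in frames:
        try:
            f = decode_frame(raw)
        except ValueError as exc:
            alerts.append(f"malformed frame: {exc}")
            continue
        where = f"unit {f['unit']}, function {f['function']}"
        if f["exception"]:
            alerts.append(f"exception {f['exception']} ({where})")
        alerts.extend(f"{tag} ({where})" for tag in f["tags"])
    return alerts


# Constructed sample capture (not taken from the slides).
SAMPLES = [bytes.fromhex(h) for h in (
    "0001000000050 02b0e0100".replace(" ", ""),  # read device id, unit 0
    "000100000003 00 ab01".replace(" ", ""),     # exception: illegal function
    "000200000006 ff 0300000001".replace(" ", ""),  # read holding registers
    "000200000003 ff 830b".replace(" ", ""),     # exception: gateway target
    "000300000006 01 060010002a".replace(" ", ""),  # write single register
)]

if __name__ == "__main__":
    for line in review(SAMPLES):
        print(line)
```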
Just a network device with its own
OS
Network stack
Applications
…vulnerabilities
How to find vulnerabilities in PLC
Nothing special
Fuzzing
Code analysis (MWSL?)
Firmware reversing
Hardcoded SSL CA certificate (Dmitry Sklarov)
http://scadastrangelove.blogspot.com/2012/09/all-your-plc-belong-to-us.html
Multiple vulnerabilities in PLC S7 1200 Web interface (Dmitriy Serebryannikov, Artem Chaikin, Yury Goltsev, Timur Yunusov)
http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-279823.pdf
• Network stack
  • Connects with PLCs, etc.
• OS
• Database
• Applications
  • HMI
  • Web
  • Tools
Depends on OS/DBMS security
GUI restrictions/Kiosk mode for HMI
OS network stack and API heavily used
File shares
RPC/DCOM
Database replication
Password authentication, ACLs/RBAC
Something else?
• Nothing special
• Windows/Linux
• No Patches
• Weak/Absence-of Passwords
• Misconfiguration
• Insecure defaults
• Insecure configuration
• Users/password
• Configuration
• ICS-related data
• Hardcoded accounts (fixed in SP3)
• MS SQL listens on the network out of the box*
  • “Security controller” restricts to Subnet
• Two-tier architecture with Windows integrated auth and direct data access
  • We don’t know how to make it secure
• Database for a new project is created from a txt template
  • Perfect place to hide*
*make a note
• Managed by UM app
• Stored in dbo.PW_USER
• Administrator:ADMINISTRATOR
• Avgur2 > Avgur
This is my encryptionkey
…responsible disclosure
WinCC OS/database forensic white paper and script
WinCC security hardening guide
Exclusive cipher tool & msf module. We don’t have yet…
WebNavigator
Web-based HMI
IIS/ASP.NET
ActiveX client-side
DiagAgent
Diagnostic and remote management application
Custom web-server
…
Not started by default and should never be launched
No authentication at all
XSSes
Path Traversal (arbitrary file reading)
Buffer overflow
Web-based HMI
XPath Injection (CVE-2012-2596)
Path Traversal (CVE-2012-2597)
XSS ~ 20 Instances (CVE-2012-2595)
Fixed in Update 2 for WinCC V7.0 SP3
http://support.automation.siemens.com/WW/view/en/60984587
Can help to exploit server-side vulnerabilities*
Operator’s browser is proxy to SCADAnet!
Does anybody work with SCADA and the Internet using the same browser?
* http://www.slideshare.net/phdays/root-via-xss-10716726
Lots of XSS and CSRF: CVE-2012-3031, CVE-2012-3028
Arbitrary file reading: CVE-2012-3030
SQL injection over SOAP: CVE-2012-3032
Username and password: CVE-2012-3034
http://scadastrangelove.blogspot.com/2012/09/new-vulnerabilities-in-siemens-simatic.html
Username bruteforce?
Password disclosure?
Path traversal?
Arbitrary file reading?
SQL injection?
XSS?
…responsible disclosure