Ashiyane Find Siemens Simatic STEP7 DLL Bug

Security researcher Amir.ght of Iranian group Ashiyane Digital Security Team claims to have found a DLL Hijacking vulnerability in the following software:

SIMATIC Manager Step7 -versions >= 5.5 SP1-, for the SIEMENS STEP 7/S7 Programmable Controller.

This builds on a previous vulnerability in the software versions prior to 5.5 SP1 -and also affecting SIMATIC PCS 7 versions before and including V7.1 SP3-
See CVE 2012-3015 for details and see here: https://ics-cert.us-cert.gov/advisories/ICSA-12-205-02
Previous versions of SIMATIC STEP 7 and PCS 7 allowed the loading of malicious DLL files into the STEP 7 project folder that can be used to attack the system on which STEP 7 is installed. This vulnerability can be remotely exploited, as was the case with Stuxnet malware which was known to target this vulnerability.

The SIMATIC range of controllers -PC or PLC based- are used for many applications, including for the Siemens centrifuge systems targeted by the Stuxnet malware attack at the Natanz nuclear plant.

Amir.ght has published the new dll vulnerability here: https://packetstormsecurity.com/files/140243/
The SIMATIC Manager manages all data belonging to an automation project, regardless of the target system -SIMATIC S7, SIMATIC C7 or SIMATIC WinAC- on which they are implemented. It provides a common entry point for all SIMATIC S7, C7 or WinAC tools. The SIMATIC software tools that are necessary for processing the selected data are automatically started by SIMATIC Manager.

Proof of concept code involved renaming the outfile to winsock32.dll or s7acalxx.dll and then copying the dll files to the STEP 7 Project directory. After opening the program, the malicious dll-s- will be executed.

All vulnerabilities discovered by Amir.ght can be seen here: https://packetstormsecrity.com/files/author/12014/

Leave a Reply

Your email address will not be published. Required fields are marked *