SCADA+ Pack Latest Updates
SCADA+ 1.13
SCADA+ 1.13 is out with:
- a bunch of DoSes for IBM SolidDB. This is sometimes also used in industrial software; both fresh and old bugs are covered.
- Advantech Studio [0day] DoS,
- xArrow multiple DoS,
- GE Fanuc Proficy Portal directory traversal.
SCADA+ professional 1.12
NOTE: starting from version 1.12, the SCADA+ standard and Step Ahead licenses will be gradually merged into a single "SCADA+ professional" package!
This time we include three Step Ahead SCADA modules from previous releases.
We have also added some modules for network devices to this release.
Modules list:
- CEserver (Advantech Studio and InduSoft Web Studio) buffer overflow. [0day]
- Carel Plant Visor Pro hardcoded credentials vulnerability. [0day]
- Sunway ForceControl and pNetPower httpsvr.exe heap-based buffer overflow
Modules for network devices:
- D-Link Wireless N Router (DIR-615) firmware 3.10NA apply.cgi Admin Authentication Bypass
- D-Link ShareCenter DNS-320 firmware v2.00b06 remote DoS
- D-Link Wireless G Router (WBR-1310) firmware 2.00 Authentication Bypass
- TRENDnet internet camera TV-IP201(P) firmware v2.00 Authentication Bypass
SCADA+ 1.11
SCADA+ 1.11 is available for download. Five remote [0day] DoSes for remotely reachable services in well-known SCADAs are available this time.
Covered vendors include GE Fanuc Proficy, Atvise, Trace Mode and xArrow.
Modules list:
- GE Fanuc Proficy HMI/SCADA CIMPLICITY denial of service. [0day]
- Trace Mode v 6.06 RunTime monitor denial of service. [0day]
- Trace Mode v 6.06 RunTime monitor denial of service. [0day]
- Atvise v.2.1.16 denial of service. [0day]
- xArrow v3.2 DoS. [0day]
Step Ahead (professional) SCADA 1.11
Step Ahead (professional version) users additionally receive a nice 0day in GE Fanuc Proficy allowing SCADA user credentials to be stolen, and a DoS in WinCC.
- GE Fanuc Proficy HMI/SCADA CIMPLICITY SCADA user credentials theft. [0day]
- WINCC denial of service. [0day]
SCADA+ 1.10
Two fresh 0days for GE Fanuc and Broadwin\Advantech WebAccess, plus two 'old' 0days for Carel Plant Visor Pro (those were previously available in the professional SCADA+ version). The modules allow retrieval of sensitive information such as SCADA user or admin names, database admin password hashes and configuration files.
- GE Fanuc Real Time Portal v3.0 SP1 sensitive information disclosure [0day]
- Broadwin\Advantech WebAccess v7.0 sensitive information disclosure [0day]
- Carel Plant Visor Pro critical information disclosure [0day]
- Carel Plant Visor Pro critical information disclosure [0day]
SCADA+ 1.9
New modules for public vulns in CoDeSys, Siemens WINCC and the Samsung air conditioning Data Manager server. Some allow full system compromise!
- Samsung Data Manager server (air conditioning systems) == 1.4.1 hardcoded credentials. [0day]
- CoDeSys SCADA v2.3 Webserver stack buffer overflow. Exploit allows full pwn.
- Siemens WINCC flexible runtime 2008 SP2 + SP1, hmiload.exe directory traversal. Exploit allows full pwn via trojan upload.
- Siemens WINCC flexible runtime 2008 SP2 + SP1, miniweb.exe directory traversal. Exploit allows arbitrary file download.
- Siemens WINCC flexible runtime 2008 SP2 + SP1, miniweb.exe denial of service.
- LabStoRe <= 1.5.4 SQL injection allowing admin + password hash retrieval.
- Samsung Data Manager server <= 1.4.2 multiple vulnerabilities (some critical).
Step Ahead (professional) SCADA 1.9
For Step Ahead (professional) SCADA+ users there are three additional 0days for well-known SCADAs ... all allowing full pwn!
- SCPSA Carel Plantvisor [0day]. Full pwn!
- SCPSA KASKAD SCADA v.5.00 remote heap overflow. [0day]. Full pwn!
- SCPSA GE Fanuc Proficy HMI/SCADA CIMPLICITY. [0day]. Full pwn!
SCADA+ 1.8
In SCADA+ 1.8 there are modules for several fresh public vulns (mostly Luigi Auriemma's) in well-known industrial software. Mostly DoSes this time...
- Beckhoff TwinCAT <= 2.11.0.2004
- Optima <= 1.5.2.13 denial of service
- OPCSystems.net <= 4.00.0048 denial of service
- Data Archiver service in GE Intelligent Platforms Proficy Historian <= 3.5 SIM 17 and 4.x <= 4.0 SIM 12 stack overflow proof of concept / DoS
- Atvise webMI2ADS <= 1.0 denial of service
- another Atvise webMI2ADS <= 1.0 denial of service
- Atvise webmitestserver directory traversal
Step Ahead (professional) SCADA 1.8
Step Ahead users also receive a nice module allowing user credentials in Promotic SCADA to be decrypted, and a nice SCADA-related ActiveX exploit.
- PcVue <= 10.0, SVUIGrd.ocx <= 1.5.1.0. Allows code execution.
- SCPSA_promotic: PROMOTIC <= 8.1.3 directory traversal leveraged to steal user credentials.
SCADA+ 1.7
New modules this time include:
- Rockwell's RSLogix5000 denial of service. CVE listed.
- SCADAPRO buffer overflow / DoS. CVE listed.
- Cogent DataHub. No CVE.
- Sunway httpsvr.exe unauthenticated remote command execution. No CVE.
- Sunway AngelServer DoS. No CVE.
- Sunway SNMP NetDBServer stack-based buffer overflow. No CVE.
Step Ahead (professional) SCADA 1.7
Step Ahead SCADA+ users additionally receive a 0day:
- Advantech Web Studio denial of service [0day].
SCADA+ 1.6
New SCADA+ version 1.6 is out with the following modules for the newest CVE-listed vulns; some of them were found by Luigi Auriemma:
- Cogent DataHub directory traversal vulnerability. CVE-2011-3500.
- DAQFactory <= v.5.85 build 1853 stack-based buffer overflow. CVE-2011-3492
- CarelDataServer directory traversal vulnerability. CVE-2011-3487
- Procyon Core Server stack buffer overflow. CVE-2011-3322
- SCADAPRO <= v.4.0.0.0 unauthenticated remote command execution. No CVE, but public.
Step Ahead (professional) SCADA 1.6
Step Ahead SCADA+ users additionally receive nice 0days:
- CEserver buffer overflow. [0day]. This software is available for most embedded systems. The exploit currently covers WinXP SP3 Embedded.
- Carel Plant Visor Pro critical information disclosure. [0day] All SCADA user logins + passwords can be stolen.
- Carel Plant Visor Pro critical information disclosure. Second vuln. [0day] All SCADA user logins + passwords can be stolen.
SCADA+ 1.5
New SCADA+ modules include:
- 0day for Broadwin\Advantech WebAccess: error-based SQL injection with filter bypass. Was available via Step Ahead ~1.5 months ago.
- glorious LabVIEW (version 6 and possibly others) DoS via IPv6 query. Old bug, for an old but commonly used LabVIEW version.
- Progea Movicon 11 remote DoS crashing the server.
Step Ahead (professional) SCADA 1.5
Step Ahead (professional SCADA) users, in addition to all of the above, receive:
- 0day Carel Plant Visor Pro vulnerability. Used on nuclear plants, e.g. in Canada. Exploit allows credentials to be stolen.
- Sunway ForceControl and pNetPower buffer overflow. The vuln is known to exist (but details are not public); a patch is available. Thousands of installations in Turkey and China: http://gleg.net/httpsrv_shodan.png
