This is a writeup of a technical protocol analysis of TwinCAT. TwinCAT allows remote code execution as soon as a valid route is discovered.
Beckhoff Engineering software on your Windows system can lead to
unauthenticated Remote Code Execution as System.
prerequisites are necessary
Runtime Environment installed (any version including the most recent one at
time of writing)
Part1: TwinCAT and AMS/ADS
TwinCAT is the Engineering Runtime used by Beckhoff and is installed on any device that wants to speak the AMS/ADS. This protocol is used to communicate between PLC and HMI or between PLC and engineering software or between PLC and PLC. And others …
AMS/ADS is a protocol running on both UDP/48899 and TCP/48898. The TCP version is pretty well understood by Wireshark in contrary to its UDP counterpart.
-> The UDP/48899 version is used to discover Beckhoff devices (including engineering systems like laptops or workstations) on a local network.
The AMS/ADS TCP/48898 version only allows communication between two devices once both of them have each other’s IP address whitelisted in a local list. This whitelist contains what’s called TwinCAT Routes.
configure this whitelist, we can either login locally and add routes, or we can
use the aforementioned UDP/48899 protocol: a Windows credential for an active,
local administrator is required to remotely add routes via UDP/48899.
-> Without such a route (whitelisted IP address), the TwinCAT system does not respond to any TCP AMS/ADS packets. However: there is another way of adding routes …
Part 2: AMS/ADS hidden functionality
going further on this route whitelist. Let’s find out what can be done on a
device once such a route is present:
By using the AMS/ADS protocol one can:
Program the PLC
Read and write PLC-variables
Change IP addresses and the name of the device
List and configure routes
Read out statistics about the device
Uptime, CPU load, temperature, OPC values
Note that in August 2019 with the release of TwinCAT 3.1.2024.4, “Encrypted AMS/ADS” has become available. It is strongly recommended to use this where possible.
Reboot or Shutdown the system (NT_Reboot and NT_Shutdown)
Browse the files (FB_EnumFindFileList), all files on all local drives are reachable.
Download, upload ánd overwrite files (FB_FileRingBuffer). We can download almost any file and even upload to folders as C:\Windows or E:\Data, the owner of the files is the “Administrators” group. As long as the file is not in use, it defaults to overwriting an existing file.
Execute any file (NT_StartProcess), this includes any file that we’ve just sent to the machine. Note: this process is started as a child from the process “TcSysUI.exe”, which is running as the currently logged in user.
Read and Write Registry Values (FB_RegQueryValue and FB_RegSetValue) Note: this is done as the SYSTEM user, but is only limited to all keys of the HKLM hive. In case an older version of TwinCAT is used (32bit), this is even more limited to reading and writing to HKLM\SOFTWARE\WOW6432Node\
-> This means that, once an IP is in the whitelist of the target device, code can be executed code as a local user and significant other actions performed on that target system.
Part 3: Execution (exploit)
line of defense in this scenario is that the protection is IP based: once we
find an IP already in the list and spoof it to add our own IP to that list, it
is game over.
TwinCAT Route Spoofer was created.
scenario we assumed three things:
We are in the same Layer2 subnet of
the target (called the victim). In other words, we can perform ARP Poisoning
The victim has TwinCAT 3 installed
and some routes are present.
The PLC subnet is the one used during the installation of TwinCAT
Which would be normal if the victim
wants to communicate with a real PLC
The victim has the firewall for
ports UDP/48899 or TCP/48989 disabled
Which would be normal if the victim
wants the PLC to communicate back
is a completely up-to-date Windows system, using the latest TwinCAT software
Using the UDP scanner to get a list of devices on the network
Using the TwinCAT Route Spoofer to walk through each IP of the PLC subnet, which we can deduce from the TwinCAT NET ID that is detected on the victim (e.g. this is the IP of the device at the time of installation).
Once a single route was found, it is used to add our own IP to the whitelist
Once we have our IP address in the whitelist, we can upload or download files, and run them as the current user
We can also configure the Registry to:
Disable UAC (“EnableLUA” key, so if the user is a local administrator, we are now SYSTEM)
Disable AV (“DisableAntiSpyware” key, AntiVirus is disabled permanently)
Create a service to run at boot, after we have copied over the necessary files
-> This works on Beckhoff PLC’s, but also on any Windows device (laptop, server, workstation …) that has the TwinCAT Engineering software installed and configured
Over de auteur