This is a writeup of a technical protocol analysis of TwinCAT. TwinCAT allows remote code execution as soon as a valid route is discovered.
Installing Beckhoff Engineering software on your Windows system can lead to unauthenticated Remote Code Execution as System.
Three prerequisites are necessary
TwinCAT is the Engineering Runtime used by Beckhoff and is installed on any device that wants to speak the AMS/ADS. This protocol is used to communicate between PLC and HMI or between PLC and engineering software or between PLC and PLC. And others …
AMS/ADS is a protocol running on both UDP/48899 and TCP/48898. The TCP version is pretty well understood by Wireshark in contrary to its UDP counterpart.
-> The UDP/48899 version is used to discover Beckhoff devices (including engineering systems like laptops or workstations) on a local network.
The AMS/ADS TCP/48898 version only allows communication between two devices once both of them have each other’s IP address whitelisted in a local list. This whitelist contains what’s called TwinCAT Routes.
To configure this whitelist, we can either login locally and add routes, or we can use the aforementioned UDP/48899 protocol: a Windows credential for an active, local administrator is required to remotely add routes via UDP/48899.
-> Without such a route (whitelisted IP address), the TwinCAT system does not respond to any TCP AMS/ADS packets.
However: there is another way of adding routes …
Before going further on this route whitelist. Let’s find out what can be done on a device once such a route is present:
-> This means that, once an IP is in the whitelist of the target device, code can be executed code as a local user and significant other actions performed on that target system.
The only line of defense in this scenario is that the protection is IP based: once we find an IP already in the list and spoof it to add our own IP to that list, it is game over.
So a TwinCAT Route Spoofer was created.
For this scenario we assumed three things:
This system is a completely up-to-date Windows system, using the latest TwinCAT software
An example, as displayed in this video:
-> This works on Beckhoff PLC’s, but also on any Windows device (laptop, server, workstation …) that has the TwinCAT Engineering software installed and configured
References and mitigation:
The used scripts can be found on our Github page: https://www.github.com/tijldeneut
Created by Tinus Umans and Tijl Deneut for IC4® Belgium: www.ic4.be