Beckhoff CVE-2019-16871

Beckhoff CVE-2019-16871

Windows Remote Code Execution via TwinCAT AMS/ADS

This is a writeup of a technical protocol analysis of TwinCAT. TwinCAT allows remote code execution as soon as a valid route is discovered.

Installing Beckhoff Engineering software on your Windows system can lead to unauthenticated Remote Code Execution as System.

Three prerequisites are necessary

• TwinCAT Runtime Environment installed (any version including the most recent one at time of writing)
• TwinCAT routes configured
• Firewall allows TCP/48898

Part1: TwinCAT and AMS/ADS

TwinCAT is the Engineering Runtime used by Beckhoff and is installed on any device that wants to speak the AMS/ADS. This protocol is used to communicate between PLC and HMI or between PLC and engineering software or between PLC and PLC. And others …

AMS/ADS is a protocol running on both UDP/48899 and TCP/48898. The TCP version is pretty well understood by Wireshark in contrary to its UDP counterpart.

-> The UDP/48899 version is used to discover Beckhoff devices (including engineering systems like laptops or workstations) on a local network.

AMS/ADS Routes

The AMS/ADS TCP/48898 version only allows communication between two devices once both of them have each other’s IP address whitelisted in a local list. This whitelist contains what’s called TwinCAT Routes.

To configure this whitelist, we can either login locally and add routes, or we can use the aforementioned UDP/48899 protocol: a Windows credential for an active, local administrator is required to remotely add routes via UDP/48899.

-> Without such a route (whitelisted IP address), the TwinCAT system does not respond to any TCP AMS/ADS packets.
However: there is another way of adding routes …

Part 2: AMS/ADS hidden functionality

Before going further on this route whitelist. Let’s find out what can be done on a device once such a route is present:

• By using the AMS/ADS protocol one can:
  • Program the PLC
• There are also functionalities that are less expected, as can be seen on this public page:
  https://infosys.beckhoff.com/english.php?content=../content/1033/tcplclib_tc2_utilities/126100789601339659.html
  This means speaking the AMS/ADS protocol against any device that has a valid route, the following becomes possible (amongst others):
  • Reboot or Shutdown the system (NT_Reboot and NT_Shutdown)

-> This means that, once an IP is in the whitelist of the target device, code can be executed code as a local user and significant other actions performed on that target system.

Part 3: Execution (exploit)

The only line of defense in this scenario is that the protection is IP based: once we find an IP already in the list and spoof it to add our own IP to that list, it is game over.

So a TwinCAT Route Spoofer was created.

Scenario

For this scenario we assumed three things:

1. We are in the same Layer2 subnet of the target (called the victim). In other words, we can perform ARP Poisoning
2. The victim has TwinCAT 3 installed and some routes are present.
   The PLC subnet is the one used during the installation of TwinCAT
   1. Which would be normal if the victim wants to communicate with a real PLC
3. The victim has the firewall for ports UDP/48899 or TCP/48989 disabled
   1. Which would be normal if the victim wants the PLC to communicate back

This system is a completely up-to-date Windows system, using the latest TwinCAT software

An example, as displayed in this video:

https://photubias.stackstorage.com/s/zIgRis1RUH88ugw

1. Using the UDP scanner to get a list of devices on the network
2. Using the TwinCAT Route Spoofer to walk through each IP of the PLC subnet, which we can deduce from the TwinCAT NET ID that is detected on the victim (e.g. this is the IP of the device at the time of installation).
3. Once a single route was found, it is used to add our own IP to the whitelist
4. Once we have our IP address in the whitelist, we can upload or download files, and run them as the current user
5. We can also configure the Registry to:
   • Disable UAC (“EnableLUA” key, so if the user is a local administrator, we are now SYSTEM)
   • Disable AV (“DisableAntiSpyware” key, AntiVirus is disabled permanently)
   • Create a service to run at boot, after we have copied over the necessary files
   • …

-> This works on Beckhoff PLC’s, but also on any Windows device (laptop, server, workstation …) that has the TwinCAT Engineering software installed and configured

References and mitigation:
https://download.beckhoff.com/download/Document/product-security/Advisories/advisory-2017-001.pdf

The used scripts can be found on our Github page: https://www.github.com/tijldeneut

Created by Tinus Umans and Tijl Deneut for IC4® Belgium: www.ic4.be