Submit #211268: Delta DVP32ES2 PLC device denial of service vulnerability

Title: Delta DVP32ES2 PLC device denial of service vulnerability

Description: The DVP32ES2 PLC is a PLC device from Delta that uses the Modbus protocol to exchange data with the host computer software. Sending specific data triggers a denial of service on the DVP32ES2 PLC device, and the device must be restarted to recover.

The ISPSoft software has a function to set a password. When you click to set the password, ISPSoft sends a Modbus TCP packet to the PLC. The function code is 103, which is a customized function code. Response is:

Then, when the password is set and confirmed, another packet is sent. The function code is 100, which is also a customized function code. Response:

Function code analysis: The focus here is on function code 100, because the password is transmitted with function code 100. Correct and incorrect passwords were sent repeatedly while capturing packets. If the password sent is correct, for example:

9e 61 00 00 00 09 00 64 01 0d 04 70 61 73 73

that is, the correct password "pass", the same packet is returned:

9e 61 00 00 00 09 00 64 01 0d 04 70 61 73 73

If the password sent is wrong, for example:

9e 61 00 00 00 09 00 64 01 0d 04 33 33 33 33

that is, the wrong password "3333", the PLC replies:

9e 61 00 00 00 09 00 64 01 0d 04 CC CC CC CC

which differs from the packet sent. ISPSoft determines whether the password is correct by checking whether the sent packet and the received packet are identical.

Fuzzing the protocol: The analysis above found two customized function codes, so the fuzzing is aimed mainly at these two function codes. Since function code 103 has not been clearly analyzed, function code 100 was fuzzed first. First, consider the two captures with function code 100:

Verify password: 9e 61 00 00 00 09 00 64 01 0d 04 70 61 73 73
Set password: 9e 61 00 00 00 09 00 64 01 0b 04 70 61 73 73

These two are the Modbus TCP requests to verify the password and to set the password. The guess is that 0d and 0b are sub-functions under function code 100. It was found that when the data sent was:

\x9e\x61\x00\x00\x00\x09\x00\x64\x01\x15\x04\x33\x33\x33\x33

the PLC device goes into an error state: the Error light comes on and it stops working.
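As an added example, not part of the submission, the following Python parses the Modbus/TCP frames quoted above and applies the submission's observations from a monitoring point of view: an exact echo of the request means the password was accepted, a differing response means it was rejected, and function code 100 with sub-function 0x15 is the pattern reported to put the PLC into its error state. The PDU layout (01, sub-function, length, data) and the meaning of sub-functions 0x0d and 0x0b are assumptions inferred from the captures.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

FC_CUSTOM_PASSWORD = 100  # vendor-specific function code 0x64 seen in the captures
SUBFN_VERIFY = 0x0D       # assumed meaning, inferred from the "verify password" capture
SUBFN_SET = 0x0B          # assumed meaning, inferred from the "set password" capture
SUBFN_CRASH = 0x15        # sub-function in the frame that put the PLC into Error

@dataclass
class Frame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function: int
    payload: bytes  # PDU bytes after the function code

def parse_mbap(raw: bytes) -> Frame:
    """Split a Modbus/TCP frame into MBAP header fields and PDU payload."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", raw[:8])
    # MBAP length counts unit id + PDU, so the frame must be length + 6 bytes long
    if len(raw) != length + 6:
        raise ValueError(f"MBAP length {length} does not match {len(raw)}-byte frame")
    return Frame(tid, pid, length, uid, fc, raw[8:])

def password_subfunction(frame: Frame) -> Optional[Tuple[int, bytes]]:
    """For function-code-100 PDUs laid out as 01 <sub> <len> <data> (assumed
    layout), return (sub-function, data); None for any other frame."""
    if frame.function != FC_CUSTOM_PASSWORD or len(frame.payload) < 3:
        return None
    sub, n = frame.payload[1], frame.payload[2]
    return sub, frame.payload[3:3 + n]

def classify(request_hex: str, response_hex: Optional[str] = None) -> str:
    """Label a request (and optional response) the way a passive monitor would."""
    req_raw = bytes.fromhex(request_hex)
    info = password_subfunction(parse_mbap(req_raw))
    if info is None:
        return "not-fc100"
    sub, _ = info
    if sub == SUBFN_CRASH:
        return "crash-trigger"  # the pattern reported to stop the PLC
    if response_hex is None:
        return {SUBFN_VERIFY: "verify", SUBFN_SET: "set"}.get(sub, "unknown-subfn")
    # ISPSoft treats an exact echo of the request as "password accepted"
    return "accepted" if bytes.fromhex(response_hex) == req_raw else "rejected"
```

Feeding the hex from the captures above into classify() reproduces the submission's accepted, rejected and crash-trigger cases; a monitor can raise an alert on the last label before the device needs a restart.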
Source: https://drive.google.com/drive/folders/1mUKkl_NPoUENpPUq-pdQQaEEGvKAaIFB?usp=drive_link
User: Anonymous User
Submission: 09/21/2023 11:57 (3 years ago)
Moderation: 10/09/2023 15:46 (18 days later)
Status: Accepted
VulDB entry: 241582 [Delta Electronics DVP32ES2 PLC 1.48 Password Transmission denial of service]
Points: 20
