Windows Remote Code Execution via TwinCAT AMS/ADS

This is a writeup of a technical protocol analysis of TwinCAT. TwinCAT allows remote code execution as soon as a valid route is discovered.

Installing Beckhoff Engineering software on your Windows system can lead to unauthenticated Remote Code Execution as System.

Three prerequisites are necessary

• TwinCAT Runtime Environment installed (any version including the most recent one at time of writing)
• TwinCAT routes configured
• Firewall allows TCP/48898

Part1: TwinCAT and AMS/ADS

TwinCAT is the Engineering Runtime used by Beckhoff and is installed on any device that wants to speak the AMS/ADS. This protocol is used to communicate between PLC and HMI or between PLC and engineering software or between PLC and PLC. And others …

AMS/ADS is a protocol running on both UDP/48899 and TCP/48898. The TCP version is pretty well understood by Wireshark in contrary to its UDP counterpart.

-> The UDP/48899 version is used to discover Beckhoff devices (including engineering systems like laptops or workstations) on a local network.

AMS/ADS Routes

The AMS/ADS TCP/48898 version only allows communication between two devices once both of them have each other’s IP address whitelisted in a local list. This whitelist contains what’s called TwinCAT Routes.

To configure this whitelist, we can either login locally and add routes, or we can use the aforementioned UDP/48899 protocol: a Windows credential for an active, local administrator is required to remotely add routes via UDP/48899.

-> Without such a route (whitelisted IP address), the TwinCAT system does not respond to any TCP AMS/ADS packets.
However: there is another way of adding routes …

Part 2: AMS/ADS hidden functionality

Before going further on this route whitelist. Let’s find out what can be done on a device once such a route is present:

• By using the AMS/ADS protocol one can:
• Program the PLC
• Read and write PLC-variables
• Change IP addresses and the name of the device
• List users
• List and configure routes
• Read out statistics about the device
• Uptime, CPU load, temperature, OPC values
• Note that in August 2019 with the release of TwinCAT 3.1.2024.4, “Encrypted AMS/ADS” has become available. It is strongly recommended to use this where possible.
• There are also functionalities that are less expected, as can be seen on this public page:
  https://infosys.beckhoff.com/english.php?content=../content/1033/tcplclib_tc2_utilities/126100789601339659.html
  This means speaking the AMS/ADS protocol against any device that has a valid route, the following becomes possible (amongst others):
• Reboot or Shutdown the system (NT_Reboot and NT_Shutdown)
• Browse the files (FB_EnumFindFileList), all files on all local drives are reachable.
• Download, upload ánd overwrite files (FB_FileRingBuffer).
  We can download almost any file and even upload to folders as C:\Windows or E:\Data, the owner of the files is the “Administrators” group.
  As long as the file is not in use, it defaults to overwriting an existing file.
• Execute any file (NT_StartProcess), this includes any file that we’ve just sent to the machine.
  Note: this process is started as a child from the process “TcSysUI.exe”, which is running as the currently logged in user.
• Read and Write Registry Values (FB_RegQueryValue and FB_RegSetValue)
  Note: this is done as the SYSTEM user, but is only limited to all keys of the HKLM hive.
  In case an older version of TwinCAT is used (32bit), this is even more limited to reading and writing to HKLM\SOFTWARE\WOW6432Node\
• …

-> This means that, once an IP is in the whitelist of the target device, code can be executed code as a local user and significant other actions performed on that target system.

Part 3: Execution (exploit)

The only line of defense in this scenario is that the protection is IP based: once we find an IP already in the list and spoof it to add our own IP to that list, it is game over.

So a TwinCAT Route Spoofer was created.

Scenario

For this scenario we assumed three things:

1. We are in the same Layer2 subnet of the target (called the victim). In other words, we can perform ARP Poisoning
2. The victim has TwinCAT 3 installed and some routes are present.
   The PLC subnet is the one used during the installation of TwinCAT
3. Which would be normal if the victim wants to communicate with a real PLC
4. The victim has the firewall for ports UDP/48899 or TCP/48989 disabled
5. Which would be normal if the victim wants the PLC to communicate back

This system is a completely up-to-date Windows system, using the latest TwinCAT software

An example, as displayed in this video:

https://photubias.stackstorage.com/s/zIgRis1RUH88ugw

1. Using the UDP scanner to get a list of devices on the network
2. Using the TwinCAT Route Spoofer to walk through each IP of the PLC subnet, which we can deduce from the TwinCAT NET ID that is detected on the victim (e.g. this is the IP of the device at the time of installation).
3. Once a single route was found, it is used to add our own IP to the whitelist
4. Once we have our IP address in the whitelist, we can upload or download files, and run them as the current user
5. We can also configure the Registry to:
6. Disable UAC (“EnableLUA” key, so if the user is a local administrator, we are now SYSTEM)
7. Disable AV (“DisableAntiSpyware” key, AntiVirus is disabled permanently)
8. Create a service to run at boot, after we have copied over the necessary files
9. …

-> This works on Beckhoff PLC’s, but also on any Windows device (laptop, server, workstation …) that has the TwinCAT Engineering software installed and configured

References and mitigation:
https://download.beckhoff.com/download/Document/product-security/Advisories/advisory-2017-001.pdf

The used scripts can be found on our Github page: https://www.github.com/tijldeneut

Created by Tinus Umans and Tijl Deneut for IC4® Belgium: www.ic4.be