Leakage of PLC Ethernet modules of Mitsubishi Q Series added to the Energy Management System of Japan's North Ocean University

Leakage of PLC Ethernet modules of Mitsubishi Q Series added to the Energy Management System of Japan's North Ocean University

For the safety analysis of the Mitsubishi Q series PLC, refer to the previous article. This is a real case of the control device running on the public network. It is also a case that can be confirmed based on the title.
In theory, if the PLC does not set a password, it can implement remote management operations through programming software, that is, uploading, downloading, and stopping the project.
In this case, we confirm that the web Service open to the relevant address is ecoserver (it should be the same as the small web Energy Monitoring and Management System of Mitsubishi, which is mainly used to monitor the current power usage, after loading java can view the trend chart, etc.) through the open udp port to confirm the PLC model for the Q series PLC (Q12DCCPU-V ).
For the identification method, refer to the previous analysis. For general batch verification, you can use the NMAP-based AUC script in this article.

Web part:

Homepage

Trend chart

 

Measurement Point Information

Information identified using NMAP scripts:

 

 

 

NMAP general-purpose discovery script

Tcp version

 

http://plcscan.org/blog/wp-content/uploads/2014/07/melsecq-discover.nse_.txt

Udp version

 

http://plcscan.org/blog/wp-content/uploads/2014/07/melsecq-discover-udp.nse_.txt-- Nmap Scripting Engine-- required packages for this script-- local bin = require "bin"local nmap = require "nmap"local shortport = require "shortport"local stdnse = require "stdnse"local string = require "string"local table = require "table"--Output Example:--PORT     STATE SERVICE                REASON--5006/udp open  Mitsubishi/Melsoft udp syn-ack--| melsecq-discover:--|_  CPUINFO: Q03UDECPUdescription = [[discovery Mitsubishi Electric Q Series PLC GET CPUINFO]]author = "ICS Security Workspace(plcscan.org)"license = "Same as Nmap--See http://nmap.org/book/man-legal.html"categories = {"discovery","intrusive"}function set_nmap(host, port)port.state = "open"port.version.name = "Mitsubishi/Melsoft Udp"port.version.product = "Mitsubishi Q PLC"nmap.set_port_version(host, port)nmap.set_port_state(host, port, "open") endfunction send_receive(socket, query)local sendstatus, senderr = socket:send(query)if(sendstatus == false) then    return "Error Sending getcpuinfopack"endlocal rcvstatus,response = socket:receive()if(rcvstatus == false) thenreturn "Error Reading getcpuinfopack"endreturn responseendportrule = shortport.port_or_service(5006, "Melsoft/TCP", "udp")action = function(host,port)local getcpuinfopack = bin.pack("H","57000000001111070000ffff030000fe03000014001c080a080000000000000004" .. "0101" .. "010000000001")local responselocal output = stdnse.output_table()local sock = nmap.new_socket()local constatus,conerr = sock:connect(host,port)if not constatus then    stdnse.print_debug(1,      'Error establishing connection for %s - %s', host,conerr      )    return nilendresponse  = send_receive(sock, getcpuinfopack)local mel, pack_head = bin.unpack("C", response, 1)--local mel, space_id = bin.unpack("C", response, 55)local offset = 0if ( pack_head == 0xd7) then--if ( space_id == 0x20) thenlocal mellocal mel, cpuinfo = bin.unpack("z", response, 42 + offset)output["CPUINFO"] = string.sub(cpuinfo, 1, 16)set_nmap(host, port)sock:close()return output--endelsesock:close()    return nilendend

Solution:

Internal systems and external devices should not be external