I did some security research on industrial control systems for a while. It was a fun and rewarding experience in which I found tons of usually very simple bugs. Security in that sector was nascent, with the technology being brought forward from the dark ages of everything being on serial. Things are a bit different today, in no small part due to the fine work of many security researchers convincing vendors to step up their game and buyers learning how to ask the right questions before a purchase. SCADA gear is increasingly moving toward modern operating systems with modern security protections. This is very much a Good Thing (tm).
Nevertheless, software is hard. From last week's graph, you already know that the more software you have, the more likely that some of it is broken. Further, there's a lot of super old code in ICS.
Enter Adventech WebAccess Dashboard Viewer, "a fully web-based HMI and SCADA software package for industrial automation." It's basically a web application written in ASPX that lets you twiddle valves and flip switches. Like many web apps, it offers the ability to upload files, and like many web apps, it stores them in the web root and doesn't really care what those files are. Which, of course, means a very simple path to arbitrary code execution.
Maybe someday we'll get rid of newb mistakes. Not today, though.
Exploit modules (1 new) * Advantech WebAccess Dashboard Viewer Arbitrary File Upload by Zhou Yu, and rgod exploits ZDI-16-128
As always, you can update to the latest Metasploit Framework with a simple
msfupdate and the full diff since the last blog post is available on GitHub: 4.11.21...4.11.22