MODBUS Application Protocol 1.1b System Information Remote Disclosure

According to Wikipedia:

Modbus is a serial communications protocol originally published by Modicon (now Schneider Electric) in 1979 for use with its programmable logic controllers (PLCs). Simple and robust, it has since become a de facto standard communication protocol, and it is now a commonly available means of connecting industrial electronic devices.

This protocol is used by a great many industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. Version 1.1b of the MODBUS Application Protocol, maintained by the Modbus Organization, defines a "Read Device Identification" function (function code 43, MEI type 14). It lets a remote client ask a device for its identification strings and, like every other Modbus function, it requires no authentication: anyone who can reach the Modbus/TCP port (502 by default) can send it.

6.21 43 / 14 (0x2B / 0x0E) Read Device Identification

This function code allows reading the identification and additional information relative to the physical and functional description of a remote device, only.

Some devices give up little beyond the three mandatory "basic" objects (vendor name, product code, major/minor revision); others also return the product name, model name, and project or application name (which can include a full path), and vendor-private objects besides. Shodan already uses this request to fingerprint Internet-exposed devices:
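The exchange described above, as an added example that is not part of the original post and not code from the Modbus Organization: it builds the 0x2B/0x0E request (MBAP header plus PDU), decodes the response object list, follows the "More Follows" flag when a device splits its answer across several replies, and rejects exception responses and truncated frames rather than reading past the buffer. The default port 502 and unit identifier 0xFF (the usual value for a device addressed directly over TCP) are assumptions, and SAMPLE_RESPONSE is constructed here, not captured from a real device.

```python
import socket
import struct

# Object IDs from MODBUS Application Protocol Specification V1.1b, section 6.21.
# 0x00-0x02 are the mandatory "basic" objects, 0x03-0x06 "regular",
# 0x80-0xFF vendor-private "extended" objects.
OBJECT_NAMES = {
    0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
    0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
    0x06: "UserApplicationName",
}
FC_READ_DEVICE_ID = 0x2B   # function code 43
MEI_READ_DEVICE_ID = 0x0E  # MEI type 14
READ_ID_BASIC, READ_ID_REGULAR, READ_ID_EXTENDED = 0x01, 0x02, 0x03


def build_request(transaction_id, unit_id=0xFF, read_id_code=READ_ID_BASIC, object_id=0x00):
    """MODBUS/TCP frame: 7-byte MBAP header + the 4-byte 0x2B/0x0E request PDU."""
    pdu = bytes([FC_READ_DEVICE_ID, MEI_READ_DEVICE_ID, read_id_code, object_id])
    # MBAP: transaction id, protocol id (0 = MODBUS), byte count of unit id + PDU, unit id.
    # unit id 0xFF is assumed here; a serial gateway needs the slave address instead.
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_response(transaction_id, unit_id, objects, read_id_code=READ_ID_BASIC,
                   conformity=0x01, more_follows=0x00, next_object_id=0x00):
    """Server-side encoder; used here only to construct offline sample data."""
    body = b"".join(bytes([oid, len(val)]) + val for oid, val in objects)
    pdu = bytes([FC_READ_DEVICE_ID, MEI_READ_DEVICE_ID, read_id_code, conformity,
                 more_follows, next_object_id, len(objects)]) + body
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_response(frame):
    """Decode one response frame into its identification objects.

    Raises ValueError on an exception response or a malformed/truncated frame,
    so a hostile or buggy device cannot push the parser past the buffer.
    """
    if len(frame) < 7:
        raise ValueError("frame shorter than MBAP header")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if proto != 0 or len(pdu) != length - 1 or not pdu:
        raise ValueError("MBAP protocol id or length does not match the frame")
    if pdu[0] == FC_READ_DEVICE_ID | 0x80:  # exception: function code with high bit set
        code = pdu[1] if len(pdu) > 1 else None
        raise ValueError("MODBUS exception response, exception code %r" % code)
    if pdu[0] != FC_READ_DEVICE_ID or len(pdu) < 7 or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    read_id_code, conformity, more_follows, next_object_id, count = pdu[2:7]
    objects, pos = {}, 7
    for _ in range(count):  # each object: id (1), length (1), value (length)
        if pos + 2 > len(pdu):
            raise ValueError("object list truncated")
        oid, olen = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + olen]
        if len(value) != olen:
            raise ValueError("object 0x%02X value truncated" % oid)
        objects[OBJECT_NAMES.get(oid, "Private_0x%02X" % oid)] = value.decode("ascii", "replace")
        pos += 2 + olen
    return {"read_id_code": read_id_code, "conformity": conformity,
            "more_follows": more_follows == 0xFF,
            "next_object_id": next_object_id, "objects": objects}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("device closed the connection")
        buf += chunk
    return buf


def read_device_identification(host, port=502, unit_id=0xFF,
                                read_id_code=READ_ID_REGULAR, timeout=3.0):
    """Query a live device, re-requesting from Next Object Id while More Follows is set."""
    objects, object_id, tid = {}, 0x00, 1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while True:
            sock.sendall(build_request(tid, unit_id, read_id_code, object_id))
            header = _recv_exact(sock, 7)
            length = struct.unpack(">H", header[4:6])[0]
            parsed = parse_response(header + _recv_exact(sock, length - 1))
            objects.update(parsed["objects"])
            if not parsed["more_follows"]:
                return objects
            object_id, tid = parsed["next_object_id"], (tid + 1) & 0xFFFF


# Constructed sample (not a real capture); the UserApplicationName value mirrors
# the kind of path disclosure the post describes.
SAMPLE_RESPONSE = build_response(1, 0xFF, [
    (0x00, b"Example Vendor"), (0x01, b"PLC-100"), (0x02, b"v2.1.7"),
    (0x06, b"C:\\Projects\\plant\\line3.prj"),
], read_id_code=READ_ID_REGULAR, conformity=0x02)

if __name__ == "__main__":
    for name, value in parse_response(SAMPLE_RESPONSE)["objects"].items():
        print("%-22s %s" % (name, value))
```

Run it as-is to see the decoded sample, or call read_device_identification("192.0.2.10") against equipment you are authorised to test; unsolicited traffic to production PLCs is a bad idea, since some controllers handle unexpected requests poorly, so keep this to lab devices or an agreed engagement.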

[Three screenshots of Shodan results showing Modbus device identification banners were shown here.]
