On Shaky Ground - A Study of Security Vulnerabilities in Control Protocols
VI.D. MODBUS/TCP Miscellaneous Grammar Test
The MODBUS/TCP Miscellaneous grammar examines the DUT's behavior in response to valid and invalid miscellaneous function code requests. It also examines the DUT's behavior in response to invalid function code requests. The valid function codes tested are:
- 20 Read File Record
- 21 Write File Record
- 22 Mask Write Holding Registers
- 23 Read / Write Multiple Registers
- 24 Read FIFO Queue
- Fuzzed Headers
Table 4: Serial Grammar Test Observed Behavior
We now break down the failed tests by function code.
VI.D.I. Function Code 20
Both PLC Q and PLC M returned incorrect error codes under the following circumstances:
- when the byte count was less than 7 or greater than 245
- when the reference type != 6
- when the record number > 10000 or the record number + register length > 10000
VI.D.II. Function Code 21
Both PLC Q and PLC M returned incorrect error codes under the following circumstances:
- when the byte count was less than 7 or greater than 245
- when the reference type != 6
- when the record number > 10000 or the record number + register length > 10000
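The function code 20 and 21 checks listed above can be turned into a fuzzer-side oracle: given a request frame, compute the exception code the DUT should return, then compare it with what the PLC actually answered. The following is an added example, not code from the paper or its test harness; it validates a Read File Record (FC 20) request against the thresholds given above, and the expected exception codes (0x03 ILLEGAL DATA VALUE for malformed fields, 0x02 ILLEGAL DATA ADDRESS for out-of-range records) are my reading of the Modbus Application Protocol Specification.

```python
import struct

# Thresholds taken from the test description: byte count 7..245, reference type 6,
# record number and record number + register length bounded by 10000.
READ_FILE_RECORD = 20
MAX_RECORD = 10000
ILLEGAL_DATA_ADDRESS = 0x02  # expected code for out-of-range records (assumption, per spec)
ILLEGAL_DATA_VALUE = 0x03    # expected code for malformed sub-request fields (assumption, per spec)

def expected_fc20_response(adu: bytes):
    """Return the exception code a conforming DUT should answer with for a
    Read File Record request, None if the request is valid, or "frame" if the
    MBAP header itself is inconsistent (the fuzzed-header case)."""
    if len(adu) < 8:
        return "frame"
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    # MBAP length field counts unit id + PDU; protocol id must be 0 for Modbus
    if proto != 0 or length != len(adu) - 6:
        return "frame"
    pdu = adu[7:]
    if pdu[0] != READ_FILE_RECORD:
        return None  # other function codes are outside this oracle
    byte_count = pdu[1] if len(pdu) > 1 else 0
    # each sub-request is exactly 7 bytes, and the byte count must match the payload
    if not 7 <= byte_count <= 245 or byte_count != len(pdu) - 2 or byte_count % 7:
        return ILLEGAL_DATA_VALUE
    for off in range(2, 2 + byte_count, 7):
        ref_type, file_no, rec_no, rec_len = struct.unpack(">BHHH", pdu[off:off + 7])
        if ref_type != 6:
            return ILLEGAL_DATA_VALUE
        if rec_no > MAX_RECORD or rec_no + rec_len > MAX_RECORD:
            return ILLEGAL_DATA_ADDRESS
    return None

def build_fc20(sub_requests, unit=1, tid=1, length_override=None):
    """Construct a Modbus/TCP Read File Record ADU from (ref_type, file, record, length)
    tuples; length_override mis-states the MBAP length to mimic the header fuzzing."""
    body = b"".join(struct.pack(">BHHH", *s) for s in sub_requests)
    pdu = bytes([READ_FILE_RECORD, len(body)]) + body
    length = len(pdu) + 1 if length_override is None else length_override
    return struct.pack(">HHHB", tid, 0, length, unit) + pdu
```

Running each fuzz case through `expected_fc20_response` and diffing against the captured reply is what separates "incorrect error code" findings from "no error where one was required".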
VI.D.III. Function Code 23
PLC Q incorrectly reports an error when:
- the starting write address was valid and the starting write address + quantity of registers to write was within range and the quantity of registers was 120 or 121 (limit is 121)
PLC Q returned incorrect error codes under the following circumstances:
- when the starting write address was valid and the quantity of registers to write was 120 or 121 and the starting address + quantity of registers to write was out of range and the data was valid
PLC M returned incorrect error codes under the following circumstances:
- when the read starting address was valid but the quantity of registers was zero
- when the read starting address was valid and the read quantity of registers was out of range, whether or not the read starting address + read quantity of registers was valid
- when read starting address was invalid and the read quantity of registers was zero or out of range
- when the write starting address was valid and the write quantity of registers was zero
- when the write starting address and the write quantity of registers were valid and the write quantity + write starting address was within range, but the actual data length and the specified data length were not in agreement
- when the write starting address was valid and the write quantity was invalid and the write quantity + write starting address was or was not within range and the actual data length and the specified data length were or were not in agreement
VI.D.I. Fuzzed MODBUS Headers
When fuzzing the MODBUS header PLC Q displayed the following incorrect behaviors:
- invalid function codes over 70 caused PLC Q to send a TCP Reset thereby terminating the communication
- incorrectly specified MODBUS packet lengths caused PLC Q to send a TCP Reset thereby terminating the communication
When fuzzing the MODBUS header PLC M displayed the following incorrect behaviors:
- incorrectly specified MODBUS packet lengths caused PLC M to send a TCP Reset thereby terminating the communication