Honey Well Done: Aged Vulnerabilities in the Equipment of a Major Industrial Vendor

March 20, 17:00 (CAMPUS)

Is it possible to find vulnerabilities in an outdated firmware version of a device for which security research with multiple CVEs has already been published? Of course! Service network protocols that are rarely used are perfect for this.

The talk describes security research on the C300 PLC by Honeywell, a large international vendor of industrial equipment. The C300 is used in many areas related to critical infrastructure, so exploiting vulnerabilities in it may potentially have an impact on the physical world. The device was developed quite a long time ago, so it has non-standard solutions in its hardware and software architecture, including in parts related to security. These aspects turned into an adventure in overcoming problems, especially in the process of obtaining dynamic debugging on the device via JTAG.

It was necessary to deal with the hardware interaction between the CPU and CPLD, a proprietary debugging protocol for PowerPC processors, weird system calls, and custom software instructions. The effort was not in vain, and a set of vulnerabilities was obtained, including remote arbitrary code execution, the PoC for which will be demonstrated in the talk.

Speaker

Kirill Kutaev

Independent reverse engineer, embedded systems security researcher. Areas of interest: Industrial, Telecom, IoT, and everything related to hardware.
