Exploiting OPC-UA in Every Possible Way:

Practical Attacks Against Modern OPC-UA Architectures

Sharon Brizinov, Noam Moshe @ Claroty Research - Team82


$whoami

Sharon Brizinov
Vulnerability researcher - CTFs, Pwn2Own, DEFCON black badge, mostly breaking PLCs

Noam Moshe
Vulnerability researcher - Pwn2Own, mostly breaking IoT clouds

* Special thanks to Claroty Team82 researchers: Uri Katz, Vera Mens
Background

Researched dozens of OPC-UA protocol stacks and products

Found core issues in protocol implementations
• ~50 CVEs: DoS, info leaks, RCE
• ~12 unique generic attacks

Open-source tools
• OPC-UA fuzzer
• OPC-UA exploitation framework

Three Pwn2Own ICS competitions, ~$200k 💰💰💰

How Did We Do That?
Agenda
• What is OPC-UA?

• Protocol Stack Implementations

• Bits and Bytes

• Research Methodology

• Vulnerabilities and Exploits

• OPC-UA Exploitation Framework

• Summary
What’s the Problem?

[Diagram: Water Tank → PLC → (proprietary ICS protocol) → HMI & SCADA. The HMI asks for the water level and gets “???”: every PLC speaks its own proprietary protocol.]

What’s the Problem?

[Diagram: Water Tank → PLC → (proprietary ICS protocol) → OPC-UA Server → (OPC-UA) → HMI & SCADA. The OPC-UA server translates the proprietary protocol, and the HMI reads “Water Level is 50%” over OPC-UA.]
What is OPC-UA?

Open Platform Communications - Unified Architecture

Protocol for data exchange between industrial devices and systems
• Server: stores tags/variables
• Client: requests tags/variables

Widely accepted standard for industrial communications
• Supported in Azure/AWS IoT cloud
OPC Foundation

OPC Foundation, specs first version ~2006
• opcfoundation.org

Lessons learned from “OPC Classic”
• Platform independent, scalable, secure

Detailed specifications
• Information Model: object types, how to encode
• Services: supported services such as Read, Write, etc.
• Security: authentication, authorization, encryption
• Many more
Protocol Stacks and Frameworks
OPC-UA Protocol Stacks

To expedite popularity, OPC Foundation created the first OPC-UA protocol stacks:
• ANSI C
• Java
• .NET

[Diagram, layered top to bottom: OPC-UA Application (Server/Gateway/Client) → JAVA API/SDK | .NET API/SDK | C/C++ API/SDK → Java Stack | .NET Stack | ANSI C Stack → Java Runtime | .NET Runtime | Win / Linux API → Operating System]
OPC-UA Supply Chain

With time, vendors integrated the base stacks and modified some of their code

Currently, OPC Foundation lists more than 500 different products
https://opcfoundation.org/products

OPC-UA Supply Chain

The problem is that most products are heavily relying on the base protocol stacks from OPC Foundation

Top Products

[Diagram: KEPServerEx, Unified Automation C++ Server, OPC Foundation OPC UA .NET, Prosys OPC UA SDK for Java, Softing Integration Server. Each product is a proprietary, extended lib/SDK layered on top of a core lib.]
Focus on the Protocol Stacks

So we wanted to find vulns in the base protocol stacks

We also researched popular products such as:
• Softing Secure Integration Server
• PTC Kepware KEPServerEx
• Triangle Microworks SCADA Data Gateway
• Honeywell Matrikon
• Inductive Automation Ignition

Protocol Stacks

OPC-UA Protocol Stack | Programming language | Is Open Source?
node-opcua | NodeJS | Yes
open62541 | C | Yes
freeopcua (c++) | C++ | Yes
python-opcua | Python | Yes
opcua-asyncio | Python | Yes
eclipse-milo | Java | Yes
ASNeG OpcUaStack | C++ | Yes
locka99 | Rust | Yes
Unified Automation | C++ | No
OPC Foundation .NET Stack | C# | Yes
Softing OPC UA SDK | C++ | No
Prosys OPC UA | Java | No
OPC UA Legacy Java Stack | Java | Yes
S2OPC | C | Yes
LibUA | C# | Yes
Bits and Bytes
OPC-UA Nodes

Everything is a node
• Variable (e.g. “Water Level”)
• Type of the Variable value (e.g. Float)

Nodes are identified by [ns, i]
• NodeID (i=1)
• Namespace ID (ns=0)

Namespace is a container for nodes
• Namespace 0: default namespace, contains the default nodes

Address Space provides a standard way for servers to represent objects to clients
OPC-UA Services

Our interaction with the server is in request/response fashion. In most cases we are doing some “action” on nodes.
Examples:

Service Set | Service Name | Description
Attribute | Read Service | Read values from attributes of nodes
Attribute | Write Service | Write values to attributes of nodes
Method | Call Service | Call (invoke) a list of methods
View | Browse | Navigate through the AddressSpace - find Node references

OPC 10000-4: UA Part 4: Services

Example

Node Name | Node Class and Type
Fill Valve | Variable with DataType Boolean
Discharge Valve | Variable with DataType Boolean
Flow Meter | Variable with DataType Float
Water Level | Variable with DataType Float
Start/Stop | Method

[Diagram: Tank (water level 50%)]
Nodes Encoding [ns=0, i=446]

[Slide images: specification excerpt, binary representation, binary parsing. Example: Read Service, reading 12 nodes.]
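The [ns, i] identifiers above have several binary encodings, and every Read request carries one per node. The following is an added example, not code from the talk or from any OPC-UA stack: an encoder that picks the compact form the spec allows and a decoder that checks every length before using it. Function names (`encode_nodeid`, `decode_nodeid`, `parse_nodeid_text`) are this example's own; the encoding bytes and layouts are those of OPC 10000-6 (Part 6) 5.2.2.9.

```python
import struct

# Added example (not code from the talk or any OPC-UA stack): the binary
# NodeId encodings from OPC 10000-6 (Part 6) 5.2.2.9. Function names are
# this example's own.

TWO_BYTE, FOUR_BYTE, NUMERIC, STRING = 0x00, 0x01, 0x02, 0x03


def parse_nodeid_text(text):
    """Parse 'ns=<n>;i=<id>' or 'ns=<n>;s=<name>' (ns= is optional and defaults to 0)."""
    ns, ident = 0, None
    for part in text.split(";"):
        key, _, value = part.partition("=")
        if key == "ns":
            ns = int(value)
        elif key == "i":
            ident = ("i", int(value))
        elif key == "s":
            ident = ("s", value)
        else:
            raise ValueError("unsupported NodeId part %r" % part)
    if ident is None:
        raise ValueError("NodeId %r has no identifier" % text)
    return ns, ident


def encode_nodeid(text):
    """Encode a NodeId with the most compact form the spec allows for its values."""
    ns, (kind, value) = parse_nodeid_text(text)
    if kind == "i":
        if ns == 0 and value <= 0xFF:
            return struct.pack("<BB", TWO_BYTE, value)        # encoding byte + UInt8 id
        if ns <= 0xFF and value <= 0xFFFF:
            return struct.pack("<BBH", FOUR_BYTE, ns, value)  # + UInt8 ns + UInt16 id
        return struct.pack("<BHI", NUMERIC, ns, value)        # + UInt16 ns + UInt32 id
    raw = value.encode("utf-8")
    # String identifier: UInt16 ns, then a UA String (Int32 length + UTF-8 bytes)
    return struct.pack("<BHi", STRING, ns, len(raw)) + raw


def _need(buf, offset, n):
    if len(buf) - offset < n:
        raise ValueError("need %d bytes at offset %d, have %d" % (n, offset, len(buf) - offset))


def decode_nodeid(buf, offset=0):
    """Decode one NodeId at `offset`; return ((ns, identifier), bytes consumed).

    Every length is checked against the buffer before it is used, so a
    declared string length cannot make the decoder read past the message.
    """
    _need(buf, offset, 1)
    enc = buf[offset]
    if enc == TWO_BYTE:
        _need(buf, offset, 2)
        return (0, buf[offset + 1]), 2
    if enc == FOUR_BYTE:
        _need(buf, offset, 4)
        ns, ident = struct.unpack_from("<BH", buf, offset + 1)
        return (ns, ident), 4
    if enc == NUMERIC:
        _need(buf, offset, 7)
        ns, ident = struct.unpack_from("<HI", buf, offset + 1)
        return (ns, ident), 7
    if enc == STRING:
        _need(buf, offset, 7)
        ns, length = struct.unpack_from("<Hi", buf, offset + 1)
        if length < 0:
            return (ns, None), 7                              # null string
        start = offset + 7
        _need(buf, start, length)
        return (ns, buf[start:start + length].decode("utf-8")), 7 + length
    raise ValueError("NodeId encoding 0x%02x not handled here" % enc)


if __name__ == "__main__":
    print(encode_nodeid("ns=0;i=446").hex())      # the node from the slide title
    print(decode_nodeid(encode_nodeid("ns=1;s=Water Level")))
```

The `[ns=0, i=446]` node from the slide title does not fit the two-byte form (446 > 255), so it goes out as the four-byte encoding `01 00 be 01`. The oversized-length check in the String branch is the kind of bound the decode routines fuzzed later in this talk are expected to have.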
HEL

HEL: Hello message

Endpoint URL
● Scheme - must be opc.tcp or opc.https
● Server address
● Port
● Discovery endpoint

opc.tcp://SERVER_IP:62541/UA/Server

OPN

HEL: Hello message
OPN: OpenSecureChannel message

Security Mode
• None
• Sign
• Sign & Encrypt

[Screenshot: SecurityPolicies supported by Prosys OPC-UA server]

Authentication
• Anonymous
• Username/password
• Certificate

[Screenshot: authentication settings for an OPC-UA client, shown using UaExpert]

[Screenshot: OPC UA Secure Conversation MessageChunk carrying the Security Mode and Policy, and the Authentication]

CreateSession

HEL: Hello message
OPN: OpenSecureChannel message
MSG: A generic message container. Some service will be used.

Create Session + Activate
• Configure the session (e.g. timeout, message size, etc.)

Full Session

HEL: Hello message
OPN: OpenSecureChannel message
MSG: A generic message container (secured with the channel’s keys)
CLO: CloseSecureChannel message
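The HEL/ACK exchange that opens every one of these sessions is small enough to pack by hand, and it is where the buffer and chunk limits that the rest of the talk abuses are negotiated. The following is an added example, not code from the talk or from any OPC-UA stack: it builds a HEL for the endpoint URL shown above, parses a constructed ACK, and validates the chunk header. Field names follow OPC 10000-6 (Part 6) 7.1.2; the function names and the sample ACK values are this example's own.

```python
import struct

# Added example (not code from the talk or any OPC-UA stack): the HEL/ACK
# handshake of the OPC UA Connection Protocol, OPC 10000-6 (Part 6) 7.1.2.
# Function names and the sample ACK values are this example's own.

# Message header: MessageType (3 bytes), ChunkType (1 byte), MessageSize (UInt32, whole chunk incl. header)
HEADER = struct.Struct("<3ssI")
# HEL body: ProtocolVersion, ReceiveBufferSize, SendBufferSize, MaxMessageSize, MaxChunkCount
# (all UInt32), followed by EndpointUrl as a UA String.  ACK body: the same five UInt32 fields.
HEL_FIELDS = struct.Struct("<5I")
ACK_FIELDS = struct.Struct("<5I")


def ua_string(s):
    """UA String: Int32 byte length followed by UTF-8 bytes (-1 encodes null)."""
    if s is None:
        return struct.pack("<i", -1)
    raw = s.encode("utf-8")
    return struct.pack("<i", len(raw)) + raw


def check_endpoint_url(url):
    """Accept only the schemes the slide lists."""
    scheme, sep, _rest = url.partition("://")
    if not sep or scheme not in ("opc.tcp", "opc.https"):
        raise ValueError("unsupported endpoint scheme in %r" % url)
    return url


def build_hello(endpoint_url, receive_buffer_size=65535, send_buffer_size=65535,
                max_message_size=0, max_chunk_count=0, protocol_version=0):
    """Build a complete HEL chunk. 0 for MaxMessageSize/MaxChunkCount means 'no limit'."""
    body = HEL_FIELDS.pack(protocol_version, receive_buffer_size, send_buffer_size,
                           max_message_size, max_chunk_count)
    body += ua_string(check_endpoint_url(endpoint_url))
    return HEADER.pack(b"HEL", b"F", HEADER.size + len(body)) + body


def parse_header(buf):
    """Return (MessageType, ChunkType, MessageSize); the size is checked against the bytes given."""
    if len(buf) < HEADER.size:
        raise ValueError("short header")
    mtype, ctype, size = HEADER.unpack_from(buf)
    if size < HEADER.size or size > len(buf):
        raise ValueError("MessageSize %d does not fit the %d bytes received" % (size, len(buf)))
    return mtype.decode("ascii"), ctype.decode("ascii"), size


def parse_ack(buf):
    """Parse the server's ACK into the limits the client must respect from now on."""
    mtype, ctype, size = parse_header(buf)
    if (mtype, ctype) != ("ACK", "F") or size != HEADER.size + ACK_FIELDS.size:
        raise ValueError("not a well-formed ACK: %s/%s size=%d" % (mtype, ctype, size))
    names = ("ProtocolVersion", "ReceiveBufferSize", "SendBufferSize",
             "MaxMessageSize", "MaxChunkCount")
    return dict(zip(names, ACK_FIELDS.unpack_from(buf, HEADER.size)))


def sample_ack():
    """A constructed ACK, as a server accepting 2 MiB / 32-chunk requests would answer."""
    body = ACK_FIELDS.pack(0, 65535, 65535, 2 * 1024 * 1024, 32)
    return HEADER.pack(b"ACK", b"F", HEADER.size + len(body)) + body


if __name__ == "__main__":
    hel = build_hello("opc.tcp://SERVER_IP:62541/UA/Server")
    print(hel.hex())
    print(parse_ack(sample_ack()))
```

The values in the ACK are the server's own promises about what it will accept per chunk and per message; the chunk flooding section of this talk is about servers that advertise such limits and then never enforce them while reassembling.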


Research Methodology
Building Basic OPC-UA Client

Why?
• Hands-on
• Focus on logic
• Customizable to our vuln research needs

How?
• Specification
• Protocol analysis + Wireshark

[Screenshots: FreeOpcUa Python OPC-UA client (Python), Prosys OPC-UA Browser (Java), Unified Automation UaExpert (C/C++)]
Building the Setup

Intel NUC x 2
• Intel Core i7-1165G7
• 32 GB RAM

Installed VMware ESXi

Prepared a Windows 10 x64 image

~10 machines per NUC
Installing & Configuring Targets

Protocol Stack Libraries
• Unified Automation - ANSI C Stack - C
• OPC Foundation - .NET Standard - .NET
• OPC Foundation - Java Legacy - Java
• Prosys OPC UA SDK for Java - Java
• FreeOpcUA opcua-asyncio - Python
• Eclipse Milo - Java
• Node-opcua - Node JS
• Open62541 - C
• OPC UA rust – Rust

Gateways
• Triangle Microworks SCADA Data Gateway
• Softing Secure Integration Server

Clients
• PTC Kepware KepServerEx
• Prosys OPC UA Browser
• Softing edgeAggregator
• Inductive Automation Ignition

OPC UA Servers
• Inductive Automation Ignition
• Unified Automation UaGateway
• PTC Kepware KepServerEx
• Prosys OPC UA Simulation Server
• Softing edgeConnector
Network Fuzzer

Released open-source OPC-UA fuzzer, based on boofuzz

Found 2 heap/stack overflows

Fuzzing 6 services
• Read Service
• Browse Service
• Browse Next Service
• Create Subscription Service
• Add Nodes Service
• History Read Service

https://github.com/claroty/opcua_network_fuzzer
Fuzzers: Coverage Based

Found old source-code for the ANSI C OPC-UA stack
https://github.com/linshenqi/UA-AnsiC

Used both libFuzzer / AFL

Wrote small harness, mostly to fuzz the decode routines

[Screenshots: the AFL harness; libFuzzer burning CPUs]

Control the Fuzzers

Dozens of fuzzers running
• Network based: using boofuzz
• Memory/Coverage based: using AFL, libFuzzer
• Closed binary: using WinAFL, UnicornAFL (CPU emulator)

Monitored everything through Slackbot

Collected millions of corpus entries


Specs & RE

Looking for esoteric and complex features/mechanisms

What will developers overlook?

Reverse engineer and code review to observe different implementations

Pre-auth (HEL, OPN) vs post-auth

What happens if we are not sending the Final flag?
https://reference.opcfoundation.org/v104/Core/docs/Part6/6.7.2/

What happens if we keep all subscriptions alive?
https://reference.opcfoundation.org/Core/Part4/v104/docs/5.6.4
Vulnerabilities and Exploits
Denial of Service - Servers
OPC-UA Server - Denial of Service

[Diagram: Water Tank → PLC → (proprietary ICS protocol) → OPC-UA Server/Gateway → (OPC-UA) → OPC-UA Client. The attacker talks OPC-UA to the server/gateway; the client’s “Water Level” query now returns “???”.]
Denial of Service - Vectors

• Resource exhaustion: uncontrolled memory management

• Threads deadlock

• Use after free bugs

• Buffer overflows: heap/stack corruption

• Uncaught exceptions

• Busy loops / unlimited recursions: call-stack overflow


Denial of Service – Attack Concepts

Resource exhaustion - uncontrolled memory management
• Chunk Flooding
• Unlimited ConditionRefresh Attack
• Unlimited Persistent Monitored Subscriptions
• Unlimited Open Channels

Threads deadlock
• Worker Starvation

Use-after-free bugs
• Method Calling From Dead Session
• Add/Remove From Namespace While Browsing

Buffer overflows - heap/stack corruption
• Unicode Conversion - OOB Write

Uncaught exceptions
• Parser Bug - Dissecting Malformed OPC-UA Data Type

Busy loops / unlimited recursions – call-stack overflow
• Complex Deep Nested Variants (OTORIO)
• Certificate Chain Loop (Sector7)
• Unlimited Translate Browse Path (JFrog)
Denial of Service - Chunk Flooding

[Screenshot: chunk reassembly code in the OPC-UA .NET Stack]

while !isFinalChunk:
    add(chunk)

[Diagram: the attacker sends MSG chunk after MSG chunk and never the Final chunk; the OPC-UA Server/Gateway appends every chunk to the pending message and never releases it.]

CVE-2022-21208 CVE-2022-24381
CVE-2022-25761 CVE-2022-25888
CVE-2022-25304 CVE-2022-29864
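To make the `while !isFinalChunk: add(chunk)` loop concrete, the following is an added example, not the .NET stack's code or the authors' exploit: a reassembler that behaves like the vulnerable loop next to one that charges every chunk against the limits a server advertises in its ACK (ReceiveBufferSize per chunk, MaxChunkCount and MaxMessageSize per message), and a `flood` helper that sends constructed intermediate chunks without a Final one. Class and function names are this example's own; the chunk layout is OPC 10000-6 (Part 6) 7.1.2.

```python
import struct

# Added example (not the .NET stack's code and not the authors' exploit):
# a chunk reassembler written the way the vulnerable loop behaves, next to
# one that enforces the limits the server itself advertised in its ACK.
# Names are this example's own; chunk layout from OPC 10000-6 (Part 6) 7.1.2.

HEADER = struct.Struct("<3ssI")   # MessageType, ChunkType ('C' intermediate, 'F' final, 'A' abort), MessageSize


class ChunkLimitError(Exception):
    """Raised where a real server would close the secure channel."""


def make_chunk(chunk_type, payload):
    return HEADER.pack(b"MSG", chunk_type, HEADER.size + len(payload)) + payload


class VulnerableReassembler:
    """while !isFinalChunk: add(chunk)  -- nothing bounds the pending list."""

    def __init__(self):
        self.pending = []

    def feed(self, chunk):
        _mtype, ctype, size = HEADER.unpack_from(chunk)
        self.pending.append(chunk[HEADER.size:size])
        if ctype == b"F":
            message, self.pending = b"".join(self.pending), []
            return message
        return None                  # keep buffering, for as long as the sender likes

    def buffered_bytes(self):
        return sum(len(p) for p in self.pending)


class BoundedReassembler:
    """Same job, but each chunk is checked against ReceiveBufferSize, and the
    running count and size against MaxChunkCount / MaxMessageSize (0 = no limit)."""

    def __init__(self, receive_buffer_size=65535, max_message_size=1 << 20, max_chunk_count=32):
        self.receive_buffer_size = receive_buffer_size
        self.max_message_size = max_message_size
        self.max_chunk_count = max_chunk_count
        self._reset()

    def _reset(self):
        self.pending, self.count, self.total = [], 0, 0

    def feed(self, chunk):
        _mtype, ctype, size = HEADER.unpack_from(chunk)
        if size != len(chunk) or size > self.receive_buffer_size:
            self._reset()
            raise ChunkLimitError("chunk of %d bytes exceeds ReceiveBufferSize" % size)
        if ctype == b"A":            # sender aborted the message: drop what we hold
            self._reset()
            return None
        if ctype not in (b"C", b"F"):
            self._reset()
            raise ChunkLimitError("unknown chunk type %r" % ctype)
        self.count += 1
        self.total += size - HEADER.size
        if self.max_chunk_count and self.count > self.max_chunk_count:
            self._reset()
            raise ChunkLimitError("MaxChunkCount %d exceeded" % self.max_chunk_count)
        if self.max_message_size and self.total > self.max_message_size:
            self._reset()
            raise ChunkLimitError("MaxMessageSize %d exceeded" % self.max_message_size)
        self.pending.append(chunk[HEADER.size:size])
        if ctype == b"F":
            message = b"".join(self.pending)
            self._reset()
            return message
        return None

    def buffered_bytes(self):
        return sum(len(p) for p in self.pending)


def flood(reassembler, chunks, payload_size=1000):
    """Send `chunks` intermediate chunks and never the Final one (constructed traffic).
    Returns (chunks accepted, bytes still buffered, reason the server stopped or None)."""
    chunk = make_chunk(b"C", b"A" * payload_size)
    accepted = 0
    try:
        for _ in range(chunks):
            reassembler.feed(chunk)
            accepted += 1
    except ChunkLimitError as err:
        return accepted, reassembler.buffered_bytes(), str(err)
    return accepted, reassembler.buffered_bytes(), None


if __name__ == "__main__":
    print("vulnerable:", flood(VulnerableReassembler(), 10000))
    print("bounded:   ", flood(BoundedReassembler(), 10000))
```

With 10,000 one-kilobyte chunks the vulnerable reassembler simply holds 10 MB per connection and would keep going; the bounded one drops the partial message at the 33rd chunk and the connection can be closed. The reset on every error matters as much as the check itself: a server that rejects the chunk but keeps the partial buffer alive is still leaking memory per connection.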
Denial of Service - Method Calling From Dead Session

[Screenshot: an exposed function in python-opcua]
https://reference.opcfoundation.org/v104/Core/docs/Part4/5.11.2/

Did all stacks implement this correctly?

Exploit:
• Send many Call Method requests
• And immediately close the session

[Diagram: the attacker sends one MSG carrying Call Method 1, Call Method 2, … Call Method n to the OPC-UA Server/Gateway, then closes the session while the methods are still running.]

Softing Secure Integration Server

[Screenshot: Softing Secure Integration Server crashing after the session is closed while the calls are still pending]

CVE-2022-1748
Vulnerabilities and Exploits
RCE - Servers

OPC-UA Server - RCE

[Diagram: Water Tank → PLC → (proprietary ICS protocol) → OPC-UA Server/Gateway → (OPC-UA) → OPC-UA Client reading “Water Level is 50%”. The attacker talks OPC-UA directly to the server/gateway.]
PTC Kepware KepServerEx
• Industry’s leading OPC-UA server, used in the biggest manufacturing lines, oil rigs, wind farms, etc.
• Windows-based
• Custom OPC-UA protocol stack
• OPC-UA logic in server_runtime.exe
  ▪ 32bit, service (SYSTEM)
  ▪ Customized anti-debugging
Fuzzer Demo

Analyzing the Crash

OPC-UA Strings are UTF-8 Encoded

[Screenshots: reading a tag’s value in Wireshark; the TANK_ID tag and its value in the Unified Automation client]

KepServerEx Conversion Bug

KepServerEx is trying to convert UTF-8 to UTF-16

String Encoding is Hard
String Encoding is Hard
UTF-8 to UTF-16 is Hard

Whatever starts with C3 is probably 2 bytes long

Valid input - UTF-8: AAAÀ

41 41 41 c3 80 00 ……
 1  1  1  2        Stop

The converter consumes 1, 1, 1 and then 2 bytes (c3 80), reaches the 00 terminator and stops.

UTF-16: \x41\x41\x41\xC3\x80   OK

Malformed input - UTF-8: AAA\xC3 (a lead byte whose continuation byte is missing)

41 41 41 c3 00 XXXXXXXXX……00
 1  1  1  2     1 1 ……     Stop

The c3 lead byte tells the converter to take 2 bytes, so it swallows the 00 terminator as the second byte and keeps walking through whatever follows the string on the heap until it hits the next 00.

UTF-16: \x41\x41\x41\xC3LEAKINGTHEHEAP   FAIL
Heap Overflow Primitive

The bug is triggered in both the READ_TAG and WRITE_TAG functions

We have heap OOB (read+write)
• OOB read → leak pointers to defeat ASLR
• OOB write → construct ROP chain, RCE and PWN

Heap OOB Read

[Screenshot: leaking data via read tag]
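The following is an added example and not KepServerEx code: a small model of the conversion loop the slides describe (the lead byte decides how many bytes to take, and nothing checks that those bytes exist before the terminator), beside the same loop with the two missing checks. The heap layout `HEAP` is constructed for the demonstration, with our string followed by a neighbour's data, and the function names are this example's own.

```python
# Added example, not KepServerEx code: a model of the UTF-8 -> UTF-16
# conversion loop the slides describe, next to a checked version.
# HEAP is a constructed layout: our string, then whatever sits after it.

HEAP = bytearray(b"AAA\xc3\x00" + b"LEAKINGTHEHEAP\x00")


def _seq_len(lead):
    """Number of bytes a UTF-8 sequence should have, judged from its lead byte alone."""
    if lead < 0x80:
        return 1
    if lead & 0xE0 == 0xC0:
        return 2
    if lead & 0xF0 == 0xE0:
        return 3
    if lead & 0xF8 == 0xF0:
        return 4
    return 1                                   # stray continuation byte: passed through as-is


def _merge(seq):
    """Combine a lead byte and its continuation bytes into a code point (no validation)."""
    n = len(seq)
    cp = seq[0] if n == 1 else seq[0] & (0xFF >> (n + 1))
    for b in seq[1:]:
        cp = (cp << 6) | (b & 0x3F)
    return cp


def buggy_utf8_to_utf16(heap, start):
    """Convert until a NUL is met as a lead byte. Returns (code units, bytes consumed).

    BUG: after a c3 lead byte it takes the next byte unconditionally, which can
    be the string's own terminator; the loop then continues into whatever
    follows the string in memory (and off the end of `heap`, if nothing stops it).
    Code points are returned as-is; surrogate splitting is not modelled."""
    units, i = [], start
    while heap[i] != 0:
        n = _seq_len(heap[i])
        units.append(_merge(heap[i:i + n]))    # no bounds check, no continuation check
        i += n
    return units, i - start


def safe_utf8_to_utf16(heap, start):
    """Same loop with the checks that were missing: every trailing byte must be
    present and be 10xxxxxx, so the terminator can never be consumed as data."""
    units, i = [], start
    while heap[i] != 0:
        n = _seq_len(heap[i])
        if heap[i] >= 0x80 and n == 1:
            raise ValueError("stray continuation byte at offset %d" % i)
        seq = heap[i:i + n]
        if len(seq) < n or any(b & 0xC0 != 0x80 for b in seq[1:]):
            raise ValueError("truncated multi-byte sequence at offset %d" % i)
        units.append(_merge(seq))
        i += n
    return units, i - start


def overread(heap, start):
    """How many bytes past the string's own terminator the buggy converter reads."""
    _units, consumed = buggy_utf8_to_utf16(heap, start)
    own = heap.index(0, start) - start + 1     # our string's bytes, terminator included
    return max(0, consumed - own)


if __name__ == "__main__":
    units, consumed = buggy_utf8_to_utf16(HEAP, 0)
    print(consumed, bytes(u & 0xFF for u in units[4:]))   # the neighbour's bytes come back as "string"
    print(overread(HEAP, 0))
```

On the constructed heap the buggy loop consumes 19 bytes for a 4-byte string, handing back `LEAKINGTHEHEAP` as part of the tag value; that is the read side. The same over-consumption is the write side too: the converter produces more UTF-16 output than a buffer sized from the original 4-byte string was allocated for.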


OOB Write

We have the pointers to start our ROP chain

But the bytes written are UTF-16 converted

To construct the ROP chain we need to control the whole payload.

UTF8 → UTF16
mspaint → m\x00s\x00p\x00a\x00i\x00n\x00t\x00

Not good for our ROP

So turn the question around: which UTF-8 input does the converter turn into exactly the bytes we want?

UTF8 → UTF16
????? → mspaint

UTF-8 | UTF-16
獭 | ms
慰 | pa
湩 | in
.. | ..

獭慰湩慭硥e → mspaint.exe

Working it through for the first two bytes:

UTF-8to16(?) = ‘ms’ → \x6d\x73
Unicode(\x6d\x73) = 獭 (the UTF-16 code unit 0x736D, bytes read little-endian)
UTF-8(獭) = \xe7\x8d\xad
UTF-8to16(\xe7\x8d\xad) = \x6d\x73 = ‘ms’

So \xe7\x8d\xad (UTF-8) → ms (UTF-16)

OOB Write

We have the pointers to start our ROP chain

But the bytes written are UTF-16 converted

To construct the ROP chain we need to control the whole payload.
Building the ROP Chain

[Demo slides: PTC Kepware RCE - leaking, overwriting the heap, triggering]

PTC Kepware RCE: CVE-2022-2848, CVE-2022-2825
Vulnerabilities and Exploits
RCE - Clients

Attacking OPC-UA Clients

[Diagram: OPC-UA Client → “Read Water Level OPC-UA Tag” → Malicious OPC-UA Server]

Web-Based OPC-UA Clients
• Inductive Automation Ignition
• Softing dataFEED edgeAggregator
XSS Over OPC-UA

[Diagram: the OPC-UA Client reads the “Water Level” tag from a malicious OPC-UA server. The server answers “Sure, here is your tag!” with Tag: “/><SCRIPT XSS>. The web-based client puts the tag value into its page, and the script runs in the operator’s browser.]

[Screenshots: the injected tag value rendered by the web client]
XSS Over OPC-UA to RCE

We are in the context of the OPC-UA client, how can we leverage it into RCE?

Chain with more vulnerabilities

[Demo slides]

CVE-2023-38121
CVE-2023-38122
CVE-2023-38123
CVE-2023-38124

[Demo slides: Backup, Restore]
OPC-UA Exploitation Framework
Open-Source
Results: 12 concepts, ~50 CVEs

OPC-UA Exploit Framework
• Open source framework with all of our work
• Shared after disclosure to all vendors + worked closely with them
• Based on our OPC-UA client
• Highly customizable with 12 out-of-the-box exploits

github.com/claroty/opcua-exploit-framework
Claroty OPC Exploit Framework

Attack Name | Description | Vulnerability Type | Function Keyword | CVE and Reference
Certificate Infinite Chain Loop | Some servers implemented the certificate chain check by themselves and forgot to protect against a chain loop. Example: CertA is signed by CertB which is signed by CertA | Denial of Service | certificate_inf_chain_loop | CVE-2022-37013
Chunk Flooding | Sending a huge amount of chunks without the Final chunk | Denial of Service | chunk_flood | CVE-2022-29864, CVE-2022-21208, CVE-2022-25761, CVE-2022-25304, CVE-2022-24381, CVE-2022-25888
Open Multiple Secure Channels | Flooding the server with many open channel requests leads to a denial of service | Denial of Service | open_multiple_secure_channels | CVE-2023-32787
Function Call Null Dereference | Triggering an application crash after several OPC UA methods have been called and the OPC UA session is closed before the methods have finished | Denial of Service | function_call_null_deref | CVE-2022-1748
Malformed UTF8 | Triggering an application crash after processing malformed UTF8 strings | Remote Code Execution | malformed_utf8 | CVE-2022-2825, CVE-2022-2848
Race Change And Browse Address Space | Adding nodes to the server address space and removing the nodes in a loop while browsing the entire address space | Denial of Service | race_change_and_browse_address_space | CVE-2023-32172
Unlimited Condition Refresh | Sending many ConditionRefresh method calls leads to uncontrolled memory allocations and eventually to a crash | Denial of Service | unlimited_condition_refresh | CVE-2023-27321
Close Session With Old Timestamp | Sending a bad timestamp on closing the session leads to an uncaught stacktrace with sensitive information | Information Leakage | close_session_with_old_timestamp | CVE-2023-31048
Complex Nested Message | Sending a complex nested variant leads to a call stack overflow | Denial of Service / Information Leakage | complex_nested_message | CVE-2022-25903, CVE-2021-27432
Translate Browse Path Call Stack Overflow | Triggering a stack overflow exception in a server that doesn't limit TranslateBrowsePath resolving calls | Denial of Service | translate_browse_path_call_stack | CVE-2022-29866
Thread Pool Wait Starvation | Thread pool deadlock due to concurrent worker starvation | Denial of Service | thread_pool_wait_starvation | CVE-2022-30551
Unlimited Persistent Subscriptions | Flooding the server with many monitored items with the 'delete' flag set to False leads to uncontrolled memory allocation and eventually to a denial of service | Denial of Service | unlimited_persistent_subscriptions | CVE-2022-25897, CVE-2022-24375, CVE-2022-24298
Summary

Pwn2Own ICS: We participated and demonstrated our OPC-UA exploits in three Pwn2Own competitions - Pwn2Own ICS 2020, 2022, 2023

CVE: We found and reported ~50 OPC-UA vulnerabilities/CVEs across ~15 protocol stacks, which affects hundreds of OPC-UA products

Exploit Technique: We developed ~12 unique exploit techniques that are universal, affected multiple vendors and pushed to change the specs

Open-Source Tools: We released two OSS tools, an OPC-UA network fuzzer and an OPC-UA exploitation framework

OPC-UA Specifications: We helped improve the specifications and pushed the vendors towards better and more secure products