TENGCONTROL TECHNOLOGY T920 PLC v5.5
Allows attackers to exploit this vulnerability to remotely initiate a persistent denial-of-service attack on the controller.
Cause
By constructing the specific network data packet described above, the T-920 CPU can be forced into denial of service while communicating: the CPU enters failure mode and restarts automatically after a period of time. An attacker exploits the vulnerability to remotely initiate a persistent denial-of-service attack on the controller, affecting its normal operation. Specifically, when the T-920 processes a read of a single coil and the Unit ID (UID) is 0x43, an exception occurs and the CPU refuses service.
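To detect this trigger on the wire, a monitor only needs to decode the Modbus/TCP MBAP header (transaction id, protocol id, length, unit id) and the PDU function code, then flag Read Coils (function code 0x01) requests addressed to unit id 0x43, plus any unit id the PLC is not normally addressed with. The following detector is an added example and is not code from the advisory or from the vendor; the expected-unit-id set, the alert severities and the sample frames are all constructed assumptions for illustration.

```python
"""Detector for the T-920 Read Coils / unit id 0x43 condition in Modbus/TCP traffic.

Added example (not from the advisory). Feed it the application-layer payloads of
TCP/502 segments, one Modbus/TCP frame per bytes object.
"""
import struct
from typing import Dict, Iterable, List, Optional, Tuple

MBAP_LEN = 7            # transaction id (2) + protocol id (2) + length (2) + unit id (1)
FC_READ_COILS = 0x01    # Modbus "Read Coils" function code
TRIGGER_UNIT_ID = 0x43  # unit identifier named in the advisory
# Assumption: unit ids the monitored T-920 is legitimately addressed with.
EXPECTED_UNIT_IDS = {0x01}


def parse_modbus_tcp(frame: bytes) -> Optional[Dict[str, int]]:
    """Parse the MBAP header and the PDU function code.

    Returns None for anything that is not a well-formed Modbus/TCP frame:
    too short, wrong protocol id, or a length field that does not match.
    """
    if len(frame) < MBAP_LEN + 1:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    # Protocol id is always 0 for Modbus; length counts unit id + PDU bytes.
    if pid != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "uid": uid, "fc": frame[MBAP_LEN]}


def classify(frame: bytes) -> Tuple[str, str]:
    """Return (severity, reason) for one frame."""
    hdr = parse_modbus_tcp(frame)
    if hdr is None:
        return ("malformed", "not a well-formed Modbus/TCP frame")
    if hdr["uid"] == TRIGGER_UNIT_ID and hdr["fc"] == FC_READ_COILS:
        return ("high", "T-920 DoS trigger: Read Coils (0x01) to unit id 0x43")
    if hdr["uid"] not in EXPECTED_UNIT_IDS:
        return ("medium", f"unexpected unit id 0x{hdr['uid']:02x} "
                          f"(function code 0x{hdr['fc']:02x})")
    return ("info", f"function code 0x{hdr['fc']:02x} to unit id 0x{hdr['uid']:02x}")


def scan(frames: Iterable[bytes]) -> List[Tuple[int, str, str]]:
    """Return (index, severity, reason) for every frame that is not plain 'info'."""
    alerts = []
    for i, frame in enumerate(frames):
        severity, reason = classify(frame)
        if severity != "info":
            alerts.append((i, severity, reason))
    return alerts


def persistent_dos_suspected(frames: Iterable[bytes], threshold: int = 3) -> bool:
    """Repeated trigger frames in one capture match the 'continuously send' pattern."""
    hits = sum(1 for frame in frames if classify(frame)[0] == "high")
    return hits >= threshold


# Constructed sample frames (tid, pid=0, len, uid, fc, start addr, quantity).
SAMPLE_FRAMES = [
    b"\x00\x01\x00\x00\x00\x06\x01\x01\x00\x00\x00\x01",  # benign: Read Coils, uid 1
    b"\x00\x02\x00\x00\x00\x06\x43\x01\x00\x00\x00\x01",  # trigger: Read Coils, uid 0x43
    b"\x00\x03\x00\x00\x00\x06\x43\x01\x00\x00\x00\x01",  # trigger repeated
    b"\x00\x04\x00\x00\x00\x06\x43\x01\x00\x00\x00\x01",  # trigger repeated
    b"\x00\x05\x00\x00\x00\x06\x10\x03\x00\x00\x00\x0a",  # odd uid 0x10, Read Holding Regs
    b"\x00\x06\x00\x00\x00\x06\x01",                      # truncated frame
]

if __name__ == "__main__":
    for idx, sev, why in scan(SAMPLE_FRAMES):
        print(f"frame {idx}: [{sev}] {why}")
    print("persistent DoS pattern:", persistent_dos_suspected(SAMPLE_FRAMES))
```

The length check in `parse_modbus_tcp` matters: a frame whose MBAP length disagrees with its actual size is reported as malformed rather than silently classified, so a monitor sees oversized or truncated frames aimed at the PLC instead of dropping them.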
(1) Before running the attack script, the PLC is in its normal communication state; check that the network is connected with the following command:
ping 192.168.1.99 (the PLC's default IP address)
(2) After running the exploit Python script, check the network connection status and the running status of the PLC.
It can be observed that the PLC has refused service and the ping to it fails; after a few seconds, the PLC CPU restarts. Once the CPU restarts, the attacker uses the vulnerability to keep sending the data so that the PLC continuously refuses service, which in turn affects the normal operation of the PLC.