Fun with VxWorks – HDM
- Started off as a generic vulnerability analysis
- VxWorks –> embedded, real-time OS. Now owned by Intel
- Most widely deployed embedded OS (based on 2005 info)
- Supports various hardware platforms
- Each application run as kernel threads
- Little memory protection between applications
- Everything runs with the highest privileges…
- not necessarily the highest priority
Used in systems from VoIP phones through to Fibre Channel switches. Lots of SCADA companies use this in monitoring systems.
Spacecraft and cars also run it!
There are not many companies that don’t ship products with VxWorks
Only 12 CVEs mention VxWorks
Only 2 CVEs refer to flaws actually in the core of VxWorks
VxWorks debug server (WDB agent, default UDP port 17185) found to be running on a number of devices in production.
Mentioned in 2002, 2004, 2005... but no info on how to abuse it
Basic API mentioned in the dev docs
VxWorks source code is available by searching on Chinese warez sites (use Google)
By looking at the source-code you can see the initial comments date back to 1995
Created WDBRPC Protocol library
Allows for scanning of a target
- use auxiliary/scanner/vxworks/wdbrpc_version
Allows for completing a FULL memory dump from the device
- use auxiliary/admin/vxworks/wdbrpc_memory_dump
- Progress meters in case you’re dumping from a system located in China
Performing strings on the full dump gives lots of great information
The debugger, however, lets you read and WRITE memory –> direct memory write to goatse everybody
Identify affected devices
At least 5 vendors have flubbed this
Only way to deactivate fully is to reflash
This is 2010... finding devices by scanning the web
- Just scan the whole internet
- use wdbrpc_bootline as a scanner
- use tcpdump to capture replies
- use a VPS with a nice provider
- scan… scan … scan
3.1 million IPs... 250,000 found vulnerable!
Rescanned those with SNMP –> active on 25% of devices
Somebody must have done this before, right?
Looking through DShield data
- Traffic back in 2006, somebody did a mass scan for this port
- Nothing major since then
So somebody already knew, they probably already had their fun!
The number of devices has probably declined since then...
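The DShield observation above (a single mass scan of the port back in 2006) comes down to counting who hits UDP/17185 and how many of your hosts answer from it. The following Python is an added example, not code from the talk or from Metasploit: it parses constructed tcpdump-style lines (the 192.0.2.0/24 prefix stands in for the local network), flags sources sweeping the WDB debug port across several hosts, and lists local hosts that replied from that port, i.e. devices with the debug agent still exposed. The sweep threshold and the line format are assumptions.

```python
import re
from collections import defaultdict

# VxWorks WDB debug agent port (UDP), as named in the talk.
WDB_PORT = 17185

# Constructed "tcpdump -n" style lines; not a real capture.
SAMPLE_LINES = [
    "12:00:01.000001 IP 198.51.100.7.40001 > 192.0.2.10.17185: UDP, length 80",
    "12:00:01.000302 IP 192.0.2.10.17185 > 198.51.100.7.40001: UDP, length 120",
    "12:00:01.001000 IP 198.51.100.7.40002 > 192.0.2.11.17185: UDP, length 80",
    "12:00:01.002000 IP 198.51.100.7.40003 > 192.0.2.12.17185: UDP, length 80",
    "12:00:02.000000 IP 192.0.2.10.53 > 192.0.2.99.4321: UDP, length 60",
    "12:00:03.000000 IP 203.0.113.5.51000 > 192.0.2.10.17185: UDP, length 80",
]

# Assumed line shape: "<ts> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


def parse_line(line):
    """Parse one capture line into a dict, or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "length": int(m["len"]),
    }


def analyse(lines, local_prefix="192.0.2.", sweep_threshold=3):
    """Summarise WDB debug-port activity seen in the capture.

    probe_sources: external source -> set of local hosts it probed on 17185
    responders:    local hosts that answered *from* 17185 (exposed debug agent)
    sweeps:        sources that probed at least sweep_threshold distinct hosts
    """
    probes = defaultdict(set)
    responders = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dport"] == WDB_PORT and rec["dst"].startswith(local_prefix):
            probes[rec["src"]].add(rec["dst"])
        elif rec["sport"] == WDB_PORT and rec["src"].startswith(local_prefix):
            responders.add(rec["src"])
    sweeps = sorted(src for src, dsts in probes.items() if len(dsts) >= sweep_threshold)
    return {
        "probe_sources": dict(probes),
        "responders": sorted(responders),
        "sweeps": sweeps,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LINES)
    print("hosts answering on 17185 (exposed agent):", report["responders"])
    print("sources sweeping the port:", report["sweeps"])
```

Run over a real capture, `responders` is the list to act on: the talk's point is that the only full fix is a reflash, so every host on it needs that, or at minimum a filter on UDP/17185 at the network edge.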
Exploiting the debug service
We can read/write memory, but how do we get a shell?
Just like hacking old games….
- Take a memory image before
- Make config changes to enable remote admin
- Take another snapshot
- Roll out changes to the remote devices
Locate sensitive information in memory
Write a scanner to find it
Have fun!
Example: Pulling the Admin password out of the memory (Apple Airport used to suffer from this until it was patched)
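The snapshot-before / snapshot-after technique above and the admin-password example both reduce to two operations on a memory image: diffing two dumps to find where a setting lives, and scanning a dump for cleartext secrets. The Python below is an added example, not the talk's or Metasploit's code, written for a vendor or operator auditing their own device: it diffs two constructed 256-byte images (not real VxWorks memory) and reports whether configured secrets appear verbatim in the dump, which is the condition the Apple Airport fix removed. Image layout, offsets and the credential values are all made up for the demonstration.

```python
import re


def diff_regions(before: bytes, after: bytes):
    """Return [(offset, old_bytes, new_bytes)] for each contiguous run of differing bytes.

    Both images must be dumps of the same device, so the same length.
    """
    if len(before) != len(after):
        raise ValueError("snapshots differ in size")
    regions = []
    i, n = 0, len(before)
    while i < n:
        if before[i] == after[i]:
            i += 1
            continue
        j = i
        while j < n and before[j] != after[j]:
            j += 1
        regions.append((i, before[i:j], after[i:j]))
        i = j
    return regions


def extract_strings(image: bytes, min_len: int = 4):
    """Same idea as running strings(1) over the dump: printable ASCII runs."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    return [m.group().decode("ascii") for m in pattern.finditer(image)]


def find_cleartext_secrets(image: bytes, secrets):
    """Report every configured secret that appears verbatim in the image.

    Anything listed here is readable by whoever can reach the debug agent.
    """
    hits = {}
    for secret in secrets:
        offsets = [m.start() for m in re.finditer(re.escape(secret.encode()), image)]
        if offsets:
            hits[secret] = offsets
    return hits


def build_images():
    """Constructed images: a before/after pair around 'enable remote admin'."""
    before = bytearray(256)
    before[0x20:0x20 + 14] = b"admin\x00hunter2\x00"   # constructed credential pair
    before[0x80] = 0x00                                 # remote-admin flag: off
    before[0xF0:0xF4] = b"\x00\x00\x10\x2a"             # a tick counter (noise)

    after = bytearray(before)
    after[0x80] = 0x01                                  # flag flipped by the config change
    after[0xF3] = 0x2b                                  # counter advanced between snapshots
    return bytes(before), bytes(after)


if __name__ == "__main__":
    before, after = build_images()
    # Two regions come back: the flag we care about and the counter noise.
    # Repeating the snapshot without changing anything identifies the noise.
    for off, old, new in diff_regions(before, after):
        print(f"0x{off:02x}: {old.hex()} -> {new.hex()}")
    print("strings:", extract_strings(before))
    print("cleartext secrets:", find_cleartext_secrets(before, ["hunter2", "wrongpass"]))
```

The diff returns more than one region on purpose: a counter that ticks between snapshots shows up too, and the way to separate it from the setting is a third snapshot with nothing changed. The secret scan is the audit a vendor wants to pass: an empty result means a read of memory over the debug port does not hand out the admin password.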
Advisories for all vendors go out on August 2nd... no specific exploits until September 2nd
<kill the cameras>
Note: In respect of the private nature of this section of the talk, I’ll leave it there. Sorry... sometimes you’ve just gotta be there!