Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[BSidesLV] Fun with VxWorks

Fun with VxWorks – HDM

VxWorks Basics

  • Started off as a generic vulnerability analysis
  • VxWorks –> embedded, real-time OS. Now owned by Intel
  • Most widely deployed embedded OS (based on 2005 info)
  • Supports various hardware platforms
  • Each application runs as a kernel thread
  • Little memory protection between applications
  • Everything runs with the highest privileges…
    • not necessarily the highest priority

Used in systems from VoIP phones through to Fibre Channel switches. Lots of SCADA companies use this in monitoring systems.

Spacecraft and cars also run it!

There aren't many companies that don't ship products with VxWorks

VxWorks Security

Only 12 CVEs mention VxWorks

Only 2 CVEs refer to flaws actually in the core of VxWorks

  • CVE-2005-3715
  • CVE-2005-3804

VxWorks debug server (default port 17185): found to be running on a number of devices in production.

Mentioned in 2002, 2004 and 2005... but no info on how to abuse it

Basic API mentioned in the dev docs

VxWorks source code is available by searching on Chinese warez sites (use Google)

By looking at the source code you can see the initial comments date back to 1995


Created WDBRPC Protocol library

Allows for scanning of a target

  • use auxiliary/scanner/vxworks/wdbrpc_version

Allows for completing a FULL memory dump from the device

  • use auxiliary/admin/vxworks/wdbrpc_memory_dump
  • Progress meters in case you’re dumping from a system located in China

Running strings on the full dump gives lots of great information

The debugger, however, lets you read and WRITE to memory –> direct memory write to goatse everybody

Identify affected devices

At least 5 vendors have flubbed this

Only way to deactivate it fully is to reflash

This is 2010…. finding devices by scanning the web

  • Just scan the whole internet
  • use wdbrpc_bootline as a scanner
  • use tcpdump to capture replies
  • use a VPS with a nice provider
  • scan… scan … scan
  • parse

3.1 million IPs…. 250,000 found vulnerable!

Rescanned those with SNMP –> active on 25% of devices

Checking score

Somebody must have done this before, right?

Looking through DShield data

  • Traffic back in 2006: somebody did a mass scan for this port
  • Nothing major since then

So somebody already knew, they probably already had their fun!

The number of devices has probably declined since then….
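The scanning results and the DShield observation above boil down to two things a network defender can look for in their own logs: devices that answer on the WDB debug port, and outside sources sweeping that port. Here is an added example, not code from the talk or from HDM's modules, that runs that check over a constructed firewall-style log (the log format, the sweep threshold and all addresses are assumptions):

```python
import re
from collections import defaultdict

WDB_PORT = 17185       # default UDP port of the VxWorks WDB debug agent
SWEEP_THRESHOLD = 3    # distinct hosts probed by one source = a sweep (assumed value)

# Constructed sample perimeter log (not real traffic), one flow per line:
#   <ts> <action> proto=<p> src=<ip>:<port> dst=<ip>:<port> reply=<yes|no>
# reply=yes means the destination answered the probe.
SAMPLE_LOG = """\
2010-08-01T10:00:01 allow proto=udp src=198.51.100.7:51234 dst=10.0.1.20:17185 reply=yes
2010-08-01T10:00:02 allow proto=udp src=198.51.100.7:51235 dst=10.0.1.21:17185 reply=no
2010-08-01T10:00:03 allow proto=udp src=198.51.100.7:51236 dst=10.0.1.22:17185 reply=yes
2010-08-01T10:05:00 allow proto=udp src=203.0.113.9:40001 dst=10.0.1.20:17185 reply=yes
2010-08-01T10:05:01 allow proto=tcp src=203.0.113.9:40002 dst=10.0.1.20:80 reply=yes
2010-08-01T10:06:00 allow proto=tcp src=192.0.2.5:40003 dst=10.0.1.30:17185 reply=no
not a log line at all
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+reply=(?P<reply>yes|no)\s*$"
)

def parse_line(line):
    """Return a dict for a well-formed flow line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["replied"] = rec.pop("reply") == "yes"
    return rec

def analyse(log_text):
    """Return (hosts answering on the WDB port, sources sweeping it), both sorted."""
    exposed = set()            # hosts whose debug agent answered: reachable over the network
    probed = defaultdict(set)  # source -> distinct hosts it probed on the WDB port
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "udp" or rec["dport"] != WDB_PORT:
            continue
        probed[rec["src"]].add(rec["dst"])
        if rec["replied"]:
            exposed.add(rec["dst"])
    sweeps = {s for s, dsts in probed.items() if len(dsts) >= SWEEP_THRESHOLD}
    return sorted(exposed), sorted(sweeps)
```

Any host in the first list is a device whose debug agent is reachable, which per the talk can only be fixed by reflashing or by blocking the port upstream.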

Exploiting the debug service

We can read/write memory, but how do we get a shell?

Just like hacking old games….

  • Take a memory image before
  • Make config changes to enable remote admin
  • Take another snapshot
  • Rollout changes to the remote devices

Memory Scraping

Locate sensitive information in memory

Write a scanner to find it

Have Fun !

Example: Pulling the Admin password out of the memory (Apple Airport used to suffer from this until it was patched)

Advisories for all vendors go out on August 2nd… no specific exploits until September 2nd

<kill the cameras>

Note: In respect of the private nature of this section of the talk, I’ll leave it there. Sorry.. sometimes you’ve just gotta be there!


