Fun with VxWorks

introduction Chief Security Officer Founder & Chief Architect

with help from… Dillon Beresford (NSS Labs) Shawn Merdinger David
Maynor R3L1K FX

introduction VxWorks • An embedded, real-time operating system • Most
widely deployed embedded OS in ~2005 Claimed 300 million devices in 2006 Produced by Wind River Systems, now owned by Intel http://www.eetimes.com/discussion/other/4025539/Embedded-systems-survey-Operating-systems-up-for-grabs

internals VxWorks internals • Support for dozens of hardware platforms
• PowerPC, ARM, MIPS, x86, i960, SPARC • All “applications” run as kernel threads • Little memory protection between apps • Everything runs with the highest privileges • …but not necessarily the highest priority.

memory layout

vxworks systems VxWorks is everywhere • VoIP phones, telecom equipment,
switches • Satellite, WiFi, microwave, sensors • RAID controllers and fibre channel switches • Video conferencing equipment • Industrial control monitors • Military routing equipment • Automobile controls • Spacecraft

vxworks systems

vxworks customers

vulnerabilities VxWorks security • Only 12 CVEs mention VxWorks •
Only 2 refer to flaws in the actual OS • Bug free or just too boring to hack?

vulnerabilities A common thread… • The VxWorks debug service on
port 17185 • Lightly mentioned in 2002, 2004, 2005 • CVE-2005-3715 & CVE-2005-3804 • No information on the protocol • Works on all architectures “Allows attackers to access the phone OS, obtain sensitive information, and cause a denial of service”

vxworks debug service Protocol information • Basic API mentioned in
dev docs • Signed up for a Tornado eval kit • Wouldn’t connect to VxWorks 5 targets • Gave up and searched Google…

useful documentation

vxworks debug service Metasploit modules • Created a WDBRPC protocol
library • Created an easy-to-call Mixin • Wrote modules  wdbrpc_version  wdbrpc_bootline  wdbrpc_memory_dump  wdbrpc_reboot

vxworks debug service DEMO

vxworks debug service Identifying affected devices • At least 5
different vendors had flubbed this • Probably much more where that came from • Email the vendors and ask? • Ask Wind River Systems?

vxworks debug service This is 2010 • Just survey the
entire Internet • Use wdbrpc_bootline as a scanner • Use tcpdump to capture replies • Use a VPS with a friendly provider • Scan, scan, scan! • Parse the results

vxworks debug service Preliminary results • Scanned 3,185,049,600 IP addresses
• Found over 250,000 vulnerable • Rescanned those with SNMP • Organized the results • SNMP on 25%

vxworks debug service Checking score • Someone must have noticed
this scan • Lets look through the DShield data…

dshield: 2004 Peak is 140

dshield: 2006 Peak is over 1200!

dshield: 2010 You call that a scan? This is a
scan. 16,000

too late, we lost Winning the internet • Someone spent
a year scanning for these • This was 4 years ago, nobody noticed

shiny fun things Exploiting the debug service • We can
read, write, exec memory • We can reboot the device • What code should we execute? • How do we get a shell?

exploiting functionality Save-game hacking • Take a memory snapshot of
the device • Make a configuration change • Take another memory snapshot • Diff the results • Patch bytes

exploiting functionality DEMO – DVC1000 Product has been discontinued

exploiting functionality Memory scraping • Locate sensitive information in memory
• Write a “scanner” to find it

exploiting functionality DEMO – Apple Airport Latest firmware is patched

advisories Advisories out August 2nd • List of affected products
and vendors • Detection code in NeXpose & Metasploit • No specific exploits until September 2nd

exploiting functionality Changing the device mode • Modify the boot
flags in memory • Soft reset the device • Login remotely

exploiting functionality Huawei IAD2 boot flags: 0x02 - load local
system symbols 0x04 - don't autoboot 0x08 - quick autoboot (no countdown) 0x20 - disable login security 0x40 - use bootp to get boot parameters 0x80 - use tftp to get boot image 0x100 - use proxy arp

exploiting functionality

vulnerable systems Vendors & Devices #define INCLUDE_WDB

authentication Getting a shell (quickly) • Dug into the login
process for Telnet & FTP • The password is hashed, hashes compared • Tons of static backdoor accounts* • Password is stored hashed… * Check for calls to loginUserAdd()

authentication Math is hard (apparently) • The algorithm is indexed
in Google • Used an additive byte sum as the “secret” • Only 210,000 possible output hashes • Only ~8,000 are easy to type • Most passwords within ~4000 • Range is 8-40 characters, \x00 -> \xFF

authentication Hash output examples • “password” > 3974 / RcQbRbzRyc
• “passwore” > 3966 / RRc9dydebz • “howdybob” > 3847 / ReySzQQSRR • “AAAAAAAA” > 2304 / Rrdeebbe • “!@$%^WTF” > 2564 / b9SdezeRcb

authentication Precomputed passwords • Calculated a “workalike” for all outputs
• Sorted by probability of it working • Plug this into Metasploit bruteforce

authentication Brute force is easy • No account lockouts by
default • Telnet disconnects after 3 attempts • FTP never disconnects • FTP allows 4 connections • Crack most passwords in ~30 minutes

authentication Combine debug + weak hashes • Remote memory dump
a target device • Scan the memory dump for hashes • Find the username as well • Login!

vxworks Summary • These bugs are just the tip of
the iceberg • Metasploit code will drive research • Expect to see these for a long, long time Timeline • Public advisories on August 2nd • Rapid7 NeXpose checks on August 2nd • Metasploit scanners on August 2nd • Exploit modules pushed in early September • Master password list also in September

vxworks References • VU#362332 - http://www.kb.cert.org/vuls/id/362332 • VU#840249 - http://www.kb.cert.org/vuls/id/840249
• http://www.metasploit.com/redmine/projects/framework/wiki/VxWorks • http://www.rapid7.com/vulndb/lookup/vxworks-wdbrpc-exposed

Fun with VxWorks

Fun with VxWorks

More Decks by HD Moore

Other Decks in Research

Featured

Transcript