44CON London - Attacking VxWorks: from Stone Age to Interstellar

ATTACKING VXWORKS
FROM STONE AGE TO INTERSTELLAR
44CON LONDON, 9/10/2015
YANNICK FORMAGGIO, RICHARD HSU & ERIC LIU

ABOUT ME
Yannick Formaggio
Security Researcher at Istuary Innovation Labs
TheLumberJhack || yannickformaggio on LinkedIn
Look for vulns using fuzzing techniques, first time speaker
Lego fan…
Help from Richard Hsu and Eric Liu (Lead security researcher)
AGENDA
Introduction to VxWorks & previous research
Inside VxWorks
Memory management & protections
From fuzzing to exploit: RPC integer overflow RCE
Conclusion

INTRODUCTION

WHAT'S VXWORKS
#1 embedded devices RTOS
Claimed > 1.5 billion devices
Developed by Wind River
Supports lots of CPU architectures

SOME STATS
WHAT'S VXWORKS
1987
• First release
• 32 bits processing
1990's
• VxWorks 5 released
• 1st RTOS w/ network stack
2000's
• VxWorks 6.x (12-2004)
• Security improvements (RTPs, no more task shared memory)
2014
• VxWorks 7.x (02-2014)
• 64 bits, more security improvements

SOME CUSTOMERS

"The Real-Time Operating System for the Internet of Things. Powering billions of intelligent devices, VxWorks® delivers an industry-leading combination of scalability, safety, security and virtualization capabilities to meet next-generation requirements."
Wind River VxWorks product page
VXWORKS & SECURITY
Source: http://www.cvedetails.com/product/15063/Windriver-Vxworks.html?vendor_id=9510

VXWORKS & SECURITY
Wind River treats VxWorks security seriously
Partnership with McAfee in Feb 2011
Source: http://www.windriver.com/news/press/pr.html?ID=8801
6.x introduced some memory protections
7.x improved way further:
Digitally signed modules (X.509)
Encryption
Centralized user database
Password management (SHA-256 algorithm)
Ability to create/delete users at run time
Encrypted data storage
PREVIOUS RESEARCH & INSPIRATIONS
"Shiny Old VxWorks Vulnerabilities", HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy: rainbow table containing around 200k hashed passwords

"Reverse Engineering VxWorks Firmware: WRT54Gv8", /dev/ttyS0

"Digging Inside the VxWorks OS and Firmware: The Holistic Security", Aditya K Sood (0kn0ck) – SecNiche Security Lab
WDB debugging interface (again)
OS security
INSIDE VXWORKS
MEMORY LAYOUT & PROTECTIONS

X86 MEMORY LAYOUT: UPPER MEMORY
Address                          Region               Annotation
LOCAL_MEM_LOCAL_ADRS + 0x0000    IDT (2KB)            Interrupt Descriptor/Vector Table
                     + 0x800     GDT
                     + 0x1100    SM Anchor
                     + 0x1200    Boot Line
                     + 0x1300    Exception message    ASCII string for fatal exception message
                     + 0x2000    FD DMA Area
                     + 0x5000
                     + 0xa0000   (no memory)
                     + 0x100000  Initial Stack
                     + 0x108000  System Image         VxWorks image entry point
                     _end        WDB Memory Pool      WDB shared memory
                                 Interrupt stack
                                 System Memory Pool
                     …
                     sysMemTop()
Key: Available / Reserved (colour coding of the slide)
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to the virtual memory support
Non-MMU-based protections: Heap Error Detection

MEMORY PROTECTION
Task stack overrun and underrun detection
Interrupt stack overrun and underrun detection
[figure: stack pages, with guard pages at the stack start and stop]

MEMORY PROTECTION
Non-executable task stacks & non-writable text segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
[figure: program pages; TEXT read only, DATA r+w]

MEMORY PROTECTION
NULL pointer usage detection
[figure: address space, page at 0x00000000 mapped -r -w -x]

MEMORY PROTECTION: HEAP BLOCK OVERRUN DETECTION, USAGE TRACKING & LEAKAGE DETECTION
FROM FUZZING TO EXPLOIT

FUZZING TARGETS
Network protocols:
Portmap (RPC)
FTP
TFTP
NTP
…

FUZZING
Used Sulley fuzzing framework
Problem: no accurate crash detection available
Solution: using WdbRPC

WHAT'S WDB RPC
Debugging interface
Service running on port UDP/17185
Based on SUN-RPC protocol
Provides direct access to system memory
WDB PROTOCOL V2
[figure: on the HOST, the Shell, Debugger, Browser and other tools talk WTX to the Target Server; the Target Server talks WDB to the Target Agent running in the VxWorks OS]

WDB PROTOCOL V2: CALL SENT BY TARGET SERVER
IP header (20 bytes)
UDP header (8 bytes)
RPC request header (40 bytes)
WDB param wrapper (12 bytes): checksum (4 bytes), length (4 bytes), sequence (4 bytes)
XDR encoded parameters (XDR encoded stream)

WDB PROTOCOL V2: REPLY SENT BY TARGET AGENT
IP header (20 bytes)
UDP header (8 bytes)
RPC reply header (24 bytes)
WDB param wrapper (12 bytes): checksum (4 bytes), length (4 bytes), error code (4 bytes)
XDR encoded parameters (XDR encoded stream)
STEPS FOR PROCESS MONITORING USING WDB, VXWORKS 5.X
[sequence diagram: a series of CALL/REPLY exchanges between HOST and TARGET]

STEPS FOR PROCESS MONITORING USING WDB, VXWORKS 6.X
[sequence diagram: CALL/REPLY exchanges between HOST and TARGET]
Gopher: small interpreted language
Two objects: pointer and tape
Result of the eval stored in tape
Tape content returned to the host
More info on Gopher
…
Host reads the pointed memory addresses
CRASH DETECTION
Target sends event notification
Host acknowledges
Host asks for more information (registers content, memory area, …)
WDBRPC FRAMEWORK
Python 2.7
Supports VxWorks 5.x and 6.x
Partially implements WDBRPC protocol
Implements a basic remote debugger: WdbDbg
Some external dependencies:
PyElfTools: reads the imports from the VxWorks image
Capstone Engine: disassembles code around the crash area

INTERFACING WITH SULLEY
Inspiration from the process_monitor.py script coming with Sulley
Implementation:
DebuggerThread instantiates WdbDbg and implements the callback to call when a crash occurs
ProcessMonitorPedRPCServer interfaces with Sulley's ped-rpc routines
VxMon wraps everything
FUZZING
[figure: the Sulley Fuzzer sends test cases to the VxWorks Target; Sulley talks PED RPC to the VxWorks Process Monitor, which talks WDB RPC to the target through WdbDbg]

DEMO
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field: credential flavor
When set to a negative value => PC is set to arbitrary memory value
[crash analysis screenshots]
O_o
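As an added example (not code from the talk or from the WdbDbg framework), the following Python parses the SUN-RPC call header and the WDB parameter wrapper laid out in the protocol slides, and audits an incoming portmap call for the credential-flavor value that crashed the task: a flavor that is negative as a signed 32-bit integer is outside every defined flavor and should be rejected before it is used as an index. The sample datagrams are constructed, and the WDB program number 0x1234 and wrapper checksum 0xDEAD are placeholders, not values from the slides.

```python
import struct

# SUN-RPC (RFC 5531) constants; credential flavors form a small non-negative set.
RPC_CALL = 0
RPC_VERSION = 2
KNOWN_FLAVORS = {0: "AUTH_NULL", 1: "AUTH_UNIX", 2: "AUTH_SHORT", 3: "AUTH_DES"}
MAX_AUTH_BYTES = 400           # RFC limit for an opaque credential/verifier body
PORTMAP_PROG = 100000          # portmap program number (RFC 1833)
WDB_PORT = 17185               # UDP port of the WDB target agent, as on the slides


def _u32s(data, off, count):
    """Read `count` big-endian u32 words at `off`, raising on a short buffer."""
    end = off + 4 * count
    if end > len(data):
        raise ValueError("truncated RPC message at offset %d" % off)
    return struct.unpack(">%dI" % count, data[off:end])


def parse_rpc_call(data):
    """Split an RPC CALL datagram into its header fields and the procedure body.

    Six fixed words (xid, msg_type, rpcvers, prog, vers, proc) are followed by
    credentials and verifier, each a flavor, a length and an opaque body padded
    to 4 bytes. With AUTH_NULL on both (length 0) the header is exactly the
    40 bytes the slide draws. The flavor is also decoded as a signed int, which
    is how C code using it as a table index would see it.
    """
    xid, msg_type, rpcvers, prog, vers, proc = _u32s(data, 0, 6)
    if msg_type != RPC_CALL:
        raise ValueError("not an RPC CALL message")
    off, auth = 24, {}
    for name in ("cred", "verf"):
        flavor, length = _u32s(data, off, 2)
        off += 8
        if off + length > len(data):
            raise ValueError("%s body exceeds datagram" % name)
        auth[name] = {
            "flavor": flavor,
            "flavor_signed": struct.unpack(">i", struct.pack(">I", flavor))[0],
            "length": length,
            "body": data[off:off + length],
        }
        off += (length + 3) & ~3     # opaque bodies are padded to a 4-byte multiple
    return {"xid": xid, "rpcvers": rpcvers, "prog": prog, "vers": vers, "proc": proc,
            "cred": auth["cred"], "verf": auth["verf"],
            "header_len": off, "body": data[off:]}


def parse_wdb_call_wrapper(body):
    """Parse the 12-byte WDB parameter wrapper of a call: checksum, length, sequence.

    A reply carries an error code in place of the sequence number; the XDR
    encoded procedure parameters follow the wrapper in both directions.
    """
    checksum, length, sequence = _u32s(body, 0, 3)
    return {"checksum": checksum, "length": length, "sequence": sequence,
            "params": body[12:]}


def audit_rpc_call(data, dst_port=None):
    """Return findings for one RPC call datagram (empty list = looks sane).

    A negative credential flavor is the fuzz input the slides describe crashing
    the portmap task. Calls to UDP/17185 are reported because they mean the
    WDB debug agent is reachable over the network.
    """
    try:
        call = parse_rpc_call(data)
    except ValueError as exc:
        return ["malformed: %s" % exc]
    findings = []
    if call["rpcvers"] != RPC_VERSION:
        findings.append("unexpected RPC version %d" % call["rpcvers"])
    for name in ("cred", "verf"):
        a = call[name]
        if a["flavor_signed"] < 0:
            findings.append("%s flavor is negative as signed int (%d)"
                            % (name, a["flavor_signed"]))
        elif a["flavor"] not in KNOWN_FLAVORS:
            findings.append("%s flavor %d is not a defined flavor" % (name, a["flavor"]))
        if a["length"] > MAX_AUTH_BYTES:
            findings.append("%s length %d exceeds MAX_AUTH_BYTES" % (name, a["length"]))
    if dst_port == WDB_PORT:
        try:
            seq = parse_wdb_call_wrapper(call["body"])["sequence"]
            findings.append("WDB agent call seq=%d: debug interface reachable" % seq)
        except ValueError as exc:
            findings.append("WDB call with short wrapper: %s" % exc)
    return findings


def _rpc_call(xid, prog, vers, proc, cred_flavor=0, body=b""):
    """Constructed sample: encode an RPC call with empty credentials and verifier."""
    return (struct.pack(">6I", xid, RPC_CALL, RPC_VERSION, prog, vers, proc)
            + struct.pack(">4I", cred_flavor & 0xFFFFFFFF, 0, 0, 0) + body)


# Constructed samples, not captured traffic: a normal portmap NULL call, the same
# call with a negative credential flavor, and a WDB call carrying its wrapper
# (0x1234 is a placeholder program number, 0xDEAD a placeholder checksum).
PORTMAP_OK = _rpc_call(0x1001, PORTMAP_PROG, 2, 0)
PORTMAP_NEG_FLAVOR = _rpc_call(0x1002, PORTMAP_PROG, 2, 0, cred_flavor=-16)
WDB_CALL = _rpc_call(0x1003, 0x1234, 1, 0, body=struct.pack(">3I", 0xDEAD, 12, 7))
```

Running `audit_rpc_call(pkt, dst_port)` over the UDP payloads of a capture flags both the out-of-range flavor and any traffic reaching the WDB agent port.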
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on 23rd
Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable
Wind River is providing patches
Every VxWorks customer should check the Knowledge Library for details
On Sept 9th 2015 I've been authorised to disclose details

HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly: all memory protections bypassed/defeated
Backdoor account set up

EXPLOITATION DEMO
ABOUT THE REAL TARGETS
Schneider Modicon Quantum PLC runs VxWorks and has port 111 open (https://www.digitalbond.com/tools/basecamp/schneider-modicon-quantum)

SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open

FUN FACT

MORE BUGS FOUND DURING FUZZING
FTP server is susceptible to ring buffer overflow when accessed at a high speed
FTP server crashes when it receives a specially crafted username and password: network stack down
CONCLUSION
Wind River takes VxWorks' security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug

FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and WDB over serial implementation
Continuing to find bugs

CODE RELEASE
The WdbDbg framework should be released in the next weeks here: https://bitbucket.org/yformaggio/wdbdbg
Exploit code will not be released unless explicit authorisation is given

QUESTIONS
THANKS

LINKS
http://www.vxdev.com/docs/vx55man/tornado-api/wdbpcl/wdb.html
http://www.uio.no/[]/vxworks_architecture_supplement_62.pdf
http://www.uio.no/[]/vxworks_kernel_programmers_guide_62.pdf
http://cimsol-mc.sourceforge.net/files/vxworks/VxWorks60.pdf
Digging Inside the VxWorks OS and Firmware: The Holistic Security
HD Moore - Fun with VxWorks
![Page 2: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/2.jpg)
ABOUT ME
Yannick Formaggio
Security Researcher at Istuary Innovation Labs
TheLumberJhack || yannickformaggio on LinkedIn
Look for vulns using fuzzing techniques first time speaker
Lego fanhellip
Help from Richard Hsu and Eric Liu (Lead security
researcher)
2
AGENDA
Introduction to VxWorks amp previous researches
Inside VxWorks
Memory management amp protections
From fuzzing to exploit RPC Integer Overflow RCE
Conclusion
3
INTRODUCTION
4
WHATrsquoS VXWORKS
1 Embedded devices RTOS
Claimed gt 15 billions devices
developed by Wind River
supports lot of CPU architectures
SOME STATS
6
WHATrsquoS VXWORKS
1987
bull First release
bull 32 bits processing
1990rsquos
bull VxWorks 5 released
bull 1st RTOS w network stack
2000rsquos
bull VxWorks 6x (12-2004)
bull Security improvements (RTPs no more task shared memory)
2014
bull VxWorks 7x (02-2014)
bull 64bits more security improvements
SOME CUSTOMERS
8
ldquo
rdquo
The Real-Time Operating System for the Internet of ThingsPowering billions of intelligent devices VxWorksreg delivers an industry-leading combination of scalability safety security and virtualization capabilities to meet next-generation requirements
Windriver VxWorks product
9
VXWORKS amp SECURITY
Source httpwwwcvedetailscomproduct15063Windriver-Vxworkshtmlvendor_id=9510
VXWORKS amp SECURITY
Wind River treatsVxWorks security seriously
Partnership with McAffee in Feb 2011
Source httpwwwwindrivercomnewspressprhtmlID=8801
VXWORKS amp SECURITY
Wind River treats VxWorks security seriously
Partnership with McAffee in Feb 2011
6x introduced some memory protections
7x improved way further
Digitally signed modules (X509)
Encryption
Centralized user database
Password management (SHA-256 algorithm)
Ability to createdelete users at run time
Encrypted data storage
PREVIOUS RESEARCHES
amp INSPIRATIONS
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoShiny Old VxWorks Vulnerabilitiesrdquo
HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy
rainbow table containing around 200k hashed
passwords
14
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoReverse Engineering VxWorks Firmware WRT54Gv8rdquo
devttyS0
15
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoDigging Inside the VxWorks OS and Firmware The
Holistic Securityrdquo
Aditya K Sood (0kn0ck) ndash SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 3: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/3.jpg)
AGENDA
Introduction to VxWorks amp previous researches
Inside VxWorks
Memory management amp protections
From fuzzing to exploit RPC Integer Overflow RCE
Conclusion
3
INTRODUCTION
4
WHATrsquoS VXWORKS
1 Embedded devices RTOS
Claimed gt 15 billions devices
developed by Wind River
supports lot of CPU architectures
SOME STATS
6
WHATrsquoS VXWORKS
1987
bull First release
bull 32 bits processing
1990rsquos
bull VxWorks 5 released
bull 1st RTOS w network stack
2000rsquos
bull VxWorks 6x (12-2004)
bull Security improvements (RTPs no more task shared memory)
2014
bull VxWorks 7x (02-2014)
bull 64bits more security improvements
SOME CUSTOMERS
8
ldquo
rdquo
The Real-Time Operating System for the Internet of ThingsPowering billions of intelligent devices VxWorksreg delivers an industry-leading combination of scalability safety security and virtualization capabilities to meet next-generation requirements
Windriver VxWorks product
9
VXWORKS amp SECURITY
Source httpwwwcvedetailscomproduct15063Windriver-Vxworkshtmlvendor_id=9510
VXWORKS amp SECURITY
Wind River treatsVxWorks security seriously
Partnership with McAffee in Feb 2011
Source httpwwwwindrivercomnewspressprhtmlID=8801
VXWORKS amp SECURITY
Wind River treats VxWorks security seriously
Partnership with McAffee in Feb 2011
6x introduced some memory protections
7x improved way further
Digitally signed modules (X509)
Encryption
Centralized user database
Password management (SHA-256 algorithm)
Ability to createdelete users at run time
Encrypted data storage
PREVIOUS RESEARCHES
amp INSPIRATIONS
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoShiny Old VxWorks Vulnerabilitiesrdquo
HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy
rainbow table containing around 200k hashed
passwords
14
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoReverse Engineering VxWorks Firmware WRT54Gv8rdquo
devttyS0
15
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoDigging Inside the VxWorks OS and Firmware The
Holistic Securityrdquo
Aditya K Sood (0kn0ck) ndash SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 7: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/7.jpg)
WHATrsquoS VXWORKS
1987
bull First release
bull 32 bits processing
1990rsquos
bull VxWorks 5 released
bull 1st RTOS w network stack
2000rsquos
bull VxWorks 6x (12-2004)
bull Security improvements (RTPs no more task shared memory)
2014
bull VxWorks 7x (02-2014)
bull 64bits more security improvements
SOME CUSTOMERS
8
ldquo
rdquo
The Real-Time Operating System for the Internet of ThingsPowering billions of intelligent devices VxWorksreg delivers an industry-leading combination of scalability safety security and virtualization capabilities to meet next-generation requirements
Windriver VxWorks product
9
VXWORKS amp SECURITY
Source httpwwwcvedetailscomproduct15063Windriver-Vxworkshtmlvendor_id=9510
VXWORKS amp SECURITY
Wind River treatsVxWorks security seriously
Partnership with McAffee in Feb 2011
Source httpwwwwindrivercomnewspressprhtmlID=8801
VXWORKS amp SECURITY
Wind River treats VxWorks security seriously
Partnership with McAffee in Feb 2011
6x introduced some memory protections
7x improved way further
Digitally signed modules (X509)
Encryption
Centralized user database
Password management (SHA-256 algorithm)
Ability to createdelete users at run time
Encrypted data storage
PREVIOUS RESEARCHES
amp INSPIRATIONS
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoShiny Old VxWorks Vulnerabilitiesrdquo
HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy
rainbow table containing around 200k hashed
passwords
14
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoReverse Engineering VxWorks Firmware WRT54Gv8rdquo
devttyS0
15
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoDigging Inside the VxWorks OS and Firmware The
Holistic Securityrdquo
Aditya K Sood (0kn0ck) ndash SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT: UPPER MEMORY

Offsets are relative to LOCAL_MEM_LOCAL_ADRS; the key on the slide distinguishes Available from Reserved regions.

  Offset        Region
  + 0x0000      IDT (2 KB): Interrupt Descriptor/Vector Table
  + 0x0800      GDT
  + 0x1100      SM Anchor
  + 0x1200      Boot Line
  + 0x1300      Exception message: ASCII string for the fatal exception message
  + 0x2000      FD DMA Area
  + 0x5000      (unlabelled boundary)
  + 0xa0000     (no memory)
  + 0x100000    Initial Stack
  + 0x108000    System Image: VxWorks image entry point
  _end          WDB Memory Pool: WDB shared memory
                Interrupt stack
                System Memory Pool
  ...           sysMemTop()
MEMORY PROTECTIONS
- VxWorks provides MMU-based features in addition to the virtual memory support
- Non-MMU-based protections: Heap Error Detection

MEMORY PROTECTION: STACK OVERRUN AND UNDERRUN DETECTION
- Task stack overrun and underrun detection
- Interrupt stack overrun and underrun detection
(Figure: stack pages with a guard page at the start and at the stop of the stack)

MEMORY PROTECTION: NON-EXECUTABLE TASK STACKS & NON-WRITABLE TEXT SEGMENT
- INCLUDE_TASK_STACK_NO_EXEC
- INCLUDE_PROTECT_TEXT
- Task stack size = MMU page size
(Figure: program pages, TEXT read only, DATA r+w)

MEMORY PROTECTION: NULL POINTER USAGE DETECTION
(Figure: address space with the page at 0x00000000 marked -r-w-x, so that any access through a NULL pointer faults)

MEMORY PROTECTION: HEAP BLOCK OVERRUN DETECTION, USAGE TRACKING & LEAKAGE DETECTION
FROM FUZZING TO EXPLOIT

FUZZING TARGETS
Network protocols:
- Portmap (RPC)
- FTP
- TFTP
- NTP
- ...

FUZZING
- Used the Sulley fuzzing framework
- Problem: no accurate crash detection available
- Solution: using WDB RPC

WHAT'S WDB RPC?
- Debugging interface
- Service running on port UDP/17185
- Based on the SUN-RPC protocol
- Provides direct access to system memory

WDB PROTOCOL V2
(Figure: on the HOST, the Shell, Debugger, Browser and other tools talk WTX to the Target Server; the Target Server talks WDB to the Target Agent running inside the VxWorks OS)
WDB PROTOCOL V2: CALL SENT BY TARGET SERVER
- IP header (20 bytes)
- UDP header (8 bytes)
- RPC Request Header (40 bytes)
- WDB Param Wrapper (12 bytes): Checksum (4 bytes), Length (4 bytes), Sequence (4 bytes)
- XDR encoded parameters (XDR encoded stream)

WDB PROTOCOL V2: REPLY SENT BY TARGET AGENT
- IP header (20 bytes)
- UDP header (8 bytes)
- RPC Reply Header (24 bytes)
- WDB Param Wrapper (12 bytes): Checksum (4 bytes), Length (4 bytes), Error code (4 bytes)
- XDR encoded parameters (XDR encoded stream)
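The 40-byte request header and 24-byte reply header above are plain Sun-RPC (RFC 5531) headers: six 32-bit words (xid, message type, RPC version, program, version, procedure) followed by two opaque_auth structures whose bodies are empty, and a reply of xid, type, reply status, an empty verifier and the accept status. The following codec is an added example written for this page; it is not code from the talk or from the WdbDbg framework, and it is Python 3 rather than the framework's Python 2.7. It encodes both headers so the byte counts can be checked, and parses a call header defensively: the credential flavor and body length are unsigned on the wire, so a value that a signed 32-bit reader would see as negative is rejected up front, unknown flavors are refused, and the RFC's 400-byte cap on auth bodies is enforced before any offset arithmetic. The validation rules and the portmapper program number 100000 are generic Sun-RPC facts, not a description of the VxWorks portmap implementation.

```python
"""Sun-RPC (RFC 5531) call/reply header codec with defensive validation.

Added example for this page, not code from the talk or from WdbDbg.
"""
import struct

RPC_CALL, RPC_REPLY = 0, 1
RPC_VERSION = 2
MSG_ACCEPTED, SUCCESS = 0, 0
AUTH_NULL, AUTH_UNIX, AUTH_SHORT, AUTH_DES = 0, 1, 2, 3
KNOWN_FLAVORS = {AUTH_NULL, AUTH_UNIX, AUTH_SHORT, AUTH_DES}
MAX_AUTH_BYTES = 400      # RFC 5531: an opaque_auth body is at most 400 bytes
CALL_HEADER_LEN = 40      # 6 words + two opaque_auth with empty bodies
REPLY_HEADER_LEN = 24     # 3 words + empty verifier + accept_stat
PORTMAP_PROG = 100000     # standard program number of the portmapper


class RpcHeaderError(ValueError):
    """Header is truncated, malformed or fails a sanity check."""


def _pad4(b):
    # XDR pads opaque data to a multiple of 4 bytes
    return b + b"\0" * ((4 - len(b) % 4) % 4)


def encode_opaque_auth(flavor, body=b""):
    return struct.pack(">II", flavor, len(body)) + _pad4(body)


def encode_call_header(xid, prog, vers, proc, cred_flavor=AUTH_NULL, cred_body=b"",
                       verf_flavor=AUTH_NULL, verf_body=b""):
    """Call header; exactly 40 bytes when both auth bodies are empty."""
    return (struct.pack(">6I", xid, RPC_CALL, RPC_VERSION, prog, vers, proc)
            + encode_opaque_auth(cred_flavor, cred_body)
            + encode_opaque_auth(verf_flavor, verf_body))


def encode_reply_header(xid):
    """Accepted / SUCCESS reply with an AUTH_NULL verifier; 24 bytes."""
    return (struct.pack(">3I", xid, RPC_REPLY, MSG_ACCEPTED)
            + encode_opaque_auth(AUTH_NULL)
            + struct.pack(">I", SUCCESS))


def _u32(data, off):
    if off + 4 > len(data):
        raise RpcHeaderError("truncated at offset %d" % off)
    return struct.unpack(">I", data[off:off + 4])[0], off + 4


def _opaque_auth(name, data, off):
    flavor, off = _u32(data, off)
    length, off = _u32(data, off)
    # Reject "negative" values before they reach any table index or length math.
    if flavor & 0x80000000:
        raise RpcHeaderError("%s flavor %#x is negative as int32" % (name, flavor))
    if flavor not in KNOWN_FLAVORS:
        raise RpcHeaderError("%s flavor %d unknown" % (name, flavor))
    if length > MAX_AUTH_BYTES:
        raise RpcHeaderError("%s body %d bytes exceeds %d" % (name, length, MAX_AUTH_BYTES))
    padded = (length + 3) & ~3
    if off + padded > len(data):
        raise RpcHeaderError("%s body truncated" % name)
    return (flavor, data[off:off + length]), off + padded


def parse_call_header(data):
    """Parse and validate a call header; returns its fields and total length."""
    if len(data) < 24:
        raise RpcHeaderError("truncated at offset %d" % len(data))
    f = dict(zip(("xid", "msg_type", "rpcvers", "prog", "vers", "proc"),
                 struct.unpack(">6I", data[:24])))
    if f["msg_type"] != RPC_CALL:
        raise RpcHeaderError("msg_type %d is not CALL" % f["msg_type"])
    if f["rpcvers"] != RPC_VERSION:
        raise RpcHeaderError("unsupported RPC version %d" % f["rpcvers"])
    (f["cred_flavor"], f["cred_body"]), off = _opaque_auth("cred", data, 24)
    (f["verf_flavor"], f["verf_body"]), off = _opaque_auth("verf", data, off)
    f["header_len"] = off
    return f


def parse_reply_header(data):
    """Parse an accepted reply header; MSG_DENIED bodies are not modelled."""
    if len(data) < 12:
        raise RpcHeaderError("truncated at offset %d" % len(data))
    xid, msg_type, reply_stat = struct.unpack(">3I", data[:12])
    if msg_type != RPC_REPLY:
        raise RpcHeaderError("msg_type %d is not REPLY" % msg_type)
    f = {"xid": xid, "reply_stat": reply_stat, "header_len": 12}
    if reply_stat != MSG_ACCEPTED:
        return f
    (f["verf_flavor"], f["verf_body"]), off = _opaque_auth("verf", data, 12)
    f["accept_stat"], f["header_len"] = _u32(data, off)
    return f


def validate_call(data):
    """(True, fields) for a sane header, (False, reason) otherwise: what a
    fuzzing monitor or an IDS rule would log for each datagram."""
    try:
        return True, parse_call_header(data)
    except RpcHeaderError as e:
        return False, str(e)
```

The same checks transfer to any RPC front end on the target: parse each opaque_auth field with unsigned semantics, bound it, and only then compute offsets; the WDB Param Wrapper that follows the header is a separate 12-byte structure and is not covered by this codec.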
STEPS FOR PROCESS MONITORING USING WDB (VXWORKS 5.X)
(Figure: a sequence of CALL / REPLY exchanges between HOST and TARGET)

STEPS FOR PROCESS MONITORING USING WDB (VXWORKS 6.X)
(Figure: CALL / REPLY exchanges between HOST and TARGET)
Gopher:
- Small interpreted language
- Two objects: pointer and tape
- Result of the eval stored in tape
- Tape content returned to the host
- More info on Gopher
- Host reads the pointed memory addresses

CRASH DETECTION
(Figure: HOST / TARGET exchange)
- Target sends event notification
- Host acknowledges
- Host asks for more information (registers content, memory area, ...)

WDBRPC FRAMEWORK
- Python 2.7
- Supports VxWorks 5.x and 6.x
- Partially implements the WDBRPC protocol
- Implements a basic remote debugger: WdbDbg
- Some external dependencies:
  - PyElfTools: reads the imports from the VxWorks image
  - Capstone Engine: disassembles code around the crash area

INTERFACING WITH SULLEY
- Inspiration from the process_monitor.py script coming with Sulley
- Implementation:
  - DebuggerThread instantiates WdbDbg and implements the callback to call when a crash occurs
  - ProcessMonitorPedRPCServer interfaces with Sulley's ped-rpc routines
  - VxMon wraps everything

FUZZING
(Figure: the Sulley Fuzzer sends test cases to the VxWorks Target; the VxWorks Process Monitor, built on WdbDbg, talks PED RPC with Sulley and WDB RPC with the target)

DEMO
CRASH ANALYSIS
- Portmap task crashed many times on the same RPC field: credential flavor
- When set to a negative value => PC is set to an arbitrary memory value
(Figures: crash analysis screenshots)
O_o
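Once the monitor has the registers from the notification / acknowledge / "ask for more information" exchange, the next job is to sort hundreds of crashes into a handful of root causes, and the finding above is the archetype of the bucket that matters most: a PC that no longer points inside the image's text. The triage routine below is an added example, not code from the talk's VxMon or WdbDbg. The event records, task names and address ranges are all constructed for the example; the text range only mirrors the slide's x86 layout, where the System Image starts at LOCAL_MEM_LOCAL_ADRS + 0x108000 and runs to _end. A crash whose PC lies outside text is ranked above everything else and is bucketed without the PC itself, since that value is attacker-influenced data rather than a stable crash site.

```python
"""Crash triage for a WDB-driven fuzzing monitor (added example, not VxMon).

Event records are constructed to resemble what the monitor would gather after
the crash-detection exchange: task name, exception vector, pc, sp and, for page
faults, the faulting address.
"""

# Constructed layout, following the slide's x86 offsets; not a real device's numbers.
LOCAL_MEM_LOCAL_ADRS = 0x00000000
TEXT_START = LOCAL_MEM_LOCAL_ADRS + 0x108000   # System Image / entry point
TEXT_END = 0x00300000                          # stand-in for _end
NULL_PAGE_END = 0x1000                         # page 0, unmapped for NULL detection

SEVERITY = {"pc-outside-text": 3, "null-pointer-call": 2,
            "null-deref": 1, "in-text-fault": 1}


def classify(event, text=(TEXT_START, TEXT_END)):
    """Name the failure mode a single event most likely represents."""
    pc, lo, hi = event["pc"], text[0], text[1]
    if pc < NULL_PAGE_END:
        return "null-pointer-call"    # jumped through a NULL function pointer
    if not lo <= pc < hi:
        return "pc-outside-text"      # PC is an arbitrary value: control flow corrupted
    fault = event.get("fault_addr")
    if fault is not None and fault < NULL_PAGE_END:
        return "null-deref"           # data access through a NULL pointer
    return "in-text-fault"            # ordinary fault at a real code address


def bucket_key(event):
    cls = classify(event)
    if cls == "pc-outside-text":
        return (event["task"], cls)                      # PC is data, not a site
    return (event["task"], cls, event["pc"] & ~0xF)      # group nearby instructions


def triage(events):
    """Group events into buckets with a count, a severity and the test cases."""
    buckets = {}
    for e in events:
        b = buckets.setdefault(bucket_key(e),
                               {"count": 0, "severity": SEVERITY[classify(e)],
                                "test_cases": []})
        b["count"] += 1
        b["test_cases"].append(e["test_case"])
    return buckets


def ranked(events):
    """Buckets ordered by severity, then by how often they reproduce."""
    return sorted(triage(events).items(),
                  key=lambda kv: (-kv[1]["severity"], -kv[1]["count"]))


# Constructed sample: three portmap crashes with a wild PC, two FTP NULL
# dereferences a few bytes apart, and one unrelated in-text page fault.
SAMPLE_EVENTS = [
    {"test_case": 1187, "task": "tPortmapd", "vector": 13, "pc": 0x41414141,
     "sp": 0x003F0F00, "fault_addr": None},
    {"test_case": 1192, "task": "tPortmapd", "vector": 13, "pc": 0x7F7F7F7F,
     "sp": 0x003F0F00, "fault_addr": None},
    {"test_case": 1210, "task": "tPortmapd", "vector": 13, "pc": 0xFFFFFFFC,
     "sp": 0x003F0F00, "fault_addr": None},
    {"test_case": 2034, "task": "tFtpdTask", "vector": 14, "pc": 0x0012A4C0,
     "sp": 0x003E8E00, "fault_addr": 0x00000008},
    {"test_case": 2051, "task": "tFtpdTask", "vector": 14, "pc": 0x0012A4C8,
     "sp": 0x003E8E00, "fault_addr": 0x00000008},
    {"test_case": 2077, "task": "tFtpdTask", "vector": 14, "pc": 0x00201000,
     "sp": 0x003E8E00, "fault_addr": 0x00500000},
]

if __name__ == "__main__":
    for key, b in ranked(SAMPLE_EVENTS):
        print(key, "x%d" % b["count"], "severity", b["severity"], b["test_cases"])
```

In the monitor callback this runs once per notification: the bucket key decides whether the crash is new, and the severity decides which test cases get disassembled around the crash site first.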
RESPONSIBLE DISCLOSURE
- Vuln reported to Wind River on July 22nd and acknowledged on the 23rd
- Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable
- Wind River is providing patches
- Every VxWorks customer should check the Knowledge Library for details
- On Sept 9th 2015 I've been authorised to disclose details

HOW TO EXPLOIT
- Integer overflow leading to RCE
- Heap spray to place the shellcode
- Compute credential flavor value
- Jump into shellcode directly: all memory protections bypassed/defeated
- Backdoor account set up

EXPLOITATION DEMO

ABOUT THE REAL TARGETS
Schneider Modicon Quantum PLC runs VxWorks and has port 111 open (https://www.digitalbond.com/tools/basecamp/schneider-modicon-quantum/)

SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open

FUN FACT
(figure)

MORE BUGS FOUND DURING FUZZING
- FTP server is susceptible to ring buffer overflow when accessed at a high speed
- FTP server crashes when it receives a specially crafted username and password: network stack down

CONCLUSION
- Wind River takes VxWorks' security seriously
- Implemented a lot of memory protections
- Being defeated by a simple integer overflow bug

FUTURE WORK
- VxWorks 7
- More complete WDBRPC protocol and WDB-over-serial implementation
- Continuing to find bugs

CODE RELEASE
- The WdbDbg framework should be released in the next weeks here: https://bitbucket.org/yformaggio/wdbdbg
- Exploit code will not be released unless explicit authorisation is given

QUESTIONS?

THANKS

LINKS
- http://www.vxdev.com/docs/vx55man/tornado-api/wdbpcl/wdb.html
- http://www.uio.no/[...]/vxworks_architecture_supplement_6.2.pdf
- http://www.uio.no/[...]/vxworks_kernel_programmers_guide_6.2.pdf
- http://cimsol-mc.sourceforge.net/files/vxworks/VxWorks60.pdf
- Digging Inside the VxWorks OS and Firmware: The Holistic Security
- HD Moore - Fun with VxWorks
![Page 8: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/8.jpg)
SOME CUSTOMERS
8
ldquo
rdquo
The Real-Time Operating System for the Internet of ThingsPowering billions of intelligent devices VxWorksreg delivers an industry-leading combination of scalability safety security and virtualization capabilities to meet next-generation requirements
Windriver VxWorks product
9
VXWORKS amp SECURITY
Source httpwwwcvedetailscomproduct15063Windriver-Vxworkshtmlvendor_id=9510
VXWORKS amp SECURITY
Wind River treatsVxWorks security seriously
Partnership with McAffee in Feb 2011
Source httpwwwwindrivercomnewspressprhtmlID=8801
VXWORKS amp SECURITY
Wind River treats VxWorks security seriously
Partnership with McAffee in Feb 2011
6x introduced some memory protections
7x improved way further
Digitally signed modules (X509)
Encryption
Centralized user database
Password management (SHA-256 algorithm)
Ability to createdelete users at run time
Encrypted data storage
PREVIOUS RESEARCHES
amp INSPIRATIONS
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoShiny Old VxWorks Vulnerabilitiesrdquo
HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy
rainbow table containing around 200k hashed
passwords
14
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoReverse Engineering VxWorks Firmware WRT54Gv8rdquo
devttyS0
15
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoDigging Inside the VxWorks OS and Firmware The
Holistic Securityrdquo
Aditya K Sood (0kn0ck) ndash SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 9: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/9.jpg)
ldquo
rdquo
The Real-Time Operating System for the Internet of ThingsPowering billions of intelligent devices VxWorksreg delivers an industry-leading combination of scalability safety security and virtualization capabilities to meet next-generation requirements
Windriver VxWorks product
9
VXWORKS amp SECURITY
Source httpwwwcvedetailscomproduct15063Windriver-Vxworkshtmlvendor_id=9510
VXWORKS amp SECURITY
Wind River treatsVxWorks security seriously
Partnership with McAffee in Feb 2011
Source httpwwwwindrivercomnewspressprhtmlID=8801
VXWORKS amp SECURITY
Wind River treats VxWorks security seriously
Partnership with McAffee in Feb 2011
6x introduced some memory protections
7x improved way further
Digitally signed modules (X509)
Encryption
Centralized user database
Password management (SHA-256 algorithm)
Ability to createdelete users at run time
Encrypted data storage
PREVIOUS RESEARCHES
amp INSPIRATIONS
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoShiny Old VxWorks Vulnerabilitiesrdquo
HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy
rainbow table containing around 200k hashed
passwords
14
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoReverse Engineering VxWorks Firmware WRT54Gv8rdquo
devttyS0
15
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoDigging Inside the VxWorks OS and Firmware The
Holistic Securityrdquo
Aditya K Sood (0kn0ck) ndash SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 10: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/10.jpg)
VXWORKS amp SECURITY
Source httpwwwcvedetailscomproduct15063Windriver-Vxworkshtmlvendor_id=9510
VXWORKS amp SECURITY
Wind River treatsVxWorks security seriously
Partnership with McAffee in Feb 2011
Source httpwwwwindrivercomnewspressprhtmlID=8801
VXWORKS amp SECURITY
Wind River treats VxWorks security seriously
Partnership with McAffee in Feb 2011
6x introduced some memory protections
7x improved way further
Digitally signed modules (X509)
Encryption
Centralized user database
Password management (SHA-256 algorithm)
Ability to createdelete users at run time
Encrypted data storage
PREVIOUS RESEARCHES
amp INSPIRATIONS
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoShiny Old VxWorks Vulnerabilitiesrdquo
HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy
rainbow table containing around 200k hashed
passwords
14
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoReverse Engineering VxWorks Firmware WRT54Gv8rdquo
devttyS0
15
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoDigging Inside the VxWorks OS and Firmware The
Holistic Securityrdquo
Aditya K Sood (0kn0ck) ndash SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory

WDB PROTOCOL V2
[Diagram: on the host, the Shell, Debugger, Browser and other tools talk to the Target Server over WTX; the Target Server talks over WDB to the Target Agent running inside the VxWorks OS on the target.]

WDB PROTOCOL V2: CALL SENT BY TARGET SERVER
IP header (20 bytes)
UDP header (8 bytes)
RPC request header (40 bytes)
WDB param wrapper (12 bytes): checksum (4 bytes), length (4 bytes), sequence (4 bytes)
XDR encoded parameters (XDR encoded stream)

WDB PROTOCOL V2: REPLY SENT BY TARGET AGENT
IP header (20 bytes)
UDP header (8 bytes)
RPC reply header (24 bytes)
WDB param wrapper (12 bytes): checksum (4 bytes), length (4 bytes), error code (4 bytes)
XDR encoded parameters (XDR encoded stream)

STEPS FOR PROCESS MONITORING USING WDB / VXWORKS 5.X
[Sequence diagrams of the CALL / REPLY exchanges between HOST and TARGET; only the labels survive.]

STEPS FOR PROCESS MONITORING USING WDB / VXWORKS 6.X
[Sequence diagram of the CALL / REPLY exchange between HOST and TARGET.]
Gopher:
Small interpreted language
Two objects: pointer and tape
Result of the eval stored in tape
Tape content returned to the host
More info on Gopher

STEPS FOR PROCESS MONITORING USING WDB / VXWORKS 6.X (continued)
Host reads the pointed memory addresses

CRASH DETECTION
Target sends event notification
Host acknowledges
Host asks for more information (registers content, memory area, …)

WDB RPC FRAMEWORK
Python 2.7
Supports VxWorks 5.x and 6.x
Partially implements the WDB RPC protocol
Implements a basic remote debugger: WdbDbg

WDB RPC FRAMEWORK
Some external dependencies:
PyElfTools: reads the imports from the VxWorks image
Capstone Engine: disassembles code around the crash area

INTERFACING WITH SULLEY
Inspiration from the process_monitor.py script shipped with Sulley
Implementation:
DebuggerThread instantiates WdbDbg and implements the callback to call when a crash occurs
ProcessMonitorPedRPCServer interfaces with Sulley's ped-rpc routines
VxMon wraps everything

FUZZING
[Diagram: the Sulley fuzzer sends test cases to the VxWorks target; the VxWorks Process Monitor talks to Sulley over PED RPC and to the target over WDB RPC through WdbDbg.]
DEMO

CRASH ANALYSIS
Portmap task crashed many times on the same RPC field: credential flavor
When set to a negative value => PC is set to an arbitrary memory value
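As an added example (Python 3, not the talk's code and not part of the WdbDbg framework), the block below decodes the 40-byte RPC call header and the 12-byte WDB param wrapper laid out on the call/reply slides, then applies the defender-side check the crash above suggests: alert on a credential flavor whose sign bit is set, i.e. negative once a C int reads it. The sample datagrams are constructed; the portmap program/procedure numbers and the 400-byte auth cap come from RFC 5531, while the WDB program number and the meaning of the wrapper's checksum and length fields are placeholders, not asserted protocol facts.

```python
"""Added example, not code from the talk or from the WdbDbg framework.

Decodes the SunRPC call header drawn on the "WDB protocol v2" slides
(40 bytes = ten big-endian XDR words) and the 12-byte WDB param wrapper
behind it (checksum, length, sequence), then flags the crash condition
from the crash-analysis slide: a credential flavor with the sign bit set.
Sample datagrams are constructed here; only the field positions of the
WDB wrapper are taken from the slides, not their semantics.
"""
import struct
from dataclasses import dataclass

RPC_CALL = 0                 # msg_type of a CALL
RPC_VERSION = 2
RPC_CALL_HDR_LEN = 40        # xid, type, rpcvers, prog, vers, proc, cred, verf
WDB_WRAPPER_LEN = 12         # checksum, length, sequence
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3   # portmap (port 111)
MAX_AUTH_BYTES = 400         # RFC 5531 cap on an opaque auth body

# Auth flavors defined by RFC 5531; anything else on a portmap call is worth a look.
KNOWN_FLAVORS = {0: "AUTH_NONE", 1: "AUTH_SYS", 2: "AUTH_SHORT",
                 3: "AUTH_DH", 6: "RPCSEC_GSS"}


@dataclass
class RpcCallHeader:
    xid: int
    msg_type: int
    rpc_version: int
    program: int
    version: int
    procedure: int
    cred_flavor: int    # decoded as a signed XDR int, as C code would see it
    cred_length: int
    verf_flavor: int
    verf_length: int


def parse_rpc_call_header(data: bytes) -> RpcCallHeader:
    """The 40-byte RPC call header that follows the IP/UDP headers."""
    if len(data) < RPC_CALL_HDR_LEN:
        raise ValueError("datagram shorter than an RPC call header")
    # ">i" for the flavors makes 0xFFFFFFFF read as -1, the slide's "negative value".
    return RpcCallHeader(*struct.unpack(">IIIIIIiIiI", data[:RPC_CALL_HDR_LEN]))


def parse_wdb_wrapper(data: bytes) -> dict:
    """The 12-byte WDB param wrapper that follows the RPC header on a WDB call."""
    end = RPC_CALL_HDR_LEN + WDB_WRAPPER_LEN
    if len(data) < end:
        raise ValueError("datagram shorter than RPC header + WDB wrapper")
    checksum, length, sequence = struct.unpack(">III", data[RPC_CALL_HDR_LEN:end])
    return {"checksum": checksum, "length": length, "sequence": sequence}


def check_rpc_call(data: bytes) -> list:
    """Reasons to drop or alert on a call; an empty list means it looks sane."""
    hdr = parse_rpc_call_header(data)
    problems = []
    if hdr.msg_type != RPC_CALL:
        problems.append("msg_type is not CALL")
    if hdr.rpc_version != RPC_VERSION:
        problems.append(f"rpc version {hdr.rpc_version} != 2")
    for name, flavor in (("cred", hdr.cred_flavor), ("verf", hdr.verf_flavor)):
        if flavor < 0:
            problems.append(f"{name} flavor {flavor} has the sign bit set")
        elif flavor not in KNOWN_FLAVORS:
            problems.append(f"{name} flavor {flavor} is not a known auth flavor")
    # XDR opaque bodies are padded to 4 bytes and capped, so lengths must be too.
    for name, n in (("cred", hdr.cred_length), ("verf", hdr.verf_length)):
        if n % 4 or n > MAX_AUTH_BYTES:
            problems.append(f"{name} length {n} is not a valid opaque auth length")
    return problems


def build_rpc_call(xid, prog, vers, proc, cred_flavor, body=b"") -> bytes:
    """Constructed sample call with empty cred/verf bodies (flavor is unsigned on the wire)."""
    return struct.pack(">IIIIIIIIII", xid, RPC_CALL, RPC_VERSION, prog, vers, proc,
                       cred_flavor & 0xFFFFFFFF, 0, 0, 0) + body


def build_wdb_call(xid, prog, proc, sequence, params=b"") -> bytes:
    """Constructed WDB-style call: RPC header, wrapper, XDR params.
    The checksum is left at 0 and the length field is set to the whole
    RPC payload size; both are placeholder conventions, not the real ones."""
    rpc = build_rpc_call(xid, prog, 1, proc, 0)
    wrapper = struct.pack(">III", 0, RPC_CALL_HDR_LEN + WDB_WRAPPER_LEN + len(params), sequence)
    return rpc + wrapper + params


if __name__ == "__main__":
    good = build_rpc_call(0x1234, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT, 0)
    bad = build_rpc_call(0x1235, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT, 0xFFFFFFFF)
    print("benign portmap call:", check_rpc_call(good))
    print("negative flavor:", check_rpc_call(bad))
    # 0x0BADCAFE is a placeholder program number, not the WDB one.
    print("wdb wrapper:", parse_wdb_wrapper(build_wdb_call(7, 0x0BADCAFE, 1, 42)))
```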
CRASH ANALYSIS
[Debugger and disassembly screenshots of the crash; no text survives.]

RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on the 23rd
Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable
Wind River is providing patches
Every VxWorks customer should check the Knowledge Library for details
On Sept 9th 2015 I've been authorised to disclose details

HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
All memory protections bypassed/defeated
Backdoor account set up

EXPLOITATION DEMO

ABOUT THE REAL TARGETS
Schneider Modicon Quantum PLC runs VxWorks and has port 111 open
(https://www.digitalbond.com/tools/basecamp/schneider-modicon-quantum)

SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open

FUN FACT

MORE BUGS FOUND DURING FUZZING
FTP server is susceptible to ring buffer overflow when accessed at a high speed
FTP server crashes when it receives a specially crafted username and password: network stack down

CONCLUSION
Wind River takes VxWorks' security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug

FUTURE WORK
VxWorks 7
More complete WDB RPC protocol and WDB over serial implementation
Continuing to find bugs

CODE RELEASE
The WdbDbg framework should be released in the next weeks here:
https://bitbucket.org/yformaggio/wdbdbg
Exploit code will not be released unless explicit authorisation is given

QUESTIONS

THANKS

LINKS
http://www.vxdev.com/docs/vx55man/tornado-api/wdbpcl/wdb.html
http://www.uio.no/[]/vxworks_architecture_supplement_6.2.pdf
http://www.uio.no/[]/vxworks_kernel_programmers_guide_6.2.pdf
http://cimsol-mc.sourceforge.net/files/vxworks/VxWorks60.pdf
Digging Inside the VxWorks OS and Firmware: The Holistic Security
HD Moore - Fun with VxWorks
VXWORKS & SECURITY
Wind River treats VxWorks security seriously
Partnership with McAfee in Feb 2011
Source: http://www.windriver.com/news/press/pr.html?ID=8801

VXWORKS & SECURITY
Wind River treats VxWorks security seriously
Partnership with McAfee in Feb 2011
6.x introduced some memory protections
7.x improved way further:
Digitally signed modules (X.509)
Encryption
Centralized user database
Password management (SHA-256 algorithm)
Ability to create/delete users at run time
Encrypted data storage

PREVIOUS RESEARCH & INSPIRATIONS
"Shiny Old VxWorks Vulnerabilities", HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy: rainbow table containing around 200k hashed passwords

PREVIOUS RESEARCH & INSPIRATIONS
"Reverse Engineering VxWorks Firmware: WRT54Gv8", /dev/ttyS0

PREVIOUS RESEARCH & INSPIRATIONS
"Digging Inside the VxWorks OS and Firmware: The Holistic Security", Aditya K Sood (0kn0ck) – SecNiche Security Lab
WDB debugging interface (again)
OS security

INSIDE VXWORKS: MEMORY LAYOUT & PROTECTIONS

X86 MEMORY LAYOUT: UPPER MEMORY
Region              Address (offset from LOCAL_MEM_LOCAL_ADRS)   Note
IDT (2KB)           + 0x0000                                     Interrupt Descriptor/Vector Table
GDT                 + 0x800
SM Anchor           + 0x1100
Boot Line           + 0x1200
Exception message   + 0x1300                                     ASCII string for the fatal exception message
FD DMA Area         + 0x2000
                    + 0x5000
(no memory)         + 0xa0000
Initial Stack       + 0x100000
System Image        + 0x108000                                   VxWorks image entry point
_end
WDB Memory Pool                                                  WDB shared memory
Interrupt stack
System Memory Pool
…                   sysMemTop()

MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to the virtual memory support
Non-MMU-based protections: Heap Error Detection

MEMORY PROTECTION
Task stack overrun and underrun detection
Interrupt stack overrun and underrun detection
[Diagram: guard pages at the start and stop of the stack pages.]

MEMORY PROTECTION
Non-executable task stacks & non-writable text segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
[Diagram: program pages; TEXT read only, DATA r+w.]

MEMORY PROTECTION
NULL pointer usage detection
[Diagram: address space with the page at 0x00000000 marked -r-w-x.]

MEMORY PROTECTION: HEAP BLOCK OVERRUN DETECTION, USAGE TRACKING & LEAKAGE DETECTION

FROM FUZZING TO EXPLOIT

FUZZING TARGETS
Network protocols:
Portmap (RPC)
FTP
TFTP
NTP
…

FUZZING
Used Sulley fuzzing framework
Problem: no accurate crash detection available
Solution: using WdbRPC

WHAT'S WDB RPC
Debugging interface
Service running on port UDP/17185
Based on SUN-RPC protocol
Provides direct access to system memory
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 12: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/12.jpg)
VXWORKS amp SECURITY
Wind River treats VxWorks security seriously
Partnership with McAffee in Feb 2011
6x introduced some memory protections
7x improved way further
Digitally signed modules (X509)
Encryption
Centralized user database
Password management (SHA-256 algorithm)
Ability to createdelete users at run time
Encrypted data storage
PREVIOUS RESEARCHES
amp INSPIRATIONS
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoShiny Old VxWorks Vulnerabilitiesrdquo
HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy
rainbow table containing around 200k hashed
passwords
14
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoReverse Engineering VxWorks Firmware WRT54Gv8rdquo
devttyS0
15
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoDigging Inside the VxWorks OS and Firmware The
Holistic Securityrdquo
Aditya K Sood (0kn0ck) ndash SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 13: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/13.jpg)
PREVIOUS RESEARCHES
amp INSPIRATIONS
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoShiny Old VxWorks Vulnerabilitiesrdquo
HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy
rainbow table containing around 200k hashed
passwords
14
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoReverse Engineering VxWorks Firmware WRT54Gv8rdquo
devttyS0
15
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoDigging Inside the VxWorks OS and Firmware The
Holistic Securityrdquo
Aditya K Sood (0kn0ck) ndash SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 14: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/14.jpg)
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoShiny Old VxWorks Vulnerabilitiesrdquo
HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy
rainbow table containing around 200k hashed
passwords
14
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoReverse Engineering VxWorks Firmware WRT54Gv8rdquo
devttyS0
15
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoDigging Inside the VxWorks OS and Firmware The
Holistic Securityrdquo
Aditya K Sood (0kn0ck) ndash SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT: UPPER MEMORY
(slides 18-22 show the same diagram, progressively annotated; merged here)
Region              Address                          Annotation
IDT (2KB)           0x0000 + LOCAL_MEM_LOCAL_ADRS    Interrupt Descriptor (Vector) Table
GDT                 + 0x800
SM Anchor           + 0x1100
Boot Line           + 0x1200
Exception message   + 0x1300                         ASCII string for the fatal exception message
FD DMA Area         + 0x2000
(unlabelled)        + 0x5000
(no memory)         + 0xa0000
Initial Stack       + 0x100000
System Image        + 0x108000                       VxWorks image entry point
                    _end
WDB Memory Pool                                      WDB shared memory
Interrupt stack
System Memory Pool  ... up to sysMemTop()
KEY: Available / Reserved
18-22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to the virtual memory support
Non-MMU-based protections: Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun detection
Interrupt stack overrun and underrun detection
[Diagram: the stack's pages with the Start and Stop boundaries of the stack marked]
24
MEMORY PROTECTION
Non-executable task stacks & non-writable text segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
[Diagram: program pages, TEXT marked read-only, DATA marked r+w]
25
MEMORY PROTECTION
NULL pointer usage detection
[Diagram: address space with the page at 0x00000000 marked -r -w -x]
26
MEMORY PROTECTION: HEAP BLOCK OVERRUN DETECTION, USAGE TRACKING & LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
...
29
FUZZING
Used the Sulley fuzzing framework
Problem: no accurate crash detection available
Solution: use WdbRPC
30
WHAT'S WDB RPC
Debugging interface
Service running on UDP port 17185
Based on the SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
[Diagram: on the HOST, the Shell, Debugger, Browser and other tools talk WTX to the Target Server; the Target Server talks WDB to the Target Agent running inside the VxWorks OS]
32
WDB PROTOCOL V2: CALL SENT BY TARGET SERVER
IP header (20 bytes)
UDP header (8 bytes)
RPC Request Header (40 bytes)
WDB Param Wrapper (12 bytes): Checksum (4 bytes), Length (4 bytes), Sequence (4 bytes)
XDR-encoded parameters (XDR-encoded stream)
33
WDB PROTOCOL V2: REPLY SENT BY TARGET AGENT
IP header (20 bytes)
UDP header (8 bytes)
RPC Reply Header (24 bytes)
WDB Param Wrapper (12 bytes): Checksum (4 bytes), Length (4 bytes), Error code (4 bytes)
XDR-encoded parameters (XDR-encoded stream)
34
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X
[Sequence diagram, slides 35-42: CALL / REPLY exchanges between HOST and TARGET; the message contents are only in the slide images]
35-42
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 6.X
[Sequence diagram, slides 43-44: CALL / REPLY exchanges between HOST and TARGET]
Gopher:
Small interpreted language
Two objects: pointer and tape
Result of the eval stored in the tape
Tape content returned to the host
More info on Gopher
... Host reads the pointed memory addresses
43-44
CRASH DETECTION
[Sequence diagram, slides 45-47, between HOST and TARGET]
Target sends event notification
Host acknowledges
Host asks for more information (register contents, memory areas, ...)
45-47
WDBRPC FRAMEWORK
Python 2.7
Supports VxWorks 5.x and 6.x
Partially implements the WDBRPC protocol
Implements a basic remote debugger: WdbDbg
48-49
WDBRPC FRAMEWORK
Some external dependencies:
PyElfTools reads the imports from the VxWorks image
Capstone Engine disassembles the code around the crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitor.py script shipped with Sulley
Implementation:
DebuggerThread instantiates WdbDbg and implements the callback to call when a crash occurs
ProcessMonitorPedRPCServer interfaces with Sulley's ped-rpc routines
VxMon wraps everything
51
FUZZING
[Architecture diagram, slide 52: the Sulley Fuzzer sends test cases to the VxWorks Target; the VxWorks Process Monitor (WdbDbg) talks PED RPC with Sulley and WDB RPC with the target]
52
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field: the credential flavor
When set to a negative value => PC is set to an arbitrary memory value
54
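The 40-byte RPC request header from the call-layout slide is the standard SUN-RPC call header, and the credential flavor that crashed the portmap task is one of its signed 32-bit words. The following is an added Python 3 example (not code from the talk or its WdbDbg framework) that parses that header and the 12-byte WDB parameter wrapper from constructed packets and applies the lower-bound check a hardened dispatcher needs; the WDB checksum algorithm and the WDB program number are not on the slides and are not modelled.

```python
"""SUN-RPC call header + WDB parameter wrapper parser with a credential-flavor
sanity check.  Added example (Python 3), not code from the talk's WdbDbg
framework or from Wind River.  All packets below are constructed; the WDB
checksum algorithm and WDB program number are not on the slides and are
deliberately not modelled."""
import struct

RPC_CALL, RPC_REPLY = 0, 1
RPC_VERSION = 2

# Authentication flavors defined for SUN-RPC (RFC 5531); anything else is
# treated as hostile input.  The flavor is an XDR int, i.e. a *signed* 32-bit.
KNOWN_FLAVORS = {0: "AUTH_NONE", 1: "AUTH_SYS", 2: "AUTH_SHORT", 3: "AUTH_DH"}
MAX_AUTH_BODY = 400          # RFC 5531: an opaque_auth body is at most 400 bytes

# "RPC Request Header (40 bytes)" on the call-layout slide: ten 32-bit words.
# The two flavor words are unpacked as signed so a wire value of 0xFFFFFFFF
# shows up as the -1 the target's C code would see.
CALL_HDR = struct.Struct(">IIIIIIiIiI")
CALL_FIELDS = ("xid", "msg_type", "rpc_version", "program", "version",
               "procedure", "cred_flavor", "cred_length", "verf_flavor",
               "verf_length")

# "WDB Param Wrapper (12 bytes)": checksum, length, then sequence (call)
# or error code (reply).
WRAPPER = struct.Struct(">III")


def parse_rpc_call(packet):
    """Split an RPC CALL into its header fields plus the body that follows."""
    if len(packet) < CALL_HDR.size:
        raise ValueError("short packet: %d bytes" % len(packet))
    hdr = dict(zip(CALL_FIELDS, CALL_HDR.unpack_from(packet, 0)))
    if hdr["msg_type"] != RPC_CALL:
        raise ValueError("msg_type %d is not a CALL" % hdr["msg_type"])
    if hdr["rpc_version"] != RPC_VERSION:
        raise ValueError("unsupported RPC version %d" % hdr["rpc_version"])
    hdr["body"] = packet[CALL_HDR.size:]
    return hdr


def check_cred_flavor(hdr):
    """Validate the credential flavor the way a hardened dispatcher should.

    A dispatcher that indexes a handler table with the flavor and only checks
    the upper bound (flavor > MAX) lets a negative value read a "handler"
    pointer from memory before the table, which is consistent with the
    symptom on the slide (PC set to an arbitrary value).  Checking the lower
    bound as well, or comparing as unsigned, closes that path.
    """
    flavor = hdr["cred_flavor"]
    if flavor < 0:
        return "reject: negative credential flavor %d (0x%08X)" % (
            flavor, flavor & 0xFFFFFFFF)
    if flavor not in KNOWN_FLAVORS:
        return "reject: unknown credential flavor %d" % flavor
    if hdr["cred_length"] > MAX_AUTH_BODY:
        return "reject: credential body of %d bytes exceeds %d" % (
            hdr["cred_length"], MAX_AUTH_BODY)
    return "ok: " + KNOWN_FLAVORS[flavor]


def parse_wdb_wrapper(body, reply=False):
    """Decode the 12-byte WDB parameter wrapper in front of the XDR params."""
    if len(body) < WRAPPER.size:
        raise ValueError("short WDB wrapper: %d bytes" % len(body))
    checksum, length, third = WRAPPER.unpack_from(body, 0)
    return {"checksum": checksum, "length": length,
            "error_code" if reply else "sequence": third,
            "params": body[WRAPPER.size:]}


def build_call(xid, program, version, procedure, cred_flavor, body=b""):
    """Build a CALL with empty credential and verifier bodies (AUTH_NONE style)."""
    return CALL_HDR.pack(xid, RPC_CALL, RPC_VERSION, program, version,
                         procedure, cred_flavor, 0, 0, 0) + body


# Constructed samples.  100000 is the real portmap program number; procedure 3
# is GETPORT in portmap v2.  A flavor of -1 packs as 0xFFFFFFFF on the wire,
# which is the kind of value a fuzzer puts in that field.
PORTMAP = 100000
BENIGN_CALL = build_call(0x1234, PORTMAP, 2, 3, 0)
NEGATIVE_FLAVOR_CALL = build_call(0x1235, PORTMAP, 2, 3, -1)
# A WDB-style body: zero checksum (placeholder), length 12, sequence 7.
WDB_BODY = WRAPPER.pack(0, 12, 7)


if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_CALL), ("fuzzed", NEGATIVE_FLAVOR_CALL)):
        print(name, check_cred_flavor(parse_rpc_call(pkt)))
    print(parse_wdb_wrapper(WDB_BODY))
```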
CRASH ANALYSIS
[Slides 55-61: screenshots of the crash analysis session; one slide is captioned "O_o"]
55-61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on the 23rd
Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable
Wind River is providing patches
Every VxWorks customer should check the Knowledge Library for details
On Sept 9th 2015 I've been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
All memory protections bypassed/defeated
Backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon Quantum PLC runs VxWorks and has port 111 open
(https://www.digitalbond.com/tools/basecamp/schneider-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible to a ring buffer overflow when accessed at high speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when it receives a specially crafted username and password: network stack down
69
CONCLUSION
Wind River takes VxWorks' security seriously
Implemented a lot of memory protections
Yet defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and WDB-over-serial implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next weeks here:
https://bitbucket.org/yformaggio/wdbdbg
Exploit code will not be released unless explicit authorisation is given
72
QUESTIONS
73
THANKS
LINKS
http://www.vxdev.com/docs/vx55man/tornado-api/wdbpcl/wdb.html
http://www.uio.no/[...]/vxworks_architecture_supplement_6.2.pdf
http://www.uio.no/[...]/vxworks_kernel_programmers_guide_6.2.pdf
http://cimsol-mc.sourceforge.net/files/vxworks/VxWorks60.pdf
"Digging Inside the VxWorks OS and Firmware: The Holistic Security"
HD Moore - "Fun with VxWorks"
75
![Page 15: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/15.jpg)
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoReverse Engineering VxWorks Firmware WRT54Gv8rdquo
devttyS0
15
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoDigging Inside the VxWorks OS and Firmware The
Holistic Securityrdquo
Aditya K Sood (0kn0ck) ndash SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 16: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/16.jpg)
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoDigging Inside the VxWorks OS and Firmware The
Holistic Securityrdquo
Aditya K Sood (0kn0ck) ndash SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 17: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/17.jpg)
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 18: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/18.jpg)
X86 MEMORY LAYOUT: UPPER MEMORY
(slides 18 to 22 show the same diagram with progressively added callouts; the callouts are given in the right-hand column)

Offsets are relative to LOCAL_MEM_LOCAL_ADRS.

  Address                      Region                   Callout on the slides
  + 0x0000                     IDT (2KB)                Interrupt Descriptor/Vector Table
  + 0x800                      GDT
  + 0x1100                     SM Anchor
  + 0x1200                     Boot Line
  + 0x1300                     Exception message        ASCII string for fatal exception message
  + 0x2000                     FD DMA Area
  + 0x5000                     (unlabelled on the slide)
  + 0xa0000                    (no memory)
  + 0x100000                   Initial Stack
  + 0x108000                   System Image             VxWorks image entry point
  _end                         WDB Memory Pool          WDB shared memory
                               Interrupt stack
                               System Memory Pool
  ... sysMemTop()

KEY: Available / Reserved
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to the virtual memory support
Non-MMU-based protections: Heap Error Detection

MEMORY PROTECTION
Task stack overrun and underrun detection
Interrupt stack overrun and underrun detection
[Figure: stack pages, with guard pages marked Start and Stop at either end of the Stack]

MEMORY PROTECTION
Non-executable task stacks & non-writable text segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
[Figure: program pages; TEXT is read only, DATA (raw data) is r+w]

MEMORY PROTECTION
NULL pointer usage detection
[Figure: address space with the page at 0x00000000 mapped -r-w-x]

MEMORY PROTECTION: HEAP BLOCK OVERRUN DETECTION, USAGE TRACKING & LEAKAGE DETECTION
FROM FUZZING TO EXPLOIT

FUZZING TARGETS
Network protocols:
Portmap (RPC)
FTP
TFTP
NTP
...

FUZZING
Used Sulley fuzzing framework
Problem: no accurate crash detection available
Solution: using WdbRPC

WHAT'S WDB RPC
Debugging Interface
Service running on port UDP/17185
Based on SUN-RPC protocol
Provides direct access to system memory
WDB PROTOCOL V2
[Figure: on the HOST, the Shell, Debugger, Browser and other tools talk WTX to the Target Server; the Target Server talks WDB to the Target Agent running on the VxWorks OS]

WDB PROTOCOL V2: CALL SENT BY TARGET SERVER
IP HEADER (20 bytes)
UDP HEADER (8 bytes)
RPC Request Header (40 bytes)
WDB Param Wrapper (12 bytes): Checksum (4 bytes), Length (4 bytes), Sequence (4 bytes)
XDR Encoded parameters (XDR encoded stream)

WDB PROTOCOL V2: REPLY SENT BY TARGET AGENT
IP HEADER (20 bytes)
UDP HEADER (8 bytes)
RPC Reply Header (24 bytes)
WDB Param Wrapper (12 bytes): Checksum (4 bytes), Length (4 bytes), Error code (4 bytes)
XDR Encoded parameters (XDR encoded stream)
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X
[Figure, slides 35 to 42: a sequence of CALL/REPLY exchanges between HOST and TARGET]

STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 6.X
[Figure: CALL/REPLY exchanges between HOST and TARGET]
...
Small interpreted language
Two objects: pointer and tape
Result of the eval stored in tape
Tape content returned to the host
More info on Gopher

STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 6.X
[Figure: CALL/REPLY exchanges between HOST and TARGET]
...
Host reads the pointed memory addresses

CRASH DETECTION
[Figure, slides 45 to 47: event exchange between HOST and TARGET]
Target sends event notification
Host acknowledges
Host asks for more information (registers content, memory area, ...)
WDBRPC FRAMEWORK
Python 2.7
Supports VxWorks 5.x and 6.x
Partially implements WDBRPC protocol
Implements a basic remote debugger: WdbDbg

WDBRPC FRAMEWORK
Some external dependencies:
PyElfTools: reads the imports from the VxWorks image
Capstone Engine: disassembles code around the crash area

INTERFACING WITH SULLEY
Inspiration from the process_monitor.py script coming with Sulley
Implementation:
DebuggerThread instantiates WdbDbg and implements the callback to call when a crash occurs
ProcessMonitorPedRPCServer interfaces with Sulley's ped-rpc routines
VxMon wraps everything
FUZZING
[Figure: the Sulley Fuzzer sends test cases to the VxWorks Target; Sulley talks PED RPC to the VxWorks Process Monitor, which drives WdbDbg over WDB RPC against the target]

DEMO
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field: credential flavor
When set to a negative value => PC is set to an arbitrary memory value

CRASH ANALYSIS
[Slides 55 to 61: crash analysis screenshots without text; slide 59 adds "O_o"]
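The crash analysis above turns on one RPC header field, the credential flavor, and the packet layouts on slides 33 and 34 show where that field sits. The following Python 3 example is added here and is not code from the talk or from the WdbDbg framework (which is Python 2.7). It assumes the plain Sun RPC header layout of RFC 5531, which gives exactly the 40-byte call header and 24-byte reply header from the slides when the credential and verifier bodies are empty. The `flavor_handler_index_unsafe`/`flavor_handler_index_safe` pair is a constructed illustration of the signed-index bug class behind a "negative flavor sets PC" crash, not the real VxWorks code; the sample packets are constructed in the block.

```python
"""Sun RPC header decoding and credential-flavor sanity checks.

Added example (Python 3), not code from the talk or the WdbDbg framework.
Assumes the RFC 5531 header layout; sample packets are constructed below.
"""
import struct

RPC_CALL, RPC_REPLY = 0, 1
# Well-known auth flavors (RFC 5531 section 8.2; RFC 2203 for RPCSEC_GSS).
AUTH_FLAVORS = {0: "AUTH_NONE", 1: "AUTH_SYS", 2: "AUTH_SHORT",
                3: "AUTH_DH", 6: "RPCSEC_GSS"}

CALL_FIELDS = ("xid", "msg_type", "rpcvers", "prog", "vers", "proc",
               "cred_flavor", "cred_len", "verf_flavor", "verf_len")
REPLY_FIELDS = ("xid", "msg_type", "reply_stat", "verf_flavor", "verf_len",
                "accept_stat")


def to_signed32(value):
    """Reinterpret an unsigned 32-bit XDR word the way a C `int` would."""
    return value - (1 << 32) if value & 0x80000000 else value


def parse_call_header(data):
    """Decode the 40-byte RPC call header: ten big-endian 32-bit words."""
    if len(data) < 40:
        raise ValueError("RPC call header needs 40 bytes, got %d" % len(data))
    hdr = dict(zip(CALL_FIELDS, struct.unpack("!10I", data[:40])))
    if hdr["msg_type"] != RPC_CALL:
        raise ValueError("not an RPC CALL message")
    return hdr


def parse_reply_header(data):
    """Decode the 24-byte RPC reply header: six big-endian 32-bit words."""
    if len(data) < 24:
        raise ValueError("RPC reply header needs 24 bytes, got %d" % len(data))
    hdr = dict(zip(REPLY_FIELDS, struct.unpack("!6I", data[:24])))
    if hdr["msg_type"] != RPC_REPLY:
        raise ValueError("not an RPC REPLY message")
    return hdr


def build_call_header(xid, prog, vers, proc, cred_flavor=0):
    """Constructed test data: a CALL header with empty cred/verf bodies."""
    return struct.pack("!10I", xid, RPC_CALL, 2, prog, vers, proc,
                       cred_flavor & 0xFFFFFFFF, 0, 0, 0)


# --- the bug class behind the crash, as a constructed illustration ---------

def flavor_handler_index_unsafe(cred_flavor, table_len):
    """Hypothetical lookup that checks only an upper bound on a *signed*
    flavor: 0xFFFFFFFF decodes to -1, passes `< table_len`, and indexes
    memory before the table. This is the pattern, not the VxWorks code."""
    flavor = to_signed32(cred_flavor)
    return flavor if flavor < table_len else None


def flavor_handler_index_safe(cred_flavor, table_len):
    """Hardened lookup: range-check the raw unsigned word, which rejects
    wrapped negatives and oversized values alike."""
    return cred_flavor if 0 <= cred_flavor < table_len else None


# --- detection over captured portmap traffic --------------------------------

def suspicious_calls(packets):
    """Return (xid, signed cred_flavor) for every CALL whose credential
    flavor is not a known AUTH_* value; a negative-looking flavor is exactly
    the field that crashed the portmap task."""
    hits = []
    for pkt in packets:
        try:
            hdr = parse_call_header(pkt)
        except ValueError:
            continue  # not a well-formed CALL, nothing to judge
        if hdr["cred_flavor"] not in AUTH_FLAVORS:
            hits.append((hdr["xid"], to_signed32(hdr["cred_flavor"])))
    return hits


# Constructed sample: a benign portmap NULL call and one with flavor -1.
PORTMAP_PROG, PORTMAP_VERS, PMAPPROC_NULL = 100000, 2, 0
SAMPLE_PACKETS = [
    build_call_header(0x1001, PORTMAP_PROG, PORTMAP_VERS, PMAPPROC_NULL, 0),
    build_call_header(0x1002, PORTMAP_PROG, PORTMAP_VERS, PMAPPROC_NULL, -1),
]

if __name__ == "__main__":
    for xid, flavor in suspicious_calls(SAMPLE_PACKETS):
        print("xid 0x%x: unknown credential flavor %d" % (xid, flavor))
```

The same 40-byte decode gives the offset of the credential flavor inside any captured UDP/111 datagram (IP 20 + UDP 8 + 24 bytes into the RPC header), so the check is cheap to run over a packet capture from a device that cannot be patched yet.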
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on the 23rd
Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable
Wind River is providing patches
Every VxWorks customer should check the Knowledge Library for details
On Sept 9th 2015 I've been authorised to disclose details

HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
All memory protections bypassed/defeated
Backdoor account set up

EXPLOITATION DEMO

ABOUT THE REAL TARGETS
Schneider Modicon Quantum PLC runs VxWorks and has port 111 open
(https://www.digitalbond.com/tools/basecamp/schneider-modicon-quantum)

SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open

FUN FACT

MORE BUGS FOUND DURING FUZZING
FTP server is susceptible to ring buffer overflow when accessed at a high speed

MORE BUGS FOUND DURING FUZZING
FTP server crashes when it receives a specially crafted username and password: network stack down
![Page 19: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/19.jpg)
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 20: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/20.jpg)
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 21: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/21.jpg)
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 22: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/22.jpg)
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDB RPC FRAMEWORK
Python 2.7
Supports VxWorks 5.x and 6.x
Partially implements the WDB RPC protocol
Implements a basic remote debugger: WdbDbg
48 to 49
WDB RPC FRAMEWORK
Some external dependencies:
PyElfTools: reads the imports from the VxWorks image
Capstone Engine: disassembles the code around the crash area
50
INTERFACING WITH SULLEY
Inspired by the process_monitor.py script shipped with Sulley
Implementation:
DebuggerThread instantiates WdbDbg and implements the callback to run when a crash occurs
ProcessMonitorPedRPCServer interfaces with Sulley's ped-rpc routines
VxMon wraps everything
51
FUZZING
52
[Diagram: the Sulley fuzzer sends test cases to the VxWorks target; the VxWorks process monitor (WdbDbg) talks to Sulley over PED RPC and to the target over WDB RPC]
DEMO
53
CRASH ANALYSIS
The portmap task crashed many times on the same RPC field: the credential flavor
When set to a negative value => PC is set to an arbitrary memory value
54
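Added example (Python 3, not code from the WdbDbg framework or from Wind River) that decodes the call and reply layouts of slides 33 and 34 and applies the check a process monitor or network sensor would want after the finding on slide 54: in SUN-RPC the credential flavor is a signed XDR enum, so a negative value is representable on the wire and is flagged here, as is any flavor outside RFC 5531. The WDB program and procedure numbers, the checksum algorithm and what the wrapper length field covers are not on the page; they are passed in by the caller or assumed as commented.

```python
"""Decode WDB RPC calls and replies (slide 33/34 layout) and flag anomalous
credential flavors.  Added example, not the talk's or Wind River's code."""
import struct

RPC_CALL, RPC_REPLY = 0, 1
MSG_ACCEPTED = 0
# Authentication flavors defined by RFC 5531; a WDB agent has no reason to see others.
KNOWN_AUTH_FLAVORS = {0: "AUTH_NONE", 1: "AUTH_SYS", 2: "AUTH_SHORT", 3: "AUTH_DH"}
MAX_OPAQUE_AUTH = 400           # RFC 5531: opaque_auth body<400>
WDB_WRAPPER = struct.Struct(">III")   # 12 bytes: checksum, length, sequence (call) / error (reply)


def _xdr_pad(n):
    """XDR opaque data is padded to a multiple of four bytes."""
    return (n + 3) & ~3


def _need(buf, off, size):
    if len(buf) < off + size:
        raise ValueError("truncated packet: need %d bytes at offset %d" % (size, off))


def build_call(xid, prog, vers, proc, cred_flavor, params=b"", sequence=1, checksum=0):
    """Slide 33 layout with null credentials and verifier, which is what makes the
    RPC request header exactly 40 bytes.  The checksum value is the caller's
    (algorithm not on the page); the length is assumed to cover wrapper + params."""
    hdr = struct.pack(">IIIIIIiIiI", xid, RPC_CALL, 2, prog, vers, proc, cred_flavor, 0, 0, 0)
    wrapper = WDB_WRAPPER.pack(checksum, WDB_WRAPPER.size + len(params), sequence)
    return hdr + wrapper + params


def build_reply(xid, error, params=b"", checksum=0):
    """Slide 34 layout: 24-byte accepted reply header with a null verifier."""
    hdr = struct.pack(">IIIiII", xid, RPC_REPLY, MSG_ACCEPTED, 0, 0, 0)
    wrapper = WDB_WRAPPER.pack(checksum, WDB_WRAPPER.size + len(params), error)
    return hdr + wrapper + params


def parse_rpc_call_header(buf):
    """Return (fields, offset past the header).  Credential bodies are skipped
    rather than assumed absent, so the 40-byte case is just the common one."""
    _need(buf, 0, 32)
    xid, msg_type, rpcvers, prog, vers, proc, cred_flavor, cred_len = struct.unpack_from(">IIIIIIiI", buf, 0)
    if msg_type != RPC_CALL:
        raise ValueError("not an RPC call")
    if cred_len > MAX_OPAQUE_AUTH:
        raise ValueError("credential body %d exceeds the RFC 5531 limit" % cred_len)
    off = 32 + _xdr_pad(cred_len)
    _need(buf, off, 8)
    verf_flavor, verf_len = struct.unpack_from(">iI", buf, off)
    if verf_len > MAX_OPAQUE_AUTH:
        raise ValueError("verifier body %d exceeds the RFC 5531 limit" % verf_len)
    off += 8 + _xdr_pad(verf_len)
    return {"xid": xid, "rpcvers": rpcvers, "prog": prog, "vers": vers, "proc": proc,
            "cred_flavor": cred_flavor, "cred_len": cred_len,
            "verf_flavor": verf_flavor, "verf_len": verf_len}, off


def parse_wdb_call(payload):
    """RPC request header, then the 12-byte WDB wrapper, then XDR parameters."""
    fields, off = parse_rpc_call_header(payload)
    _need(payload, off, WDB_WRAPPER.size)
    fields["checksum"], fields["length"], fields["sequence"] = WDB_WRAPPER.unpack_from(payload, off)
    fields["params"] = payload[off + WDB_WRAPPER.size:]
    return fields


def parse_wdb_reply(payload):
    """Accepted RPC reply header, then checksum, length and WDB error code."""
    _need(payload, 0, 20)
    xid, msg_type, reply_stat, verf_flavor, verf_len = struct.unpack_from(">IIIiI", payload, 0)
    if msg_type != RPC_REPLY:
        raise ValueError("not an RPC reply")
    if reply_stat != MSG_ACCEPTED:
        raise ValueError("reply denied (reply_stat %d)" % reply_stat)
    if verf_len > MAX_OPAQUE_AUTH:
        raise ValueError("verifier body %d exceeds the RFC 5531 limit" % verf_len)
    off = 20 + _xdr_pad(verf_len)
    _need(payload, off, 4 + WDB_WRAPPER.size)
    accept_stat = struct.unpack_from(">I", payload, off)[0]
    checksum, length, error = WDB_WRAPPER.unpack_from(payload, off + 4)
    return {"xid": xid, "accept_stat": accept_stat, "checksum": checksum,
            "length": length, "error": error, "params": payload[off + 4 + WDB_WRAPPER.size:]}


def try_parse_call(payload):
    """None for anything malformed, so a monitor can count rejects without raising."""
    try:
        return parse_wdb_call(payload)
    except ValueError:
        return None


def check_call(fields):
    """Findings on a parsed call.  The slide-54 trigger is a negative credential
    flavor; anything outside the RFC 5531 set is reported as unknown."""
    findings = []
    for name in ("cred_flavor", "verf_flavor"):
        value = fields[name]
        if value < 0:
            findings.append("negative %s %d" % (name, value))
        elif value not in KNOWN_AUTH_FLAVORS:
            findings.append("unknown %s %d" % (name, value))
    return findings
```

Usage from a capture loop: feed each UDP payload to try_parse_call, drop the Nones, and raise an alert when check_call returns anything for a packet aimed at the RPC services; a flavor that cannot be parsed as a valid enum is never legitimate client behaviour, which makes this a low-noise signature for the crash class the fuzzer found.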
CRASH ANALYSIS
[Screenshots of the crash analysis, slides 55 to 61]
O_o
55 to 61
RESPONSIBLE DISCLOSURE
Vulnerability reported to Wind River on July 22nd and acknowledged on the 23rd
Confirmed on August 11th that versions between 5.5 and 6.9.4.1 are vulnerable
Wind River is providing patches
Every VxWorks customer should check the Knowledge Library for details
On Sept 9th 2015 I've been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute the credential flavor value
Jump into the shellcode directly
All memory protections bypassed/defeated
Backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon Quantum PLC runs VxWorks and has port 111 open (https://www.digitalbond.com/tools/basecamp/schneider-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
The FTP server is susceptible to a ring buffer overflow when accessed at high speed
68
MORE BUGS FOUND DURING FUZZING
The FTP server crashes when it receives a specially crafted username and password: network stack down
69
CONCLUSION
Wind River takes VxWorks' security seriously
Implemented a lot of memory protections
Defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDB RPC protocol implementation and WDB over serial
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next weeks here: https://bitbucket.org/yformaggio/wdbdbg
Exploit code will not be released unless explicit authorisation is given
72
QUESTIONS
73
THANKS
LINKS
http://www.vxdev.com/docs/vx55man/tornado-api/wdbpcl/wdb.html
http://www.uio.no/[...]/vxworks_architecture_supplement_6.2.pdf
http://www.uio.no/[...]/vxworks_kernel_programmers_guide_6.2.pdf
http://cimsol-mc.sourceforge.net/files/vxworks/VxWorks60.pdf
Digging Inside the VxWorks OS and Firmware: The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 23: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/23.jpg)
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 24: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/24.jpg)
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 25: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/25.jpg)
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 26: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/26.jpg)
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 27: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/27.jpg)
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 28: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/28.jpg)
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32

WDB PROTOCOL V2: CALL SENT BY TARGET SERVER
IP header (20 bytes)
UDP header (8 bytes)
RPC request header (40 bytes): a Sun RPC call header (xid, message type, RPC version, program, version, procedure) with empty AUTH_NULL credentials and verifier
WDB param wrapper (12 bytes): checksum (4 bytes), length (4 bytes), sequence (4 bytes)
XDR-encoded parameters (XDR-encoded stream)

WDB PROTOCOL V2: REPLY SENT BY TARGET AGENT
IP header (20 bytes)
UDP header (8 bytes)
RPC reply header (24 bytes): a Sun RPC accepted-reply header (xid, message type, reply status, AUTH_NULL verifier, accept status)
WDB param wrapper (12 bytes): checksum (4 bytes), length (4 bytes), error code (4 bytes)
XDR-encoded parameters (XDR-encoded stream)
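As an added example (not the authors' WdbDbg framework and not code from the deck), the C below encodes a WDB RPC v2 call with the 40-byte Sun RPC header and 12-byte WDB wrapper from the two slides above, builds the agent's reply with the 24-byte reply header, and validates a reply before trusting any field. The program number 0x55555555, version 1, the procedure number, the 16-bit one's-complement checksum and the meaning of the length field (size of the whole RPC datagram) are assumptions modelled on public WDB clients; the reply used at the bottom is constructed in the code, not captured from a device.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example: WDB RPC v2 framing as laid out on the slides (40-byte Sun RPC
 * call header + 12-byte WDB wrapper + XDR params; 24-byte reply header +
 * wrapper + params). Illustrative code, not the WdbDbg framework. Program
 * number, version, procedure number, checksum algorithm and the meaning of the
 * length field are ASSUMPTIONS; confirm them against a capture from a real agent. */

#define WDB_UDP_PORT      17185        /* from the slides */
#define WDB_RPC_PROG      0x55555555u  /* assumption */
#define WDB_RPC_VERS      1u           /* assumption */
#define WDB_PROC_CONNECT  1u           /* assumption: WDB_TARGET_CONNECT */
#define RPC_MSG_CALL      0u           /* Sun RPC msg_type values */
#define RPC_MSG_REPLY     1u
#define RPC_VERSION       2u
#define AUTH_NULL         0u

#define RPC_CALL_HDR_LEN  40  /* xid, type, rpcvers, prog, vers, proc + AUTH_NULL cred and verf */
#define RPC_REPLY_HDR_LEN 24  /* xid, type, reply_stat + AUTH_NULL verf + accept_stat */
#define WDB_WRAPPER_LEN   12  /* checksum, length, sequence (call) / error code (reply) */

struct wdb_reply {
    uint32_t xid;
    uint32_t error;         /* third wrapper word of a reply */
    const uint8_t *params;  /* XDR-encoded parameters */
    size_t params_len;
};

static void put_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint32_t get_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Assumption: 16-bit one's-complement sum over the whole RPC datagram with the
 * 4-byte checksum field (at csum_off) treated as zero. */
static uint16_t wdb_checksum(const uint8_t *buf, size_t len, size_t csum_off) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) {
        if (i >= csum_off && i < csum_off + 4) continue;
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    }
    if (len & 1) sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Builds call = RPC header | wrapper | params. Returns datagram length, 0 on error. */
size_t wdb_build_call(uint8_t *out, size_t cap, uint32_t xid, uint32_t proc,
                      uint32_t seq, const uint8_t *params, size_t plen) {
    size_t total = RPC_CALL_HDR_LEN + WDB_WRAPPER_LEN + plen;
    if (cap < total || (plen & 3)) return 0;   /* XDR items are 4-byte multiples */
    uint32_t hdr[10] = { xid, RPC_MSG_CALL, RPC_VERSION, WDB_RPC_PROG, WDB_RPC_VERS,
                         proc, AUTH_NULL, 0, AUTH_NULL, 0 };
    for (size_t i = 0; i < 10; i++) put_u32(out + 4 * i, hdr[i]);
    put_u32(out + 40, 0);                      /* checksum placeholder */
    put_u32(out + 44, (uint32_t)total);        /* assumption: whole-datagram length */
    put_u32(out + 48, seq);
    if (plen) memcpy(out + 52, params, plen);
    put_u32(out + 40, 0xffff0000u | wdb_checksum(out, total, 40));
    return total;
}

/* Agent side of the exchange; used here to construct a sample reply. */
size_t wdb_build_reply(uint8_t *out, size_t cap, uint32_t xid, uint32_t error,
                       const uint8_t *params, size_t plen) {
    size_t total = RPC_REPLY_HDR_LEN + WDB_WRAPPER_LEN + plen;
    if (cap < total || (plen & 3)) return 0;
    uint32_t hdr[6] = { xid, RPC_MSG_REPLY, 0 /* MSG_ACCEPTED */, AUTH_NULL, 0, 0 /* SUCCESS */ };
    for (size_t i = 0; i < 6; i++) put_u32(out + 4 * i, hdr[i]);
    put_u32(out + 24, 0);
    put_u32(out + 28, (uint32_t)total);
    put_u32(out + 32, error);
    if (plen) memcpy(out + 36, params, plen);
    put_u32(out + 24, 0xffff0000u | wdb_checksum(out, total, 24));
    return total;
}

/* Validates a reply before any field is trusted. 0 = ok, negative = reason. */
int wdb_parse_reply(const uint8_t *in, size_t len, struct wdb_reply *r) {
    if (len < RPC_REPLY_HDR_LEN + WDB_WRAPPER_LEN) return -1;  /* truncated */
    if ((size_t)get_u32(in + 28) != len) return -2;             /* length field vs datagram */
    if ((get_u32(in + 24) & 0xffffu) != wdb_checksum(in, len, 24)) return -3;
    if (get_u32(in + 4) != RPC_MSG_REPLY || get_u32(in + 8) != 0 || get_u32(in + 20) != 0)
        return -4;                                              /* not an accepted, successful reply */
    r->xid = get_u32(in);
    r->error = get_u32(in + 32);
    r->params = in + 36;
    r->params_len = len - 36;
    return 0;
}

int main(void) {
    uint8_t call[64], reply[64], none[4] = {0};
    size_t n = wdb_build_call(call, sizeof call, 0x1234u, WDB_PROC_CONNECT, 1, none, sizeof none);
    for (size_t i = 0; i < n; i++) printf("%02x%s", call[i], (i % 16 == 15) ? "\n" : " ");
    printf("\n%zu-byte call for UDP/%d\n", n, WDB_UDP_PORT);
    size_t m = wdb_build_reply(reply, sizeof reply, 0x1234u, 0, none, sizeof none); /* constructed */
    struct wdb_reply r = {0};
    printf("reply parse: %d (error code %u)\n", wdb_parse_reply(reply, m, &r), r.error);
    return 0;
}
```

The parser checks length, checksum and RPC status before reading the error code or parameters, which is the order a fuzzing monitor needs: a garbage datagram from a half-crashed agent must be rejected, not interpreted as a result. Sending the call buffer to UDP/17185 and getting a well-formed reply back is also the quickest check that a device ships with the debug agent enabled.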

STEPS FOR PROCESS MONITORING USING WDB (VXWORKS 5.X)
[Sequence diagram: a series of WDB call/reply exchanges between host and target]

STEPS FOR PROCESS MONITORING USING WDB (VXWORKS 6.X)
[Sequence diagram: call/reply exchanges between host and target, with the per-item calls replaced by a Gopher script the agent evaluates]
Gopher: small interpreted language
Two objects: pointer and tape
Result of the eval stored in tape
Tape content returned to the host
More info on Gopher
Host reads the pointed memory addresses

CRASH DETECTION
[Sequence diagram, host/target]
Target sends event notification
Host acknowledges
Host asks for more information (register contents, memory area, …)

WDBRPC FRAMEWORK
Python 2.7
Supports VxWorks 5.x and 6.x
Partially implements the WDB RPC protocol
Implements a basic remote debugger, WdbDbg
Some external dependencies:
PyElfTools reads the imports from the VxWorks image
Capstone Engine disassembles code around the crash area

INTERFACING WITH SULLEY
Inspiration from the process_monitor.py script shipped with Sulley
Implementation:
DebuggerThread instantiates WdbDbg and implements the callback invoked when a crash occurs
ProcessMonitorPedRPCServer interfaces with Sulley's pedrpc routines
VxMon wraps everything

FUZZING
[Diagram: the Sulley fuzzer sends test cases to the VxWorks target; the VxWorks process monitor (WdbDbg) talks PED RPC to Sulley and WDB RPC to the target]
DEMO

CRASH ANALYSIS
Portmap task crashed many times on the same RPC field: the credential flavor
When set to a negative value => PC is set to an arbitrary memory value
[Crash analysis screenshots]

RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on the 23rd
Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable
Wind River is providing patches
Every VxWorks customer should check the Knowledge Library for details
On Sept 9th 2015 I've been authorised to disclose details

HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute the credential flavor value
Jump into the shellcode directly
All memory protections bypassed/defeated
Backdoor account set up
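The slides describe the bug only as "negative credential flavor, PC becomes attacker-controlled". The C below, added here and taken neither from the deck nor from Wind River's code, models that class on a constructed memory image: a signed XDR credential flavor indexes a handler table after an upper-bound-only check (the shape of the classic Sun RPC svc_auth.c dispatch), the fixed version compares unsigned, and flavor_for_target carries out the "compute credential flavor value" step in 32-bit arithmetic. Handler names, the table layout and the addresses are assumptions; whether the VxWorks portmap code looks exactly like this is not shown on these slides.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, a hypothetical model of the bug class (the deck does not show
 * VxWorks's source): a Sun RPC server indexes a table of authentication
 * handlers with the credential flavor from the request. The flavor is an XDR
 * int (signed 32-bit), so an upper-bound-only check lets a negative value
 * through and the table offset wraps backwards. Names, layout and addresses
 * are assumed. */

typedef int (*auth_handler_t)(const uint8_t *cred, size_t len);

static int auth_null(const uint8_t *c, size_t n)  { (void)c; (void)n; return 0; }
static int auth_unix(const uint8_t *c, size_t n)  { (void)c; (void)n; return 1; }
static int auth_short(const uint8_t *c, size_t n) { (void)c; (void)n; return 2; }
/* Stands in for attacker-placed code, i.e. the heap spray of the slide above. */
static int sprayed_payload(const uint8_t *c, size_t n) { (void)c; (void)n; return 0x41; }

#define AUTH_FLAVOR_MAX 2            /* valid flavors 0..2 */
#define SPRAY_SLOTS     4            /* constructed image: 4 pointer-sized slots ... */
#define TABLE_BASE      SPRAY_SLOTS  /* ... followed by the 3-entry handler table */

static auth_handler_t memory[SPRAY_SLOTS + AUTH_FLAVOR_MAX + 1];

void heap_init(void) {
    for (size_t i = 0; i < SPRAY_SLOTS; i++) memory[i] = NULL;
    memory[TABLE_BASE + 0] = auth_null;
    memory[TABLE_BASE + 1] = auth_unix;
    memory[TABLE_BASE + 2] = auth_short;
}

/* Attacker fills the memory below the table with copies of one pointer. */
void heap_spray(auth_handler_t h) {
    for (size_t i = 0; i < SPRAY_SLOTS; i++) memory[i] = h;
}

/* VULNERABLE: only the upper bound is checked and flavor is signed. Flavors
 * -1..-4 read a sprayed slot (more negative values leave this model's array). */
auth_handler_t select_handler_vuln(int32_t flavor) {
    if (flavor > AUTH_FLAVOR_MAX) return NULL;
    return memory[TABLE_BASE + flavor];
}

/* FIXED: compare as unsigned so negatives fail the single bounds check. */
auth_handler_t select_handler_fixed(int32_t flavor) {
    if ((uint32_t)flavor > (uint32_t)AUTH_FLAVOR_MAX) return NULL;
    return memory[TABLE_BASE + flavor];
}

/* On a 32-bit target the real lookup is table + flavor * 4; the multiplication
 * wraps modulo 2^32, which is the integer overflow the deck names. */
uint32_t slot_address(uint32_t table_addr, int32_t flavor) {
    return table_addr + (uint32_t)flavor * 4u;
}

/* Inverse of slot_address: the flavor that makes the lookup land on target.
 * Setting the top two bits keeps the value negative (so it passes the check)
 * without changing flavor * 4 mod 2^32. target must be 4-byte aligned. */
int32_t flavor_for_target(uint32_t table_addr, uint32_t target) {
    return (int32_t)(((target - table_addr) >> 2) | 0xC0000000u);
}

/* Runs whatever the selector returns; -1 means the flavor was rejected. */
int dispatch(auth_handler_t (*pick)(int32_t), int32_t flavor) {
    auth_handler_t h = pick(flavor);
    return h ? h(NULL, 0) : -1;
}

int main(void) {
    heap_init();
    heap_spray(sprayed_payload);
    printf("flavor  1: vuln=%d fixed=%d\n",
           dispatch(select_handler_vuln, 1), dispatch(select_handler_fixed, 1));
    printf("flavor -1: vuln=%d fixed=%d\n",
           dispatch(select_handler_vuln, -1), dispatch(select_handler_fixed, -1));
    uint32_t table = 0x20001000u, target = 0x10000000u;   /* assumed addresses */
    int32_t f = flavor_for_target(table, target);
    printf("flavor %d -> slot 0x%08x\n", (int)f, slot_address(table, f));
    return 0;
}
```

The fix is the unsigned comparison; any RPC implementation that treats the XDR int flavor as a signed index has the same hole. The reason a heap spray makes the attack reliable is visible in the model: the negative offset does not have to hit one exact slot, only any slot inside a large region filled with the same pointer.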
EXPLOITATION DEMO

ABOUT THE REAL TARGETS
Schneider Modicon Quantum PLC runs VxWorks and has port 111 (the Sun RPC portmapper, the service fuzzed above) open
(https://www.digitalbond.com/tools/basecamp/schneider-modicon-quantum)

SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open
(5.4 is below the confirmed vulnerable range of 5.5 to 6.9.4.1; the slide lists the device as exposed, not as confirmed vulnerable)

MORE BUGS FOUND DURING FUZZING
FTP server is susceptible to a ring buffer overflow when accessed at high speed
FTP server crashes when it receives a specially crafted username and password: network stack down

CONCLUSION
Wind River takes VxWorks' security seriously
Implemented a lot of memory protections
Defeated by a simple integer overflow bug

FUTURE WORK
VxWorks 7
More complete WDB RPC protocol and WDB-over-serial implementation
Continuing to find bugs

CODE RELEASE
The WdbDbg framework should be released in the next weeks here:
https://bitbucket.org/yformaggio/wdbdbg
Exploit code will not be released unless explicit authorisation is given
QUESTIONS
THANKS
LINKS
http://www.vxdev.com/docs/vx55man/tornado-api/wdbpcl/wdb.html
http://www.uio.no/[...]/vxworks_architecture_supplement_6.2.pdf
http://www.uio.no/[...]/vxworks_kernel_programmers_guide_6.2.pdf
http://cimsol-mc.sourceforge.net/files/vxworks/VxWorks60.pdf
Digging Inside the VxWorks OS and Firmware, The Holistic Security
HD Moore, Fun with VxWorks
![Page 29: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/29.jpg)
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 30: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/30.jpg)
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 31: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/31.jpg)
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 32: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/32.jpg)
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 33: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/33.jpg)
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 34: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/34.jpg)
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspired by the process_monitor.py script shipped with Sulley
Implementation:
DebuggerThread instantiates WdbDbg and implements the callback invoked when a crash occurs
ProcessMonitorPedRPCServer interfaces with Sulley's ped-rpc routines
VxMon wraps everything
FUZZING
(slide 52: architecture diagram: the Sulley Fuzzer sends test cases to the VxWorks Target; the VxWorks Process Monitor (WdbDbg) talks to Sulley over PED RPC and to the target over WDB RPC)
DEMO
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field: the credential flavor
When set to a negative value => PC is set to an arbitrary memory value
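The two packet layouts this deck walks through, the ONC RPC call header whose credential flavor field crashed portmap and the WDB RPC reply wrapper of slide 34, as an added Python example that is not part of the talk's WdbDbg framework. It assumes, from RFC 5531, a 24-byte reply header with an empty verifier and the standard auth flavor numbers, and it assumes that the WDB wrapper's length field counts the whole RPC message from the XID; the sample messages are constructed, not captured traffic.

```python
"""Inspect ONC RPC call headers and WDB RPC reply wrappers from UDP payloads."""
import struct

RPC_CALL, RPC_REPLY = 0, 1
RPC_VERSION = 2
PORTMAP_PROG = 100000
# Authentication flavors defined by RFC 5531; anything else deserves a look
KNOWN_FLAVORS = {0: "AUTH_NONE", 1: "AUTH_SYS", 2: "AUTH_SHORT",
                 3: "AUTH_DH", 6: "RPCSEC_GSS"}
MAX_AUTH_BODY = 400      # RFC 5531 bound on an opaque_auth body
RPC_REPLY_HDR_LEN = 24   # xid, msg_type, reply_stat, verf flavor, verf len, accept_stat
WDB_WRAPPER_LEN = 12     # checksum, length, error code (layout from the slide)


class RpcParseError(ValueError):
    """Raised for datagrams that are not a well-formed RPC message."""


def _u32(buf, off):
    """Read one big-endian XDR unsigned int, refusing to run off the end."""
    if off + 4 > len(buf):
        raise RpcParseError("truncated at offset %d" % off)
    return struct.unpack(">I", buf[off:off + 4])[0]


def as_int32(value):
    """Reinterpret an unsigned 32-bit field the way a C `int` would see it."""
    return struct.unpack(">i", struct.pack(">I", value))[0]


def _opaque_auth(buf, off, what, findings):
    """Parse one opaque_auth {flavor, body} and record anything out of range."""
    flavor, length = _u32(buf, off), _u32(buf, off + 4)
    if as_int32(flavor) < 0:
        findings.append("%s flavor 0x%08x is negative when read as a C int"
                        % (what, flavor))
    elif flavor not in KNOWN_FLAVORS:
        findings.append("%s flavor %d is not a known auth flavor" % (what, flavor))
    if length > MAX_AUTH_BODY:
        findings.append("%s body length %d exceeds the RFC 5531 limit" % (what, length))
    padded = (length + 3) & ~3            # XDR pads opaque data to 4 bytes
    if off + 8 + padded > len(buf):
        raise RpcParseError("%s body runs past the end of the datagram" % what)
    return flavor, off + 8 + padded


def inspect_rpc_call(datagram):
    """Return the header fields of an RPC CALL plus a list of findings."""
    findings = []
    xid, msg_type = _u32(datagram, 0), _u32(datagram, 4)
    if msg_type != RPC_CALL:
        raise RpcParseError("msg_type %d is not a CALL" % msg_type)
    rpcvers, prog, vers, proc = [_u32(datagram, o) for o in (8, 12, 16, 20)]
    if rpcvers != RPC_VERSION:
        findings.append("rpc version %d, expected %d" % (rpcvers, RPC_VERSION))
    cred, off = _opaque_auth(datagram, 24, "credential", findings)
    verf, off = _opaque_auth(datagram, off, "verifier", findings)
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "cred_flavor": cred, "verf_flavor": verf,
            "args_offset": off, "findings": findings}


def parse_wdb_reply(datagram):
    """Split a WDB RPC reply into RPC reply header, WDB wrapper and XDR params."""
    if len(datagram) < RPC_REPLY_HDR_LEN + WDB_WRAPPER_LEN:
        raise RpcParseError("shorter than RPC reply header plus WDB wrapper")
    xid, msg_type, reply_stat, verf_flavor, verf_len, accept_stat = \
        struct.unpack(">6I", datagram[:RPC_REPLY_HDR_LEN])
    if msg_type != RPC_REPLY:
        raise RpcParseError("msg_type %d is not a REPLY" % msg_type)
    if verf_len != 0:
        raise RpcParseError("24-byte reply header assumes an empty verifier")
    wrapper = datagram[RPC_REPLY_HDR_LEN:RPC_REPLY_HDR_LEN + WDB_WRAPPER_LEN]
    checksum, length, error = struct.unpack(">IIi", wrapper)
    # Assumption: the wrapper length counts the whole RPC message from the XID.
    if length != len(datagram):
        raise RpcParseError("wrapper length %d != datagram length %d"
                            % (length, len(datagram)))
    return {"xid": xid, "reply_stat": reply_stat, "verf_flavor": verf_flavor,
            "accept_stat": accept_stat, "checksum": checksum, "length": length,
            "error": error,
            "params": datagram[RPC_REPLY_HDR_LEN + WDB_WRAPPER_LEN:]}


# --- constructed sample messages (not captured traffic) ---------------------

def build_rpc_call(xid, prog, vers, proc, cred_flavor, args=b""):
    """Constructed CALL with empty credential and verifier bodies."""
    return (struct.pack(">6I", xid, RPC_CALL, RPC_VERSION, prog, vers, proc)
            + struct.pack(">II", cred_flavor, 0)     # credential
            + struct.pack(">II", 0, 0)               # verifier: AUTH_NONE
            + args)


def build_wdb_reply(xid, error, params):
    """Constructed WDB reply; the checksum field is left at 0 (not computed)."""
    header = struct.pack(">6I", xid, RPC_REPLY, 0, 0, 0, 0)  # accepted, SUCCESS
    total = RPC_REPLY_HDR_LEN + WDB_WRAPPER_LEN + len(params)
    return header + struct.pack(">IIi", 0, total, error) + params
```

Running inspect_rpc_call over captured portmap (program 100000) datagrams surfaces the out-of-range credential flavors described on this slide without having to wait for the target to crash.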
CRASH ANALYSIS
(slides 55-61: screenshots only)
O_o
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on the 23rd
Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable
Wind River is providing patches
Every VxWorks customer should check the Knowledge Library for details
On Sept 9th 2015 I've been authorised to disclose details
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
All memory protections bypassed/defeated
Backdoor account set up
EXPLOITATION DEMO
ABOUT THE REAL TARGETS
Schneider Modicon Quantum PLC runs VxWorks and has port 111 open
(https://www.digitalbond.com/tools/basecamp/schneider-modicon-quantum)
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open
FUN FACT
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible to a ring buffer overflow when accessed at high speed
FTP server crashes when it receives a specially crafted username and password: network stack down
CONCLUSION
Wind River takes VxWorks' security seriously
Implemented a lot of memory protections
Defeated by a simple integer overflow bug
FUTURE WORK
VxWorks 7
More complete WDB RPC protocol implementation and WDB over serial
Continuing to find bugs
CODE RELEASE
The WdbDbg framework should be released in the next weeks here:
https://bitbucket.org/yformaggio/wdbdbg
Exploit code will not be released unless explicit authorisation is given
QUESTIONS
THANKS
LINKS
http://www.vxdev.com/docs/vx55man/tornado-api/wdbpcl/wdb.html
http://www.uio.no/[]/vxworks_architecture_supplement_6.2.pdf
http://www.uio.no/[]/vxworks_kernel_programmers_guide_6.2.pdf
http://cimsol-mc.sourceforge.net/files/vxworks/VxWorks60.pdf
Digging Inside the VxWorks OS and Firmware: The Holistic Security
HD Moore - Fun with VxWorks
![Page 35: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/35.jpg)
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 36: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/36.jpg)
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 37: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/37.jpg)
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 38: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/38.jpg)
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 39: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/39.jpg)
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 40: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/40.jpg)
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 41: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/41.jpg)
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 42: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/42.jpg)
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
[Sequence diagram: HOST and TARGET]
Target sends event notification
Host acknowledges
Host asks for more information (registers content, memory area, …)
45-47
WDBRPC FRAMEWORK
Python 2.7
Supports VxWorks 5.x and 6.x
Partially implements the WDBRPC protocol
Implements a basic remote debugger: WdbDbg
48-49
WDBRPC FRAMEWORK
Some external dependencies:
PyElfTools reads the imports from the VxWorks image
Capstone Engine disassembles code around the crash area
50
INTERFACING WITH SULLEY
Inspired by the process_monitor.py script shipped with Sulley
Implementation:
DebuggerThread instantiates WdbDbg and implements the callback to call when a crash occurs
ProcessMonitorPedRPCServer interfaces with Sulley's ped-rpc routines
VxMon wraps everything
51
FUZZING
52
[Diagram: the Sulley Fuzzer sends test cases to the VxWorks Target; the VxWorks Process Monitor (WdbDbg) talks to Sulley over PED RPC and to the target over WDB RPC]
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field: credential flavor
When set to a negative value => PC is set to an arbitrary memory value
54
[Slides 55-61: crash analysis screenshots; slide 59 captioned "O_o"]
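The bug class behind the portmap crash above, as an added example that is not code from the slides, from the WdbDbg framework or from Wind River: a signed RPC credential flavor used to index a handler table with only an upper-bound check, next to the hardened check. That the VxWorks code indexes a table this way is an assumption; the handler table, the XDR helpers and the sample credential bytes are constructed for this example.

```c
/* Added example: signed credential flavor as a table index (weak vs hardened check).
 * The table layout, helpers and packets below are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>

/* Credential flavors as numbered in RFC 5531. */
enum { AUTH_NONE = 0, AUTH_SYS = 1, AUTH_SHORT = 2, AUTH_DH = 3, FLAVOR_COUNT = 4 };

/* Result codes returned by dispatch_cred(). */
enum { CRED_OK = 0, CRED_REJECTED = -1, CRED_TRUNCATED = -2, CRED_OOB_DISPATCH = -3 };

typedef int (*auth_handler_t)(const uint8_t *body, uint32_t len);

/* AUTH_NONE carries no body. */
static int handle_none(const uint8_t *body, uint32_t len)
{
    (void)body;
    return len == 0 ? CRED_OK : CRED_REJECTED;
}

/* AUTH_SYS body: stamp, length-prefixed machine name, uid, gid, gid count.
 * With an empty machine name that is 20 bytes, so anything shorter is malformed. */
static int handle_sys(const uint8_t *body, uint32_t len)
{
    (void)body;
    return len >= 20 ? CRED_OK : CRED_REJECTED;
}

/* AUTH_SHORT and AUTH_DH are accepted here only if a body is present. */
static int handle_opaque(const uint8_t *body, uint32_t len)
{
    (void)body;
    return len > 0 ? CRED_OK : CRED_REJECTED;
}

/* Function-pointer table indexed by flavor: the attacker-controlled value
 * selects which address gets called. (Assumed layout, see lead-in.) */
static const auth_handler_t handlers[FLAVOR_COUNT] = {
    handle_none, handle_sys, handle_opaque, handle_opaque
};

/* XDR integers are 4-byte big-endian. */
static uint32_t xdr_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Weak check in the style of the bug class: a signed value tested against the
 * upper bound only, so every negative flavor passes. */
static int weak_flavor_ok(int32_t flavor)
{
    return flavor < FLAVOR_COUNT;
}

/* Hardened check: the unsigned compare makes any negative value wrap to a
 * huge one and fail, covering both bounds in a single test. */
static int safe_flavor_ok(int32_t flavor)
{
    return (uint32_t)flavor < (uint32_t)FLAVOR_COUNT;
}

/* Parse an XDR credential (flavor, body length, body) and dispatch on the
 * flavor. With hardened == 0 the weak check is used, but instead of performing
 * the out-of-bounds table read and indirect call that a negative flavor would
 * cause (the "PC set to an arbitrary memory value" of the crash analysis) the
 * function reports CRED_OOB_DISPATCH. */
static int dispatch_cred(const uint8_t *pkt, size_t len, int hardened)
{
    if (len < 8)
        return CRED_TRUNCATED;
    int32_t flavor = (int32_t)xdr_u32(pkt);      /* signed, as in the bug class */
    uint32_t body_len = xdr_u32(pkt + 4);
    if (body_len > len - 8)                       /* body must fit in the packet */
        return CRED_TRUNCATED;

    if (hardened) {
        if (!safe_flavor_ok(flavor))
            return CRED_REJECTED;
    } else {
        if (!weak_flavor_ok(flavor))
            return CRED_REJECTED;
        if (flavor < 0)
            return CRED_OOB_DISPATCH;             /* handlers[flavor] would read before the table */
    }
    return handlers[flavor](pkt + 8, body_len);
}

/* Constructed sample credentials (not captured traffic). */
static const uint8_t CRED_AUTH_SYS[] = {
    0, 0, 0, 1,      /* flavor = AUTH_SYS */
    0, 0, 0, 20,     /* body length = 20 */
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0
};
static const uint8_t CRED_NEGATIVE[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0 };  /* flavor = -1 */
static const uint8_t CRED_UNKNOWN[]  = { 0, 0, 0, 9, 0, 0, 0, 0 };              /* flavor = 9 */
static const uint8_t CRED_SHORT[]    = { 0, 0, 0, 1, 0, 0, 0, 64, 1, 2, 3, 4 }; /* length lies */
```

The weak and hardened paths agree on well-formed and on too-large flavors; they differ only on negative ones, which is exactly the field value the fuzzer kept hitting.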
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on the 23rd
Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable
Wind River is providing patches
Every VxWorks customer should check the Knowledge Library for details
On Sept 9th 2015 I've been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypassed/defeated
backdoor account set up
63
EXPLOITATION DEMO
64
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 53: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/53.jpg)
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 54: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/54.jpg)
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 55: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/55.jpg)
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 56: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/56.jpg)
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 57: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/57.jpg)
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 58: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/58.jpg)
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 59: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/59.jpg)
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 60: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/60.jpg)
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 61: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/61.jpg)
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 62: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/62.jpg)
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 63: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/63.jpg)
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 64: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/64.jpg)
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 65: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/65.jpg)
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 66: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/66.jpg)
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 67: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/67.jpg)
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
![Page 68: 44CON London - Attacking VxWorks: from Stone Age to Interstellar](https://reader034.vdocuments.us/reader034/viewer/2022050613/587cfa0a1a28ab1e7e8b49fd/html5/thumbnails/68.jpg)
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75