Date posted: 15-Apr-2017 | Category: Technology | Uploaded by: 44con
ATTACKING VXWORKS
FROM STONE AGE TO INTERSTELLAR
44CON London, 09/10/2015 | Yannick Formaggio, Richard Hsu & Eric Liu
ABOUT ME
Yannick Formaggio
Security Researcher at Istuary Innovation Labs
TheLumberJhack || yannickformaggio on LinkedIn
Looks for vulns using fuzzing techniques; first-time speaker
Lego fan…
Help from Richard Hsu and Eric Liu (Lead security researcher)
AGENDA
Introduction to VxWorks & previous research
Inside VxWorks
Memory management & protections
From fuzzing to exploit: RPC integer overflow RCE
Conclusion
INTRODUCTION
WHAT'S VXWORKS
#1 embedded devices RTOS
Claimed > 1.5 billion devices
Developed by Wind River
Supports a lot of CPU architectures
SOME STATS
WHAT'S VXWORKS
1987
• First release
• 32-bit processing
1990's
• VxWorks 5 released
• 1st RTOS w/ network stack
2000's
• VxWorks 6.x (12-2004)
• Security improvements (RTPs, no more task shared memory)
2014
• VxWorks 7.x (02-2014)
• 64-bit, more security improvements
SOME CUSTOMERS
"The Real-Time Operating System for the Internet of Things. Powering billions of intelligent devices, VxWorks® delivers an industry-leading combination of scalability, safety, security and virtualization capabilities to meet next-generation requirements." (Wind River VxWorks product page)
VXWORKS & SECURITY
(chart of published VxWorks CVEs) Source: http://www.cvedetails.com/product/15063/Windriver-Vxworks.html?vendor_id=9510
Wind River treats VxWorks security seriously
Partnership with McAfee in Feb 2011 (source: http://www.windriver.com/news/press/pr.html?ID=8801)
6.x introduced some memory protections
7.x improved way further:
Digitally signed modules (X.509)
Encryption
Centralized user database
Password management (SHA-256 algorithm)
Ability to create/delete users at run time
Encrypted data storage
PREVIOUS RESEARCH & INSPIRATIONS
"Shiny Old VxWorks Vulnerabilities", HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy: rainbow table containing around 200k hashed passwords
"Reverse Engineering VxWorks Firmware: WRT54Gv8", devttyS0
"Digging Inside the VxWorks OS and Firmware: The Holistic Security", Aditya K Sood (0kn0ck) - SecNiche Security Lab
WDB debugging interface (again)
OS security
INSIDE VXWORKS
MEMORY LAYOUT & PROTECTIONS
X86 MEMORY LAYOUT: UPPER MEMORY
Address (offset from LOCAL_MEM_LOCAL_ADRS)   Region
+ 0x0000       IDT (2KB): Interrupt Descriptor (Vector) Table
+ 0x0800       GDT
+ 0x1100       SM Anchor
+ 0x1200       Boot Line
+ 0x1300       Exception message: ASCII string for the fatal exception message
+ 0x2000       FD DMA Area
+ 0x5000
+ 0xa0000      (no memory)
+ 0x100000     Initial Stack
+ 0x108000     System Image: VxWorks image entry point
_end           WDB Memory Pool (WDB shared memory)
               Interrupt stack
               System Memory Pool
…              sysMemTop()
KEY: Available / Reserved
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to the virtual memory support
Non-MMU-based protections: Heap Error Detection
MEMORY PROTECTION
Task stack overrun and underrun detection
Interrupt stack overrun and underrun detection
(figure: stack pages, with the protected regions at the start and stop of the stack)
MEMORY PROTECTION
Non-executable task stacks & non-writable text segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
(figure: program pages, TEXT read-only, DATA r+w)
MEMORY PROTECTION
NULL pointer usage detection
(figure: the page at address 0x00000000 is mapped -r-w-x, i.e. with no read, write or execute permission)
MEMORY PROTECTION: HEAP BLOCK OVERRUN DETECTION, USAGE TRACKING & LEAKAGE DETECTION
FROM FUZZING TO EXPLOIT
FUZZING TARGETS
Network protocols:
Portmap (RPC)
FTP
TFTP
NTP
…
FUZZING
Used the Sulley fuzzing framework
Problem: no accurate crash detection available
Solution: using WDB RPC
WHAT'S WDB RPC
Debugging interface
Service running on port UDP/17185
Based on the SUN-RPC protocol
Provides direct access to system memory
WDB PROTOCOL V2
(architecture figure) HOST: Shell, Debugger, Browser and other tools talk WTX to the Target Server; the Target Server talks WDB to the Target Agent inside the VxWorks OS on the TARGET.
WDB PROTOCOL V2: CALL SENT BY THE TARGET SERVER
IP header (20 bytes)
UDP header (8 bytes)
RPC request header (40 bytes)
WDB param wrapper (12 bytes): Checksum (4 bytes), Length (4 bytes), Sequence (4 bytes)
XDR-encoded parameters (XDR-encoded stream)
WDB PROTOCOL V2: REPLY SENT BY THE TARGET AGENT
IP header (20 bytes)
UDP header (8 bytes)
RPC reply header (24 bytes)
WDB param wrapper (12 bytes): Checksum (4 bytes), Length (4 bytes), Error code (4 bytes)
XDR-encoded parameters (XDR-encoded stream)
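The two layouts above describe the WDB RPC v2 datagram framing: a Sun-RPC header, a 12-byte WDB wrapper, then XDR-encoded parameters. The Python 3 code below is an added example written for this page, not the WdbDbg code the slides describe; it builds and parses both directions of a constructed CALL/REPLY exchange so the 40/12 and 24/12 byte boundaries can be checked against a capture. The program number 0x55555555, the procedure numbers WDB_TARGET_CONNECT = 1 and WDB_MEM_READ = 10, the 16-bit ones'-complement checksum stored in the wrapper's first word, the "length = whole datagram" semantics and the memory-read parameter layout are assumptions taken from the public wdb.h and open-source WDB clients, not from the slides; verify each against a real agent before relying on it.

```python
import struct

WDB_PORT = 17185             # UDP, from the slide
WDB_PROG = 0x55555555        # assumption: WDB RPC program number (public wdb.h)
WDB_VERS = 1
WDB_TARGET_CONNECT = 1       # assumption: procedure numbers from wdb.h
WDB_MEM_READ = 10

RPC_CALL, RPC_REPLY = 0, 1
CALL_HDR_LEN = 40            # 10 u32 words, AUTH_NULL cred + verf (slide: 40 bytes)
REPLY_HDR_LEN = 24           # 6 u32 words (slide: 24 bytes)
WRAPPER_LEN = 12             # checksum, length, sequence / error code (slide: 12 bytes)


def ones_complement_sum(data):
    """16-bit ones'-complement checksum (assumption: what open-source WDB clients use)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(hdr, wrapper_fields, params):
    """Assemble header + wrapper + params; the checksum covers the whole datagram
    with its own word zeroed and is stored as the wrapper's first word (assumption)."""
    pkt = hdr + struct.pack(">III", 0, *wrapper_fields) + params
    return hdr + struct.pack(">III", ones_complement_sum(pkt), *wrapper_fields) + params


def wdb_call(xid, seq, proc, params=b""):
    """CALL sent by the host: Sun-RPC call header (AUTH_NULL), WDB wrapper, XDR params."""
    hdr = struct.pack(">10I", xid, RPC_CALL, 2, WDB_PROG, WDB_VERS, proc, 0, 0, 0, 0)
    length = CALL_HDR_LEN + WRAPPER_LEN + len(params)
    return _with_checksum(hdr, (length, seq), params)


def wdb_reply(xid, error, params=b""):
    """REPLY sent by the target agent: MSG_ACCEPTED / SUCCESS, then the WDB wrapper."""
    hdr = struct.pack(">6I", xid, RPC_REPLY, 0, 0, 0, 0)
    length = REPLY_HDR_LEN + WRAPPER_LEN + len(params)
    return _with_checksum(hdr, (length, error), params)


def checksum_ok(pkt, hdr_len):
    """Recompute the checksum with the wrapper's checksum word zeroed and compare."""
    stored = struct.unpack(">I", pkt[hdr_len:hdr_len + 4])[0]
    zeroed = pkt[:hdr_len] + b"\x00" * 4 + pkt[hdr_len + 4:]
    return stored == ones_complement_sum(zeroed)


def parse_wdb_call(pkt):
    if len(pkt) < CALL_HDR_LEN + WRAPPER_LEN:
        raise ValueError("short WDB call")
    f = struct.unpack(">10I", pkt[:CALL_HDR_LEN])
    _cksum, length, seq = struct.unpack(">III", pkt[CALL_HDR_LEN:CALL_HDR_LEN + WRAPPER_LEN])
    if f[1] != RPC_CALL or f[2] != 2 or f[3] != WDB_PROG:
        raise ValueError("not a WDB RPC call")
    if length != len(pkt):
        raise ValueError("wrapper length %d != datagram %d" % (length, len(pkt)))
    return {"xid": f[0], "proc": f[5], "cred_flavor": f[6], "seq": seq,
            "checksum_ok": checksum_ok(pkt, CALL_HDR_LEN),
            "params": pkt[CALL_HDR_LEN + WRAPPER_LEN:]}


def parse_wdb_reply(pkt):
    if len(pkt) < REPLY_HDR_LEN + WRAPPER_LEN:
        raise ValueError("short WDB reply")
    xid, mtype, reply_stat, _vf, _vl, accept_stat = struct.unpack(">6I", pkt[:REPLY_HDR_LEN])
    if mtype != RPC_REPLY or reply_stat != 0 or accept_stat != 0:
        raise ValueError("RPC layer rejected the call: reply_stat=%d accept_stat=%d"
                         % (reply_stat, accept_stat))
    _cksum, length, error = struct.unpack(">III", pkt[REPLY_HDR_LEN:REPLY_HDR_LEN + WRAPPER_LEN])
    if length != len(pkt):
        raise ValueError("wrapper length %d != datagram %d" % (length, len(pkt)))
    return {"xid": xid, "error": error, "checksum_ok": checksum_ok(pkt, REPLY_HDR_LEN),
            "params": pkt[REPLY_HDR_LEN + WRAPPER_LEN:]}


def mem_read_params(addr, nbytes):
    """XDR params for a memory read as modelled here: address, byte count (assumed layout)."""
    return struct.pack(">II", addr, nbytes)


if __name__ == "__main__":
    # Constructed exchange: the host asks for 16 bytes at 0x00108000 (the system
    # image address in the memory map); the agent answers with error code 0.
    call = wdb_call(0x1234, 1, WDB_MEM_READ, mem_read_params(0x00108000, 16))
    reply = wdb_reply(0x1234, 0, b"\x90" * 16)   # constructed data, not a real dump
    print(parse_wdb_call(call))
    print(parse_wdb_reply(reply))
```

Run stand-alone it prints the decoded call and reply; against a live agent you would send `call` to UDP/17185 and pass the datagram you get back to parse_wdb_reply(). The credential and verifier words in the call header are all zero (AUTH_NULL): the wrapper checksum is an integrity check, not authentication, which is why an exposed WDB port is the direct memory access the slide warns about.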
STEPS FOR PROCESS MONITORING USING WDB (VXWORKS 5.X)
(sequence diagram: a series of CALL/REPLY exchanges between HOST and TARGET)
STEPS FOR PROCESS MONITORING USING WDB (VXWORKS 6.X)
(sequence diagram: CALL/REPLY exchanges between HOST and TARGET, using Gopher)
Gopher: small interpreted language
Two objects: pointer and tape
Result of the eval stored in tape
Tape content returned to the host
Host reads the pointed memory addresses
More info on Gopher
CRASH DETECTION
Target sends event notification
Host acknowledges
Host asks for more information (register contents, memory area…)
WDBRPC FRAMEWORK
Python 2.7
Supports VxWorks 5.x and 6.x
Partially implements the WDB RPC protocol
Implements a basic remote debugger: WdbDbg
Some external dependencies:
PyElfTools: reads the imports from the VxWorks image
Capstone Engine: disassembles code around the crash area
INTERFACING WITH SULLEY
Inspiration from the process_monitor.py script coming with Sulley
Implementation:
DebuggerThread instantiates WdbDbg and implements the callback to call when a crash occurs
ProcessMonitorPedRPCServer interfaces with Sulley's ped-rpc routines
VxMon wraps everything
FUZZING
(figure: the Sulley fuzzer sends test cases to the VxWorks target; the VxWorks process monitor, built on WdbDbg, talks PED RPC to Sulley and WDB RPC to the target)
DEMO
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field: credential flavor
When set to a negative value => PC is set to an arbitrary memory value
(crash analysis screenshots)
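The crash described above comes from a credential flavor that the target handles as a signed value. The Python 3 code below is an added example written for this page, not the author's crash-analysis or exploit code: it builds constructed portmap GETPORT datagrams, decodes the flavor both as the unsigned u32 XDR defines and as the int32 a C server reads when it stores the field in a plain int, shows why a negative value slips past an upper-bound-only check while a two-sided check on the unsigned value rejects it, and flags datagrams whose flavor is outside the set defined in RFC 5531 / RFC 2203, which is the check a network monitor or a hardened RPC parser would want. The four-entry dispatch table (AUTH_TABLE_SIZE) is a hypothetical model of the bug class; the actual VxWorks portmap code is not on the slides.

```python
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3   # portmapper on port 111 (RFC 1833)
IPPROTO_TCP, IPPROTO_UDP = 6, 17
# Credential flavors defined for Sun-RPC (RFC 5531 / RFC 2203); anything else is unexpected
KNOWN_FLAVORS = {0: "AUTH_NONE", 1: "AUTH_SYS", 2: "AUTH_SHORT", 3: "AUTH_DH", 6: "RPCSEC_GSS"}
AUTH_TABLE_SIZE = 4          # hypothetical server dispatch table: handlers for flavors 0..3
CALL_HDR_LEN = 40


def portmap_getport(xid, prog, vers, proto, cred_flavor=0):
    """Constructed Sun-RPC CALL to PMAPPROC_GETPORT with an empty credential of the
    given flavor. cred_flavor is written as a raw u32 so any 32-bit pattern can be
    placed in the field, exactly as a fuzzer would."""
    hdr = struct.pack(">10I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT,
                      cred_flavor & 0xFFFFFFFF, 0, 0, 0)
    return hdr + struct.pack(">4I", prog, vers, proto, 0)   # mapping {prog, vers, prot, port}


def inspect_call(datagram):
    """Decode the RPC call header; report the flavor as the wire u32 and as the int32
    a C server sees when it stores the field in a plain 'int'."""
    if len(datagram) < CALL_HDR_LEN:
        raise ValueError("short RPC call")
    f = struct.unpack(">10I", datagram[:CALL_HDR_LEN])
    if f[1] != 0 or f[2] != 2:
        raise ValueError("not an RPC v2 CALL")
    flavor_unsigned = f[6]
    flavor_signed = struct.unpack(">i", datagram[24:28])[0]
    return {"xid": f[0], "prog": f[3], "vers": f[4], "proc": f[5],
            "flavor_unsigned": flavor_unsigned, "flavor_signed": flavor_signed,
            "suspicious": flavor_unsigned not in KNOWN_FLAVORS}


def flawed_flavor_check(flavor_signed):
    """Upper bound only, on a signed value: -1 < 4 is true, so a C server written this
    way indexes before its handler table and loads a function pointer from whatever
    lives there. This is the shape of 'negative value => PC set to an arbitrary memory
    value' on the slide; the real VxWorks code is not shown there."""
    return flavor_signed < AUTH_TABLE_SIZE


def hardened_flavor_check(flavor_unsigned):
    """Treat the field as the unsigned quantity XDR defines and check both bounds."""
    return 0 <= flavor_unsigned < AUTH_TABLE_SIZE


def flavor_boundary_cases():
    """Values a fuzzer such as Sulley puts in a 32-bit field; the last three read as
    negative int32 values."""
    return [0, AUTH_TABLE_SIZE - 1, AUTH_TABLE_SIZE, 0x7FFFFFFF,
            0x80000000, 0xFFFFFFFE, 0xFFFFFFFF]


def scan_datagrams(datagrams):
    """Detection pass: return the decoded calls whose flavor is outside the defined set."""
    flagged = []
    for d in datagrams:
        try:
            info = inspect_call(d)
        except ValueError:
            continue
        if info["suspicious"]:
            flagged.append(info)
    return flagged


if __name__ == "__main__":
    # Constructed traffic: two legitimate GETPORT lookups and two with fuzzed flavors.
    sample = [
        portmap_getport(1, 100003, 3, IPPROTO_TCP),                  # NFS lookup, AUTH_NONE
        portmap_getport(2, 100005, 3, IPPROTO_UDP, cred_flavor=1),   # mountd lookup, AUTH_SYS
        portmap_getport(3, 100003, 3, IPPROTO_TCP, cred_flavor=0xFFFFFFFF),
        portmap_getport(4, 100000, 2, IPPROTO_UDP, cred_flavor=0x80000000),
    ]
    for hit in scan_datagrams(sample):
        print("xid=%d flavor=0x%08x (as int32: %d) flawed_check_passes=%s hardened_check_passes=%s"
              % (hit["xid"], hit["flavor_unsigned"], hit["flavor_signed"],
                 flawed_flavor_check(hit["flavor_signed"]),
                 hardened_flavor_check(hit["flavor_unsigned"])))
```

The same decode works on the WDB RPC call header, since it is a Sun-RPC header too; a monitor in front of a PLC that still exposes port 111 can apply scan_datagrams() to UDP payloads and alert on the two fuzzed datagrams while letting the AUTH_NONE and AUTH_SYS lookups through.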
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on the 23rd
Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable
Wind River is providing patches
Every VxWorks customer should check the Knowledge Library for details
On Sept 9th 2015 I've been authorised to disclose details
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute the credential flavor value
Jump into the shellcode directly
All memory protections bypassed/defeated
Backdoor account set up
EXPLOITATION DEMO
ABOUT THE REAL TARGETS
Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open
(https://www.digitalbond.com/tools/basecamp/schneider-modicon-quantum)
SOME NUMBERS
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible to a ring buffer overflow when accessed at high speed
FTP server crashes when it receives a specially crafted username and password: network stack down
CONCLUSION
Wind River takes VxWorks' security seriously
Implemented a lot of memory protections
Defeated by a simple integer overflow bug
FUTURE WORK
VxWorks 7
More complete WDB RPC protocol and WDB-over-serial implementation
Continuing to find bugs
CODE RELEASE
The WdbDbg framework should be released in the next weeks here:
https://bitbucket.org/yformaggio/wdbdbg
Exploit code will not be released unless explicit authorisation is given
QUESTIONS
THANKS
LINKS
http://www.vxdev.com/docs/vx55man/tornado-api/wdbpcl/wdb.html
http://www.uio.no/[]/vxworks_architecture_supplement_6.2.pdf
http://www.uio.no/[]/vxworks_kernel_programmers_guide_6.2.pdf
http://cimsol-mc.sourceforge.net/files/vxworks/VxWorks60.pdf
Digging Inside the VxWorks OS and Firmware: The Holistic Security
HD Moore - Fun with VxWorks
ABOUT ME
Yannick Formaggio
Security Researcher at Istuary Innovation Labs
TheLumberJhack || yannickformaggio on LinkedIn
Look for vulns using fuzzing techniques first time speaker
Lego fanhellip
Help from Richard Hsu and Eric Liu (Lead security
researcher)
2
AGENDA
Introduction to VxWorks amp previous researches
Inside VxWorks
Memory management amp protections
From fuzzing to exploit RPC Integer Overflow RCE
Conclusion
3
INTRODUCTION
4
WHATrsquoS VXWORKS
1 Embedded devices RTOS
Claimed gt 15 billions devices
developed by Wind River
supports lot of CPU architectures
SOME STATS
6
WHATrsquoS VXWORKS
1987
bull First release
bull 32 bits processing
1990rsquos
bull VxWorks 5 released
bull 1st RTOS w network stack
2000rsquos
bull VxWorks 6x (12-2004)
bull Security improvements (RTPs no more task shared memory)
2014
bull VxWorks 7x (02-2014)
bull 64bits more security improvements
SOME CUSTOMERS
8
ldquo
rdquo
The Real-Time Operating System for the Internet of ThingsPowering billions of intelligent devices VxWorksreg delivers an industry-leading combination of scalability safety security and virtualization capabilities to meet next-generation requirements
Windriver VxWorks product
9
VXWORKS amp SECURITY
Source httpwwwcvedetailscomproduct15063Windriver-Vxworkshtmlvendor_id=9510
VXWORKS amp SECURITY
Wind River treatsVxWorks security seriously
Partnership with McAffee in Feb 2011
Source httpwwwwindrivercomnewspressprhtmlID=8801
VXWORKS amp SECURITY
Wind River treats VxWorks security seriously
Partnership with McAffee in Feb 2011
6x introduced some memory protections
7x improved way further
Digitally signed modules (X509)
Encryption
Centralized user database
Password management (SHA-256 algorithm)
Ability to createdelete users at run time
Encrypted data storage
PREVIOUS RESEARCHES
amp INSPIRATIONS
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoShiny Old VxWorks Vulnerabilitiesrdquo
HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy
rainbow table containing around 200k hashed
passwords
14
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoReverse Engineering VxWorks Firmware WRT54Gv8rdquo
devttyS0
15
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoDigging Inside the VxWorks OS and Firmware The
Holistic Securityrdquo
Aditya K Sood (0kn0ck) ndash SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
AGENDA
Introduction to VxWorks amp previous researches
Inside VxWorks
Memory management amp protections
From fuzzing to exploit RPC Integer Overflow RCE
Conclusion
3
INTRODUCTION
4
WHATrsquoS VXWORKS
1 Embedded devices RTOS
Claimed gt 15 billions devices
developed by Wind River
supports lot of CPU architectures
SOME STATS
6
WHATrsquoS VXWORKS
1987
bull First release
bull 32 bits processing
1990rsquos
bull VxWorks 5 released
bull 1st RTOS w network stack
2000rsquos
bull VxWorks 6x (12-2004)
bull Security improvements (RTPs no more task shared memory)
2014
bull VxWorks 7x (02-2014)
bull 64bits more security improvements
SOME CUSTOMERS
8
ldquo
rdquo
The Real-Time Operating System for the Internet of ThingsPowering billions of intelligent devices VxWorksreg delivers an industry-leading combination of scalability safety security and virtualization capabilities to meet next-generation requirements
Windriver VxWorks product
9
VXWORKS amp SECURITY
Source httpwwwcvedetailscomproduct15063Windriver-Vxworkshtmlvendor_id=9510
VXWORKS amp SECURITY
Wind River treatsVxWorks security seriously
Partnership with McAffee in Feb 2011
Source httpwwwwindrivercomnewspressprhtmlID=8801
VXWORKS amp SECURITY
Wind River treats VxWorks security seriously
Partnership with McAffee in Feb 2011
6x introduced some memory protections
7x improved way further
Digitally signed modules (X509)
Encryption
Centralized user database
Password management (SHA-256 algorithm)
Ability to createdelete users at run time
Encrypted data storage
PREVIOUS RESEARCHES
amp INSPIRATIONS
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoShiny Old VxWorks Vulnerabilitiesrdquo
HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy
rainbow table containing around 200k hashed
passwords
14
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoReverse Engineering VxWorks Firmware WRT54Gv8rdquo
devttyS0
15
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoDigging Inside the VxWorks OS and Firmware The
Holistic Securityrdquo
Aditya K Sood (0kn0ck) ndash SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
WHATrsquoS VXWORKS
1987
bull First release
bull 32 bits processing
1990rsquos
bull VxWorks 5 released
bull 1st RTOS w network stack
2000rsquos
bull VxWorks 6x (12-2004)
bull Security improvements (RTPs no more task shared memory)
2014
bull VxWorks 7x (02-2014)
bull 64bits more security improvements
SOME CUSTOMERS
8
ldquo
rdquo
The Real-Time Operating System for the Internet of ThingsPowering billions of intelligent devices VxWorksreg delivers an industry-leading combination of scalability safety security and virtualization capabilities to meet next-generation requirements
Windriver VxWorks product
9
VXWORKS amp SECURITY
Source httpwwwcvedetailscomproduct15063Windriver-Vxworkshtmlvendor_id=9510
VXWORKS amp SECURITY
Wind River treatsVxWorks security seriously
Partnership with McAffee in Feb 2011
Source httpwwwwindrivercomnewspressprhtmlID=8801
VXWORKS amp SECURITY
Wind River treats VxWorks security seriously
Partnership with McAffee in Feb 2011
6x introduced some memory protections
7x improved way further
Digitally signed modules (X509)
Encryption
Centralized user database
Password management (SHA-256 algorithm)
Ability to createdelete users at run time
Encrypted data storage
PREVIOUS RESEARCHES
amp INSPIRATIONS
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoShiny Old VxWorks Vulnerabilitiesrdquo
HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy
rainbow table containing around 200k hashed
passwords
14
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoReverse Engineering VxWorks Firmware WRT54Gv8rdquo
devttyS0
15
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoDigging Inside the VxWorks OS and Firmware The
Holistic Securityrdquo
Aditya K Sood (0kn0ck) ndash SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
NULL pointer usage detection
(figure: address space with the page at 0x00000000 marked -r-w-x)
26
MEMORY PROTECTION: HEAP BLOCK OVERRUN DETECTION, USAGE TRACKING & LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
…
29
FUZZING
Used the Sulley fuzzing framework
Problem: no accurate crash detection available
Solution: using WdbRPC
30
WHAT'S WDB RPC
Debugging interface
Service running on port UDP/17185
Based on the SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
(diagram: on the HOST, the Shell, Debugger, Browser and other tools are connected via WTX to the Target Server; on the VxWorks side the Target Agent sits inside the OS; Target Server and Target Agent speak WDB)
32
WDB PROTOCOL V2: CALL SENT BY TARGET SERVER
IP header (20 bytes) | UDP header (8 bytes) | RPC Request Header (40 bytes) | WDB Param Wrapper (12 bytes) | XDR-encoded parameters
WDB Param Wrapper (XDR-encoded stream): Checksum (4 bytes) | Length (4 bytes) | Sequence (4 bytes)
33
WDB PROTOCOL V2: REPLY SENT BY TARGET AGENT
IP header (20 bytes) | UDP header (8 bytes) | RPC Reply Header (24 bytes) | WDB Param Wrapper (12 bytes) | XDR-encoded parameters
WDB Param Wrapper (XDR-encoded stream): Checksum (4 bytes) | Length (4 bytes) | Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDB / VXWORKS 5.X
(slides 35-42: sequence diagrams of HOST and TARGET exchanging CALL / REPLY pairs)
42
STEPS FOR PROCESS MONITORING USING WDB / VXWORKS 6.X
(diagram: HOST and TARGET exchanging CALL / REPLY pairs …)
Gopher: small interpreted language
Two objects: pointer and tape
Result of the eval stored in the tape
Tape content returned to the host
More info on Gopher
43
STEPS FOR PROCESS MONITORING USING WDB / VXWORKS 6.X
(diagram: HOST and TARGET exchanging CALL / REPLY pairs …)
Host reads the pointed memory addresses
44
CRASH DETECTION (slides 45-47, HOST / TARGET sequence diagram)
Target sends event notification
Host acknowledges
Host asks for more information (registers content, memory area, …)
47
WDBRPC FRAMEWORK
Python 2.7
Supports VxWorks 5.x and 6.x
Partially implements the WDBRPC protocol
Implements a basic remote debugger: WdbDbg
48
WDBRPC FRAMEWORK
Some external dependencies:
PyElfTools: reads the imports from the VxWorks image
Capstone Engine: disassembles the code around the crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitor.py script coming with Sulley
Implementation:
DebuggerThread instantiates WdbDbg and implements the callback to call when a crash occurs
ProcessMonitorPedRPCServer interfaces with Sulley's ped-rpc routines
VxMon wraps everything
51
FUZZING
(diagram: the Sulley Fuzzer sends test cases to the VxWorks Target; the VxWorks Process Monitor (WdbDbg) talks to Sulley over PED RPC and to the target over WDB RPC)
52
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field: credential flavor
When set to a negative value => PC is set to an arbitrary memory value
54
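The two datagram layouts drawn on slides 33 and 34, together with the credential-flavor finding above, turned into a monitor-side decoder as an added example: this is Python 3 written here, not the talk's Python 2.7 WdbDbg framework. The SUN-RPC header field order, the portmap program number and the 400-byte opaque_auth bound come from RFC 5531 / RFC 1833 rather than from the slides; the WDB checksum algorithm and what its length field counts are not on the slides and are treated as unknown.

```python
"""Decoder for the RPC / WDB datagram layouts on slides 33 and 34, plus a
check for the crash trigger from slide 54 (negative credential flavor).

Added example, not code from the talk or the WdbDbg framework.  Assumptions
not stated on the slides: the 40-byte RPC request header is the standard
SUN-RPC call header (RFC 5531) with AUTH_NULL credentials, the 24-byte reply
header is the standard accepted-reply header, and the WDB param wrapper is
three big-endian 32-bit words in the order the slide lists them.  The WDB
checksum algorithm is not on the slides, so it is decoded but never verified.
"""
import struct

PORTMAP_PORT = 111        # portmap, the fuzzing target that crashed
WDB_PORT = 17185          # WDB target agent (UDP), slide 31
RPC_CALL, RPC_REPLY = 0, 1
PORTMAP_PROG = 100000     # portmap program number (RFC 1833)
MAX_OPAQUE_AUTH = 400     # RFC 5531 upper bound for an opaque_auth body

CALL_FIELDS = ("xid", "msg_type", "rpc_version", "program", "version",
               "procedure", "cred_flavor", "cred_length",
               "verf_flavor", "verf_length")
REPLY_FIELDS = ("xid", "msg_type", "reply_stat",
                "verf_flavor", "verf_length", "accept_stat")


def parse_rpc_call(payload):
    """Decode the 40-byte request header as signed words, so a credential
    flavor the fuzzer set negative actually reads as negative."""
    if len(payload) < 40:
        raise ValueError("short RPC call header")
    hdr = dict(zip(CALL_FIELDS, struct.unpack(">10i", payload[:40])))
    if hdr["msg_type"] != RPC_CALL:
        raise ValueError("not an RPC CALL")
    return hdr


def parse_rpc_reply(payload):
    """Decode the 24-byte reply header."""
    if len(payload) < 24:
        raise ValueError("short RPC reply header")
    hdr = dict(zip(REPLY_FIELDS, struct.unpack(">6i", payload[:24])))
    if hdr["msg_type"] != RPC_REPLY:
        raise ValueError("not an RPC REPLY")
    return hdr


def parse_wdb_wrapper(payload, offset, is_reply):
    """Decode the 12-byte WDB param wrapper that follows the RPC header:
    checksum, length, then sequence (call) or error code (reply).  Whatever
    follows the wrapper is the XDR-encoded parameter stream."""
    if len(payload) < offset + 12:
        raise ValueError("short WDB param wrapper")
    checksum, length, third = struct.unpack(">IIi", payload[offset:offset + 12])
    wrapper = {"checksum": checksum, "length": length,
               "params": payload[offset + 12:]}
    wrapper["error_code" if is_reply else "sequence"] = third
    return wrapper


def inspect_call(dst_port, payload):
    """Return the anomalies a passive monitor should flag for one RPC call."""
    findings = []
    try:
        hdr = parse_rpc_call(payload)
    except ValueError as exc:
        return ["undecodable: %s" % exc]
    if hdr["cred_flavor"] < 0:                      # the slide-54 crash trigger
        findings.append("negative credential flavor %d" % hdr["cred_flavor"])
    for name in ("cred_length", "verf_length"):
        if not 0 <= hdr[name] <= MAX_OPAQUE_AUTH:
            findings.append("%s %d outside RFC 5531 range" % (name, hdr[name]))
    if dst_port == WDB_PORT:
        # WDB is a debug interface with direct memory access (slide 31), so
        # every call to it is worth recording, not only malformed ones.
        try:
            seq = parse_wdb_wrapper(payload, 40, is_reply=False)["sequence"]
            findings.append("WDB RPC call, sequence %d" % seq)
        except ValueError as exc:
            findings.append("undecodable WDB wrapper: %s" % exc)
    return findings


def build_portmap_call(xid, cred_flavor, procedure=3):
    """Constructed sample: portmap CALL (PMAPPROC_GETPORT = 3), AUTH_NULL."""
    return struct.pack(">10i", xid, RPC_CALL, 2, PORTMAP_PROG, 2, procedure,
                       cred_flavor, 0, 0, 0)


def build_wdb_datagram(xid, third_word, params, is_reply=False):
    """Constructed sample WDB call or reply.  Program and procedure numbers
    are placeholders (0); the checksum is left 0 and the length is taken as
    wrapper plus parameters, both assumptions since neither is on the slides."""
    if is_reply:
        header = struct.pack(">6i", xid, RPC_REPLY, 0, 0, 0, 0)
    else:
        header = struct.pack(">10i", xid, RPC_CALL, 2, 0, 0, 0, 0, 0, 0, 0)
    wrapper = struct.pack(">IIi", 0, 12 + len(params), third_word)
    return header + wrapper + params
```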
CRASH ANALYSIS
(slides 55-61: debugger screenshots of the crash)
O_o
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on the 23rd
Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable
Wind River is providing patches
Every VxWorks customer should check the Knowledge Library for details
On Sept 9th 2015 I've been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
All memory protections bypassed / defeated
Backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon Quantum PLC runs VxWorks and has port 111 open
(https://www.digitalbond.com/tools/basecamp/schneider-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible to a ring buffer overflow when accessed at high speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when it receives a specially crafted username and password: network stack down
69
CONCLUSION
Wind River takes VxWorks' security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and WDB-over-serial implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next weeks here:
https://bitbucket.org/yformaggio/wdbdbg
Exploit code will not be released unless explicit authorisation is given
72
QUESTIONS
73
THANKS
LINKS
http://www.vxdev.com/docs/vx55man/tornado-api/wdbpcl/wdb.html
http://www.uio.no/[...]/vxworks_architecture_supplement_6.2.pdf
http://www.uio.no/[...]/vxworks_kernel_programmers_guide_6.2.pdf
http://cimsol-mc.sourceforge.net/files/vxworks/VxWorks60.pdf
Digging Inside the VxWorks OS and Firmware: The Holistic Security
HD Moore - Fun with VxWorks
75
PREVIOUS RESEARCH & INSPIRATIONS
"Shiny Old VxWorks Vulnerabilities"
HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy: rainbow table containing around 200k hashed passwords
14
PREVIOUS RESEARCH & INSPIRATIONS
"Reverse Engineering VxWorks Firmware: WRT54Gv8"
/dev/ttyS0
15
PREVIOUS RESEARCH & INSPIRATIONS
"Digging Inside the VxWorks OS and Firmware: The Holistic Security"
Aditya K Sood (0kn0ck), SecNiche Security Lab
WDB debugging interface (again)
OS security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
ldquo
rdquo
The Real-Time Operating System for the Internet of ThingsPowering billions of intelligent devices VxWorksreg delivers an industry-leading combination of scalability safety security and virtualization capabilities to meet next-generation requirements
Windriver VxWorks product
9
VXWORKS amp SECURITY
Source httpwwwcvedetailscomproduct15063Windriver-Vxworkshtmlvendor_id=9510
VXWORKS amp SECURITY
Wind River treatsVxWorks security seriously
Partnership with McAffee in Feb 2011
Source httpwwwwindrivercomnewspressprhtmlID=8801
VXWORKS amp SECURITY
Wind River treats VxWorks security seriously
Partnership with McAffee in Feb 2011
6x introduced some memory protections
7x improved way further
Digitally signed modules (X509)
Encryption
Centralized user database
Password management (SHA-256 algorithm)
Ability to createdelete users at run time
Encrypted data storage
PREVIOUS RESEARCHES
amp INSPIRATIONS
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoShiny Old VxWorks Vulnerabilitiesrdquo
HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy
rainbow table containing around 200k hashed
passwords
14
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoReverse Engineering VxWorks Firmware WRT54Gv8rdquo
devttyS0
15
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoDigging Inside the VxWorks OS and Firmware The
Holistic Securityrdquo
Aditya K Sood (0kn0ck) ndash SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
VXWORKS amp SECURITY
Source httpwwwcvedetailscomproduct15063Windriver-Vxworkshtmlvendor_id=9510
VXWORKS amp SECURITY
Wind River treatsVxWorks security seriously
Partnership with McAffee in Feb 2011
Source httpwwwwindrivercomnewspressprhtmlID=8801
VXWORKS amp SECURITY
Wind River treats VxWorks security seriously
Partnership with McAffee in Feb 2011
6x introduced some memory protections
7x improved way further
Digitally signed modules (X509)
Encryption
Centralized user database
Password management (SHA-256 algorithm)
Ability to createdelete users at run time
Encrypted data storage
PREVIOUS RESEARCHES
amp INSPIRATIONS
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoShiny Old VxWorks Vulnerabilitiesrdquo
HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy
rainbow table containing around 200k hashed
passwords
14
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoReverse Engineering VxWorks Firmware WRT54Gv8rdquo
devttyS0
15
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoDigging Inside the VxWorks OS and Firmware The
Holistic Securityrdquo
Aditya K Sood (0kn0ck) ndash SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon Quantum PLC runs VxWorks and has port 111 open
(https://www.digitalbond.com/tools/basecamp/schneider-modicon-quantum)
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open
FUN FACT
MORE BUGS FOUND DURING FUZZING
The FTP server is susceptible to a ring buffer overflow when accessed at high speed
The FTP server crashes when it receives a specially crafted username and password: the network stack goes down
CONCLUSION
Wind River takes VxWorks' security seriously
Implemented a lot of memory protections
Defeated by a simple integer overflow bug
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and WDB-over-serial implementation
Continuing to find bugs
CODE RELEASE
The WdbDbg framework should be released in the next weeks here:
https://bitbucket.org/yformaggio/wdbdbg
Exploit code will not be released unless explicit authorisation is given
QUESTIONS
THANKS
LINKS
http://www.vxdev.com/docs/vx55man/tornado-api/wdbpcl/wdb.html
http://www.uio.no/[]/vxworks_architecture_supplement_6.2.pdf
http://www.uio.no/[]/vxworks_kernel_programmers_guide_6.2.pdf
http://cimsol-mc.sourceforge.net/files/vxworks/VxWorks60.pdf
Digging Inside the VxWorks OS and Firmware: The Holistic Security
HD Moore - Fun with VxWorks
PREVIOUS RESEARCH & INSPIRATIONS
"Shiny Old VxWorks Vulnerabilities", HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy: rainbow table containing around 200k hashed passwords
"Reverse Engineering VxWorks Firmware: WRT54Gv8", devttyS0
"Digging Inside the VxWorks OS and Firmware: The Holistic Security", Aditya K Sood (0kn0ck), SecNiche Security Lab
WDB debugging interface (again)
OS security
INSIDE VXWORKS: MEMORY LAYOUT & PROTECTIONS
X86 MEMORY LAYOUT (UPPER MEMORY)
Offsets are relative to LOCAL_MEM_LOCAL_ADRS; the slide's key marks each region as available or reserved.
+ 0x0000    IDT (2 KB): Interrupt Descriptor (Vector) Table
+ 0x800     GDT
+ 0x1100    SM Anchor
+ 0x1200    Boot Line
+ 0x1300    Exception message: ASCII string for the fatal exception message
+ 0x2000    FD DMA Area
+ 0x5000
+ 0xa0000   (no memory)
+ 0x100000  Initial Stack
+ 0x108000  System Image: VxWorks image entry point
_end        WDB Memory Pool: WDB shared memory
            Interrupt stack
            System Memory Pool
...         sysMemTop()
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to the virtual memory support
Non-MMU-based protections: Heap Error Detection
MEMORY PROTECTION
Task stack overrun and underrun detection
Interrupt stack overrun and underrun detection
[Diagram: stack pages with a guard page at the start and at the stop of the stack]
MEMORY PROTECTION
Non-executable task stacks & non-writable text segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
[Diagram: program pages, TEXT mapped read-only, DATA (raw data) mapped r+w]
MEMORY PROTECTION
NULL pointer usage detection
[Diagram: address space with the page at 0x00000000 marked -r-w-x]
MEMORY PROTECTION: HEAP BLOCK OVERRUN DETECTION, USAGE TRACKING & LEAKAGE DETECTION
FROM FUZZING TO EXPLOIT
FUZZING TARGETS
Network protocols: Portmap (RPC), FTP, TFTP, NTP, ...
FUZZING
Used the Sulley fuzzing framework
Problem: no accurate crash detection available
Solution: using WDB RPC
WHAT'S WDB RPC?
Debugging interface
Service running on port UDP/17185
Based on the SUN-RPC protocol
Provides direct access to system memory
WDB PROTOCOL V2
[Architecture diagram: on the host, the Shell, Debugger, Browser and other tools talk WTX to the Target Server, which talks WDB to the Target Agent running inside the VxWorks OS]
WDB PROTOCOL V2: CALL SENT BY THE TARGET SERVER
IP header (20 bytes)
UDP header (8 bytes)
RPC request header (40 bytes)
XDR-encoded stream:
  WDB param wrapper (12 bytes): checksum (4 bytes), length (4 bytes), sequence (4 bytes)
  XDR-encoded parameters
WDB PROTOCOL V2: REPLY SENT BY THE TARGET AGENT
IP header (20 bytes)
UDP header (8 bytes)
RPC reply header (24 bytes)
XDR-encoded stream:
  WDB param wrapper (12 bytes): checksum (4 bytes), length (4 bytes), error code (4 bytes)
  XDR-encoded parameters
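As an added example (not code from the talk or from the WdbDbg framework), the Python below decodes the 40-byte RPC call header and the 12-byte WDB parameter wrapper laid out above, and applies to the credential flavor field the check the crash analysis of the portmap task calls for, run over constructed datagrams. It assumes AUTH_NULL credentials and verifiers (so the call header is exactly 40 bytes), uses a placeholder WDB program number, and reports the wrapper checksum without verifying it because the slides give the layout, not the algorithm.

```python
import struct

RPC_CALL = 0              # msg_type of an RPC call
RPC_VERSION = 2
RPC_HEADER_LEN = 40       # call header with AUTH_NULL cred and verf (slide: 40 bytes)
WDB_WRAPPER_LEN = 12      # checksum, length, sequence (slide: 12 bytes)
WDB_PORT = 17185          # WDB agent port from the slides (UDP)
PORTMAP_PORT = 111
PORTMAP_PROG = 100000     # standard portmap program number (RFC 1057)

# Standard SUN-RPC credential flavors; anything else is unexpected on the wire
KNOWN_FLAVORS = {0: "AUTH_NONE", 1: "AUTH_SYS", 2: "AUTH_SHORT", 3: "AUTH_DH", 6: "RPCSEC_GSS"}

# Hypothetical placeholder: the real WDB program number is not given on the page
WDB_PROG_PLACEHOLDER = 0x0BADC0DE


def parse_call_header(data):
    """Decode the 40-byte RPC call header into a dict.

    The credential flavor is read as a signed 32-bit int on purpose: that is
    how a C implementation keeping it in an `int` sees a value with the top
    bit set, which is the case the crash analysis describes.
    """
    if len(data) < RPC_HEADER_LEN:
        raise ValueError("datagram shorter than an RPC call header")
    fields = struct.unpack_from(">IIIIIIiIiI", data, 0)
    names = ("xid", "msg_type", "rpcvers", "prog", "vers", "proc",
             "cred_flavor", "cred_len", "verf_flavor", "verf_len")
    hdr = dict(zip(names, fields))
    if hdr["msg_type"] != RPC_CALL:
        raise ValueError("not an RPC CALL message")
    if hdr["rpcvers"] != RPC_VERSION:
        raise ValueError("unsupported RPC version %d" % hdr["rpcvers"])
    return hdr


def parse_wdb_wrapper(data, offset=RPC_HEADER_LEN):
    """Decode the 12-byte WDB parameter wrapper that follows the RPC header.

    The checksum is reported, not verified: the slides give the field layout
    but not the checksum algorithm.
    """
    if len(data) < offset + WDB_WRAPPER_LEN:
        raise ValueError("datagram too short for a WDB parameter wrapper")
    checksum, length, sequence = struct.unpack_from(">III", data, offset)
    return {"checksum": checksum, "length": length, "sequence": sequence,
            "xdr_params": data[offset + WDB_WRAPPER_LEN:]}


def flavor_check_vulnerable(flavor, table_size=4):
    """The bug class behind the crash: an upper-bound-only check on a signed
    flavor lets negative values through, so a later handlers[flavor] lookup
    in C reads far before the table."""
    return flavor < table_size


def flavor_check_hardened(flavor):
    """Accept only the flavors the server actually implements."""
    return flavor in KNOWN_FLAVORS


def classify_datagram(dst_port, data):
    """Defender-side triage of one UDP payload; returns a list of findings."""
    findings = []
    try:
        hdr = parse_call_header(data)
        wrapper = parse_wdb_wrapper(data) if dst_port == WDB_PORT else None
    except ValueError as exc:
        return ["malformed RPC call: %s" % exc]
    if wrapper is not None:
        # Any WDB traffic means the debug agent is reachable over the network
        findings.append("WDB debug agent traffic (seq %d, %d bytes of params)"
                        % (wrapper["sequence"], len(wrapper["xdr_params"])))
    if not flavor_check_hardened(hdr["cred_flavor"]):
        findings.append("unexpected credential flavor %d" % hdr["cred_flavor"])
    if hdr["cred_flavor"] < 0 and flavor_check_vulnerable(hdr["cred_flavor"]):
        findings.append("negative credential flavor: matches the portmap crash signature")
    return findings


def build_call(xid, prog, vers, proc, cred_flavor, body=b""):
    """Constructed sample datagram: RPC call header with AUTH_NULL cred/verf."""
    return struct.pack(">IIIIIIiIiI", xid, RPC_CALL, RPC_VERSION, prog, vers,
                       proc, cred_flavor, 0, 0, 0) + body


# Constructed samples (not captured traffic); the portmap body is a GETPORT query
SAMPLE_WDB_CALL = build_call(1, WDB_PROG_PLACEHOLDER, 1, 1, 0,
                             struct.pack(">III", 0xBEEF, 16, 7) + b"\x00" * 4)
SAMPLE_PORTMAP_OK = build_call(2, PORTMAP_PROG, 2, 3, 0,
                               struct.pack(">IIII", 100003, 2, 17, 0))
SAMPLE_PORTMAP_BAD = build_call(3, PORTMAP_PROG, 2, 3, -0x10000,
                                struct.pack(">IIII", 100003, 2, 17, 0))
SAMPLE_TRUNCATED = SAMPLE_PORTMAP_OK[:20]

if __name__ == "__main__":
    for port, sample in ((WDB_PORT, SAMPLE_WDB_CALL), (PORTMAP_PORT, SAMPLE_PORTMAP_OK),
                         (PORTMAP_PORT, SAMPLE_PORTMAP_BAD), (PORTMAP_PORT, SAMPLE_TRUNCATED)):
        print(port, classify_datagram(port, sample) or ["ok"])
```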
STEPS FOR PROCESS MONITORING USING WDB (VXWORKS 5.X)
[Sequence diagrams: a series of CALL / REPLY exchanges between the host and the target]
STEPS FOR PROCESS MONITORING USING WDB (VXWORKS 6.X)
[Sequence diagram: CALL / REPLY exchanges between the host and the target, continued]
Gopher: a small interpreted language
Two objects: pointer and tape
The result of the eval is stored in the tape
The tape content is returned to the host
More info on Gopher
Host reads the pointed memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
VXWORKS amp SECURITY
Wind River treats VxWorks security seriously
Partnership with McAffee in Feb 2011
6x introduced some memory protections
7x improved way further
Digitally signed modules (X509)
Encryption
Centralized user database
Password management (SHA-256 algorithm)
Ability to createdelete users at run time
Encrypted data storage
PREVIOUS RESEARCHES
amp INSPIRATIONS
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoShiny Old VxWorks Vulnerabilitiesrdquo
HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy
rainbow table containing around 200k hashed
passwords
14
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoReverse Engineering VxWorks Firmware WRT54Gv8rdquo
devttyS0
15
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoDigging Inside the VxWorks OS and Firmware The
Holistic Securityrdquo
Aditya K Sood (0kn0ck) ndash SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
PREVIOUS RESEARCHES
amp INSPIRATIONS
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoShiny Old VxWorks Vulnerabilitiesrdquo
HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy
rainbow table containing around 200k hashed
passwords
14
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoReverse Engineering VxWorks Firmware WRT54Gv8rdquo
devttyS0
15
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoDigging Inside the VxWorks OS and Firmware The
Holistic Securityrdquo
Aditya K Sood (0kn0ck) ndash SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoShiny Old VxWorks Vulnerabilitiesrdquo
HD Moore (2010)
4 Metasploit modules targeting WDB RPC
Weak password hash entropy
rainbow table containing around 200k hashed
passwords
14
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoReverse Engineering VxWorks Firmware WRT54Gv8rdquo
devttyS0
15
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoDigging Inside the VxWorks OS and Firmware The
Holistic Securityrdquo
Aditya K Sood (0kn0ck) ndash SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDB / VXWORKS 6.X
[Figure, slide 43: CALL / REPLY exchange between HOST and TARGET]
Gopher: small interpreted language
Two objects: pointer and tape
Result of the eval stored in tape
Tape content returned to the host
More info on Gopher …
STEPS FOR PROCESS MONITORING USING WDB / VXWORKS 6.X
[Figure, slide 44: CALL / REPLY exchange between HOST and TARGET, continued]
Host reads the pointed memory addresses
CRASH DETECTION
[Figure, slides 45-47: HOST / TARGET exchange]
Target sends event notification
Host acknowledges
Host asks for more information (registers content, memory area, …)
WDBRPC FRAMEWORK
Python 2.7
Supports VxWorks 5.x and 6.x
Partially implements the WDBRPC protocol
Implements a basic remote debugger: WdbDbg
48-49
WDBRPC FRAMEWORK
Some external dependencies
PyElfTools: reads the imports from the VxWorks image
Capstone Engine: disassembles the code around the crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitor.py script shipped with Sulley
Implementation
DebuggerThread: instantiates WdbDbg and implements the callback to call when a crash occurs
ProcessMonitorPedRPCServer: interfaces with Sulley's ped-rpc routines
VxMon: wraps everything
51
FUZZING
52
[Figure: the Sulley Fuzzer sends test cases to the VxWorks Target; the VxWorks Process Monitor (WdbDbg) talks PED RPC with Sulley and WDB RPC with the target]
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field: credential flavor
When set to a negative value => PC is set to an arbitrary memory value
54
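As an added example (not the talk's or the WdbDbg framework's code), the call layout from the WDB PROTOCOL V2 slides and the credential-flavor field from the crash analysis dissected in Python: a parser for the 40-byte SUN-RPC call header and the 12-byte WDB wrapper, plus a check that flags a negative credential flavor in portmap traffic. The WDB RPC program number, the GETPORT argument layout and all sample packets are assumptions or constructed; the wrapper checksum is left opaque because the slides do not give its algorithm.

```python
"""Dissector for the 40-byte SUN-RPC call header (portmap on UDP/111, WDB on UDP/17185) and the
12-byte WDB parameter wrapper (checksum, length, sequence); added example, not the talk's code."""
import struct
from dataclasses import dataclass
from typing import List

RPC_CALL = 0                  # XDR msg_type of a call
RPC_CALL_HEADER_LEN = 40      # "RPC Request Header (40 bytes)": null credentials and verifier
WDB_WRAPPER_LEN = 12          # "WDB Param Wrapper (12 bytes)"
WDB_UDP_PORT = 17185          # "Service running on port UDP/17185"
PORTMAP_PROGRAM = 100000      # standard portmapper program number
MAX_AUTH_BODY = 400           # RFC 5531 bound on an opaque_auth body
WDB_RPC_PROGRAM = 0x55555555  # assumed program number of the WDB agent; not given on the slides

@dataclass
class RpcCallHeader:
    xid: int
    msg_type: int
    rpc_version: int
    program: int
    version: int
    procedure: int
    cred_flavor: int   # decoded as a signed 32-bit XDR int so a negative flavor shows as negative
    cred_length: int
    verf_flavor: int
    verf_length: int

@dataclass
class WdbCall:
    rpc: RpcCallHeader
    checksum: int      # wrapper word 1, kept opaque: the slides do not give the algorithm
    length: int        # wrapper word 2
    sequence: int      # wrapper word 3
    params: bytes      # XDR-encoded procedure parameters

def parse_rpc_call_header(data: bytes) -> RpcCallHeader:
    """Decode the fixed 40-byte SUN-RPC call header (XDR: big-endian 32-bit words)."""
    if len(data) < RPC_CALL_HEADER_LEN:
        raise ValueError("truncated RPC call header (%d bytes)" % len(data))
    hdr = RpcCallHeader(*struct.unpack("!IIIIIIiIII", data[:RPC_CALL_HEADER_LEN]))
    if hdr.msg_type != RPC_CALL:
        raise ValueError("not an RPC CALL (msg_type=%d)" % hdr.msg_type)
    return hdr

def parse_wdb_call(payload: bytes) -> WdbCall:
    """Split a UDP/17185 payload into RPC header, WDB wrapper and XDR parameters."""
    hdr = parse_rpc_call_header(payload)
    end = RPC_CALL_HEADER_LEN + WDB_WRAPPER_LEN
    if len(payload) < end:
        raise ValueError("truncated WDB parameter wrapper")
    checksum, length, sequence = struct.unpack("!III", payload[RPC_CALL_HEADER_LEN:end])
    return WdbCall(hdr, checksum, length, sequence, payload[end:])

def rpc_header_findings(hdr: RpcCallHeader) -> List[str]:
    """Flag the negative credential flavor from the crash analysis plus two generic sanity bounds."""
    findings = []
    if hdr.cred_flavor < 0:
        findings.append("negative credential flavor (%d)" % hdr.cred_flavor)
    if hdr.cred_length > MAX_AUTH_BODY or hdr.verf_length > MAX_AUTH_BODY:
        findings.append("auth body longer than %d bytes" % MAX_AUTH_BODY)
    if hdr.rpc_version != 2:
        findings.append("unexpected RPC version %d" % hdr.rpc_version)
    return findings

def build_rpc_call_header(xid: int, program: int, version: int, procedure: int,
                          cred_flavor: int = 0) -> bytes:
    """Build a call header with null credentials and verifier (used only for test input)."""
    return struct.pack("!IIIIIIiIII", xid, RPC_CALL, 2, program, version, procedure,
                       cred_flavor, 0, 0, 0)

def dissect(payload: bytes, udp_dport: int) -> dict:
    """Choose the dissector by destination port and report the fields plus findings."""
    if udp_dport == WDB_UDP_PORT:
        call = parse_wdb_call(payload)
        return {"rpc": call.rpc, "wdb_length": call.length, "wdb_sequence": call.sequence,
                "param_bytes": len(call.params), "findings": rpc_header_findings(call.rpc)}
    hdr = parse_rpc_call_header(payload)
    return {"rpc": hdr, "findings": rpc_header_findings(hdr)}

# Constructed samples, not captures from a device.
# A portmap GETPORT call (procedure 3) asking for program 100000, version 2, UDP (protocol 17):
PORTMAP_GETPORT = (build_rpc_call_header(0x1234, PORTMAP_PROGRAM, 2, 3)
                   + struct.pack("!IIII", PORTMAP_PROGRAM, 2, 17, 0))
# The same call with a negative credential flavor (-1), the anomaly the crash analysis names,
# included only to exercise the check:
PORTMAP_GETPORT_NEG_FLAVOR = (build_rpc_call_header(0x1235, PORTMAP_PROGRAM, 2, 3, cred_flavor=-1)
                              + struct.pack("!IIII", PORTMAP_PROGRAM, 2, 17, 0))
# A WDB call: RPC header, wrapper (checksum 0xBEEF, length 60 = 40 + 12 + 8, sequence 7)
# and 8 bytes of XDR parameters (an address and a count, chosen as an example):
WDB_CALL = (build_rpc_call_header(0x42, WDB_RPC_PROGRAM, 2, 1)
            + struct.pack("!III", 0xBEEF, 60, 7) + struct.pack("!II", 0x100000, 16))

if __name__ == "__main__":
    for name, pkt, port in (("portmap", PORTMAP_GETPORT, 111),
                            ("portmap neg flavor", PORTMAP_GETPORT_NEG_FLAVOR, 111),
                            ("wdb", WDB_CALL, WDB_UDP_PORT)):
        print(name, dissect(pkt, port)["findings"])
```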
CRASH ANALYSIS
[Slides 55-61: crash analysis figures]
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on the 23rd
Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable
Wind River is providing patches
Every VxWorks customer should check the Knowledge Library for details
On Sept 9th 2015 I've been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypassed/defeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon Quantum PLC runs VxWorks and has port 111 open
(https://www.digitalbond.com/tools/basecamp/schneider-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible to a ring buffer overflow when accessed at high speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when it receives a specially crafted username and password:
network stack down
69
CONCLUSION
WindRiver takes VxWorks' security seriously
Implemented a lot of memory protections
Defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and WDB-over-serial implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next weeks here:
https://bitbucket.org/yformaggio/wdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
PREVIOUS RESEARCH & INSPIRATIONS
"Reverse Engineering VxWorks Firmware: WRT54Gv8"
/dev/ttyS0
15
PREVIOUS RESEARCH & INSPIRATIONS
"Digging Inside the VxWorks OS and Firmware: The Holistic Security"
Aditya K Sood (0kn0ck) – SecNiche Security Lab
WDB debugging interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT & PROTECTIONS
17
X86 MEMORY LAYOUT: UPPER MEMORY
Address                        Region
0x0000 + LOCAL_MEM_LOCAL_ADRS  IDT (2KB)
+ 0x800                        GDT
+ 0x1100                       SM Anchor
+ 0x1200                       Boot Line
+ 0x1300                       Exception message
+ 0x2000                       FD DMA Area
+ 0x5000
+ 0xa0000                      (no memory)
+ 0x100000                     Initial Stack
+ 0x108000                     System Image
_end                           WDB Memory Pool
                               Interrupt stack
                               System Memory Pool
… sysMemTop()
KEY: Available / Reserved
Callouts (slides 19-22):
IDT: Interrupt Descriptor/Vector Table
Exception message: ASCII string for the fatal exception message
System Image: VxWorks image entry point
WDB Memory Pool: WDB shared memory
18-22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to the virtual memory support
Non-MMU-based protections: Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
PREVIOUS RESEARCH amp INSPIRATIONS
ldquoDigging Inside the VxWorks OS and Firmware The
Holistic Securityrdquo
Aditya K Sood (0kn0ck) ndash SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
INSIDE VXWORKS
MEMORY LAYOUT amp PROTECTIONS
17
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
X86 MEMORY LAYOUT UPPER MEMORY
IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
18
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
19
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 6.X
[Figure: CALL/REPLY exchange between HOST and TARGET (…)]
Gopher: small interpreted language
Two objects: pointer and tape
Result of the eval stored in tape
Tape content returned to the host
More info on Gopher
43
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 6.X
[Figure: CALL/REPLY exchange between HOST and TARGET (…)]
Host reads the pointed memory addresses
44
CRASH DETECTION
[Figure: HOST / TARGET exchange, built up over slides 45 to 47]
Target sends event notification
Host acknowledges
Host asks for more information (register contents, memory areas, …)
45-47
WDB RPC FRAMEWORK
Python 2.7
Supports VxWorks 5.x and 6.x
Partially implements the WDB RPC protocol
Implements a basic remote debugger: WdbDbg
48-49
WDB RPC FRAMEWORK
Some external dependencies:
PyElfTools: reads the imports from the VxWorks image
Capstone Engine: disassembles the code around the crash area
50
INTERFACING WITH SULLEY
Inspired by the process_monitor.py script that ships with Sulley
Implementation:
DebuggerThread instantiates WdbDbg and implements the callback to call when a crash occurs
ProcessMonitorPedRPCServer interfaces with Sulley's ped-rpc routines
VxMon wraps everything
51
FUZZING
[Figure: the Sulley fuzzer sends test cases to the VxWorks target; the VxWorks process monitor (WdbDbg) talks PED RPC to Sulley and WDB RPC to the target]
52
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field: credential flavor
When set to a negative value => PC is set to an arbitrary memory value
54
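The call and reply layouts from slides 33 and 34, together with the negative credential flavor from slide 54, as an added Python example that is not WdbDbg code and not part of the original deck: it parses one UDP payload into the RPC header and the 12-byte WDB wrapper and reports what a network monitor would want flagged. The WDB program number 0x55555555 and the procedure names come from VxWorks wdb.h rather than the slides; the sample datagrams are constructed, their checksum field is a placeholder because the slides do not give the algorithm, and what the wrapper length counts is treated as unknown.

```python
"""Parser for the datagram layout on slides 33/34 (SUN-RPC header + WDB param wrapper)
with the crash-analysis heuristic from slide 54. Added example, not WdbDbg code."""
import struct

RPC_CALL, RPC_REPLY = 0, 1
WDB_PROG = 0x55555555   # RPC program number of the WDB agent (from wdb.h, not the slides)
PMAP_PROG = 100000      # portmapper program number (RFC 1833)
# Subset of WDB procedure numbers from wdb.h (not on the slides).
WDB_PROCS = {0: "WDB_TARGET_PING", 1: "WDB_TARGET_CONNECT", 2: "WDB_TARGET_DISCONNECT",
             10: "WDB_MEM_READ", 11: "WDB_MEM_WRITE"}
# Credential flavors registered in RFC 5531; anything else deserves a look.
KNOWN_FLAVORS = {0: "AUTH_NONE", 1: "AUTH_SYS", 2: "AUTH_SHORT", 3: "AUTH_DH", 6: "RPCSEC_GSS"}


def _u32(data, off):
    """Read one big-endian XDR unsigned int, refusing to read past the datagram."""
    if off + 4 > len(data):
        raise ValueError("truncated datagram at offset %d" % off)
    return struct.unpack(">I", data[off:off + 4])[0]


def _opaque_auth(data, off):
    """Parse an XDR opaque_auth (flavor, body length, body padded to 4); return (flavor, next offset)."""
    flavor, length = _u32(data, off), _u32(data, off + 4)
    end = off + 8 + ((length + 3) & ~3)
    if end > len(data):
        raise ValueError("auth body runs past the end of the datagram")
    return flavor, end


def parse_rpc_header(data):
    """Parse the RPC request header (40 bytes with empty auth, slide 33) or the RPC reply
    header (24 bytes, slide 34). Returns (info dict, offset of the first byte after it)."""
    info = {"xid": _u32(data, 0), "findings": []}
    mtype = _u32(data, 4)
    if mtype == RPC_CALL:
        info["type"] = "call"
        info["rpcvers"], info["prog"] = _u32(data, 8), _u32(data, 12)
        info["vers"], info["proc"] = _u32(data, 16), _u32(data, 20)
        cred, off = _opaque_auth(data, 24)
        _verf, off = _opaque_auth(data, off)
        info["cred_flavor"] = cred
        # Slide 54: portmap crashed whenever the credential flavor was negative, i.e. when
        # the sign bit is set if the field is read as a signed 32-bit integer.
        if cred & 0x80000000:
            info["findings"].append("negative credential flavor 0x%08x" % cred)
        elif cred not in KNOWN_FLAVORS:
            info["findings"].append("unregistered credential flavor %d" % cred)
    elif mtype == RPC_REPLY:
        info["type"] = "reply"
        info["reply_stat"] = _u32(data, 8)
        if info["reply_stat"] != 0:            # MSG_DENIED has a different tail; not handled
            raise ValueError("MSG_DENIED reply not handled")
        _verf, off = _opaque_auth(data, 12)
        info["accept_stat"] = _u32(data, off)
        off += 4
    else:
        raise ValueError("unknown RPC message type %d" % mtype)
    info["header_len"] = off
    return info, off


def parse_datagram(data, wdb_reply=False):
    """Parse one UDP payload. A call is recognised as WDB by its program number; a reply
    carries none, so the caller states whether it came from UDP/17185 (wdb_reply)."""
    info, off = parse_rpc_header(data)
    is_wdb = (info["type"] == "call" and info["prog"] == WDB_PROG) or \
             (info["type"] == "reply" and wdb_reply)
    if not is_wdb:
        return info                             # e.g. a portmap call; RPC findings still apply
    # WDB param wrapper (12 bytes): checksum, length, then sequence (call) or error code (reply).
    wrapper = {"checksum": _u32(data, off), "length": _u32(data, off + 4)}
    if info["type"] == "call":
        wrapper["sequence"] = _u32(data, off + 8)
        info["proc_name"] = WDB_PROCS.get(info["proc"], "proc %d" % info["proc"])
        if info["proc"] in (10, 11):            # slide 31: direct access to system memory
            info["findings"].append(info["proc_name"] + ": direct access to target memory")
    else:
        wrapper["error"] = _u32(data, off + 8)
    # Whatever the length field counts (the slides do not say), it cannot exceed the datagram.
    if wrapper["length"] > len(data):
        info["findings"].append("wrapper length %d exceeds datagram" % wrapper["length"])
    info["wdb"] = wrapper
    info["params"] = data[off + 12:]            # XDR-encoded parameters
    return info


def build_call(prog, proc, cred_flavor, xdr_params, wdb_seq=None):
    """Construct a sample call with empty auth bodies (test data only). For a WDB call the
    checksum field is a 0xFFFFFFFF placeholder: the slides do not give the algorithm."""
    hdr = struct.pack(">10I", 0x1234, RPC_CALL, 2, prog, 1, proc, cred_flavor, 0, 0, 0)
    if wdb_seq is None:
        return hdr + xdr_params
    total = len(hdr) + 12 + len(xdr_params)
    return hdr + struct.pack(">3I", 0xFFFFFFFF, total, wdb_seq) + xdr_params


def build_wdb_reply(error_code, xdr_params):
    """Construct a sample WDB reply (MSG_ACCEPTED, SUCCESS, empty verifier). Test data only."""
    hdr = struct.pack(">6I", 0x1234, RPC_REPLY, 0, 0, 0, 0)
    wrapper = struct.pack(">3I", 0xFFFFFFFF, len(hdr) + 12 + len(xdr_params), error_code)
    return hdr + wrapper + xdr_params
```

Feeding captured UDP/111 and UDP/17185 payloads through parse_datagram gives a per-packet findings list; a WDB call at all on a production network is the first thing to alert on, since the agent answers without authentication.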
CRASH ANALYSIS
[Slides 55 to 61: debugger screenshots of the crash; no text recoverable]
55-61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on the 23rd
Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable
Wind River is providing patches
Every VxWorks customer should check the Knowledge Library for details
On Sept 9th 2015 I've been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
All memory protections bypassed/defeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon Quantum PLC runs VxWorks and has port 111 open
(https://www.digitalbond.com/tools/basecamp/schneider-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible to a ring buffer overflow when accessed at high speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when it receives a specially crafted username and password: network stack down
69
CONCLUSION
Wind River takes VxWorks' security seriously
Implemented a lot of memory protections
Defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDB RPC protocol and WDB-over-serial implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next weeks here:
https://bitbucket.org/yformaggio/wdbdbg
Exploit code will not be released unless explicit authorisation is given
72
QUESTIONS
73
THANKS
LINKS
http://www.vxdev.com/docs/vx55man/tornado-api/wdbpcl/wdb.html
http://www.uio.no/[]/vxworks_architecture_supplement_6.2.pdf
http://www.uio.no/[]/vxworks_kernel_programmers_guide_6.2.pdf
http://cimsol-mc.sourceforge.net/files/vxworks/VxWorks60.pdf
Digging Inside the VxWorks OS and Firmware: The Holistic Security
HD Moore - Fun with VxWorks
75
X86 UPPER MEMORY
(one figure built up over slides 19 to 22)
Offset from LOCAL_MEM_LOCAL_ADRS   Region
+0x0000     IDT (2KB): Interrupt Descriptor/Vector Table
+0x800      GDT
+0x1100     SM Anchor
+0x1200     Boot Line
+0x1300     Exception message: ASCII string for the fatal exception message
+0x2000     FD DMA Area
+0x5000     (unlabelled on the slide)
+0xa0000    (no memory)
+0x100000   Initial Stack
+0x108000   System Image: VxWorks image entry point
_end        WDB Memory Pool: WDB shared memory
            Interrupt stack
            System Memory Pool
…           up to sysMemTop()
KEY: Available / Reserved (shading of the original figure)
19-22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to the virtual memory support
Non-MMU-based protections: heap error detection
23
MEMORY PROTECTION
Task stack overrun and underrun detection
Interrupt stack overrun and underrun detection
[Figure: stack pages between Stack Start and Stack Stop]
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
20
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DecriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
X86 UPPER MEMORY IDT (2KB)Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
hellip sysMemTop()
Available
Reserved
KEY
Interrupt
DescriptorVector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections Heap Error Detection
23
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
FUZZING TARGETS
Network protocols:
Portmap (RPC)
FTP
TFTP
NTP
...
FUZZING
Used Sulley fuzzing framework
Problem: no accurate crash detection available
Solution: using WdbRPC
WHAT'S WDB RPC
Debugging interface
Service running on port UDP/17185
Based on SUN-RPC protocol
Provides direct access to system memory
WDB PROTOCOL V2
(figure: on the host, the shell, debugger, browser and other tools talk to the target server over WTX; the target server talks to the target agent in the VxWorks OS over WDB)
WDB PROTOCOL V2: CALL SENT BY TARGET SERVER
IP header (20 bytes)
UDP header (8 bytes)
RPC request header (40 bytes)
WDB param wrapper (12 bytes): checksum (4 bytes), length (4 bytes), sequence (4 bytes)
XDR encoded parameters (XDR encoded stream)
WDB PROTOCOL V2: REPLY SENT BY TARGET AGENT
IP header (20 bytes)
UDP header (8 bytes)
RPC reply header (24 bytes)
WDB param wrapper (12 bytes): checksum (4 bytes), length (4 bytes), error code (4 bytes)
XDR encoded parameters (XDR encoded stream)
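To make the two layouts above concrete, here is an added C decoder (not code from the talk's framework) of the kind a network sensor watching UDP/17185 could run over a captured datagram: it pulls apart the 40-byte RPC request header and the 12-byte WDB param wrapper and sanity-checks them before handing the XDR parameters on. Assumptions beyond the slides: the RPC header field order is the ONC RPC call message (RFC 5531, whose ten 32-bit words match the 40 bytes shown), the WDB program number is 0x55555555, the wrapper is checksum / length / sequence in that order, the wrapper length counts the wrapper plus the parameters, and the sample datagram is constructed with placeholder procedure, sequence and checksum values.

```c
/* Added example: decoder for the fixed-size headers of a WDB v2 call as
 * laid out on the slides (40-byte RPC request header, 12-byte WDB param
 * wrapper, then XDR parameters). Not code from the talk's framework.
 * Assumptions: RPC header field order per the ONC RPC call message
 * (RFC 5531), WDB program number 0x55555555, wrapper order
 * checksum / length / sequence, and wrapper length = 12 + parameter
 * bytes. The checksum algorithm is not on the slides, so the field is
 * carried but not verified. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define WDB_UDP_PORT  17185
#define WDB_RPC_PROG  0x55555555u    /* assumed WDB program number */
#define RPC_MSG_CALL  0

struct rpc_call_hdr {               /* 40 bytes on the wire, big-endian words */
    uint32_t xid, msg_type, rpc_vers, prog, vers, proc;
    uint32_t cred_flavor, cred_len, verf_flavor, verf_len;
};

struct wdb_wrapper {                /* 12 bytes */
    uint32_t checksum, length, sequence;
};

struct wdb_call {
    struct rpc_call_hdr rpc;
    struct wdb_wrapper wrap;
    const uint8_t *params;          /* XDR-encoded parameters */
    size_t params_len;
};

static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Decode one UDP payload seen on port 17185. Returns 0 on success or a
 * negative code saying which sanity check failed. */
int wdb_parse_call(const uint8_t *buf, size_t len, struct wdb_call *out)
{
    if (len < 40 + 12) return -1;                    /* shorter than both headers */
    out->rpc.xid         = get32(buf + 0);
    out->rpc.msg_type    = get32(buf + 4);
    out->rpc.rpc_vers    = get32(buf + 8);
    out->rpc.prog        = get32(buf + 12);
    out->rpc.vers        = get32(buf + 16);
    out->rpc.proc        = get32(buf + 20);
    out->rpc.cred_flavor = get32(buf + 24);
    out->rpc.cred_len    = get32(buf + 28);
    out->rpc.verf_flavor = get32(buf + 32);
    out->rpc.verf_len    = get32(buf + 36);
    if (out->rpc.msg_type != RPC_MSG_CALL) return -2;
    if (out->rpc.rpc_vers != 2) return -3;
    if (out->rpc.prog != WDB_RPC_PROG) return -4;
    /* A fixed 40-byte header leaves no room for credential or verifier
     * bodies, so only empty (AUTH_NULL) auth is accepted here. */
    if (out->rpc.cred_len != 0 || out->rpc.verf_len != 0) return -5;
    out->wrap.checksum = get32(buf + 40);
    out->wrap.length   = get32(buf + 44);
    out->wrap.sequence = get32(buf + 48);
    if (out->wrap.length != len - 40) return -6;     /* wrapper length disagrees with datagram */
    out->params = buf + 52;
    out->params_len = len - 52;
    return 0;
}

/* Build a constructed sample call so the decoder can be run offline.
 * Procedure number, sequence and checksum are placeholders. Returns the
 * number of bytes written, or 0 if cap is too small. */
size_t wdb_sample_call(uint8_t *buf, size_t cap)
{
    static const uint8_t params[4] = { 0x00, 0x00, 0x00, 0x01 };
    const uint32_t words[13] = {
        0x12345678u, RPC_MSG_CALL, 2, WDB_RPC_PROG, 1, 3,   /* xid .. proc (placeholders) */
        0, 0, 0, 0,                                         /* AUTH_NULL cred and verf */
        0xAAAAAAAAu, 12 + sizeof params, 7                  /* checksum (placeholder), length, sequence */
    };
    size_t need = sizeof words + sizeof params;
    if (cap < need) return 0;
    for (size_t i = 0; i < 13; i++) put32(buf + 4 * i, words[i]);
    memcpy(buf + 52, params, sizeof params);
    return need;
}
```

The length cross-check against the datagram size is the one that matters for a sensor: a wrapper whose declared length disagrees with what arrived is either a broken client or something probing the agent, and either way worth logging. The reply side differs only in the 24-byte RPC reply header and the error code replacing the sequence number.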
STEPS FOR PROCESS MONITORING USING WDB (VXWORKS 5.X)
(figure, slides 35 to 42: host/target call and reply sequence)
STEPS FOR PROCESS MONITORING USING WDB (VXWORKS 6.X)
(figure, slides 43 and 44: host/target call and reply sequence)
Small interpreted language
Two objects: pointer and tape
Result of the eval stored in tape
Tape content returned to the host
More info on Gopher
Host reads the pointed memory addresses
CRASH DETECTION
Target sends event notification
Host acknowledges
Host asks for more information (register contents, memory area, ...)
WDBRPC FRAMEWORK
Python 2.7
Supports VxWorks 5.x and 6.x
Partially implements WDBRPC protocol
Implements a basic remote debugger: WdbDbg
Some external dependencies:
PyElfTools: reads the imports from the VxWorks image
Capstone Engine: disassembles code around the crash area
INTERFACING WITH SULLEY
Inspiration from the process_monitor.py script coming with Sulley
Implementation:
DebuggerThread: instantiates WdbDbg and implements the callback to call when a crash occurs
ProcessMonitorPedRPCServer: interfaces with Sulley's ped-rpc routines
VxMon: wraps everything
FUZZING
(figure: the Sulley fuzzer sends test cases to the VxWorks target; the VxWorks process monitor (WdbDbg) talks to Sulley over PED RPC and to the target over WDB RPC)
DEMO
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field: credential flavor
When set to a negative value => PC is set to an arbitrary memory value
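The slide gives only the symptom: a negative credential flavor ends with an arbitrary value in PC. As an added example, modelled on the generic Sun RPC authentication dispatch rather than on Wind River's code (which the talk does not show), here is the signed-index pattern that produces exactly that symptom, beside the check a code reviewer would ask for instead. The three-entry table, the stand-in authenticators and all names are my own.

```c
/* Added example: a credential flavor is a signed 32-bit XDR integer that
 * selects an authenticator from a table. A signed bounds check lets any
 * negative flavor through, so the lookup reads a "function pointer" from
 * far outside the table and the call lands on whatever that memory
 * holds. This models the generic Sun RPC dispatch pattern, not Wind
 * River's source; table contents and names are assumptions. */
#include <stdint.h>
#include <stddef.h>

typedef int (*authenticator_fn)(const uint8_t *cred, uint32_t cred_len);

/* Stand-in authenticators: AUTH_NULL always passes, AUTH_UNIX wants a body. */
static int auth_null(const uint8_t *cred, uint32_t cred_len)
{
    (void)cred; (void)cred_len;
    return 1;
}
static int auth_unix(const uint8_t *cred, uint32_t cred_len)
{
    return cred != NULL && cred_len >= 16;   /* minimum constructed body size */
}
static int auth_short(const uint8_t *cred, uint32_t cred_len)
{
    (void)cred; (void)cred_len;
    return 0;                                /* not supported in this example */
}

static const authenticator_fn auth_table[] = { auth_null, auth_unix, auth_short };
#define AUTH_TABLE_LEN ((int32_t)(sizeof auth_table / sizeof auth_table[0]))

/* Vulnerable check: signed comparison. Returns 1 if the flavor would be
 * used as a table index, 0 if rejected. It deliberately does not index
 * the table, so the out-of-bounds case is reported rather than executed. */
int flavor_accepted_signed(int32_t flavor)
{
    return flavor < AUTH_TABLE_LEN;          /* -1, INT32_MIN, ... all pass */
}

/* Fixed check: compare as unsigned, which rejects every negative value
 * along with anything at or past the end of the table. */
int flavor_accepted_unsigned(int32_t flavor)
{
    return (uint32_t)flavor < (uint32_t)AUTH_TABLE_LEN;
}

/* Hardened dispatcher: -1 (reject, as AUTH_BADCRED would) for a bad
 * flavor, otherwise the selected authenticator's verdict. */
int rpc_authenticate(int32_t flavor, const uint8_t *cred, uint32_t cred_len)
{
    if (!flavor_accepted_unsigned(flavor)) return -1;
    return auth_table[(uint32_t)flavor](cred, cred_len);
}
```

This is also why the talk's conclusion holds: non-executable stacks, a read-only text segment and heap guards protect memory regions, but none of them can object to the program itself fetching a pointer from an out-of-range table slot and branching to it. The unsigned comparison is the fix at the source; a fuzzer that sets the XDR integer field to negative values, as Sulley did here, is the cheapest way to find the pattern.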
CRASH ANALYSIS
(slides 55 to 61: debugger output screenshots, O_o)
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on the 23rd
Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable
Wind River is providing patches
Every VxWorks customer should check the Knowledge Library for details
On Sept 9th 2015 I've been authorised to disclose details
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
All memory protections bypassed/defeated
Backdoor account set up
EXPLOITATION DEMO
ABOUT THE REAL TARGETS
Schneider Modicon Quantum PLC runs VxWorks and has port 111 open (https://www.digitalbond.com/tools/basecamp/schneider-modicon-quantum)
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open
FUN FACT
(slide 67: image only)
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible to ring buffer overflow when accessed at a high speed
MORE BUGS FOUND DURING FUZZING
FTP server crashes when received a specially crafted username and password: network stack down
CONCLUSION
Wind River takes VxWorks' security seriously
Implemented a lot of memory protections
Yet all of them are defeated by a simple integer overflow bug
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and WDB-over-serial implementation
Continuing to find bugs
CODE RELEASE
The WdbDbg framework should be released in the next weeks here: https://bitbucket.org/yformaggio/wdbdbg
Exploit code will not be released unless explicit authorisation is given
QUESTIONS
THANKS
LINKS
http://www.vxdev.com/docs/vx55man/tornado-api/wdbpcl/wdb.html
http://www.uio.no/[...]/vxworks_architecture_supplement_6.2.pdf
http://www.uio.no/[...]/vxworks_kernel_programmers_guide_6.2.pdf
http://cimsol-mc.sourceforge.net/files/vxworks/VxWorks60.pdf
Digging Inside the VxWorks OS and Firmware: The Holistic Security
HD Moore - Fun with VxWorks
MEMORY PROTECTION
Task stack overrun and underrun
detection
Interrupt stack overrun and
underrun detection
Stack pages
Stack
Start
Stop
24
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
MEMORY PROTECTION
Non-executable task stacks amp Non-
writable Text Segment
INCLUDE_TASK_STACK_NO_EXEC
INCLUDE_PROTECT_TEXT
Task stack size = MMU page size
Program pages
Read Only
Raw Data
r+w
T
EX
TD
ATA
25
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
MEMORY PROTECTION
-r-w-x
Address Space
0x00000000
NULL Pointer usage detection
26
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
MEMORY PROTECTIONHEAP BLOCK OVERRUN DETECTION USAGE TRACKING amp LEAKAGE DETECTION
27
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
FROM FUZZING TO EXPLOIT
28
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
FUZZING TARGETS
Network protocols
Portmap (RPC)
FTP
TFTP
NTP
hellip
29
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
[Diagram: on the HOST, the tools (Shell, Debugger, Browser, other tools) talk to the Target Server over WTX; the Target Server talks to the Target Agent running on the VxWorks OS over WDB]
32
WDB PROTOCOL V2: CALL SENT BY TARGET SERVER
IP header (20 bytes) | UDP header (8 bytes) | RPC request header (40 bytes) | WDB param wrapper (12 bytes) | XDR-encoded parameters
WDB param wrapper = Checksum (4 bytes) + Length (4 bytes) + Sequence (4 bytes); the parameters follow as an XDR-encoded stream
33
WDB PROTOCOL V2: REPLY SENT BY TARGET AGENT
IP header (20 bytes) | UDP header (8 bytes) | RPC reply header (24 bytes) | WDB param wrapper (12 bytes) | XDR-encoded parameters
WDB param wrapper = Checksum (4 bytes) + Length (4 bytes) + Error code (4 bytes); the parameters follow as an XDR-encoded stream
34
STEPS FOR PROCESS MONITORING USING WDB / VXWORKS 5.X
[Sequence diagrams, slides 35-42: the HOST sends a CALL and the TARGET answers with a REPLY, one exchange per slide]
35-42
STEPS FOR PROCESS MONITORING USING WDB / VXWORKS 6.X
[Sequence diagram: HOST sends CALL, TARGET sends REPLY, …]
Small interpreted language
Two objects: pointer and tape
Result of the eval stored in tape
Tape content returned to the host
More info on Gopher
43
STEPS FOR PROCESS MONITORING USING WDB / VXWORKS 6.X
[Sequence diagram: HOST sends CALL, TARGET sends REPLY, …]
Host reads the pointed memory addresses
44
CRASH DETECTION
[Sequence diagram, HOST / TARGET]
Target sends event notification
45
CRASH DETECTION
Target sends event notification
Host acknowledges
46
CRASH DETECTION
Target sends event notification
Host acknowledges
Host asks for more information (register contents, memory area, …)
47
WDBRPC FRAMEWORK
Python 2.7
Supports VxWorks 5.x and 6.x
Partially implements the WDBRPC protocol
Implements a basic remote debugger: WdbDbg
48-49
WDBRPC FRAMEWORK
Some external dependencies:
PyElfTools: reads the imports from the VxWorks image
Capstone Engine: disassembles code around the crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitor.py script shipped with Sulley
Implementation:
DebuggerThread instantiates WdbDbg and implements the callback to call when a crash occurs
ProcessMonitorPedRPCServer interfaces with Sulley's ped-rpc routines
VxMon wraps everything
51
FUZZING
[Diagram: the Sulley fuzzer sends test cases to the VxWorks target; the VxWorks process monitor (WdbDbg) talks to Sulley over PED RPC and to the target over WDB RPC]
52
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field: credential flavor
When set to a negative value => PC is set to an arbitrary memory value
54
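Added example, not code from the talk or from the WdbDbg framework: a Python 3 parser for the 40-byte SUN-RPC call header and the 12-byte WDB parameter wrapper laid out on the protocol slides, used as detection logic that flags an RPC call whose credential flavor is negative when read as a signed 32-bit integer (the crash condition above) and any WDB call reaching UDP/17185. The sample datagrams are constructed, and the RPC program number 0x55555555 used in the WDB sample is an assumption, not a value from the slides.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Values taken from the slides
WDB_PORT = 17185             # WDB target agent listens on UDP/17185
PORTMAP_PORT = 111           # SUN-RPC portmapper, the task that crashed under fuzzing
RPC_CALL_HEADER_LEN = 40     # "RPC Request Header (40 bytes)"
WDB_WRAPPER_LEN = 12         # "WDB Param Wrapper (12 bytes)"
RPC_MSG_CALL = 0             # RFC 5531 msg_type value for a CALL


@dataclass
class RpcCall:
    xid: int
    rpc_version: int
    program: int
    version: int
    procedure: int
    cred_flavor: int         # decoded as signed int32, the view the crashing code took
    cred_length: int
    verf_flavor: int
    verf_length: int
    body: bytes              # everything after the 40-byte header


@dataclass
class WdbWrapper:
    checksum: int
    length: int
    sequence: int
    params: bytes            # XDR-encoded procedure parameters


def parse_rpc_call(payload: bytes) -> Optional[RpcCall]:
    """Decode the 40-byte SUN-RPC call header; None for short data or non-CALL messages."""
    if len(payload) < RPC_CALL_HEADER_LEN:
        return None
    fields = struct.unpack(">IIIIIIiIII", payload[:RPC_CALL_HEADER_LEN])
    xid, msg_type, rpc_version, program, version, procedure = fields[:6]
    cred_flavor, cred_length, verf_flavor, verf_length = fields[6:]
    if msg_type != RPC_MSG_CALL or rpc_version != 2:
        return None
    return RpcCall(xid, rpc_version, program, version, procedure,
                   cred_flavor, cred_length, verf_flavor, verf_length,
                   payload[RPC_CALL_HEADER_LEN:])


def parse_wdb_wrapper(body: bytes) -> Optional[WdbWrapper]:
    """Decode the 12-byte WDB parameter wrapper: checksum, length, sequence."""
    if len(body) < WDB_WRAPPER_LEN:
        return None
    checksum, length, sequence = struct.unpack(">III", body[:WDB_WRAPPER_LEN])
    return WdbWrapper(checksum, length, sequence, body[WDB_WRAPPER_LEN:])


def inspect_datagram(dst_port: int, payload: bytes) -> List[str]:
    """Return detection findings for one UDP datagram sent towards a VxWorks device."""
    findings = []
    call = parse_rpc_call(payload)
    if call is None:
        return findings
    if call.cred_flavor < 0:
        # A valid auth flavor is a small non-negative number; a negative one is never legitimate.
        findings.append(
            f"negative credential flavor {call.cred_flavor} "
            f"(0x{call.cred_flavor & 0xffffffff:08x}) in RPC call xid=0x{call.xid:08x} "
            f"prog={call.program} proc={call.procedure} to udp/{dst_port}")
    if dst_port == WDB_PORT:
        wrapper = parse_wdb_wrapper(call.body)
        if wrapper is not None:
            findings.append(
                f"WDB RPC call proc={call.procedure} seq={wrapper.sequence} "
                f"len={wrapper.length} to udp/{WDB_PORT}: debug agent reachable from the network")
    return findings


def build_rpc_call(xid: int, program: int, version: int, procedure: int,
                   cred_flavor: int, args: bytes = b"") -> bytes:
    """Constructed sample: pack a SUN-RPC CALL header with zero-length cred/verf bodies."""
    header = struct.pack(">IIIIIIIIII", xid, RPC_MSG_CALL, 2, program, version, procedure,
                         cred_flavor & 0xffffffff, 0, 0, 0)
    return header + args


# Constructed sample datagrams (not captures from the talk)
PORTMAP_GETPORT_OK = build_rpc_call(0x1001, 100000, 2, 3, 0,
                                    struct.pack(">IIII", 100003, 2, 17, 0))
PORTMAP_BAD_FLAVOR = build_rpc_call(0x1002, 100000, 2, 3, 0xFFFFFF00)  # -256 as int32
WDB_CALL = build_rpc_call(0x1003, 0x55555555, 1, 0, 0,                  # program: assumption
                          struct.pack(">III", 0, 52, 7) + b"\x00\x00\x00\x00")

if __name__ == "__main__":
    samples = ((PORTMAP_PORT, PORTMAP_GETPORT_OK),
               (PORTMAP_PORT, PORTMAP_BAD_FLAVOR),
               (WDB_PORT, WDB_CALL))
    for port, pkt in samples:
        for line in inspect_datagram(port, pkt):
            print(line)
```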
CRASH ANALYSIS
[Screenshots of the crash analysis, slides 55-61]
O_o
55-61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on the 23rd
Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable
Wind River is providing patches
Every VxWorks customer should check the Knowledge Library for details
On Sept 9th 2015 I've been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypassed/defeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
FUZZING
Used Sulley fuzzing framework
Problem no accurate crash detection available
Solution using WdbRPC
30
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
WHATrsquoS WDB RPC
Debugging Interface
Service running on port UDP17185
Based on SUN-RPC protocol
Provides direct access to system memory
31
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
WDB PROTOCOL V2
Target Server Target AgentWDB
Shell
Debugger
Browser
Other
tools
HOST VxWorks
WTX
OS
32
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
WDB PROTOCOL V2CALL SENT BY TARGET SERVER
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Request Header
(40 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Sequence (4 bytes)
33
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
WDB PROTOCOL V2REPLY SENT BY TARGET AGENT
IP HEADER
(20 bytes)
UDP HEADER
(8 bytes)
RPC Reply Header
(24 bytes)
WDB Param Wrapper
(12 bytes)
XDR Encoded
parameters
XDR Encoded stream
Checksum (4 bytes)
Length (4 bytes)
Error code (4 bytes)
34
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
35
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
36
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware: The Holistic Security
HD Moore - Fun with VxWorks
STEPS FOR PROCESS MONITORING USING WDB (VXWORKS 5.X)
[Slides 36 to 42: host/target CALL and REPLY sequence diagrams for each step, not recoverable as text]
STEPS FOR PROCESS MONITORING USING WDB (VXWORKS 6.X)
[Slides 43 and 44: host/target CALL and REPLY sequence diagrams, not recoverable as text]
Gopher: small interpreted language
Two objects: pointer and tape
Result of the eval stored in the tape
Tape content returned to the host
More info on Gopher
Host reads the pointed memory addresses
CRASH DETECTION
Target sends event notification
Host acknowledges
Host asks for more information (registers content, memory area, …)
[Slides 45 to 47: host/target sequence diagrams for these steps, not recoverable as text]
WDB RPC FRAMEWORK
Python 2.7
Supports VxWorks 5.x and 6.x
Partially implements the WDB RPC protocol
Implements a basic remote debugger: WdbDbg
Some external dependencies:
PyElfTools: reads the imports from the VxWorks image
Capstone Engine: disassembles code around the crash area
INTERFACING WITH SULLEY
Inspiration from the process_monitor.py script coming with Sulley
Implementation:
DebuggerThread instantiates WdbDbg and implements the callback to call when a crash occurs
ProcessMonitorPedRPCServer interfaces with Sulley's ped-rpc routines
VxMon wraps everything
FUZZING
[Slide 53: fuzzing architecture diagram: the Sulley fuzzer sends test cases to the VxWorks target; the VxWorks process monitor talks to Sulley over PED RPC and to the target over WDB RPC through WdbDbg]
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
37
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
38
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
39
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
40
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
41
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 5X
HOST TARGET
CALL
REPLY
42
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
HOST TARGET
CALL
REPLY
hellip43
Small interpreted
language
Two objects pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
Sulley
Fuzzer
VxWorks
Target
Test cases
VxWorks Process
Monitor
PED RPC WDB RPC
WdbDbg
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field credential flavor
When set to a negative value =gt PC is set to arbitrary memory value
54
CRASH ANALYSIS
55
CRASH ANALYSIS
56
CRASH ANALYSIS
57
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
STEPS FOR PROCESS MONITORING USING WDBVXWORKS 6X
CALL
REPLY
44HOST TARGET
hellip
Host reads the pointed
memory addresses
CRASH DETECTION
Target sends event
notification
45HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
46HOST TARGET
CRASH DETECTION
Target sends event
notification
Host acknowledges
Host ask more
information (registers
content memory area
hellip)
47HOST TARGET
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
48
WDBRPC FRAMEWORK
Python 27
Supports VxWorks 5x and 6x
Partially implements WDBRPC protocol
Implements a basic remote debugger WdbDbg
49
WDBRPC FRAMEWORK
Some externals dependencies
PyElfTools reads the imports from the VxWorks Image
Capstone Engine disassemble code around crash area
50
INTERFACING WITH SULLEY
Inspiration from the process_monitorpy script coming with Sulley
Implementation
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulleyrsquos ped-rpc routines
VxMon wraps everything
51
FUZZING
52
[Architecture diagram: the Sulley fuzzer sends test cases to the VxWorks target; the VxWorks process monitor talks to Sulley over PED RPC and to the target over WDB RPC through WdbDbg]
DEMO
53
CRASH ANALYSIS
Portmap task crashed many times on the same RPC field: the credential flavor
When set to a negative value => PC is set to an arbitrary memory value
54
CRASH ANALYSIS
[Slides 55 to 61: crash analysis screenshots; slide 59 is captioned "O_o"]
61
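The field the crash analysis points at is the credential flavor of an ONC RPC call header (RFC 5531), the message portmap accepts on port 111. The defender's check that follows is an added example, not the talk's fuzzer, framework or exploit: it parses the CALL header, treats the flavor as the unsigned 32-bit value the RFC defines, and flags a value that is unknown or that would be negative when read as a signed integer, which is the shape of the input the slide reports crashing the portmap task. The flavor numbers, the 400-byte auth-body limit and the portmap program number come from the RFC; the two sample messages are constructed inline, not captured from a device, and the code targets Python 3.

```python
"""Validate the credential flavor of ONC RPC (RFC 5531) CALL messages, e.g. portmap on
TCP/UDP 111. Added example, not the talk's fuzzer or exploit; the sample messages are
constructed here, not captured from a device."""
import struct

# Flavor values assigned by RFC 5531; anything else is unknown to a stock server.
AUTH_FLAVORS = {0: "AUTH_NONE", 1: "AUTH_SYS", 2: "AUTH_SHORT", 3: "AUTH_DH", 6: "RPCSEC_GSS"}
MAX_AUTH_BYTES = 400   # RFC 5531 limit on an opaque auth body
CALL = 0               # msg_type of a call (1 would be a reply)


class RpcParseError(ValueError):
    pass


def _u32(buf, off):
    """Read one big-endian XDR unsigned int, refusing to run off the end of the buffer."""
    if off + 4 > len(buf):
        raise RpcParseError("truncated at offset %d" % off)
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _opaque_auth(buf, off):
    """Parse an opaque_auth: flavor, body length, body padded to 4 bytes."""
    flavor, off = _u32(buf, off)
    length, off = _u32(buf, off)
    if length > MAX_AUTH_BYTES:
        raise RpcParseError("auth body length %d exceeds %d" % (length, MAX_AUTH_BYTES))
    padded = (length + 3) & ~3
    if off + padded > len(buf):
        raise RpcParseError("auth body truncated")
    return (flavor, buf[off:off + length]), off + padded


def parse_call(buf):
    """Return the CALL header fields as a dict; raise RpcParseError on malformed input."""
    xid, off = _u32(buf, 0)
    mtype, off = _u32(buf, off)
    if mtype != CALL:
        raise RpcParseError("not a CALL message (msg_type=%d)" % mtype)
    rpcvers, off = _u32(buf, off)
    if rpcvers != 2:
        raise RpcParseError("unsupported RPC version %d" % rpcvers)
    prog, off = _u32(buf, off)
    vers, off = _u32(buf, off)
    proc, off = _u32(buf, off)
    cred, off = _opaque_auth(buf, off)
    verf, off = _opaque_auth(buf, off)
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "cred_flavor": cred[0], "cred_body": cred[1],
            "verf_flavor": verf[0], "verf_body": verf[1], "payload_offset": off}


def flavor_findings(flavor):
    """Explain why a flavor value is suspicious (an empty list means it looks fine)."""
    findings = []
    if flavor not in AUTH_FLAVORS:
        findings.append("unknown auth flavor %d" % flavor)
    if flavor & 0x80000000:
        # Read as a signed 32-bit int this is negative: the value shape the talk found
        # crashing portmap. A server must range-check the field before using it to
        # select an authentication handler, and an IDS can flag it on the wire.
        findings.append("flavor has sign bit set (signed value %d)" % (flavor - (1 << 32)))
    return findings


def inspect(buf):
    """Classify one RPC call: ('ok' | 'suspicious' | 'malformed', list of findings)."""
    try:
        hdr = parse_call(buf)
    except RpcParseError as e:
        return "malformed", [str(e)]
    findings = flavor_findings(hdr["cred_flavor"]) + flavor_findings(hdr["verf_flavor"])
    return ("suspicious" if findings else "ok"), findings


def build_call(xid, prog, vers, proc, cred_flavor, cred_body=b"", verf_flavor=0):
    """Encode a CALL header; used only to construct the sample inputs below."""
    def opaque(flavor, body):
        return (struct.pack(">II", flavor & 0xFFFFFFFF, len(body))
                + body + b"\0" * (-len(body) % 4))
    head = struct.pack(">IIIIII", xid, CALL, 2, prog, vers, proc)
    return head + opaque(cred_flavor, cred_body) + opaque(verf_flavor, b"")


# Constructed samples: a normal portmap GETPORT (prog 100000, v2, proc 3) with AUTH_NONE,
# and the same call carrying a credential flavor that is negative as a signed int32.
PORTMAP_GETPORT_OK = build_call(0x1234, 100000, 2, 3, 0)
PORTMAP_NEG_FLAVOR = build_call(0x1235, 100000, 2, 3, -1)
```

`inspect()` gives a three-way verdict so that a truncated or oversized header (the parser refuses auth bodies over 400 bytes and never reads past the buffer) is reported separately from a well-formed header whose flavor is out of range; the second case is the one worth alerting on for hosts that expose port 111.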
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on the 23rd
Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable
Wind River is providing patches
Every VxWorks customer should check the Knowledge Library for details
On Sept 9th 2015 I've been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute the credential flavor value
Jump into the shellcode directly
All memory protections bypassed/defeated
Backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon Quantum PLC runs VxWorks and has port 111 open
(https://www.digitalbond.com/tools/basecamp/schneider-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible to a ring buffer overflow when accessed at high speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when it receives a specially crafted username and password:
network stack down
69
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
CRASH ANALYSIS
58
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
CRASH ANALYSIS
59
O_o
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
CRASH ANALYSIS
60
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
CRASH ANALYSIS
61
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 55 and 6941 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 Irsquove been authorised to disclose details
62
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
HOW TO EXPLOIT
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypasseddefeated
backdoor account set up
63
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
EXPLOITATION DEMO
64
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(httpswwwdigitalbondco
mtoolsbasecampschneide
r-modicon-quantum)
65
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
SOME NUMBERS
Schneider Modicon Quantum PLC runs VxWorks 54 and has port 111 open
66
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
FUN FACT
67
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
CONCLUSION
WindRiver takes VxWorksrsquo security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
FUTURE WORK
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
CODE RELEASE
The WdbDbg framework should be released in the next
weeks here
httpsbitbucketorgyformaggiowdbdbg
Exploit code will not be released unless explicit
authorisation given
72
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
QUESTIONS
73
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
THANKS
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75
LINKS
httpwwwvxdevcomdocsvx55mantornado-apiwdbpclwdbhtml
httpwwwuiono[]vxworks_architecture_supplement_62pdf
httpwwwuiono[]vxworks_kernel_programmers_guide_62pdf
httpcimsol-mcsourceforgenetfilesvxworksVxWorks60pdf
Digging Inside the VxWorks OS and Firmware The Holistic Security
HD Moore - Fun with VxWorks
75