2. ABOUT ME
Yannick Formaggio
Security Researcher at Istuary Innovation Labs
@TheLumberJhack || yannickformaggio on LinkedIn
Look for vulns using fuzzing techniques, first time speaker,
Lego fan…
Help from Richard Hsu and Eric Liu (Lead security
researcher)
2
3. AGENDA
Introduction to VxWorks & previous researches
Inside VxWorks:
Memory management & protections
From fuzzing to exploit: RPC Integer Overflow RCE
Conclusion
3
9. “
”
The Real-Time Operating System for the Internet of
Things
Powering billions of intelligent devices, VxWorks®
delivers an industry-leading combination of scalability,
safety, security, and virtualization capabilities to meet
next-generation requirements.
Windriver VxWorks product
9
11. VXWORKS & SECURITY
Wind River treatsVxWorks security seriously
Partnership with McAffee in Feb 2011
Source: http://www.windriver.com/news/press/pr.html?ID=8801
12. VXWORKS & SECURITY
Wind River treats VxWorks security seriously
Partnership with McAffee in Feb 2011
6.x introduced some memory protections
7.x improved way further:
Digitally signed modules (X.509)
Encryption
Centralized user database
Password management (SHA-256 algorithm)
Ability to create/delete users at run time
Encrypted data storage
16. PREVIOUS RESEARCH & INSPIRATIONS
“Digging Inside the VxWorks OS and Firmware The
Holistic Security”
Aditya K Sood (0kn0ck) – SecNiche Security Lab
WDB debugging Interface (again)
OS Security
16
18. X86 MEMORY LAYOUT:
UPPER MEMORY
IDT (2KB)
Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image
+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
… sysMemTop()
Available
Reserved
KEY
18
19. X86 UPPER MEMORY IDT (2KB)
Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image
+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
… sysMemTop()
Available
Reserved
KEY
Interrupt
Descriptor/Vector
Table
19
20. X86 UPPER MEMORY IDT (2KB)
Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image
+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
… sysMemTop()
Available
Reserved
KEY
Interrupt
Descriptor/Vector
Table
ASCII string for fatal
exception message
20
21. X86 UPPER MEMORY IDT (2KB)
Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image
+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
… sysMemTop()
Available
Reserved
KEY
Interrupt
Decriptor/Vector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
21
22. X86 UPPER MEMORY IDT (2KB)
Addresss
0x0000 + LOCAL_MEM_LOCAL_ADRS
GDT + 0x800
SM Anchor + 0x1100
Boot Line + 0x1200
Exception message + 0x1300
FD DMA Area + 0x2000
+ 0x5000
(no memory) + 0xa0000
Initial Stack + 0x100000
System Image
+ 0x108000
_end
WDB Memory Pool
Interrupt stack
System Memory Pool
… sysMemTop()
Available
Reserved
KEY
Interrupt
Descriptor/Vector
Table
ASCII string for fatal
exception message
VxWorks image entry
point
WDB shared memory
22
23. MEMORY PROTECTIONS
VxWorks provides MMU-based features in addition to
the virtual memory support
Non MMU based protections: Heap Error Detection
23
35. STEPS FOR PROCESS MONITORING USING WDB:
VXWORKS 5.X
HOST TARGET
CALL
REPLY
35
36. STEPS FOR PROCESS MONITORING USING WDB:
VXWORKS 5.X
HOST TARGET
CALL
REPLY
36
37. STEPS FOR PROCESS MONITORING USING WDB:
VXWORKS 5.X
HOST TARGET
CALL
REPLY
37
38. STEPS FOR PROCESS MONITORING USING WDB:
VXWORKS 5.X
HOST TARGET
CALL
REPLY
38
39. STEPS FOR PROCESS MONITORING USING WDB:
VXWORKS 5.X
HOST TARGET
CALL
REPLY
39
40. STEPS FOR PROCESS MONITORING USING WDB:
VXWORKS 5.X
HOST TARGET
CALL
REPLY
40
41. STEPS FOR PROCESS MONITORING USING WDB:
VXWORKS 5.X
HOST TARGET
CALL
REPLY
41
42. STEPS FOR PROCESS MONITORING USING WDB:
VXWORKS 5.X
HOST TARGET
CALL
REPLY
42
43. STEPS FOR PROCESS MONITORING USING WDB:
VXWORKS 6.X
HOST TARGET
CALL
REPLY
…
43
Small interpreted
language
Two objects: pointer
and tape
Result of the eval stored
in tape
Tape content returned
to the host
More info on Gopher
44. STEPS FOR PROCESS MONITORING USING WDB:
VXWORKS 6.X
CALL
REPLY
44
HOST TARGET
…
Host reads the pointed
memory addresses
50. WDBRPC FRAMEWORK
Some externals dependencies:
PyElfTools: reads the imports from the VxWorks Image
Capstone Engine: disassemble code around crash area
50
51. INTERFACING WITH SULLEY
Inspiration from the process_monitor.py script coming with Sulley
Implementation:
DebuggerThread instantiates WdbDbg and implements callback to call
when crash occurs
ProcessMonitorPedRPCServer interfaces with Sulley’s ped-rpc routines
VxMon wraps everything
51
54. CRASH ANALYSIS
Portmap task crashed many times on the same RPC field: credential flavor
When set to a negative value => PC is set to arbitrary memory value
54
62. RESPONSIBLE DISCLOSURE
Vuln reported to Wind River on July 22nd and acknowledged on
23rd
Confirmed August 11th that versions between 5.5 and 6.9.4.1 are
vulnerable
Wind River is providing patches
Every VxWorks customers should check the Knowledge Library for
details
On Sept 9th 2015 I’ve been authorised to disclose details
62
63. HOW TO EXPLOIT?
Integer overflow leading to RCE
Heap spray to place the shellcode
Compute credential flavor value
Jump into shellcode directly
all memory protections bypassed/defeated
backdoor account set up
63
65. ABOUT THE REAL TARGETS
Schneider Modicon
Quantum PLC runs VxWorks
and has port 111 open
(https://www.digitalbond.co
m/tools/basecamp/schneide
r-modicon-quantum/)
65
68. MORE BUGS FOUND DURING FUZZING
FTP server is susceptible
to ring buffer overflow
when accessed at a high
speed
68
69. MORE BUGS FOUND DURING FUZZING
FTP server crashes when
received specially
crafted username and
password
network stack down
69
70. CONCLUSION
WindRiver takes VxWorks’ security seriously
Implemented a lot of memory protections
Being defeated by a simple integer overflow bug
70
71. FUTURE WORK ?
VxWorks 7
More complete WDBRPC protocol and Wdb over serial
implementation
Continuing to find bugs
71
72. CODE RELEASE
The WdbDbg framework should be released in the next
weeks here:
https://bitbucket.org/yformaggio/wdbdbg
Exploit code will not be released unless explicit
authorisation given
72