Lucene search
+L

VxWorks Debugging Service Security Bypass Vulnerability

🗓️ 14 Dec 2011 00:00:00Reported by Copyright (C) 2011 Greenbone AGType 
openvas
 openvas
🔗 plugins.openvas.org👁 57 Views

VxWorks Debugging Service Security-Bypass Vulnerabilit

Related
Refs
Code
ReporterTitlePublishedViews
Family
Tenable Nessus
Rockwell Automation 1756-ENBT/A 3.2.6 and 3.6.1 Unauthorized Memory Access
8 May 201900:00
nessus
Tenable Nessus
Windriver Vxworks Unspecified Vulnerability
8 Nov 201900:00
nessus
Tenable Nessus
Rockwell Automation 1756 Incorrect Authorization (CVE-2010-2965)
7 Feb 202200:00
nessus
Tenable Nessus
VxWorks WDB Debug Service Detection
6 Aug 201000:00
nessus
ATTACKERKB
CVE-2010-2965
5 Aug 201013:22
attackerkb
Circl
CVE-2010-2965
27 Jan 202515:26
circl
CVE
CVE-2010-2965
4 Aug 201021:00
cve
Cvelist
CVE-2010-2965
4 Aug 201021:00
cvelist
NVD
CVE-2010-2965
5 Aug 201013:22
nvd
OpenVAS
VxWorks Debugging Service Security-Bypass Vulnerability
14 Dec 201100:00
openvas
Rows per page
# SPDX-FileCopyrightText: 2011 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.103367");
  script_cve_id("CVE-2010-2965");
  script_version("2025-01-17T15:39:18+0000");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_tag(name:"last_modification", value:"2025-01-17 15:39:18 +0000 (Fri, 17 Jan 2025)");
  script_tag(name:"creation_date", value:"2011-12-14 16:57:31 +0100 (Wed, 14 Dec 2011)");
  script_name("VxWorks Debugging Service Security Bypass Vulnerability");
  script_category(ACT_ATTACK);
  script_family("General");
  script_copyright("Copyright (C) 2011 Greenbone AG");
  script_require_udp_ports(17185);

  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/42158");
  script_xref(name:"URL", value:"http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html");
  script_xref(name:"URL", value:"http://www.securityfocus.com/archive/1/512825");
  script_xref(name:"URL", value:"http://www.kb.cert.org/vuls/id/362332");

  script_tag(name:"summary", value:"VxWorks is prone to a remote security bypass vulnerability.");

  script_tag(name:"impact", value:"Successful exploits will allow remote attackers to perform
  debugging tasks on the vulnerable device.");

  script_tag(name:"affected", value:"The issue affects multiple products from multiple vendors that ship
  with the VxWorks operating system.");

  script_tag(name:"solution", value:"No known solution was made available for at least one year since the
  disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to
  upgrade to a newer release, disable respective features, remove the product or replace the product by
  another one.");

  script_tag(name:"qod_type", value:"remote_vul");
  script_tag(name:"solution_type", value:"WillNotFix");

  exit(0);
}

port = 17185;
if(!get_udp_port_state(port))
  exit(0);

if(!soc = open_sock_udp(port))
  exit(0);

function get_value(data, blob) {

  local_var data, blob;
  local_var tmp, i, value;

  tmp = substr(data, blob);
  for(i = 0; i < strlen(data); i++) {
    if(tmp[i] == '\0') {
      return value;
    } else {
      value += tmp[i];
    }
  }
  return value;
}

packet = raw_string(0x50,0x26,0x30,0x91,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x55,0x55,0x55,0x55,
                    0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
                    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x2c,
                    0x8b,0x12,0x00,0x01);

send(socket:soc, data:packet);
recv = recv(socket:soc, length:4096);
if(!recv || strlen(recv) < 8 || ord(recv[7]) != 1)
  exit(0);

agent_vers = get_value(data:recv, blob:40);
if(!isnull(agent_vers)) {
  report += string("Agent version: ", agent_vers, "\n");
}

rtv = get_value(data:recv, blob:60);
if(!isnull(rtv)) {
  report += string("Run time version: ", rtv, "\n");
}

bname = get_value(data:recv, blob:88);
if(!isnull(bname)) {
  report += string("Board name: ", bname, "\n");
}

if(report) {
  report = string("It was possible to gather the following information from the remote host:\n\n") + report;
  security_message(port:port, data:report, proto:"udp");
} else {
  security_message(port:port, proto:"udp");
}

exit(0);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation