Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

44CON London - Attacking VxWorks: from Stone Age to Interstellar

9,483 views

Published on

Attacking VxWorks: from Stone Age to Interstellar presented by Yannick Formaggio at 44CON London 2015.

Published in: Technology

44CON London - Attacking VxWorks: from Stone Age to Interstellar

  1. 1. ATTACKING VXWORKS FROM STONE AGE TO INTERSTELLAR 44CON LONDON 9/10/2015YANNICK FORMAGGIO, RICHARD HSU & ERIC LIU
  2. 2. ABOUT ME Yannick Formaggio Security Researcher at Istuary Innovation Labs @TheLumberJhack || yannickformaggio on LinkedIn Look for vulns using fuzzing techniques, first time speaker, Lego fan… Help from Richard Hsu and Eric Liu (Lead security researcher) 2
  3. 3. AGENDA Introduction to VxWorks & previous researches Inside VxWorks: Memory management & protections From fuzzing to exploit: RPC Integer Overflow RCE Conclusion 3
  4. 4. INTRODUCTION 4
  5. 5. WHAT’S VXWORKS? #1 Embedded devices RTOS Claimed > 1.5 billions devices developed by Wind River supports lot of CPU architectures
  6. 6. SOME STATS 6
  7. 7. WHAT’S VXWORKS? 1987 • First release • 32 bits processing 1990’s • VxWorks 5 released • 1st RTOS w/ network stack 2000’s • VxWorks 6.x (12-2004) • Security improvements (RTPs, no more task shared memory) 2014 • VxWorks 7.x (02-2014) • 64bits, more security improvements
  8. 8. SOME CUSTOMERS 8
  9. 9. “ ” The Real-Time Operating System for the Internet of Things Powering billions of intelligent devices, VxWorks® delivers an industry-leading combination of scalability, safety, security, and virtualization capabilities to meet next-generation requirements. Windriver VxWorks product 9
  10. 10. VXWORKS & SECURITY Source: http://www.cvedetails.com/product/15063/Windriver-Vxworks.html?vendor_id=95 10
  11. 11. VXWORKS & SECURITY Wind River treatsVxWorks security seriously Partnership with McAffee in Feb 2011 Source: http://www.windriver.com/news/press/pr.html?ID=8801
  12. 12. VXWORKS & SECURITY Wind River treats VxWorks security seriously Partnership with McAffee in Feb 2011 6.x introduced some memory protections 7.x improved way further: Digitally signed modules (X.509) Encryption Centralized user database Password management (SHA-256 algorithm) Ability to create/delete users at run time Encrypted data storage
  13. 13. PREVIOUS RESEARCHES & INSPIRATIONS
  14. 14. PREVIOUS RESEARCH & INSPIRATIONS “Shiny Old VxWorks Vulnerabilities” HD Moore (2010) 4 Metasploit modules targeting WDB RPC Weak password hash entropy  rainbow table containing around 200k hashed passwords 14
  15. 15. PREVIOUS RESEARCH & INSPIRATIONS “Reverse Engineering VxWorks Firmware: WRT54Gv8” /dev/ttyS0 15
  16. 16. PREVIOUS RESEARCH & INSPIRATIONS “Digging Inside the VxWorks OS and Firmware The Holistic Security” Aditya K Sood (0kn0ck) – SecNiche Security Lab WDB debugging Interface (again) OS Security 16
  17. 17. INSIDE VXWORKS MEMORY LAYOUT & PROTECTIONS 17
  18. 18. X86 MEMORY LAYOUT: UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY 18
  19. 19. X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table 19
  20. 20. X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table ASCII string for fatal exception message 20
  21. 21. X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Decriptor/Vector Table ASCII string for fatal exception message VxWorks image entry point 21
  22. 22. X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table ASCII string for fatal exception message VxWorks image entry point WDB shared memory 22
  23. 23. MEMORY PROTECTIONS VxWorks provides MMU-based features in addition to the virtual memory support Non MMU based protections: Heap Error Detection 23
  24. 24. MEMORY PROTECTION: Task stack overrun and underrun detection Interrupt stack overrun and underrun detection Stack pages Stack Start Stop 24
  25. 25. MEMORY PROTECTION Non-executable task stacks & Non- writable Text Segment INCLUDE_TASK_STACK_NO_EXEC INCLUDE_PROTECT_TEXT Task stack size = MMU page size Program pages Read Only Raw Data r+w .TEXT.DATA 25
  26. 26. MEMORY PROTECTION -r-w-x Address Space 0x00000000 NULL Pointer usage detection 26
  27. 27. HEAP BLOCK OVERRUN DETECTION / USAGE TRACKING & LEAKAGE DETECTION 27
  28. 28. FROM FUZZING TO EXPLOIT 28
  29. 29. FUZZING TARGETS Network protocols: Portmap (RPC) FTP TFTP NTP … 29
  30. 30. FUZZING Used Sulley fuzzing framework Problem: no accurate crash detection available Solution: using WdbRPC 30
  31. 31. WHAT’S WDB RPC? Debugging Interface Service running on port UDP/17185 Based on SUN-RPC protocol Provides direct access to system memory 31
  32. 32. WDB PROTOCOL V2 Target Server Target Agent WDB Shell Debugger Browser Other tools HOST VxWorks WTX OS 32
  33. 33. WDB PROTOCOL V2 CALL: SENT BY TARGET SERVER IP HEADER (20 bytes) UDP HEADER (8 bytes) RPC Request Header (40 bytes) WDB Param Wrapper (12 bytes) XDR Encoded parameters XDR Encoded stream Checksum (4 bytes) Length (4 bytes) Sequence # (4 bytes) 33
  34. 34. WDB PROTOCOL V2 REPLY: SENT BY TARGET AGENT IP HEADER (20 bytes) UDP HEADER (8 bytes) RPC Reply Header (24 bytes) WDB Param Wrapper (12 bytes) XDR Encoded parameters XDR Encoded stream Checksum (4 bytes) Length (4 bytes) Error code (4 bytes) 34
  35. 35. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 35
  36. 36. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 36
  37. 37. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 37
  38. 38. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 38
  39. 39. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 39
  40. 40. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 40
  41. 41. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 41
  42. 42. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 42
  43. 43. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 6.X HOST TARGET CALL REPLY … 43 Small interpreted language Two objects: pointer and tape Result of the eval stored in tape Tape content returned to the host More info on Gopher
  44. 44. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 6.X CALL REPLY 44 HOST TARGET … Host reads the pointed memory addresses
  45. 45. CRASH DETECTION Target sends event notification 45 HOST TARGET
  46. 46. CRASH DETECTION Target sends event notification Host acknowledges 46 HOST TARGET
  47. 47. CRASH DETECTION Target sends event notification Host acknowledges Host ask more information (registers content, memory area, …) 47 HOST TARGET
  48. 48. WDBRPC FRAMEWORK Python 2.7 Supports VxWorks 5.x and 6.x Partially implements WDBRPC protocol Implements a basic remote debugger: WdbDbg 48
  49. 49. WDBRPC FRAMEWORK Python 2.7 Supports VxWorks 5.x and 6.x Partially implements WDBRPC protocol Implements a basic remote debugger: WdbDbg 49
  50. 50. WDBRPC FRAMEWORK Some externals dependencies: PyElfTools: reads the imports from the VxWorks Image Capstone Engine: disassemble code around crash area 50
  51. 51. INTERFACING WITH SULLEY Inspiration from the process_monitor.py script coming with Sulley Implementation: DebuggerThread instantiates WdbDbg and implements callback to call when crash occurs ProcessMonitorPedRPCServer interfaces with Sulley’s ped-rpc routines VxMon wraps everything 51
  52. 52. FUZZING 52 Sulley Fuzzer VxWorks Target Test cases VxWorks Process Monitor PED RPC WDB RPC WdbDbg
  53. 53. DEMO 53
  54. 54. CRASH ANALYSIS Portmap task crashed many times on the same RPC field: credential flavor When set to a negative value => PC is set to arbitrary memory value 54
  55. 55. CRASH ANALYSIS 55
  56. 56. CRASH ANALYSIS 56
  57. 57. CRASH ANALYSIS 57
  58. 58. CRASH ANALYSIS 58
  59. 59. CRASH ANALYSIS 59 O_o
  60. 60. CRASH ANALYSIS 60
  61. 61. CRASH ANALYSIS 61
  62. 62. RESPONSIBLE DISCLOSURE Vuln reported to Wind River on July 22nd and acknowledged on 23rd Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable Wind River is providing patches Every VxWorks customers should check the Knowledge Library for details On Sept 9th 2015 I’ve been authorised to disclose details 62
  63. 63. HOW TO EXPLOIT? Integer overflow leading to RCE Heap spray to place the shellcode Compute credential flavor value Jump into shellcode directly all memory protections bypassed/defeated backdoor account set up 63
  64. 64. EXPLOITATION DEMO 64
  65. 65. ABOUT THE REAL TARGETS Schneider Modicon Quantum PLC runs VxWorks and has port 111 open (https://www.digitalbond.co m/tools/basecamp/schneide r-modicon-quantum/) 65
  66. 66. SOME NUMBERS Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open 66
  67. 67. FUN FACT 67
  68. 68. MORE BUGS FOUND DURING FUZZING FTP server is susceptible to ring buffer overflow when accessed at a high speed 68
  69. 69. MORE BUGS FOUND DURING FUZZING FTP server crashes when received specially crafted username and password  network stack down 69
  70. 70. CONCLUSION WindRiver takes VxWorks’ security seriously Implemented a lot of memory protections Being defeated by a simple integer overflow bug 70
  71. 71. FUTURE WORK ? VxWorks 7 More complete WDBRPC protocol and Wdb over serial implementation Continuing to find bugs 71
  72. 72. CODE RELEASE The WdbDbg framework should be released in the next weeks here: https://bitbucket.org/yformaggio/wdbdbg Exploit code will not be released unless explicit authorisation given 72
  73. 73. QUESTIONS 73
  74. 74. THANKS !
  75. 75. LINKS http://www.vxdev.com/docs/vx55man/tornado-api/wdbpcl/wdb.html http://www.uio.no/[...]/vxworks_architecture_supplement_6.2.pdf http://www.uio.no/[...]/vxworks_kernel_programmers_guide_6.2.pdf http://cimsol-mc.sourceforge.net/files/vxworks/VxWorks60.pdf Digging Inside the VxWorks OS and Firmware The Holistic Security HD Moore - Fun with VxWorks 75

×