SlideShare ist ein Scribd-Unternehmen logo

44CON London - Attacking VxWorks: from Stone Age to Interstellar

44CON
44CON

Attacking VxWorks: from Stone Age to Interstellar presented by Yannick Formaggio at 44CON London 2015.

Technologie
1 von 75
Downloaden Sie, um offline zu lesen
ATTACKING VXWORKS FROM STONE AGE TO INTERSTELLAR 44CON LONDON 9/10/2015YANNICK FORMAGGIO, RICHARD HSU & ERIC LIU
ABOUT ME Yannick Formaggio Security Researcher at Istuary Innovation Labs @TheLumberJhack || yannickformaggio on LinkedIn Look for vulns using fuzzing techniques, first time speaker, Lego fan… Help from Richard Hsu and Eric Liu (Lead security researcher) 2
AGENDA Introduction to VxWorks & previous researches Inside VxWorks: Memory management & protections From fuzzing to exploit: RPC Integer Overflow RCE Conclusion 3
INTRODUCTION 4
WHAT’S VXWORKS? #1 Embedded devices RTOS Claimed > 1.5 billions devices developed by Wind River supports lot of CPU architectures
SOME STATS 6
WHAT’S VXWORKS? 1987 • First release • 32 bits processing 1990’s • VxWorks 5 released • 1st RTOS w/ network stack 2000’s • VxWorks 6.x (12-2004) • Security improvements (RTPs, no more task shared memory) 2014 • VxWorks 7.x (02-2014) • 64bits, more security improvements
SOME CUSTOMERS 8
“ ” The Real-Time Operating System for the Internet of Things Powering billions of intelligent devices, VxWorks® delivers an industry-leading combination of scalability, safety, security, and virtualization capabilities to meet next-generation requirements. Windriver VxWorks product 9
VXWORKS & SECURITY Source: http://www.cvedetails.com/product/15063/Windriver-Vxworks.html?vendor_id=95 10
VXWORKS & SECURITY Wind River treatsVxWorks security seriously Partnership with McAffee in Feb 2011 Source: http://www.windriver.com/news/press/pr.html?ID=8801
VXWORKS & SECURITY Wind River treats VxWorks security seriously Partnership with McAffee in Feb 2011 6.x introduced some memory protections 7.x improved way further: Digitally signed modules (X.509) Encryption Centralized user database Password management (SHA-256 algorithm) Ability to create/delete users at run time Encrypted data storage
PREVIOUS RESEARCHES & INSPIRATIONS
PREVIOUS RESEARCH & INSPIRATIONS “Shiny Old VxWorks Vulnerabilities” HD Moore (2010) 4 Metasploit modules targeting WDB RPC Weak password hash entropy  rainbow table containing around 200k hashed passwords 14
PREVIOUS RESEARCH & INSPIRATIONS “Reverse Engineering VxWorks Firmware: WRT54Gv8” /dev/ttyS0 15
PREVIOUS RESEARCH & INSPIRATIONS “Digging Inside the VxWorks OS and Firmware The Holistic Security” Aditya K Sood (0kn0ck) – SecNiche Security Lab WDB debugging Interface (again) OS Security 16
INSIDE VXWORKS MEMORY LAYOUT & PROTECTIONS 17
X86 MEMORY LAYOUT: UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY 18
X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table 19
X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table ASCII string for fatal exception message 20
X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Decriptor/Vector Table ASCII string for fatal exception message VxWorks image entry point 21
X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table ASCII string for fatal exception message VxWorks image entry point WDB shared memory 22
MEMORY PROTECTIONS VxWorks provides MMU-based features in addition to the virtual memory support Non MMU based protections: Heap Error Detection 23
MEMORY PROTECTION: Task stack overrun and underrun detection Interrupt stack overrun and underrun detection Stack pages Stack Start Stop 24
MEMORY PROTECTION Non-executable task stacks & Non- writable Text Segment INCLUDE_TASK_STACK_NO_EXEC INCLUDE_PROTECT_TEXT Task stack size = MMU page size Program pages Read Only Raw Data r+w .TEXT.DATA 25
MEMORY PROTECTION -r-w-x Address Space 0x00000000 NULL Pointer usage detection 26
HEAP BLOCK OVERRUN DETECTION / USAGE TRACKING & LEAKAGE DETECTION 27
FROM FUZZING TO EXPLOIT 28
FUZZING TARGETS Network protocols: Portmap (RPC) FTP TFTP NTP … 29
FUZZING Used Sulley fuzzing framework Problem: no accurate crash detection available Solution: using WdbRPC 30
WHAT’S WDB RPC? Debugging Interface Service running on port UDP/17185 Based on SUN-RPC protocol Provides direct access to system memory 31
WDB PROTOCOL V2 Target Server Target Agent WDB Shell Debugger Browser Other tools HOST VxWorks WTX OS 32
WDB PROTOCOL V2 CALL: SENT BY TARGET SERVER IP HEADER (20 bytes) UDP HEADER (8 bytes) RPC Request Header (40 bytes) WDB Param Wrapper (12 bytes) XDR Encoded parameters XDR Encoded stream Checksum (4 bytes) Length (4 bytes) Sequence # (4 bytes) 33
WDB PROTOCOL V2 REPLY: SENT BY TARGET AGENT IP HEADER (20 bytes) UDP HEADER (8 bytes) RPC Reply Header (24 bytes) WDB Param Wrapper (12 bytes) XDR Encoded parameters XDR Encoded stream Checksum (4 bytes) Length (4 bytes) Error code (4 bytes) 34
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 35
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 36
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 37
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 38
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 39
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 40
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 41
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 42
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 6.X HOST TARGET CALL REPLY … 43 Small interpreted language Two objects: pointer and tape Result of the eval stored in tape Tape content returned to the host More info on Gopher
STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 6.X CALL REPLY 44 HOST TARGET … Host reads the pointed memory addresses
CRASH DETECTION Target sends event notification 45 HOST TARGET
CRASH DETECTION Target sends event notification Host acknowledges 46 HOST TARGET
CRASH DETECTION Target sends event notification Host acknowledges Host ask more information (registers content, memory area, …) 47 HOST TARGET
WDBRPC FRAMEWORK Python 2.7 Supports VxWorks 5.x and 6.x Partially implements WDBRPC protocol Implements a basic remote debugger: WdbDbg 48
WDBRPC FRAMEWORK Python 2.7 Supports VxWorks 5.x and 6.x Partially implements WDBRPC protocol Implements a basic remote debugger: WdbDbg 49
WDBRPC FRAMEWORK Some externals dependencies: PyElfTools: reads the imports from the VxWorks Image Capstone Engine: disassemble code around crash area 50
INTERFACING WITH SULLEY Inspiration from the process_monitor.py script coming with Sulley Implementation: DebuggerThread instantiates WdbDbg and implements callback to call when crash occurs ProcessMonitorPedRPCServer interfaces with Sulley’s ped-rpc routines VxMon wraps everything 51
FUZZING 52 Sulley Fuzzer VxWorks Target Test cases VxWorks Process Monitor PED RPC WDB RPC WdbDbg
DEMO 53
CRASH ANALYSIS Portmap task crashed many times on the same RPC field: credential flavor When set to a negative value => PC is set to arbitrary memory value 54
CRASH ANALYSIS 55
CRASH ANALYSIS 56
CRASH ANALYSIS 57
CRASH ANALYSIS 58
CRASH ANALYSIS 59 O_o
CRASH ANALYSIS 60
CRASH ANALYSIS 61
RESPONSIBLE DISCLOSURE Vuln reported to Wind River on July 22nd and acknowledged on 23rd Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable Wind River is providing patches Every VxWorks customers should check the Knowledge Library for details On Sept 9th 2015 I’ve been authorised to disclose details 62
HOW TO EXPLOIT? Integer overflow leading to RCE Heap spray to place the shellcode Compute credential flavor value Jump into shellcode directly all memory protections bypassed/defeated backdoor account set up 63
EXPLOITATION DEMO 64
ABOUT THE REAL TARGETS Schneider Modicon Quantum PLC runs VxWorks and has port 111 open (https://www.digitalbond.co m/tools/basecamp/schneide r-modicon-quantum/) 65
SOME NUMBERS Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open 66
FUN FACT 67
MORE BUGS FOUND DURING FUZZING FTP server is susceptible to ring buffer overflow when accessed at a high speed 68
MORE BUGS FOUND DURING FUZZING FTP server crashes when received specially crafted username and password  network stack down 69
CONCLUSION WindRiver takes VxWorks’ security seriously Implemented a lot of memory protections Being defeated by a simple integer overflow bug 70
FUTURE WORK ? VxWorks 7 More complete WDBRPC protocol and Wdb over serial implementation Continuing to find bugs 71
CODE RELEASE The WdbDbg framework should be released in the next weeks here: https://bitbucket.org/yformaggio/wdbdbg Exploit code will not be released unless explicit authorisation given 72
QUESTIONS 73
THANKS !
LINKS http://www.vxdev.com/docs/vx55man/tornado-api/wdbpcl/wdb.html http://www.uio.no/[...]/vxworks_architecture_supplement_6.2.pdf http://www.uio.no/[...]/vxworks_kernel_programmers_guide_6.2.pdf http://cimsol-mc.sourceforge.net/files/vxworks/VxWorks60.pdf Digging Inside the VxWorks OS and Firmware The Holistic Security HD Moore - Fun with VxWorks 75

Empfohlen

CNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you BeginCNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you Begin
Sam Bowne
 
Katagaitai CTF勉強会 #4 Crypto
Katagaitai CTF勉強会 #4 CryptoKatagaitai CTF勉強会 #4 Crypto
Katagaitai CTF勉強会 #4 Crypto
trmr
 
Introduction to CMake
Introduction to CMakeIntroduction to CMake
Introduction to CMake
Dimitrios Platis
 
Linux commands
Linux commandsLinux commands
Linux commands
Mannu Khani
 
Jump statment in python
Jump statment in pythonJump statment in python
Jump statment in python
RaginiJain21
 
CMake - Introduction and best practices
CMake - Introduction and best practicesCMake - Introduction and best practices
CMake - Introduction and best practices
Daniel Pfeifer
 
[131]해커의 관점에서 바라보기
[131]해커의 관점에서 바라보기[131]해커의 관점에서 바라보기
[131]해커의 관점에서 바라보기
NAVER D2
 
History & Practices for UniRx UniRxの歴史、或いは開発(中)タイトルの用例と落とし穴の回避法
History & Practices for UniRx UniRxの歴史、或いは開発(中)タイトルの用例と落とし穴の回避法History & Practices for UniRx UniRxの歴史、或いは開発(中)タイトルの用例と落とし穴の回避法
History & Practices for UniRx UniRxの歴史、或いは開発(中)タイトルの用例と落とし穴の回避法
Yoshifumi Kawai
 

Empfohlen

CNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you BeginCNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you Begin
Sam Bowne
 
Katagaitai CTF勉強会 #4 Crypto
Katagaitai CTF勉強会 #4 CryptoKatagaitai CTF勉強会 #4 Crypto
Katagaitai CTF勉強会 #4 Crypto
trmr
 
Introduction to CMake
Introduction to CMakeIntroduction to CMake
Introduction to CMake
Dimitrios Platis
 
Linux commands
Linux commandsLinux commands
Linux commands
Mannu Khani
 
Jump statment in python
Jump statment in pythonJump statment in python
Jump statment in python
RaginiJain21
 
CMake - Introduction and best practices
CMake - Introduction and best practicesCMake - Introduction and best practices
CMake - Introduction and best practices
Daniel Pfeifer
 
[131]해커의 관점에서 바라보기
[131]해커의 관점에서 바라보기[131]해커의 관점에서 바라보기
[131]해커의 관점에서 바라보기
NAVER D2
 
History & Practices for UniRx UniRxの歴史、或いは開発(中)タイトルの用例と落とし穴の回避法
History & Practices for UniRx UniRxの歴史、或いは開発(中)タイトルの用例と落とし穴の回避法History & Practices for UniRx UniRxの歴史、或いは開発(中)タイトルの用例と落とし穴の回避法
History & Practices for UniRx UniRxの歴史、或いは開発(中)タイトルの用例と落とし穴の回避法
Yoshifumi Kawai
 
VerilatorとSystemCでSoftware Driven Verification
VerilatorとSystemCでSoftware Driven VerificationVerilatorとSystemCでSoftware Driven Verification
VerilatorとSystemCでSoftware Driven Verification
Mr. Vengineer
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
nitinscribd
 
Linux Internals - Interview essentials 4.0
Linux Internals - Interview essentials 4.0Linux Internals - Interview essentials 4.0
Linux Internals - Interview essentials 4.0
Emertxe Information Technologies Pvt Ltd
 
CNIT 127 Ch 8: Windows overflows (Part 1)
CNIT 127 Ch 8: Windows overflows (Part 1)CNIT 127 Ch 8: Windows overflows (Part 1)
CNIT 127 Ch 8: Windows overflows (Part 1)
Sam Bowne
 
LLVM
LLVMLLVM
LLVM
guest3e5046
 
Insecure coding in C (and C++)
Insecure coding in C (and C++)Insecure coding in C (and C++)
Insecure coding in C (and C++)
Olve Maudal
 
Effective testing with pytest
Effective testing with pytestEffective testing with pytest
Effective testing with pytest
Hector Canto
 
Control structures in c
Control structures in cControl structures in c
Control structures in c
baabtra.com - No. 1 supplier of quality freshers
 
The Rust Programming Language
The Rust Programming LanguageThe Rust Programming Language
The Rust Programming Language
Mario Alexandro Santini
 
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Saumil Shah
 
Alphorm.com Formation PowerShell : Niveau Initiation
Alphorm.com Formation PowerShell : Niveau InitiationAlphorm.com Formation PowerShell : Niveau Initiation
Alphorm.com Formation PowerShell : Niveau Initiation
Alphorm
 
[143] Modern C++ 무조건 써야 해?
[143] Modern C++ 무조건 써야 해?[143] Modern C++ 무조건 써야 해?
[143] Modern C++ 무조건 써야 해?
NAVER D2
 
Switch statement, break statement, go to statement
Switch statement, break statement, go to statementSwitch statement, break statement, go to statement
Switch statement, break statement, go to statement
Raj Parekh
 
SystemC Tutorial
SystemC TutorialSystemC Tutorial
SystemC Tutorial
kocha2012
 
CNIT 127 Ch 5: Introduction to heap overflows
CNIT 127 Ch 5: Introduction to heap overflowsCNIT 127 Ch 5: Introduction to heap overflows
CNIT 127 Ch 5: Introduction to heap overflows
Sam Bowne
 
Effective CMake
Effective CMakeEffective CMake
Effective CMake
Daniel Pfeifer
 
Private cloud without vendor lock // Serverless
Private cloud without vendor lock // ServerlessPrivate cloud without vendor lock // Serverless
Private cloud without vendor lock // Serverless
Timur Shemsedinov
 
Effective Modern C++ Item 9 and 10
Effective Modern C++ Item 9 and 10Effective Modern C++ Item 9 and 10
Effective Modern C++ Item 9 and 10
uchan_nos
 
WSL2 and Docker Desktop
WSL2 and Docker DesktopWSL2 and Docker Desktop
WSL2 and Docker Desktop
Stefan Scherer
 
An Introduction to CMake
An Introduction to CMakeAn Introduction to CMake
An Introduction to CMake
ICS
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
44CON
 

Weitere ähnliche Inhalte

Was ist angesagt?

Insecure coding in C (and C++)
Insecure coding in C (and C++)Insecure coding in C (and C++)
Insecure coding in C (and C++)
Olve Maudal
 
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Saumil Shah
 
Alphorm.com Formation PowerShell : Niveau Initiation
Alphorm.com Formation PowerShell : Niveau InitiationAlphorm.com Formation PowerShell : Niveau Initiation
Alphorm.com Formation PowerShell : Niveau Initiation
Alphorm
 
SystemC Tutorial
SystemC TutorialSystemC Tutorial
SystemC Tutorial
kocha2012
 
WSL2 and Docker Desktop
WSL2 and Docker DesktopWSL2 and Docker Desktop
WSL2 and Docker Desktop
Stefan Scherer
 

Was ist angesagt? (20)

VerilatorとSystemCでSoftware Driven Verification
VerilatorとSystemCでSoftware Driven VerificationVerilatorとSystemCでSoftware Driven Verification
VerilatorとSystemCでSoftware Driven Verification
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
 
Linux Internals - Interview essentials 4.0
Linux Internals - Interview essentials 4.0Linux Internals - Interview essentials 4.0
Linux Internals - Interview essentials 4.0
 
CNIT 127 Ch 8: Windows overflows (Part 1)
CNIT 127 Ch 8: Windows overflows (Part 1)CNIT 127 Ch 8: Windows overflows (Part 1)
CNIT 127 Ch 8: Windows overflows (Part 1)
 
LLVM
LLVMLLVM
LLVM
 
Insecure coding in C (and C++)
Insecure coding in C (and C++)Insecure coding in C (and C++)
Insecure coding in C (and C++)
 
Effective testing with pytest
Effective testing with pytestEffective testing with pytest
Effective testing with pytest
 
Control structures in c
Control structures in cControl structures in c
Control structures in c
 
The Rust Programming Language
The Rust Programming LanguageThe Rust Programming Language
The Rust Programming Language
 
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
 
Alphorm.com Formation PowerShell : Niveau Initiation
Alphorm.com Formation PowerShell : Niveau InitiationAlphorm.com Formation PowerShell : Niveau Initiation
Alphorm.com Formation PowerShell : Niveau Initiation
 
[143] Modern C++ 무조건 써야 해?
[143] Modern C++ 무조건 써야 해?[143] Modern C++ 무조건 써야 해?
[143] Modern C++ 무조건 써야 해?
 
Switch statement, break statement, go to statement
Switch statement, break statement, go to statementSwitch statement, break statement, go to statement
Switch statement, break statement, go to statement
 
SystemC Tutorial
SystemC TutorialSystemC Tutorial
SystemC Tutorial
 
CNIT 127 Ch 5: Introduction to heap overflows
CNIT 127 Ch 5: Introduction to heap overflowsCNIT 127 Ch 5: Introduction to heap overflows
CNIT 127 Ch 5: Introduction to heap overflows
 
Effective CMake
Effective CMakeEffective CMake
Effective CMake
 
Private cloud without vendor lock // Serverless
Private cloud without vendor lock // ServerlessPrivate cloud without vendor lock // Serverless
Private cloud without vendor lock // Serverless
 
Effective Modern C++ Item 9 and 10
Effective Modern C++ Item 9 and 10Effective Modern C++ Item 9 and 10
Effective Modern C++ Item 9 and 10
 
WSL2 and Docker Desktop
WSL2 and Docker DesktopWSL2 and Docker Desktop
WSL2 and Docker Desktop
 
An Introduction to CMake
An Introduction to CMakeAn Introduction to CMake
An Introduction to CMake
 

Andere mochten auch

Andere mochten auch (8)

44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
 
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection
 

Ähnlich wie 44CON London - Attacking VxWorks: from Stone Age to Interstellar

Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Cybersecurity Education and Research Centre
 
CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)
CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)
CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)
PROIDEA
 
Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanPotapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsan
DefconRussia
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eve
chiportal
 
Using Smalltalk for controlling robotics systems
Using Smalltalk for controlling robotics systemsUsing Smalltalk for controlling robotics systems
Using Smalltalk for controlling robotics systems
Serge Stinckwich
 

Ähnlich wie 44CON London - Attacking VxWorks: from Stone Age to Interstellar (20)

FreeLix: Semplicità & Controllo
FreeLix: Semplicità & ControlloFreeLix: Semplicità & Controllo
FreeLix: Semplicità & Controllo
 
Hardware accelerated switching with Linux @ SWLUG Talks May 2014
Hardware accelerated switching with Linux @ SWLUG Talks May 2014Hardware accelerated switching with Linux @ SWLUG Talks May 2014
Hardware accelerated switching with Linux @ SWLUG Talks May 2014
 
PVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications developmentPVS-Studio, a solution for resource intensive applications development
PVS-Studio, a solution for resource intensive applications development
 
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
Windows Debugging with WinDbg
Windows Debugging with WinDbgWindows Debugging with WinDbg
Windows Debugging with WinDbg
 
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
Docker Multihost Networking
Docker Multihost Networking Docker Multihost Networking
Docker Multihost Networking
 
Compiling P4 to XDP, IOVISOR Summit 2017
Compiling P4 to XDP, IOVISOR Summit 2017Compiling P4 to XDP, IOVISOR Summit 2017
Compiling P4 to XDP, IOVISOR Summit 2017
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
 
CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)
CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)
CONFidence 2017: Hacking embedded with OpenWrt (Vladimir Mitiouchev)
 
Potapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsanPotapenko, vyukov forewarned is forearmed. a san and tsan
Potapenko, vyukov forewarned is forearmed. a san and tsan
 
Swug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathSwug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainath
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eve
 
Using Smalltalk for controlling robotics systems
Using Smalltalk for controlling robotics systemsUsing Smalltalk for controlling robotics systems
Using Smalltalk for controlling robotics systems
 
Technical Overview of QUIC
Technical Overview of QUICTechnical Overview of QUIC
Technical Overview of QUIC
 
Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016 Red Hat demo of OpenStack and ODL at ODL summit 2016
Red Hat demo of OpenStack and ODL at ODL summit 2016
 
Deep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slidesDeep submicron-backdoors-ortega-syscan-2014-slides
Deep submicron-backdoors-ortega-syscan-2014-slides
 

Mehr von 44CON

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
44CON
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
44CON
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
44CON
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
44CON
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
44CON
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
44CON
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
44CON
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
44CON
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
44CON
 

Mehr von 44CON (20)

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 
44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
 
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
 
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software
 

Kürzlich hochgeladen

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 

Kürzlich hochgeladen (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 

44CON London - Attacking VxWorks: from Stone Age to Interstellar

  • 1. ATTACKING VXWORKS FROM STONE AGE TO INTERSTELLAR 44CON LONDON 9/10/2015YANNICK FORMAGGIO, RICHARD HSU & ERIC LIU
  • 2. ABOUT ME Yannick Formaggio Security Researcher at Istuary Innovation Labs @TheLumberJhack || yannickformaggio on LinkedIn Look for vulns using fuzzing techniques, first time speaker, Lego fan… Help from Richard Hsu and Eric Liu (Lead security researcher) 2
  • 3. AGENDA Introduction to VxWorks & previous researches Inside VxWorks: Memory management & protections From fuzzing to exploit: RPC Integer Overflow RCE Conclusion 3
  • 5. WHAT’S VXWORKS? #1 Embedded devices RTOS Claimed > 1.5 billions devices developed by Wind River supports lot of CPU architectures
  • 7. WHAT’S VXWORKS? 1987 • First release • 32 bits processing 1990’s • VxWorks 5 released • 1st RTOS w/ network stack 2000’s • VxWorks 6.x (12-2004) • Security improvements (RTPs, no more task shared memory) 2014 • VxWorks 7.x (02-2014) • 64bits, more security improvements
  • 9. “ ” The Real-Time Operating System for the Internet of Things Powering billions of intelligent devices, VxWorks® delivers an industry-leading combination of scalability, safety, security, and virtualization capabilities to meet next-generation requirements. Windriver VxWorks product 9
  • 10. VXWORKS & SECURITY Source: http://www.cvedetails.com/product/15063/Windriver-Vxworks.html?vendor_id=95 10
  • 11. VXWORKS & SECURITY Wind River treatsVxWorks security seriously Partnership with McAffee in Feb 2011 Source: http://www.windriver.com/news/press/pr.html?ID=8801
  • 12. VXWORKS & SECURITY Wind River treats VxWorks security seriously Partnership with McAffee in Feb 2011 6.x introduced some memory protections 7.x improved way further: Digitally signed modules (X.509) Encryption Centralized user database Password management (SHA-256 algorithm) Ability to create/delete users at run time Encrypted data storage
  • 14. PREVIOUS RESEARCH & INSPIRATIONS “Shiny Old VxWorks Vulnerabilities” HD Moore (2010) 4 Metasploit modules targeting WDB RPC Weak password hash entropy  rainbow table containing around 200k hashed passwords 14
  • 15. PREVIOUS RESEARCH & INSPIRATIONS “Reverse Engineering VxWorks Firmware: WRT54Gv8” /dev/ttyS0 15
  • 16. PREVIOUS RESEARCH & INSPIRATIONS “Digging Inside the VxWorks OS and Firmware The Holistic Security” Aditya K Sood (0kn0ck) – SecNiche Security Lab WDB debugging Interface (again) OS Security 16
  • 17. INSIDE VXWORKS MEMORY LAYOUT & PROTECTIONS 17
  • 18. X86 MEMORY LAYOUT: UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY 18
  • 19. X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table 19
  • 20. X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table ASCII string for fatal exception message 20
  • 21. X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Decriptor/Vector Table ASCII string for fatal exception message VxWorks image entry point 21
  • 22. X86 UPPER MEMORY IDT (2KB) Addresss 0x0000 + LOCAL_MEM_LOCAL_ADRS GDT + 0x800 SM Anchor + 0x1100 Boot Line + 0x1200 Exception message + 0x1300 FD DMA Area + 0x2000 + 0x5000 (no memory) + 0xa0000 Initial Stack + 0x100000 System Image + 0x108000 _end WDB Memory Pool Interrupt stack System Memory Pool … sysMemTop() Available Reserved KEY Interrupt Descriptor/Vector Table ASCII string for fatal exception message VxWorks image entry point WDB shared memory 22
  • 23. MEMORY PROTECTIONS VxWorks provides MMU-based features in addition to the virtual memory support Non MMU based protections: Heap Error Detection 23
  • 24. MEMORY PROTECTION: Task stack overrun and underrun detection Interrupt stack overrun and underrun detection Stack pages Stack Start Stop 24
  • 25. MEMORY PROTECTION Non-executable task stacks & Non- writable Text Segment INCLUDE_TASK_STACK_NO_EXEC INCLUDE_PROTECT_TEXT Task stack size = MMU page size Program pages Read Only Raw Data r+w .TEXT.DATA 25
  • 27. HEAP BLOCK OVERRUN DETECTION / USAGE TRACKING & LEAKAGE DETECTION 27
  • 28. FROM FUZZING TO EXPLOIT 28
  • 29. FUZZING TARGETS Network protocols: Portmap (RPC) FTP TFTP NTP … 29
  • 30. FUZZING Used Sulley fuzzing framework Problem: no accurate crash detection available Solution: using WdbRPC 30
  • 31. WHAT’S WDB RPC? Debugging Interface Service running on port UDP/17185 Based on SUN-RPC protocol Provides direct access to system memory 31
  • 32. WDB PROTOCOL V2 Target Server Target Agent WDB Shell Debugger Browser Other tools HOST VxWorks WTX OS 32
  • 33. WDB PROTOCOL V2 CALL: SENT BY TARGET SERVER IP HEADER (20 bytes) UDP HEADER (8 bytes) RPC Request Header (40 bytes) WDB Param Wrapper (12 bytes) XDR Encoded parameters XDR Encoded stream Checksum (4 bytes) Length (4 bytes) Sequence # (4 bytes) 33
  • 34. WDB PROTOCOL V2 REPLY: SENT BY TARGET AGENT IP HEADER (20 bytes) UDP HEADER (8 bytes) RPC Reply Header (24 bytes) WDB Param Wrapper (12 bytes) XDR Encoded parameters XDR Encoded stream Checksum (4 bytes) Length (4 bytes) Error code (4 bytes) 34
  • 35. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 35
  • 36. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 36
  • 37. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 37
  • 38. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 38
  • 39. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 39
  • 40. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 40
  • 41. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 41
  • 42. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X HOST TARGET CALL REPLY 42
  • 43. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 6.X HOST TARGET CALL REPLY … 43 Small interpreted language Two objects: pointer and tape Result of the eval stored in tape Tape content returned to the host More info on Gopher
  • 44. STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 6.X CALL REPLY 44 HOST TARGET … Host reads the pointed memory addresses
  • 45. CRASH DETECTION Target sends event notification 45 HOST TARGET
  • 46. CRASH DETECTION Target sends event notification Host acknowledges 46 HOST TARGET
  • 47. CRASH DETECTION Target sends event notification Host acknowledges Host ask more information (registers content, memory area, …) 47 HOST TARGET
  • 48. WDBRPC FRAMEWORK Python 2.7 Supports VxWorks 5.x and 6.x Partially implements WDBRPC protocol Implements a basic remote debugger: WdbDbg 48
  • 49. WDBRPC FRAMEWORK Python 2.7 Supports VxWorks 5.x and 6.x Partially implements WDBRPC protocol Implements a basic remote debugger: WdbDbg 49
  • 50. WDBRPC FRAMEWORK Some externals dependencies: PyElfTools: reads the imports from the VxWorks Image Capstone Engine: disassemble code around crash area 50
  • 51. INTERFACING WITH SULLEY Inspiration from the process_monitor.py script coming with Sulley Implementation: DebuggerThread instantiates WdbDbg and implements callback to call when crash occurs ProcessMonitorPedRPCServer interfaces with Sulley’s ped-rpc routines VxMon wraps everything 51
  • 54. CRASH ANALYSIS Portmap task crashed many times on the same RPC field: credential flavor When set to a negative value => PC is set to arbitrary memory value 54
  • 62. RESPONSIBLE DISCLOSURE Vuln reported to Wind River on July 22nd and acknowledged on 23rd Confirmed August 11th that versions between 5.5 and 6.9.4.1 are vulnerable Wind River is providing patches Every VxWorks customers should check the Knowledge Library for details On Sept 9th 2015 I’ve been authorised to disclose details 62
  • 63. HOW TO EXPLOIT? Integer overflow leading to RCE Heap spray to place the shellcode Compute credential flavor value Jump into shellcode directly all memory protections bypassed/defeated backdoor account set up 63
  • 65. ABOUT THE REAL TARGETS Schneider Modicon Quantum PLC runs VxWorks and has port 111 open (https://www.digitalbond.co m/tools/basecamp/schneide r-modicon-quantum/) 65
  • 66. SOME NUMBERS Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open 66
  • 68. MORE BUGS FOUND DURING FUZZING FTP server is susceptible to ring buffer overflow when accessed at a high speed 68
  • 69. MORE BUGS FOUND DURING FUZZING FTP server crashes when received specially crafted username and password  network stack down 69
  • 70. CONCLUSION WindRiver takes VxWorks’ security seriously Implemented a lot of memory protections Being defeated by a simple integer overflow bug 70
  • 71. FUTURE WORK ? VxWorks 7 More complete WDBRPC protocol and Wdb over serial implementation Continuing to find bugs 71
  • 72. CODE RELEASE The WdbDbg framework should be released in the next weeks here: https://bitbucket.org/yformaggio/wdbdbg Exploit code will not be released unless explicit authorisation given 72