Perimeter

8/2/2010
05:56 AM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

VxWorks Vulnerability Tools Released

If you haven't started scanning your network for UDP port 17185, then you better start now. This past week at BSides Las Vegas and Defcon, HD Moore, CSO of Rapid7 and Metasploit chief architect for the Metasploit project, demonstrated an exploit against VxWorks that affects hundreds of products from many different manufacturers.

If you haven't started scanning your network for UDP port 17185, then you better start now. This past week at BSides Las Vegas and Defcon, HD Moore, CSO of Rapid7 and Metasploit chief architect for the Metasploit project, demonstrated an exploit against VxWorks that affects hundreds of products from many different manufacturers.VxWorks is an embedded operating system used in devices that range from consumer-based products like webcams to the Mars Rover and enterprise storage systems. HD gave Dark Reading a preview of his talk prior to Black Hat, BSides, and Defcon and can be found here, "Researcher Pinpoints Widespread Common Flaw Among VxWorks Devices."

Since then, HD has given his talk two times with even more information about the vulnerabilities, including some details and demonstrations that were intentionally kept from being recorded because they demonstrated actual exploitation. Today, advisories from his research will be published by CERT with tools for scanning, while exploitation tools will follow next month.

What makes these vulnerabilities particularly concerning is that they can be performed without knowing the password and they affect many devices including important enterprise hardware. Successful exploitation allows an attacker to dump memory and scan for passwords in the memory dump. Similarly, memory can be modified and reloaded without requiring credentials allowing an attacker to arbitrarily modify the firmware remotely.

HD published a blog a couple hours ago with more information that he covered in his talk and shows output from two of the four new modules he just added to the Metasploit Framework: wdbrpc_bootline, wdbrpc_version, wdbrpc_memory_dump, and wdbrpc_reboot. The four auxiliary modules are split into two categories where the first two are for scanning and device enumeration and the latter two actually exploit the VxWorks debugger service to dump memory and reboot the device.

I had originally started testing for these vulnerabilities by scanning a couple of devices I had in my lab using nmap looking for UDP port 17185 (only used by the VxWorks debugger). Since HD released the new Metasploit modules a few hours ago, I've rerun some of my scans and found it faster and more informative to use his modules instead of nmap because they can provide detailed version information about the hosts.

Of course, I'd be remiss if I didn't go beyond the enumeration phase and confirm that all of the found devices were indeed vulnerable. I put together a quick script to use the wdbrpc_memory_dump module to dump memory from a device I had laying around. And, just for the sake of confirming that wdbrcp_reboot worked, I rebooted the same device while pinging it to be sure it went offline and came back up--worked like a champ.

I'll ask again. Have you started scanning your network for UDP port 17185? I'm sure I already know the answer. Go, update your Metasploit Framework, and start scanning now. And, if you have any hosts on public IP addresses, then immediately go and block 17185 at your Internet boundary to prevent them from getting exploited. While the real "exploit" tools will not be released for another month, it won't take much to modify the wdbrcp_reboot module to do more than just reboot a device based on the information in HD's presentation, so please put in protections now.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18913
PUBLISHED: 2019-03-21
Opera before 57.0.3098.106 is vulnerable to a DLL Search Order hijacking attack where an attacker can send a ZIP archive composed of an HTML page along with a malicious DLL to the target. Once the document is opened, it may allow the attacker to take full control of the system from any location with...
CVE-2018-20031
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to preemptive item deletion in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2018-20032
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to message decoding in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon t...
CVE-2018-20034
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to adding an item to a list in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
CVE-2019-3855
PUBLISHED: 2019-03-21
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.