Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:49 AM
John H. Sawyer
John H. Sawyer

Gaining A Foothold By Exploiting VxWorks Vulns

The VxWorks vulnerabilities recently announced in Las Vegas during the BSides and Defcon security conferences have opened a can of worms for hundreds of vendors, and even more consumers and companies using the vulnerable products -- the majority of whom have no idea they're vulnerable and potentially exposed to external attackers.

The VxWorks vulnerabilities recently announced in Las Vegas during the BSides and Defcon security conferences have opened a can of worms for hundreds of vendors, and even more consumers and companies using the vulnerable products -- the majority of whom have no idea they're vulnerable and potentially exposed to external attackers.I've spent several late nights exploring vulnerable VxWorks systems and digging through memory dumps from vulnerable systems. There are a couple of things that have become apparent. The first is these devices are everywhere. As I mentioned in my previous blog, VxWorks is found in webcams, enterprise SANs, and the Mars Rovers, which is impressive, but there's more.

You can find it running on printers, streaming multimedia devices, Fiber Channel and network switches, wireless access points and routers, VoIP phones, and videoconferencing products.

You get the point. VxWorks is everywhere. And best (or worst) of all, there's a treasure trove of information buried in their memory. Before we dig into what you can find in them, let's quickly cover finding them.

Identifying vulnerable VxWorks devices is extremely easy. The quickest, yet noisiest, method is scanning your target network with something like the Metasploit Framework's wdbrpc_bootline. You provide it with a single IP or subnet, and it probes UDP port 17185, then returns the VxWorks boot parameters if the device is vulnerable. It's super easy. Major vulnerability scanners should also have included detection capabilities by now -- I know Nessus and Rapid7 Nexpose do.

However, if you're looking to fly under the radar, then a scanner could cause some unwanted noise. SHODAN can help by providing a searchable index of service banners found by scanning Internet-accessible systems. Searching for "vxworks" returns nearly 18,000 publicly accessible devices that contained "vxworks" in their banners for HTTP, HTTPS, FTP, and Telnet.

That's a lot of devices, but let's say you're targeting a specific manufacturer or device. You can search for terms like "mcdata," which will return a handful of Fiber Channel switches. There are also numerous video-streaming devices that can be found by searching for "vbrick." What about scarier stuff like SCADA devices? It's all there, too, and disappointingly easy to find -- "SCHNEIDER TSX," for example.

Once you've found vulnerable VxWorks-based devices on your network (or your target's network), it's time to start dumping memory and digging for the good stuff. Be on the lookout for passwords, internal IPs, printed and scanned documents, e-mail addresses, and anything else that might help during a penetration test. Use the wdbrpc_memory_dump Metasploit module to dump memory from a device; if you have many and want to automate it, Dillon has written a blog titled "Metasploit VxWorks WDB Agent Attack Automation" on how to do it with Ruby.

Of course, if you're lazy like me, then you automated the dumping in one line of bash: for i in `cat hosts`; do ./msfcli auxiliary/admin/vxworks/wdbrpc_memory_dump RHOST=$i LPATH=/tmp/vxworks/$i E ; done

While you can find password hashes associated with the weak password hashing algorithm in memory, the tools to exploit the vulnerability will not be released until September. You could spend time generating your own table like a friend did, but there's other juicy tidbits to be found without much effort.

Two different devices I looked at had their management interfaces' user name and password in the memory dumps within a HTTP Basic Authentication header that can be easily decoded. I was scrolling through a dump with a hex editor when I found a full header with something like "Authorization: Basic YWRtaW46c3cxdGNocHcK." From there, I started searching dumps (grep -ai "Authorization: Basic" dump_file) and found several more. Unfortunately, finding these credentials was not consistent across all the devices I looked at.

There's also the potential for exposure of passwords to other systems. For example, multifunction copier devices can often send scanned documents via e-mail, upload them using WebDAV, or save them to a shared folder on a Windows system. On one device I found the WebDAV user name and password that was base64 encoded similar to the HTTP Basic Authentication headers above. On another device, there was what appeared to be an Active Directory service account with password.

Like I said, these vulnerabilities have opened a can of worms, and there's still so much left to explore. I'm sure there's more interesting information that can be gleaned from these systems' memory, so if you're bored this weekend, you know what you can do. You never know, it could lead to the foothold you need in your next penetration test.

Happy hacking!

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The State of Email Security and Protection
Mike Flouton, Vice President of Email Security at Barracuda Networks,  11/5/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprise
Assessing Cybersecurity Risk in Today's Enterprise
Security leaders are struggling to understand their organizations risk exposure. While many are confident in their security strategies and processes, theyre also more concerned than ever about getting breached. Download this report today and get insights on how today's enterprises assess and perceive the risks they face in 2019!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-12
WSO2 IS as Key Manager 5.7.0 allows unauthenticated reflected XSS in the dashboard user profile.
PUBLISHED: 2019-11-12
WSO2 IS as Key Manager 5.7.0 allows stored XSS in download-userinfo.jag because Content-Type is mishandled.
PUBLISHED: 2019-11-12
FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header. This may result in remote code execution. An attacker can use a user account to fully compromise the system via a GET request. When the admin visits user information under "User Manager" in the control panel, the pa...
PUBLISHED: 2019-11-12
psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
PUBLISHED: 2019-11-11
maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.