Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/13/2010
09:49 AM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Gaining A Foothold By Exploiting VxWorks Vulns

The VxWorks vulnerabilities recently announced in Las Vegas during the BSides and Defcon security conferences have opened a can of worms for hundreds of vendors, and even more consumers and companies using the vulnerable products -- the majority of whom have no idea they're vulnerable and potentially exposed to external attackers.

The VxWorks vulnerabilities recently announced in Las Vegas during the BSides and Defcon security conferences have opened a can of worms for hundreds of vendors, and even more consumers and companies using the vulnerable products -- the majority of whom have no idea they're vulnerable and potentially exposed to external attackers.I've spent several late nights exploring vulnerable VxWorks systems and digging through memory dumps from vulnerable systems. There are a couple of things that have become apparent. The first is these devices are everywhere. As I mentioned in my previous blog, VxWorks is found in webcams, enterprise SANs, and the Mars Rovers, which is impressive, but there's more.

You can find it running on printers, streaming multimedia devices, Fiber Channel and network switches, wireless access points and routers, VoIP phones, and videoconferencing products.

You get the point. VxWorks is everywhere. And best (or worst) of all, there's a treasure trove of information buried in their memory. Before we dig into what you can find in them, let's quickly cover finding them.

Identifying vulnerable VxWorks devices is extremely easy. The quickest, yet noisiest, method is scanning your target network with something like the Metasploit Framework's wdbrpc_bootline. You provide it with a single IP or subnet, and it probes UDP port 17185, then returns the VxWorks boot parameters if the device is vulnerable. It's super easy. Major vulnerability scanners should also have included detection capabilities by now -- I know Nessus and Rapid7 Nexpose do.

However, if you're looking to fly under the radar, then a scanner could cause some unwanted noise. SHODAN can help by providing a searchable index of service banners found by scanning Internet-accessible systems. Searching for "vxworks" returns nearly 18,000 publicly accessible devices that contained "vxworks" in their banners for HTTP, HTTPS, FTP, and Telnet.

That's a lot of devices, but let's say you're targeting a specific manufacturer or device. You can search for terms like "mcdata," which will return a handful of Fiber Channel switches. There are also numerous video-streaming devices that can be found by searching for "vbrick." What about scarier stuff like SCADA devices? It's all there, too, and disappointingly easy to find -- "SCHNEIDER TSX," for example.

Once you've found vulnerable VxWorks-based devices on your network (or your target's network), it's time to start dumping memory and digging for the good stuff. Be on the lookout for passwords, internal IPs, printed and scanned documents, e-mail addresses, and anything else that might help during a penetration test. Use the wdbrpc_memory_dump Metasploit module to dump memory from a device; if you have many and want to automate it, Dillon has written a blog titled "Metasploit VxWorks WDB Agent Attack Automation" on how to do it with Ruby.

Of course, if you're lazy like me, then you automated the dumping in one line of bash: for i in `cat hosts`; do ./msfcli auxiliary/admin/vxworks/wdbrpc_memory_dump RHOST=$i LPATH=/tmp/vxworks/$i E ; done

While you can find password hashes associated with the weak password hashing algorithm in memory, the tools to exploit the vulnerability will not be released until September. You could spend time generating your own table like a friend did, but there's other juicy tidbits to be found without much effort.

Two different devices I looked at had their management interfaces' user name and password in the memory dumps within a HTTP Basic Authentication header that can be easily decoded. I was scrolling through a dump with a hex editor when I found a full header with something like "Authorization: Basic YWRtaW46c3cxdGNocHcK." From there, I started searching dumps (grep -ai "Authorization: Basic" dump_file) and found several more. Unfortunately, finding these credentials was not consistent across all the devices I looked at.

There's also the potential for exposure of passwords to other systems. For example, multifunction copier devices can often send scanned documents via e-mail, upload them using WebDAV, or save them to a shared folder on a Windows system. On one device I found the WebDAV user name and password that was base64 encoded similar to the HTTP Basic Authentication headers above. On another device, there was what appeared to be an Active Directory service account with password.

Like I said, these vulnerabilities have opened a can of worms, and there's still so much left to explore. I'm sure there's more interesting information that can be gleaned from these systems' memory, so if you're bored this weekend, you know what you can do. You never know, it could lead to the foothold you need in your next penetration test.

Happy hacking!

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10133
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.
CVE-2019-10134
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded.
CVE-2019-10154
PUBLISHED: 2019-06-26
A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations.
CVE-2019-9039
PUBLISHED: 2019-06-26
The Couchbase Sync Gateway 2.1.2 in combination with a Couchbase Server is affected by a previously undisclosed N1QL-injection vulnerability in the REST API. An attacker with access to the public REST API can insert additional N1QL statements through the parameters ?startkey? and ?endkey? of the ?_a...
CVE-2018-20846
PUBLISHED: 2019-06-26
Out-of-bounds accesses in the functions pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash).