Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/2/2010
05:56 AM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

VxWorks Vulnerability Tools Released

If you haven't started scanning your network for UDP port 17185, then you better start now. This past week at BSides Las Vegas and Defcon, HD Moore, CSO of Rapid7 and Metasploit chief architect for the Metasploit project, demonstrated an exploit against VxWorks that affects hundreds of products from many different manufacturers.

If you haven't started scanning your network for UDP port 17185, then you better start now. This past week at BSides Las Vegas and Defcon, HD Moore, CSO of Rapid7 and Metasploit chief architect for the Metasploit project, demonstrated an exploit against VxWorks that affects hundreds of products from many different manufacturers.VxWorks is an embedded operating system used in devices that range from consumer-based products like webcams to the Mars Rover and enterprise storage systems. HD gave Dark Reading a preview of his talk prior to Black Hat, BSides, and Defcon and can be found here, "Researcher Pinpoints Widespread Common Flaw Among VxWorks Devices."

Since then, HD has given his talk two times with even more information about the vulnerabilities, including some details and demonstrations that were intentionally kept from being recorded because they demonstrated actual exploitation. Today, advisories from his research will be published by CERT with tools for scanning, while exploitation tools will follow next month.

What makes these vulnerabilities particularly concerning is that they can be performed without knowing the password and they affect many devices including important enterprise hardware. Successful exploitation allows an attacker to dump memory and scan for passwords in the memory dump. Similarly, memory can be modified and reloaded without requiring credentials allowing an attacker to arbitrarily modify the firmware remotely.

HD published a blog a couple hours ago with more information that he covered in his talk and shows output from two of the four new modules he just added to the Metasploit Framework: wdbrpc_bootline, wdbrpc_version, wdbrpc_memory_dump, and wdbrpc_reboot. The four auxiliary modules are split into two categories where the first two are for scanning and device enumeration and the latter two actually exploit the VxWorks debugger service to dump memory and reboot the device.

I had originally started testing for these vulnerabilities by scanning a couple of devices I had in my lab using nmap looking for UDP port 17185 (only used by the VxWorks debugger). Since HD released the new Metasploit modules a few hours ago, I've rerun some of my scans and found it faster and more informative to use his modules instead of nmap because they can provide detailed version information about the hosts.

Of course, I'd be remiss if I didn't go beyond the enumeration phase and confirm that all of the found devices were indeed vulnerable. I put together a quick script to use the wdbrpc_memory_dump module to dump memory from a device I had laying around. And, just for the sake of confirming that wdbrcp_reboot worked, I rebooted the same device while pinging it to be sure it went offline and came back up--worked like a champ.

I'll ask again. Have you started scanning your network for UDP port 17185? I'm sure I already know the answer. Go, update your Metasploit Framework, and start scanning now. And, if you have any hosts on public IP addresses, then immediately go and block 17185 at your Internet boundary to prevent them from getting exploited. While the real "exploit" tools will not be released for another month, it won't take much to modify the wdbrcp_reboot module to do more than just reboot a device based on the information in HD's presentation, so please put in protections now.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-2916
PUBLISHED: 2019-11-15
qtnx 0.9 stores non-custom SSH keys in a world-readable configuration file. If a user has a world-readable or world-executable home directory, another local system user could obtain the private key used to connect to remote NX sessions.
CVE-2019-12757
PUBLISHED: 2019-11-15
Symantec Endpoint Protection (SEP), prior to 14.2 RU2 & 12.1 RU6 MP10 and Symantec Endpoint Protection Small Business Edition (SEP SBE) prior to 12.1 RU6 MP10d (12.1.7510.7002), may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt t...
CVE-2019-12758
PUBLISHED: 2019-11-15
Symantec Endpoint Protection, prior to 14.2 RU2, may be susceptible to an unsigned code execution vulnerability, which may allow an individual to execute code without a resident proper digital signature.
CVE-2019-12759
PUBLISHED: 2019-11-15
Symantec Endpoint Protection Manager (SEPM) and Symantec Mail Security for MS Exchange (SMSMSE), prior to versions 14.2 RU2 and 7.5.x respectively, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software applicat...
CVE-2019-18372
PUBLISHED: 2019-11-15
Symantec Endpoint Protection, prior to 14.2 RU2, may be susceptible to a privilege escalation vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user.