
Perimeter

8/2/2010 05:56 AM
John H. Sawyer
Commentary

VxWorks Vulnerability Tools Released

If you haven't started scanning your network for UDP port 17185, then you better start now. This past week at BSides Las Vegas and Defcon, HD Moore, CSO of Rapid7 and chief architect of the Metasploit project, demonstrated an exploit against VxWorks that affects hundreds of products from many different manufacturers.

VxWorks is an embedded operating system used in devices that range from consumer products like webcams to the Mars Rover and enterprise storage systems. HD gave Dark Reading a preview of his talk prior to Black Hat, BSides, and Defcon in "Researcher Pinpoints Widespread Common Flaw Among VxWorks Devices."

Since then, HD has given his talk twice with even more information about the vulnerabilities, including some details and demonstrations that were intentionally kept from being recorded because they showed actual exploitation. Today, CERT will publish advisories based on his research along with tools for scanning; exploitation tools will follow next month.

What makes these vulnerabilities particularly concerning is that they can be exploited without knowing a password, and they affect many devices, including important enterprise hardware. Successful exploitation allows an attacker to dump memory and scan the dump for passwords. Similarly, memory can be modified and reloaded without credentials, allowing an attacker to arbitrarily modify the firmware remotely.

HD published a blog post a couple of hours ago with more of the information he covered in his talk; it shows output from two of the four new modules he just added to the Metasploit Framework: wdbrpc_bootline, wdbrpc_version, wdbrpc_memory_dump, and wdbrpc_reboot. The four auxiliary modules fall into two categories: the first two are for scanning and device enumeration, and the latter two actually exploit the VxWorks debugger service to dump memory and reboot the device.

I had originally started testing for these vulnerabilities by scanning a couple of devices in my lab with Nmap, looking for UDP port 17185 (used only by the VxWorks debugger). Since HD released the new Metasploit modules a few hours ago, I've rerun some of my scans and found it faster and more informative to use his modules instead of Nmap, because they can provide detailed version information about the hosts.

Of course, I'd be remiss if I didn't go beyond the enumeration phase and confirm that all of the discovered devices were indeed vulnerable. I put together a quick script that uses the wdbrpc_memory_dump module to dump memory from a device I had lying around. And, just to confirm that wdbrpc_reboot worked, I rebooted the same device while pinging it to be sure it went offline and came back up. It worked like a champ.

I'll ask again: have you started scanning your network for UDP port 17185? I'm sure I already know the answer. Go update your Metasploit Framework and start scanning now. And if you have any hosts on public IP addresses, immediately block 17185 at your Internet boundary to prevent them from being exploited. While the real exploit tools will not be released for another month, it won't take much to modify the wdbrpc_reboot module to do more than just reboot a device based on the information in HD's presentation, so please put protections in place now.
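As an added example (not from this post or from HD's modules), here is a small Python triage script for the scanning step above: it reads the XML from an `nmap -sU -p 17185 -oX` run and separates hosts that actually answered on UDP/17185 from those Nmap could only mark `open|filtered`, which is exactly the gap the wdbrpc_version module closes. The Nmap XML and the 192.0.2.x addresses are constructed placeholders.

```python
# Triage an Nmap UDP scan, e.g. `nmap -sU -p 17185 -oX wdb_scan.xml 192.0.2.0/24`,
# for hosts exposing the VxWorks WDB debug agent on UDP/17185.
import xml.etree.ElementTree as ET

WDB_PORT = "17185"

# Constructed Nmap XML output (not a real scan): three hosts, three UDP states.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sU -p 17185 -oX - 192.0.2.0/24">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="udp" portid="17185">
      <state state="open" reason="udp-response"/><service name="wdbrpc"/>
    </port></ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="udp" portid="17185">
      <state state="open|filtered" reason="no-response"/>
    </port></ports></host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports><port protocol="udp" portid="17185">
      <state state="closed" reason="port-unreach"/>
    </port></ports></host>
</nmaprun>
"""
def find_wdb_hosts(nmap_xml):
    """Return {ip: state} for hosts whose UDP/17185 is not confirmed closed.
    Nmap reports 'open|filtered' when a UDP probe gets no reply, so those hosts
    still need a protocol-aware check (e.g. the wdbrpc_version module)."""
    findings = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            if port.get("protocol") != "udp" or port.get("portid") != WDB_PORT:
                continue
            state = port.find("state").get("state")
            if state != "closed":  # only an ICMP port-unreachable rules it out
                findings[addr.get("addr")] = state
    return findings

def triage(findings):
    """Split findings into confirmed WDB responders and hosts still to verify."""
    confirmed = sorted(ip for ip, s in findings.items() if s == "open")
    unverified = sorted(ip for ip, s in findings.items() if s != "open")
    return confirmed, unverified

if __name__ == "__main__":
    confirmed, unverified = triage(find_wdb_hosts(SAMPLE_NMAP_XML))
    print("WDB agent answered, block/remediate now:", confirmed)
    print("No UDP reply, verify with wdbrpc_version:", unverified)
```

Hosts in the second list are not clear: a UDP probe with no reply is indistinguishable from a filtered port, so they should stay on the follow-up list until a WDB-aware probe or a firewall rule settles the question.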

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.
