Slide 1: ATTACKING VXWORKS FROM STONE AGE TO INTERSTELLAR
Syscan+360 Beijing, 10/22/2015
Yannick Formaggio, Wenzhe Zhu, Richard Hsu & Eric Liu

Slide 2: ABOUT ME
- Yannick Formaggio, Security Researcher at Istuary Innovation Labs (@TheLumberJhack || yannickformaggio on LinkedIn)
- Eric Liu, Lead Security Researcher
- With help from 朱文哲 (Wenzhe Zhu) and Richard Hsu

Slide 3: AGENDA
1. Introduction to VxWorks & previous papers
2. Inside VxWorks: Memory management & protections
3. From fuzzing to exploit: RPC Integer Overflow RCE

Slide 4: INTRODUCTION

Slide 5: WHAT'S VXWORKS?
- #1 embedded devices RTOS
- Developed by Wind River
- Claimed > 1.5 billion devices
- Supports a lot of CPU architectures

Slide 6: WHAT'S VXWORKS?
- 1987: first release; 32-bit processing
- 1990's: VxWorks 5 released; 1st RTOS with a network stack
- 2000's: VxWorks 6.x (12-2004); security improvements (RTPs, no more task shared memory)
- 2014: VxWorks 7.x (02-2014); 64-bit, more security improvements

Slide 7: "The Real-Time Operating System for the Internet of Things. Powering billions of intelligent devices, VxWorks® delivers an industry-leading combination of scalability, safety, security, and virtualization capabilities to meet next-generation requirements." (Wind River, VxWorks product)

Slide 8: SOME CUSTOMERS (image only)

Slide 9: SOME STATS (image only)

Slide 10: VXWORKS & SECURITY (chart only)
Source: http://www.cvedetails.com/product/15063/Windriver-Vxworks.html?vendor_id=95

Slides 11-12: VXWORKS & SECURITY
- Wind River treats VxWorks security seriously
- Partnership with McAfee in Feb 2011 (source: http://www.windriver.com/news/press/pr.html?ID=8801)
- 6.x introduced some memory protections
- 7.x improved way further:
  - Digitally signed modules (X.509)
  - Encryption
  - Centralized user database
  - Password management (SHA-256 algorithm)
  - Ability to create/delete users at run time
  - Encrypted data storage

Slide 13: PREVIOUS RESEARCH PAPERS & INSPIRATIONS

Slide 14: PREVIOUS RESEARCH & INSPIRATIONS
2010: "Shiny Old VxWorks Vulnerabilities", HD Moore
- 4 Metasploit modules targeting WDB RPC
- (Re)sources on pudn.com …
- Weak password hash entropy -> rainbow table containing around 200k hashed passwords

Slide 15: PREVIOUS RESEARCH & INSPIRATIONS
"Reverse Engineering VxWorks Firmware: WRT54Gv8", /dev/ttyS0

Slide 16: PREVIOUS RESEARCH & INSPIRATIONS
2011: "Digging Inside the VxWorks OS and Firmware: The Holistic Security", Aditya K Sood (0kn0ck), SecNiche Security Lab
- WDB debugging interface (again)
- OS security

Slide 17: INSIDE VXWORKS: MEMORY LAYOUT & PROTECTIONS

Slides 18-22: X86 MEMORY LAYOUT: UPPER MEMORY
Offsets are relative to LOCAL_MEM_LOCAL_ADRS; the slide's colour key marks each region as Available or Reserved:

  Offset        Region
  +0x0000       IDT (2KB)
  +0x800        GDT
  +0x1100       SM Anchor
  +0x1200       Boot Line
  +0x1300       Exception message
  +0x2000       FD DMA Area
  +0x5000       (boundary with no label on the slide)
  +0xa0000      (no memory)
  +0x100000     Initial Stack
  +0x108000     System Image
  _end          WDB Memory Pool, Interrupt stack, System Memory Pool …
  sysMemTop()   (top of system memory)

Annotations added across slides 19-22:
- IDT: Interrupt Descriptor/Vector Table
- Exception message: ASCII string for the fatal exception message
- System Image: VxWorks image entry point
- WDB Memory Pool: WDB shared memory

Slide 23: MEMORY PROTECTIONS
1. Stack protections
2. Heap protections

Slide 24: MEMORY PROTECTION
Task and interrupt stack overrun and underrun protections (diagram: stack pages with Start and Stop markers)

Slide 25: MEMORY PROTECTION
Non-executable task stacks & non-writable text segment (diagram: program pages .TEXT read-only, raw data .DATA r+w)

Slide 26: MEMORY PROTECTION
NULL pointer usage/dereference detection (diagram: address space at 0x00000000 with permissions shown as -r-w-x)

Slide 27: MEMORY PROTECTION
Heap block overrun detection / usage tracking & leakage detection

Slide 28: FROM FUZZING TO EXPLOIT

Slide 29: FUZZING TARGETS
Network protocols:
- Portmap (RPC)
- FTP
- TFTP
- NTP
- …

Slide 30: FUZZING
- Used the Sulley fuzzing framework
- Problem: no accurate crash detection available
- Solution: using WdbRPC

Slide 31: WHAT'S WDB RPC?
- Debugging interface
- Service running on port UDP/17185
- Based on the SUN-RPC protocol
- Provides direct access to system memory

Slide 32: WDB PROTOCOL V2 (diagram)
HOST side: Shell, Debugger, Browser and other tools talk to the Target Server over WTX; the Target Server talks to the Target Agent running inside the VxWorks OS.

Slides 33-40: STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 5.X
Each step is a CALL from the HOST answered by a REPLY from the TARGET:
1. Connect: WDB_TARGET_CONNECT
2. Set task breakable: WDB_FUNC_CALL
3. Suspend execution: WDB_CONTEXT_SUSPEND
4. Set breakpoint/attach: WDB_EVENTPOINT_ADD
5. Continue execution: WDB_CONTEXT_CONT

Slides 41-42: STEPS FOR PROCESS MONITORING USING WDB: VXWORKS 6.X
Again a CALL from the HOST answered by a REPLY from the TARGET:
1. Connect: WDB_TARGET_CONNECT2
2. Set task breakable: WDB_FUNC_CALL
3. Set breakpoint/attach: WDB_EVALUATE_GOPHER, repeated as needed (More info on Gopher)
Then WDB_MEM_READ: the host reads the pointed memory addresses.

Slides 43-45: CRASH DETECTION
1. Target sends an EVENT NOTIFICATION to the host
2. Host acknowledges with WDB_EVENT_GET
3. Host asks for more information (register contents, memory areas, …): WDB_REGS_GET, WDB_MEM_READ

Slide 46: WDBRPC FRAMEWORK
- Python 2.7
- Supports VxWorks 5.x and 6.x
- Partially implements the WDBRPC protocol
- Implements a basic remote debugger: WdbDbg

Slide 47: WDBRPC FRAMEWORK
Some external dependencies:
- PyElfTools: reads the imports from the VxWorks image
- Capstone Engine: disassembles code around the crash area

Slide 48: FUZZING (diagram)
The Sulley Fuzzer sends test cases to the VxWorks target; the VxWorks Process Monitor (WdbDbg) talks to Sulley over PED RPC and to the target over WDB RPC.

Slide 49: DEMO

Slide 50: RESULTS (image only)

Slide 51: CRASH ANALYSIS
- Portmap task crashed many times on the same RPC field: credential flavor
- When set to a negative value => PC is set to an arbitrary memory value

Slides 52-58: CRASH ANALYSIS (screenshots only; slide 56 is captioned "O_o")

Slide 59: CVE-2015-7599
- Vuln reported to Wind River on July 22nd and acknowledged on the 23rd
- Confirmed August 11th; Wind River is providing patches
- Every VxWorks customer should check the Knowledge Library for details
- On Sept 9th 2015 I've been authorised to disclose details

Slide 60: AFFECTED VERSIONS (image only)

Slide 61: HOW TO EXPLOIT?
- Integer overflow leading to RCE
- Heap spray to place the shellcode
- Compute credential flavor value
- Jump into shellcode directly
- All memory protections bypassed/defeated
- Backdoor account set up
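The crash analysis (slide 51) and the exploitation outline (slide 61) both come down to a negative credential flavor reaching a table index. The C below is an added illustration, not Wind River's code nor the authors' exploit: it models that bug class with a constructed three-entry authentication handler table and a constructed portmap CALL laid out per RFC 5531, and puts the signed-only bounds check beside the unsigned check that rejects negative flavors. The handler names, table size and the flavor offset are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

#define AUTH_NONE 0
#define NUM_AUTH_HANDLERS 3        /* constructed table size for this example */
#define RPC_CRED_FLAVOR_OFFSET 24  /* after xid, mtype, rpcvers, prog, vers, proc */

/* Hypothetical dispatch table indexed by credential flavor. */
typedef int (*auth_handler_t)(void);
static int h_none(void) { return 0; }
static int h_sys(void) { return 1; }
static int h_short(void) { return 2; }
static const auth_handler_t handlers[NUM_AUTH_HANDLERS] = { h_none, h_sys, h_short };

static uint32_t get32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Reads the credential flavor as an XDR decoder does: a signed 32-bit int.
 * Returns 0 if the message is too short to hold it. */
int rpc_cred_flavor(const uint8_t *msg, size_t len, int32_t *flavor) {
    if (len < RPC_CRED_FLAVOR_OFFSET + 4) return 0;
    *flavor = (int32_t)get32(msg + RPC_CRED_FLAVOR_OFFSET);
    return 1;
}

/* Vulnerable pattern: signed upper-bound check only, so -16 < 3 passes and
 * handlers[-16] would be fetched from below the table (that fetched value is
 * what ends up in PC). This helper only reports the decision. */
int flavor_accepted_unsafe(int32_t flavor) { return flavor < NUM_AUTH_HANDLERS; }

/* Hardened: compare as unsigned so every negative value is out of range. */
int flavor_accepted_safe(int32_t flavor) {
    return (uint32_t)flavor < (uint32_t)NUM_AUTH_HANDLERS;
}

/* Constructed portmap CALL (RFC 5531 layout: prog 100000, vers 2, proc 3 =
 * GETPORT) with the given cred flavor, empty cred body, AUTH_NONE verifier. */
size_t build_portmap_call(uint8_t out[40], int32_t cred_flavor) {
    const uint32_t words[10] = { 0x1234u, 0, 2, 100000, 2, 3, (uint32_t)cred_flavor, 0, AUTH_NONE, 0 };
    for (int i = 0; i < 10; i++) put32(out + 4 * i, words[i]);
    return 40;
}

/* Builds, parses and dispatches through the hardened check only. Returns the
 * handler's result (its flavor number) or -1 when the flavor is rejected. */
int roundtrip_dispatch(int32_t cred_flavor) {
    uint8_t msg[40]; int32_t f;
    size_t n = build_portmap_call(msg, cred_flavor);
    if (!rpc_cred_flavor(msg, n, &f) || !flavor_accepted_safe(f)) return -1;
    return handlers[f]();
}
```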

Slide 62: EXPLOITATION DEMO

Slide 63: WHAT ABOUT REAL TARGETS?
- Schneider Modicon Quantum PLC runs VxWorks and has port 111 open (https://www.digitalbond.com/tools/basecamp/schneider-modicon-quantum/)

Slide 64: … BUT
- Currently shipped module: portmap unavailable by default
- Previous releases have a patch now

Slide 65: SOME NUMBERS
- Schneider Modicon Quantum PLC runs VxWorks 5.4 and has port 111 open

Slide 66: FUN FACT (image only)

Slide 67: MORE BUGS FOUND DURING FUZZING
FTP server is susceptible to a ring buffer overflow when accessed at high speed

Slide 68: MORE BUGS FOUND DURING FUZZING
FTP server crashes when it receives a specially crafted username -> network stack down

Slide 69: CONCLUSION
- Wind River takes VxWorks' security seriously
- Implemented a lot of memory protections
- Being defeated by a simple integer overflow bug
- And now we have a debugging framework to find more!

Slide 70: FUTURE WORK?
- VxWorks 7?
- More complete WDBRPC protocol and WDB over serial implementation
- Continuing to find bugs

Slide 71: QUESTIONS?

Slide 72: THANKS!

Slide 73: CODE RELEASE
- The WdbDbg framework will be available here: https://bitbucket.org/istuarysecurityteam/wdbdbg
- Exploit code will not be released unless explicit authorisation is given

Slide 74: LINKS
- http://www.vxdev.com/docs/vx55man/tornado-api/wdbpcl/wdb.html
- http://www.uio.no/[...]/vxworks_architecture_supplement_6.2.pdf
- http://www.uio.no/[...]/vxworks_kernel_programmers_guide_6.2.pdf
- http://cimsol-mc.sourceforge.net/files/vxworks/VxWorks60.pdf
- Digging Inside the VxWorks OS and Firmware: The Holistic Security
- HD Moore - Fun with VxWorks