logo

Breaking Extreme Networks WingOS: How to own millions of devices running on Aircrafts, Government, Smart cities and more.

Conference:  Defcon 26

2018-08-01

Summary

The presentation discusses vulnerabilities found in the Wing OS used in Motorola access points and the process of exploiting them.
  • The Wing OS used in Motorola access points has several vulnerabilities that can be exploited through the command-line interface or Wi-Fi connection
  • One vulnerability is a hidden root shell that can be accessed through a command-line interface
  • Another vulnerability is a mint vulnerability that can be exploited through Wi-Fi to trigger a stack overflow
  • The presentation includes a demonstration of exploiting the mint vulnerability to gain a reverse shell
  • Extreme Networks was responsive to the research and provided fixes and patches for the vulnerabilities
  • There is room for improvement in the Wing OS to address more vulnerabilities and improve security
The presentation includes a demonstration of exploiting the mint vulnerability to gain a reverse shell through Wi-Fi, showing the potential impact of the vulnerabilities in the Wing OS.

Abstract

Extreme network's embedded WingOS (Originally created by Motorola) is an operating system used in several wireless devices such as access points and controllers. This OS is being used in Motorola devices, Zebra devices and Extreme network's devices. This research started focusing in an access point widely used in many Aircrafts by several worldwide airlines but ended up in something bigger in terms of devices affected as this embedded operating system is not only used in AP's for Aircrafts but also in Healthcare, Government, Transportation, Smart cities, small to big enterprises... and more. Based on public information, we will see how vulnerable devices are actively used (outdoors) in big cities around the world. But also in Universities, Hotels,Casinos, Big companies, Mines, Hospitals and provides the Wi-Fi access for places such as the New york City Subway. In this presentation we will show with technical details how several critical vulnerabilities were found in this embedded OS. First we will introduce some internals and details about the OS and then we will show the techniques used to reverse engineering the mipsN32 ABI code for the Cavium Octeon processor. It will be discussed how some code was emulated to detect how a dynamic password is generated with a cryptographic algorithm for a root shell backdoor. Besides, it will be shown how some protocols used by some services were reverse engineered to find unauthenticated heap and stack overflow vulnerabilities that could be exploitable trough Wireless or Ethernet connection. This OS also uses a proprietary layer 2/3 protocol called MiNT. This protocol is used for communication between WingOS devices through VLAN or IP. This protocol was also reverse engineered and remote heap/stack overflow vulnerabilities were found on services using this protocol and will be shown. As a live demonstration, 2 devices will be used to exploit a remote stack overflow chaining several vulnerabilities as the attacker could do inside an aircraft (or other scenarios) through the Wi-Fi. As there are not public shellcodes for mipsN32 ABI, the particularities of creating a Shellcode for mipsN32 ABI will be also discussed.

Materials:

Tags: