Critical Zero Days Remotely Compromise the Most Popular Real-Time OS

Conference:  BlackHat USA 2019

2019-08-08

Summary

The presentation discusses vulnerabilities found in VxWorks, a real-time operating system used in many devices, and attributes them to the lack of security features implemented in the OS. The main focus is the heap exploitation strategy used to gain control of the system.
  • VxWorks is a widely used real-time operating system found in many devices, but it lacks modern security features
  • The heap exploitation strategy involves overflowing from an unallocated heap chunk into a free heap chunk and setting its pointers to achieve a mirrored write
  • Function pointers in the heap are hijacked to gain code execution, and that code runs before another allocation or free occurs
  • The heap is frozen and the allocation and free calls are hooked to prevent the system from destroying itself
  • A specific data buffer in the data section is set to values controlled by the attacker
The speaker notes that identifying devices that use VxWorks is itself a challenge: it is not an advertised operating system, and it is not something that can simply be bought in a store. Researchers must first find a device that runs VxWorks, which is difficult because many devices use it without advertising the fact.

Abstract

VxWorks is the most popular operating system you have never heard about. It is a real-time operating system, used by over 2 billion devices of all kinds - from airplanes to MRI machines, from firewalls to industrial control systems, and even by SpaceX’s Dragon Spacecraft. It is pervasive and trusted. But like many systems we have come to rely on, its security can break given a single vulnerability. Our talk will reveal 11 such zero-day vulnerabilities we’ve discovered in VxWorks.

Even though VxWorks is probably the oldest real-time OS still maintained, only 13 CVEs are listed by MITRE as affecting it in its 32 years of existence, making it an intriguing target for research. Due to its uncharted nature, we were able to find unusually low-level vulnerabilities affecting every VxWorks version released in the last 13 years. The vulnerabilities reside in the TCP/IP stack used by VxWorks, called IPNET; 6 of them are classified as critical RCEs and have a staggering potential. By exploiting them, attackers can bypass traditional security measures and take control over any VxWorks device with a network connection, without any user interaction.

In our talk, we will demo the exploitation of these vulnerabilities on several devices and demonstrate their dangerous aptitude. We will show how they can be used to breach a network safely secured behind a NAT and a firewall through a normal TCP connection between a printer and its Cloud, as well as the life-threatening effect of pwning sensitive devices running VxWorks, such as a hospital bedside patient monitor.