Dive Into VxWorks Based IoT Device - Debug The Undebugable Device

This document summarizes how to debug an undebuggable VxWorks-based IoT device. It introduces VxWorks, describes methods to analyze the VxWorks firmware to locate symbols and load addresses. It then discusses designing a custom debugger called VxSerial Debugger that allows setting breakpoints, reading/writing memory, and viewing tasks/registers. The document finds a DNS request buffer overflow vulnerability and uses the debugger to analyze how it crashes the device. It shows how to exploit the vulnerability by overwriting bits to gain remote code execution.


Dive into VxWorks Based IoT Device

Debug the Undebugable Device


Who Are We?
• Wenzhe Zhu (@dark_lbp), Pingan Galaxy Lab, ICS/IoT
• Yu Zhou (@504137480), Ant-Financial Light-Year Security Lab, Fuzzing/IoT/AI
Outline
• Introduction to VxWorks

• VxWorks firmware analyze

• Hunting vulnerabilities

• Build customized debugger – VxSerial Debugger

• Analyze and exploit vulnerabilities


Introduction to VxWorks
• Embedded RTOS
• First released in 1987 by Wind River
• Closed-source
• [1996~2002] - VxWorks 5.x
• [2004~2009] - VxWorks 6.x
• [2014] - VxWorks 7
VxWorks Customers
Previous Research Papers
• 2010 - Shiny Old VxWorks Vulnerabilities - HD Moore
  • 4 Metasploit modules targeting WDB RPC
  • Weak password hash entropy
• 2012 - Reversing Industrial Firmware for Fun and Backdoors - Ruben Santamarta
  • VxWorks firmware analysis
• 2015 - Attacking VxWorks: From Stone Age to Interstellar - Yannick Formaggio & Eric Liu
  • CVE-2015-7599 RPC integer overflow
  • Using WDB-RPC to detect crashes and collect crash information during fuzzing
XX-Link Router
Breaking HW
U-Boot Information
VxWorks CmdTask Commands
Memory Read/Write Command
Flash Command
Analyze VxWorks Firmware
Preparatory Work Before Analyzing VxWorks Firmware
• Locate VxWorks image load address
• Locate symbols from firmware and rename functions in IDA
Method 1 - Read From Image Header
TPHEAD in Flash Dump
Method 2 - Locate Initial Stack
VxWorks Image in MIPS Memory Layout
Initial Stack Description
UsrInit Description
VxWorks Image Startup Codes

Correct load address is 0x80001000

Set Initial Stack to 0x80000ff0

Jump to usrInit
Other Methods
• Read the boot Info from UART
• Read the developer document
• Use bss end address - image size to calculate the load address
•…
Load Image With Correct Address In IDA
Load image to 0x00 | Load image to 0x80001000
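Method 2 above recovers the load address from the startup code that sets the initial stack. As an added example (not code from the talk), the following Python decodes the lui/addiu (or lui/ori) pair that loads $sp in big-endian MIPS32 startup code and derives a load-address candidate from it. The sample instruction bytes are constructed to reproduce the values on the slide (stack 0x80000ff0, image at 0x80001000), and the "round the stack pointer up to the next 0x1000 boundary" relation is a heuristic taken from that layout, to be confirmed against the image header or the UART boot info.

```python
import struct

SP = 29  # register number of $sp on MIPS

# Constructed sample of big-endian MIPS32 startup code (not bytes from the talk's firmware):
#   3C1D8000  lui   $sp, 0x8000
#   27BD0FF0  addiu $sp, $sp, 0x0ff0      -> $sp = 0x80000ff0, the value on the slide
#   0C000000  jal   0x0                   -> stands in for the jump to usrInit
#   00000000  nop                         (branch delay slot)
SAMPLE_STARTUP = bytes.fromhex("3C1D8000" "27BD0FF0" "0C000000" "00000000")


def _itype(word):
    """Split an I-type instruction word into (opcode, rs, rt, imm16)."""
    return (word >> 26) & 0x3F, (word >> 21) & 0x1F, (word >> 16) & 0x1F, word & 0xFFFF


def find_initial_stack(code, endian="big", max_insns=64):
    """Return the value the startup code places in $sp, or None if no lui/addiu or
    lui/ori pair targeting $sp is found within the first max_insns instructions."""
    fmt = ">I" if endian == "big" else "<I"
    hi = None
    limit = min(len(code), max_insns * 4) - 3
    for off in range(0, limit, 4):
        opcode, rs, rt, imm = _itype(struct.unpack_from(fmt, code, off)[0])
        if opcode == 0x0F and rt == SP:          # lui $sp, imm
            hi = imm << 16
        elif hi is not None and rs == SP and rt == SP:
            if opcode == 0x09:                   # addiu: immediate is sign-extended
                lo = imm - 0x10000 if imm & 0x8000 else imm
                return (hi + lo) & 0xFFFFFFFF
            if opcode == 0x0D:                   # ori: immediate is zero-extended
                return hi | imm
    return None


def load_address_candidate(initial_sp, align=0x1000):
    """Heuristic from the slide's layout: the image begins at the first align-boundary at or
    above the initial stack pointer (0x80000ff0 -> 0x80001000). Confirm with another method."""
    return (initial_sp + align - 1) & ~(align - 1)


if __name__ == "__main__":
    sp = find_initial_stack(SAMPLE_STARTUP)
    print(f"initial stack: {sp:#010x}  load address candidate: {load_address_candidate(sp):#010x}")
```

Run it against the first few hundred bytes of a raw flash dump (after stripping any image header such as the TPHEAD shown earlier); if no $sp load is found, the dump probably does not start at the image entry point.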
Preparatory Work Before Analyzing VxWorks Firmware
• Locate VxWorks image load address
• Locate symbols from firmware and rename functions in IDA
Compiled-in Symbol Table In VxWorks 5.5 Image
Stand Alone Symbol File From Firmware

Symbol file length | Symbol count | Symbol data | Symbol name table
Name table address = 0x08 + 0x08 * 0x13ef = 0x9f80
Load Symbols

6694 functions now
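The slide above gives the layout of the stand-alone symbol file: a header holding the file length and the symbol count, a table of 8-byte symbol records, and a name table starting at 0x08 + 0x08 * count (0x9f80 for the 0x13ef symbols shown). As an added example, not the talk's tooling, the following Python parses that layout with bounds checks and emits IDAPython rename calls. The order of the two 32-bit fields inside each record (address, then the offset of the NUL-terminated name relative to the name table) and the big-endian byte order are assumptions, since the slide does not show them; the sample file is constructed here.

```python
import struct

HEADER_FMT = ">II"   # symbol file length, symbol count; big-endian like the MIPS target (assumption)
ENTRY_FMT = ">II"    # ASSUMED record layout: symbol address, then name offset within the name table
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 0x08
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)     # 0x08


def name_table_offset(count):
    """Start of the name table: 0x08 + 0x08 * count, as on the slide (0x9f80 for 0x13ef symbols)."""
    return HEADER_SIZE + ENTRY_SIZE * count


def build_symbol_file(symbols):
    """Serialise (address, name) pairs in the assumed layout; used here to construct sample input."""
    entries, names = b"", bytearray()
    for addr, name in symbols:
        entries += struct.pack(ENTRY_FMT, addr, len(names))
        names += name.encode("ascii") + b"\0"
    body = entries + bytes(names)
    return struct.pack(HEADER_FMT, HEADER_SIZE + len(body), len(symbols)) + body


def parse_symbol_file(blob):
    """Return [(address, name), ...], validating every offset against the file size."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("truncated header")
    total_len, count = struct.unpack_from(HEADER_FMT, blob, 0)
    if total_len != len(blob):
        raise ValueError(f"header says {total_len:#x} bytes, file has {len(blob):#x}")
    table = name_table_offset(count)
    if table > len(blob):
        raise ValueError(f"symbol count {count:#x} does not fit in the file")
    symbols = []
    for i in range(count):
        addr, name_off = struct.unpack_from(ENTRY_FMT, blob, HEADER_SIZE + ENTRY_SIZE * i)
        start = table + name_off
        end = blob.find(b"\0", start) if start < len(blob) else -1
        if end < 0:
            raise ValueError(f"record {i}: name offset {name_off:#x} is out of range")
        symbols.append((addr, blob[start:end].decode("ascii", "replace")))
    return symbols


def ida_rename_script(symbols):
    """Emit IDAPython statements that apply the names (idc.set_name is IDA's real API)."""
    return "\n".join(f"idc.set_name({addr:#x}, {name!r}, idc.SN_NOWARN)" for addr, name in symbols)


# Constructed sample: three function names that appear on the slides, at made-up addresses
SAMPLE_SYMBOLS = [(0x80001000, "usrInit"), (0x80012340, "domainFilter"), (0x8002ABCD, "netMblkToBufCopy")]
SAMPLE_FILE = build_symbol_file(SAMPLE_SYMBOLS)

if __name__ == "__main__":
    for addr, name in parse_symbol_file(SAMPLE_FILE):
        print(f"{addr:#010x} {name}")
    print(ida_rename_script(SAMPLE_SYMBOLS))
```

If a real symbol file decodes to garbage names, swap the two fields in ENTRY_FMT (or make the name offset absolute) before trusting the output; the length and count checks are what keep a corrupted or mis-parsed file from producing out-of-range reads.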


Hidden Shell Command Parameter
CmdTask Command Register Codes
system Command Help
system Command Parser Code
Hidden Parameter - moduletree
Hidden Parameter - symble
Hunting Vulnerabilities
Memory Fuzzing Design

• Written in C and converted to MIPS assembly


• Write assembly code to the router through the serial port
Fuzzing Approaches
• Generation based
  • Data fields
    • byte, ubyte
    • short, ushort
    • int, uint
    • string
  • Calculated fields
    • checksum
    • size
• Mutation based
  • Random byte flip
Grammar Design
• Operation
  • data, size, cksum
• Data type
  • byte, short, int, ...
• Endian
  • big-endian (1), little-endian (0)
• Value
• Depends
  • the area that the size or checksum operation depends on
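As an added example that is not the talk's fuzzer, the following Python implements the grammar just described: each field carries an operation (data, size or cksum), a data type, an endian flag (1 = big, 0 = little), a value, and a depends list naming the fields a size or checksum is computed over. Size fields are resolved after the data fields are laid out and checksum fields last, so generated cases stay well-formed; a one-bit flip models the mutation-based side. The checksum algorithm (byte sum truncated to the field width) and the sample message grammar are assumptions, not taken from the talk.

```python
import random

# Width in bytes of each grammar data type; strings are variable length
WIDTH = {"byte": 1, "ubyte": 1, "short": 2, "ushort": 2, "int": 4, "uint": 4}


def pack_value(dtype, endian, value):
    """Encode one field. endian follows the grammar: 1 = big-endian, 0 = little-endian."""
    if dtype == "string":
        return value if isinstance(value, bytes) else str(value).encode()
    width = WIDTH[dtype]
    return (int(value) & ((1 << (8 * width)) - 1)).to_bytes(width, "big" if endian == 1 else "little")


def checksum(data, width):
    """ASSUMED checksum: plain byte sum truncated to the field width (the slides name no algorithm)."""
    return sum(data) & ((1 << (8 * width)) - 1)


def generate(grammar, rng):
    """Generation-based case: data fields whose value is None get a random value of their type;
    size fields are then resolved, and cksum fields last, each over the fields it depends on."""
    index = {f["name"]: i for i, f in enumerate(grammar)}
    chunks = []
    for f in grammar:                                     # pass 1: lay out data, reserve calculated fields
        if f["op"] != "data":
            chunks.append(b"\0" * WIDTH[f["type"]])
            continue
        value = f.get("value")
        if value is None:
            if f["type"] == "string":
                value = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 16)))
            else:
                value = rng.randrange(1 << (8 * WIDTH[f["type"]]))
        chunks.append(pack_value(f["type"], f["endian"], value))
    for op in ("size", "cksum"):                           # pass 2: sizes before checksums
        for i, f in enumerate(grammar):
            if f["op"] != op:
                continue
            area = b"".join(chunks[index[name]] for name in f["depends"])
            value = len(area) if op == "size" else checksum(area, WIDTH[f["type"]])
            chunks[i] = pack_value(f["type"], f["endian"], value)
    return b"".join(chunks)


def flip_random_bit(packet, rng):
    """Mutation-based case: flip one random bit of an existing packet."""
    out = bytearray(packet)
    i = rng.randrange(len(out))
    out[i] ^= 1 << rng.randrange(8)
    return bytes(out)


# Constructed sample grammar for a hypothetical length-prefixed, checksummed message
SAMPLE_GRAMMAR = [
    {"name": "magic",   "op": "data",  "type": "ushort", "endian": 1, "value": 0x5A5A},
    {"name": "length",  "op": "size",  "type": "ushort", "endian": 1, "depends": ["payload"]},
    {"name": "payload", "op": "data",  "type": "string", "endian": 1, "value": None},
    {"name": "cksum",   "op": "cksum", "type": "ubyte",  "endian": 1, "depends": ["magic", "length", "payload"]},
]


def with_payload(grammar, payload):
    """Return a copy of grammar with the payload pinned to a fixed value (useful for tests)."""
    return [dict(f, value=payload) if f["name"] == "payload" else f for f in grammar]


def demo(seed=0):
    """Build one generated case and one bit-flipped mutant of it; returns (case, mutant)."""
    rng = random.Random(seed)
    case = generate(SAMPLE_GRAMMAR, rng)
    return case, flip_random_bit(case, rng)


if __name__ == "__main__":
    case, mutant = demo()
    print("generated:", case.hex())
    print("mutated:  ", mutant.hex())
```

Because the size and checksum are recomputed from the depends areas on every case, the generated side only exercises the parser's handling of field values; the bit-flip side is what produces malformed lengths and bad checksums, which is why the two approaches are kept separate in the design above.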
Crash Detection
Fuzzing Targets
• Parser functions
  • json, xml, url, ...
• Protocols
  • http, dns, upnp, ...
DNS Example
DNS Example

More fuzzing results: https://github.com/PAGalaxyLab/VulInfo/tree/master/TP-Link/WR886N


Debug The Target
How Can We Debug It?
• Undebuggable
  • No WDB, no command-line debugger, no JTAG
  • No known solution
• Possibility
  • Target runs in kernel mode
  • We can read/write kernel memory
  • We have firmware with symbols
VxSerial Debugger
• Python- and instruction-based debugger
• Dependencies
  • Keystone - generates machine code dynamically
  • Capstone - disassembles code read from memory
  • Scapy - parses various data structures in memory
• Supported functions
  • Set breakpoints
  • Read/write memory
  • Task status viewer (stacks, registers)
  • VxWorks struct viewer (netpool, mBlk, etc.)
  • ...
Overall Design
Debug Shellcode
Debug Loop Codes
Default Breakpoint Output
Condition Breakpoint(CallBack)
Breakpoint parameters | Custom condition function
Condition Breakpoint(CallBack)
Get packet address from mBlk header | Print packet data
Analyze Vulnerabilities
CVE-2018-19528 DNS Request Buffer Overflow
Vulnerability Description
• Our target router uses the domainFilter function to filter all DNS request
packets and resolves the tplogin.cn domain name to its own IP address by
directly modifying the original request packet in the netBufLib memory pool.
Packet In netBufLib Memory Pool
What Does domainFilter Do?
Directly modifies the DNS request packet in the mBlk | Calls ip_output to send the modified packet
It's Time To Debug The PoC
Packet(Cluster) Data Modified By domainFilter
Packet data before modification | Packet data after modification
MBLK Header Modified By domainFilter
mBlk header before modification | mBlk header after modification
ip_output -> ip_deliver_packet -> connection_pullup(Root Cause Found)
netTupleGet
netTupleGet parameters | mBlk returned by netTupleGet
Copy Modified Mblk Chain Data Using netMblkToBufCopy
netMblkToBufCopy
Copy chain data to target buffer | netMblkToBufCopy parameters
Buffer Data(Cluster) Before Copy
Buffer Data(Cluster) After Copy
Crash Logs
Crash in _clBlkFree function | Crash in excExcHandle function
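The root-cause chain above (domainFilter rewrites the DNS request in place, then netMblkToBufCopy copies the now-longer mBlk chain into a buffer sized for the original) is modelled in the following added Python, which is not code from the talk or from VxWorks. It builds a DNS query, performs the kind of query-to-answer rewrite the slides describe (set the response flags and ANCOUNT, append a 16-byte A record) and shows the two checks a hardened implementation needs: refuse the rewrite when the grown packet no longer fits its cluster, and bound the chain-to-buffer copy by the destination size. The exact bytes domainFilter writes, the 192.168.1.1 address and the cluster sizes are assumptions.

```python
import struct

A_RECORD_LEN = 16   # name pointer(2) + type(2) + class(2) + TTL(4) + rdlength(2) + IPv4 address(4)


def build_query(name, txid=0x1234):
    """Construct a minimal DNS A query for `name` (constructed sample input, not a captured packet)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\0"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)


def rewrite_query_to_answer(pkt, ip):
    """Model of the in-place rewrite the slides attribute to domainFilter (assumed shape): keep the
    question, set the response flags and ANCOUNT=1, and append an A record whose name is a
    compression pointer (0xC00C) back to the question. The result is A_RECORD_LEN bytes longer."""
    txid, _flags, qd, _an, ns, ar = struct.unpack_from(">HHHHHH", pkt, 0)
    header = struct.pack(">HHHHHH", txid, 0x8180, qd, 1, ns, ar)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = struct.pack(">HHHIH4s", 0xC00C, 1, 1, 60, 4, rdata)
    return header + pkt[12:] + answer


def safe_rewrite(cluster, used_len, ip):
    """Hardened variant: only rewrite when the grown packet still fits the fixed-size cluster.
    Returns the new packet length, or None (cluster untouched) when it would overflow."""
    new_pkt = rewrite_query_to_answer(bytes(cluster[:used_len]), ip)
    if len(new_pkt) > len(cluster):
        return None
    cluster[:len(new_pkt)] = new_pkt
    return len(new_pkt)


def chain_to_buf_copy(chain, dst):
    """Bounded stand-in for copying an mBlk chain into one buffer (the step where the slides
    locate the overflow): returns bytes copied, or -1 if the chain is longer than dst."""
    total = sum(len(m) for m in chain)
    if total > len(dst):
        return -1
    pos = 0
    for m in chain:
        dst[pos:pos + len(m)] = m
        pos += len(m)
    return total


if __name__ == "__main__":
    query = build_query("tplogin.cn")
    small = bytearray(32)            # constructed cluster too small to hold the appended answer
    small[:len(query)] = query
    print("rewrite into 32-byte cluster:", safe_rewrite(small, len(query), "192.168.1.1"))
    large = bytearray(64)
    large[:len(query)] = query
    print("rewrite into 64-byte cluster:", safe_rewrite(large, len(query), "192.168.1.1"))
```

The two checks are independent: even with a cluster large enough for the rewrite, the later copy of the chain into a separately allocated buffer still has to compare the chain's total length with that buffer's size, which is the comparison missing on the path the slides trace through netTupleGet and netMblkToBufCopy.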


Exploitability
Exploit - Overwrite Arbitrary Bit Value To 1 In _clBlkFree Function
Example Exploit Data
Fake clpool and cluster Example
Exploit – Bit Overwrite To RCE Using Exception Hook
excExcHandle Function Codes
Demo
Thanks!
