Bugtraqmailing list archives
[R7-0034] VxWorks WDB Agent Debug Service Exposure
From: HD Moore <HD_Moore () rapid7 com>
Date: Mon, 2 Aug 2010 23:55:03 -0400
R7-0034: VxWorks WDB Agent Debug Service ExposureAugust 2, 2010-- Rapid7 Customer Protection:Rapid7 NeXpose customers have access to a vulnerability check for thisflaw as of the latest update. More information about this check can befound online at:http://www.rapid7.com/vulndb/lookup/vxworks-wdbrpc-exposed-- Vulnerability Details:This vulnerability allows remote attackers to read memory, write memory,execute code, and ultimately take complete control of the affecteddevice. This issue affects over 100 different vendors and a multitude ofproducts, both shipping and end-of-life. A spreadsheet of identifiedproducts affected by this flaw can be found at the URL below. This indexis not comprehensive and not all devices found are still supported.http://www.metasploit.com/data/confs/bsideslv2010/VxWorksDevices.xlsThis flaw occurs due to an insecure setting in the configuration file ofthe manufacturer's source code. This setting results in a system- debugservice being exposed on UDP port 17185. This service does not requireauthentication to access. More information about this issue can be foundat the Metasploit blog:http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html-- Vendor Response:Wind River Systems has notified their customers of the issue andindicated that the WDB agent should be disabled for production builds.CERT has notified every vendor with an identified, shipping productcontaining this vulnerability. Responses for each specific vendor can befound in the CERT advisory:http://www.kb.cert.org/vuls/id/362332-- Disclosure Timeline:2010-06-02 - Vulnerability reported to CERT for vendor notification2010-08-02 - Coordinated public release of advisory-- Credit:This vulnerability had been discovered in specific devices in multipleinstances, first by Bennett Todd in 2002 and then Shawn Merdinger in2005. A comprehensive analysis of all affected devices was conducted byHD Moore in 2010.-- About Rapid7 SecurityRapid7 provides vulnerability management, compliance and penetrationtesting solutions for Web application, network and database security. Inaddition to developing the NeXpose Vulnerability Management system,Rapid7 manages the Metasploit Project and is the primary sponsor of theW3AF web assessment tool.Our vulnerability disclosure policy is available online at:http://www.rapid7.com/disclosure.jsp
Current thread:
- [R7-0034] VxWorks WDB Agent Debug Service ExposureHD Moore (Aug 03)