SSD Advisory – VxWorks RPC Buffer Overflow
The following advisory describes a vulnerability found in the Remote Procedure Call (RPC) component of the VxWorks real-time operating system. The component suffers from a buffer overflow that can be exploited to execute arbitrary code.
An independent security researcher, Yu Zhou, has reported this vulnerability to the SSD Secure Disclosure program.
VxWorks OS version 6.6
As previously mentioned, the vulnerability is inside the RPC component. The vulnerable function, which contains the buffer overflow, is _svcauth_unix. At _svcauth_unix + 0x67, the code reads the value 0xffffffff from the malicious packet (its content is shown later).
Afterwards, the instruction cmp eax, 0FFh checks whether the value (the packet content size) is greater than 255, without considering the possibility of a negative value. The value 0xffffffff is then used as the third parameter (nbytes) of the bcopy function, which finally causes a buffer overflow.
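The length check described above, shown next to a corrected form, as an added example (not VxWorks code and not part of the original advisory). The function names, the length-prefixed field layout and the 256-byte destination are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_FIELD_LEN 255u   /* the 0FFh bound from the advisory */

/* Read a 32-bit big-endian (XDR) integer from the wire. */
static uint32_t xdr_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Flawed check: the length is compared as a signed value, so
 * 0xffffffff is -1, is not "greater than 255", and is accepted. */
int len_ok_signed(uint32_t wire_len)
{
    int32_t n;
    memcpy(&n, &wire_len, sizeof n);   /* reinterpret the bits as signed */
    return !(n > 255);
}

/* Corrected check: compare as unsigned, so 0xffffffff is rejected. */
int len_ok_unsigned(uint32_t wire_len)
{
    return wire_len <= MAX_FIELD_LEN;
}

/* Hardened copy of a length-prefixed field (hypothetical helper).
 * Returns bytes copied, or -1 if the length exceeds the protocol
 * limit, the destination size, or the bytes actually received. */
long copy_field(unsigned char *dst, size_t dst_cap,
                const unsigned char *pkt, size_t pkt_len)
{
    if (pkt_len < 4)
        return -1;
    uint32_t n = xdr_u32(pkt);
    if (!len_ok_unsigned(n) || n > dst_cap || n > pkt_len - 4)
        return -1;
    memcpy(dst, pkt + 4, n);
    return (long)n;
}

int main(void)
{   /* Constructed sample: length word 0xffffffff, then 4 data bytes. */
    unsigned char pkt[8] = {0xff,0xff,0xff,0xff,'A','A','A','A'}, dst[256];
    printf("signed=%d unsigned=%d copy=%ld\n", len_ok_signed(xdr_u32(pkt)),
           len_ok_unsigned(xdr_u32(pkt)), copy_field(dst, sizeof dst, pkt, sizeof pkt));
    return 0;
}
```

The flawed check only returns a verdict here and never performs the copy, so the program is safe to run.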
This is the packet that will be sent to the RPC Service:
    import socket

    host = "192.168.15.199"
    rpcPort = 111

    f = open("pkt", 'rb')  # pkt is the file which contains the payload to send.
    data = f.read()
    f.close()

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((host, rpcPort))
    sock.send(data)
    sock.close()