VxWorks is the most popular operating system you have never heard about. It is a real-time operating system, used by over 2 billion devices of all kinds - from airplanes to MRI machines, from firewalls to industrial control systems, and even by SpaceX’s Dragon Spacecraft. It is pervasive and trusted. But like many systems we have come to rely on, its security can break given a single vulnerability. Our talk will reveal 11 such zero-day vulnerabilities we’ve discovered in VxWorks.
Even though VxWorks is probably the oldest real-time OS still maintained, only 13 CVEs are listed by MITRE as affecting it in its 32 years of existence, making it an intriguing target for research. Due to its uncharted nature, we were able to find unusually low-level vulnerabilities affecting every VxWorks version released in the last 13 years. The vulnerabilities reside in the TCP/IP stack used by VxWorks, called IPNET, 6 of which are classified critical RCEs, and have a staggering potential. By exploiting them, attackers can bypass traditional security measures and take control over any VxWorks device with a network connection, without any user interaction.
In our talk, we will demo the exploitation of these vulnerabilities on several devices and demonstrate their dangerous aptitude. We will show how they can be used to breach a network safely secured behind a NAT and a firewall through a normal TCP connection between a printer and its Cloud, as well as the life-threatening effect of pwning sensitive devices running VxWorks, such as a hospital bedside patient monitor.