Canadian security researcher Yannick Formaggio has detailed a significant flaw in VxWorks, the real-time operating system (RTOS) made by Intel subsidiary Wind River.
Speaking at the 44CON event last week, Formaggio detailed how an integer overflow mess allows remote code execution in the operating system. Formaggio discovered the flaw after fuzzing the OS at the request of a client keen to understand its workings better. That effort led the researcher to declare that Wind River generally does a fine job of security and takes it seriously, but hadn't considered what might happen when a credential was set to a negative value.
Once Formaggio tried that trick, he found he could defeat or bypass all memory protections and set up a backdoor account. Which of course is just what you don't want to be possible in the kind of devices that require an RTOS, as most are expected to be extraordinarily reliable and secure so they can get on with jobs like running industrial equipment, planes and the Curiosity Rover that Wind River proudly claims as a customer.
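As an added illustration of the bug class the talk describes (this is not Formaggio's code and not VxWorks source): a hypothetical RPC-style credential parser that compares a signed length field against a limit without rejecting negative values, next to a hardened check. The message layout, the 255-byte limit and the function names are assumptions made for the example.

```c
/* Constructed example: a credential record laid out as
   [4-byte big-endian length][credential bytes], modelled loosely on
   XDR-encoded RPC fields. Not VxWorks code and not the actual flaw. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CRED_MAX 255u   /* assumed upper bound on credential bytes */

/* Decode a big-endian 32-bit field as the signed integer a naive parser sees. */
int32_t read_be32(const uint8_t *p) {
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/* Naive check: a signed comparison only. A negative length passes because
   -1 <= 255, then becomes a huge byte count once cast to size_t. */
bool cred_len_ok_naive(int32_t len, size_t *copy_len) {
    if (len > (int32_t)CRED_MAX) return false;
    *copy_len = (size_t)len;   /* -1 turns into SIZE_MAX here */
    return true;
}

/* Hardened check: reject negatives first, then bound the count by the
   limit, by what the sender actually supplied (avail) and by the
   destination capacity (cap). */
bool cred_len_ok_hardened(int32_t len, size_t avail, size_t cap, size_t *copy_len) {
    if (len < 0) return false;
    size_t n = (size_t)len;
    if (n > CRED_MAX || n > avail || n > cap) return false;
    *copy_len = n;
    return true;
}

/* Parse a message with the hardened check. Returns the number of credential
   bytes copied into out, or -1 if the record is rejected. */
long parse_cred(const uint8_t *msg, size_t msg_len, uint8_t *out, size_t cap) {
    if (msg_len < 4) return -1;
    int32_t len = read_be32(msg);
    size_t n;
    if (!cred_len_ok_hardened(len, msg_len - 4, cap, &n)) return -1;
    memcpy(out, msg + 4, n);
    return (long)n;
}
```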
Formaggio also found that the operating system's “FTP server is susceptible to ring buffer overflow when accessed at a high speed” and crashes when sent a “specially crafted username and password”.
Versions 5.5 through 22.214.171.124 have the problem, which means many millions of devices need patching. Wind River has acknowledged the flaw and is in the process of providing patches. Formaggio urges users of the operating system to check the Wind River knowledge library to get their fresh code fix.
The researcher also said he'll detail his fuzzing apparatus here in coming weeks, but won't reveal exploit code “unless explicit authorisation given”. ®
Update: Wind River's been in touch to let us know there's a security advisory and patch available and to point out that Curiosity Rover doesn't run the version of VxWorks that the exploit impacts. The company's also keen to point out that the exploit only works "when, and only when, the optional Remote Procedure Call feature is configured to be included in a device." Which may not be all the time.