Vulnerability Development mailing list archives
Re: vxWorks WND checker?
From: Iván Arce <core.lists.exploit-dev () core-sdi com>
Date: Tue, 7 May 2002 22:51:14 -0300
In an almost completly irresponsable post (since i have not RTFS or even the fine manual) i would suggest sending an RPC request for PROC_NULL err NULLPROC ( 0 ) This takes no arguments and receives nothing but an error code in return.. errcode = client_call(....,NULLPROC,...) any meaningfull RPC errcode implies that there is something on the other end that understands RPC as opposed to some random listener. while this does not prove that it is the WND program it is probably a good enough test and pretty easy to develop too -i --- "Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house, Its nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse." - Ambrose Bierce Ivan Arce CTO CORE SECURITY TECHNOLOGIES 44 Wall Street - New York, NY 10005 Ph: (212) 461-2345 Fax: (212) 461-2346 http://www.corest.com PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A ----- Original Message ----- From: Bennett Todd <core.lists.exploit-dev () core-sdi com> To: <vuln-dev () securityfocus com> Sent: Tuesday, May 07, 2002 5:12 PM Subject: vxWorks WND checker?
Doing some routine auditing of a wireless net, I found that some of the
access
points were listening on UDP port 17185. Turns out that makes sense,
that's
the wndrpc port, for WindRiver Network Debugging --- it uses a private
ONCRPC
protocol (according to docs turned up through google, on RPC program
number
55555555 version 1) to support remote debugging. This is a scary thing to
find
left enabled in a shipped product. Does anybody have any idea how someone who doesn't own a copy of vxWorks
could
test to find out for sure whether this port is really active, or whether
the
IP stack is just failing to return an error for packets thrown at it
despite
having WND disabled? NB: I don't need an exploit, or even a dos; a simple ping would be fine.
Or
even enough details about the protocol to craft one. Seems I can't find
any of
the fine details for the over-the-wire protocol, and the rpc header files
are
part of the vxWorks product, not publicly available. -Bennett
--- for a personal reply use: =?iso-8859-1?Q?Iv=E1n_Arce?= <ivan.arce () corest com>
Current thread:
- vxWorks WND checker? Bennett Todd (May 07)
- Re: vxWorks WND checker? KF (May 07)
- Re: vxWorks WND checker? KF (May 07)
- Re: vxWorks WND checker? Iván Arce (May 07)