Vulnerability Development mailing list archives

Re: vxWorks WND checker?

From: Iván Arce <core.lists.exploit-dev () core-sdi com>
Date: Tue, 7 May 2002 22:51:14 -0300

In an almost completly irresponsable post (since i have not RTFS or
even the fine manual) i would suggest sending an RPC request for PROC_NULL
err NULLPROC ( 0 )

This takes no arguments and receives nothing but an error code in
return..
errcode = client_call(....,NULLPROC,...)

any meaningfull RPC errcode implies that there is something on the
other end that understands RPC as opposed to some random listener.
while this does not prove that it is the WND program it is probably a
good enough test and pretty easy to develop too

-i


---

"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

44 Wall Street - New York, NY 10005
Ph: (212) 461-2345
Fax: (212) 461-2346
http://www.corest.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A

----- Original Message -----
From: Bennett Todd <core.lists.exploit-dev () core-sdi com>
To: <vuln-dev () securityfocus com>
Sent: Tuesday, May 07, 2002 5:12 PM
Subject: vxWorks WND checker?

Doing some routine auditing of a wireless net, I found that some of the

access

points were listening on UDP port 17185. Turns out that makes sense,

that's

the wndrpc port, for WindRiver Network Debugging --- it uses a private

ONCRPC

protocol (according to docs turned up through google, on RPC program

number

55555555 version 1) to support remote debugging. This is a scary thing to

find

left enabled in a shipped product.

Does anybody have any idea how someone who doesn't own a copy of vxWorks

could

test to find out for sure whether this port is really active, or whether

the

IP stack is just failing to return an error for packets thrown at it

despite

having WND disabled?

NB: I don't need an exploit, or even a dos; a simple ping would be fine.

Or

even enough details about the protocol to craft one. Seems I can't find

any of

the fine details for the over-the-wire protocol, and the rpc header files

are

part of the vxWorks product, not publicly available.

-Bennett



--- for a personal reply use: =?iso-8859-1?Q?Iv=E1n_Arce?= <ivan.arce () corest com>

Current thread:

vxWorks WND checker? Bennett Todd (May 07)
- Re: vxWorks WND checker? KF (May 07)
- Re: vxWorks WND checker? KF (May 07)
- Re: vxWorks WND checker? Iván Arce (May 07)