Re: vxWorks WND checker?

From: Iván Arce (core.lists.exploit-dev@core-sdi.com)
Date: Tue May 07 2002 - 18:51:14 PDT


    In an almost completely irresponsible post (since I have not RTFS or
    even the fine manual) I would suggest sending an RPC request for PROC_NULL,
    err, NULLPROC (0).
    
    This takes no arguments and receives nothing but an error code in
    return:
    errcode = client_call(....,NULLPROC,...)
    
    Any meaningful RPC errcode implies that there is something on the
    other end that understands RPC as opposed to some random listener.
    While this does not prove that it is the WND program, it is probably a
    good enough test and pretty easy to develop too.
    
    -i
    
    
    ---
    
    "Understanding. A cerebral secretion that enables one having it to know
     a house from a horse by the roof on the house.
     Its nature and laws have been exhaustively expounded by Locke,
     who rode a house, and Kant, who lived in a horse." - Ambrose Bierce
    
    Ivan Arce
    CTO
    CORE SECURITY TECHNOLOGIES
    
    44 Wall Street - New York, NY 10005
    Ph: (212) 461-2345
    Fax: (212) 461-2346
    http://www.corest.com
    
    PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
    
    ----- Original Message -----
    From: Bennett Todd <core.lists.exploit-dev@core-sdi.com>
    To: <vuln-devat_private>
    Sent: Tuesday, May 07, 2002 5:12 PM
    Subject: vxWorks WND checker?
    
    
    > Doing some routine auditing of a wireless net, I found that some of the
    > access points were listening on UDP port 17185. Turns out that makes
    > sense, that's the wndrpc port, for WindRiver Network Debugging --- it
    > uses a private ONCRPC protocol (according to docs turned up through
    > google, on RPC program number 55555555 version 1) to support remote
    > debugging. This is a scary thing to find left enabled in a shipped
    > product.
    >
    > Does anybody have any idea how someone who doesn't own a copy of vxWorks
    > could test to find out for sure whether this port is really active, or
    > whether the IP stack is just failing to return an error for packets
    > thrown at it despite having WND disabled?
    >
    > NB: I don't need an exploit, or even a dos; a simple ping would be fine.
    > Or even enough details about the protocol to craft one. Seems I can't
    > find any of the fine details for the over-the-wire protocol, and the rpc
    > header files are part of the vxWorks product, not publicly available.
    >
    > -Bennett
    
    
    --- for a personal reply use: Iván Arce <ivan.arceat_private>
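An added example of the NULLPROC check Iván describes (not code from the thread, from Wind River, or from CORE): it builds a standard ONC RPC v2 call for procedure 0, classifies the reply, and treats any well-formed RPC status as evidence that an RPC listener, rather than a silently tolerant IP stack, is on the far end. Assumptions: the program number "55555555" quoted by Bennett is the hexadecimal 0x55555555, the wire format is plain ONC RPC over UDP with no record marking, and the function and constant names are mine.

```python
import socket
import struct

# Assumptions, not from the thread: the "55555555" program number is the
# hexadecimal 0x55555555; version 1 and UDP 17185 are as Bennett posted.
WDB_PROG = 0x55555555
WDB_VERS = 1
NULLPROC = 0
WDB_PORT = 17185

ACCEPT_STAT = {0: "SUCCESS", 1: "PROG_UNAVAIL", 2: "PROG_MISMATCH",
               3: "PROC_UNAVAIL", 4: "GARBAGE_ARGS", 5: "SYSTEM_ERR"}

def build_null_call(xid, prog=WDB_PROG, vers=WDB_VERS):
    """ONC RPC v2 CALL for procedure 0: no arguments, AUTH_NONE cred and verf."""
    # xid, msg_type=CALL(0), rpcvers=2, prog, vers, proc, cred(flavor,len), verf(flavor,len)
    return struct.pack("!10I", xid, 0, 2, prog, vers, NULLPROC, 0, 0, 0, 0)

def parse_reply(xid, data):
    """Classify a datagram as an RPC reply to our xid; None means 'not RPC to us'.
    Any accept_stat (even PROG_UNAVAIL) is the 'meaningful errcode' Ivan means:
    the far end speaks ONC RPC. SUCCESS means that program/version answered."""
    if len(data) < 12:
        return None
    rxid, mtype, rstat = struct.unpack("!III", data[:12])
    if rxid != xid or mtype != 1:          # wrong xid, or not a REPLY
        return None
    if rstat == 1:                          # MSG_DENIED: rpc version or auth problem
        return "DENIED"
    if rstat != 0 or len(data) < 24:
        return None
    verf_len = struct.unpack("!I", data[16:20])[0]
    off = 20 + ((verf_len + 3) & ~3)        # skip opaque verifier body, XDR-padded
    if len(data) < off + 4:
        return None
    astat = struct.unpack("!I", data[off:off + 4])[0]
    return ACCEPT_STAT.get(astat, "UNKNOWN_%d" % astat)

def probe(host, port=WDB_PORT, timeout=2.0):
    """Send one NULLPROC call and return the classified reply, or None on timeout."""
    xid = 0x1234ABCD
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_null_call(xid), (host, port))
        try:
            data, _ = s.recvfrom(1024)
        except socket.timeout:
            return None
    return parse_reply(xid, data)
```

`probe(host)` returns None when nothing answers (Bennett's "IP stack just not returning an error" case) and a status string when something on the far end actually speaks RPC.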
    


