Windows embedded (XPE) and Enhanced Write Filter
Posted by: dicipulus
Date: June 26, 2008 07:23PM

I am attempting to compromise a system that is mine. The OS is XPE SP2. The thing I cannot get around is EWF.
For those who don't know, it locks the "C:" drive on a flash card and doesn't allow changes. Anything that is used is passed to a file overlay.
Windows XP Pro and XP Embedded are constantly reading from and writing to a disk. This translates into many flash erase cycles, of which CompactFlash and mini-IDE flash memory devices have a limited number. Without sophisticated wear-leveling technology, CompactFlash and mini-IDE flash cards will wear out much faster than in normal consumer-electronics style use.

To protect the life of the flash, thin client manufacturers implement XP Embedded's Enhanced Write Filter (EWF) to prevent writes (erase cycles) to the flash drive. All writes are redirected to the RAM disk (a.k.a. overlay). If you need to make any changes to the OS -- such as domain connectivity or change TCP/IP static address -- the EWF can be disabled to allow updating of this data, and then re-enabled. Setting up EWF is a bit tricky, especially when it comes to CompactFlash cards. When you are recreating an XPe image for your thin client you will have to get familiar with EWF setup.

And there is the rub. I know I should be able to gain a toehold, and execute the exe to disable EWF, but I can't seem to get there. The "empty" space on the flash drive doesn't leave me much room to work with.

nmap run in a very thorough mode shows ports that are TCPwrapped, which, since this is a gray-box operation, I know is from the dongle that gets connected to the boxes by the clients to set changes.

My concern is:
1. These images, when on a network and unlocked, can be infected. If you look it up, there is very little to no anti-virus to work with XPE due to the restrictions set in the beginning. There is FBWF that tries to address the anti-virus thing and allow new definitions to be written to it.
2. The prevailing attitude of the XPE community is that with EWF, anti-virus and firewalls aren't needed since a power off of the system sets everything to a "known" state.

XPE is just like XP Pro, it scans the same way, runs FTP servers and other stuff. We all know it isn't too too secure, but I guess I haven’t learned enough to know how to own one.

So, dear readers, I pose it to you all... I welcome your comments.

***Edit***
This isn't a "tell me how to be a Hax0r"; rather it is a "prod me in a different direction". I sorta know what I need to do, just not sure how to approach it.



Edited 1 time(s). Last edit at 06/26/2008 08:01PM by dicipulus.
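The overlay behaviour the opening post describes (writes redirected to RAM while the flash image stays untouched, a power-off returning the box to a "known" state, and an unlocked or committed change surviving the reboot) can be modelled in a few lines. The following is an added illustration, not code from the thread, from Microsoft or from any XPE OEM: `EwfVolume` and its methods are hypothetical names for a simplified simulation, and the real EWF is a kernel-mode driver with its own on-disk configuration that this model ignores. From a defender's side the interesting outputs are `pending_changes()`, the set of paths that currently differ from the flash image, and the fact that a tampered file is fully live until the next power cycle.

```python
# Added example (not from the thread): a toy model of Enhanced Write Filter
# (EWF) RAM-overlay semantics. Class and method names are hypothetical; the
# real EWF is a kernel driver managed through the ewfmgr utility, and this
# simplification ignores its on-disk state block and overlay size limits.

class EwfVolume:
    """Protected volume: reads fall through to the flash image, writes land in RAM."""

    def __init__(self, flash_image):
        self.flash = dict(flash_image)  # path -> content on the CompactFlash card
        self.overlay = {}               # path -> content, or None for a deleted file
        self.enabled = True             # EWF armed (writes redirected) or disabled

    def read(self, path):
        # The overlay wins over the flash copy, including tombstoned deletes.
        if path in self.overlay:
            content = self.overlay[path]
            if content is None:
                raise FileNotFoundError(path)
            return content
        if path in self.flash:
            return self.flash[path]
        raise FileNotFoundError(path)

    def write(self, path, content):
        # While EWF is enabled every write is captured in RAM; once an operator
        # disables it ("unlocks" the box) writes hit the flash directly.
        (self.overlay if self.enabled else self.flash)[path] = content

    def delete(self, path):
        if self.enabled:
            self.overlay[path] = None   # tombstone hides the flash copy
        else:
            self.flash.pop(path, None)

    def commit(self):
        """Persist the overlay to flash (what an operator does to keep a change)."""
        for path, content in self.overlay.items():
            if content is None:
                self.flash.pop(path, None)
            else:
                self.flash[path] = content
        self.overlay.clear()

    def power_cycle(self):
        """Reboot: the RAM overlay is lost and the flash image is what comes back."""
        self.overlay.clear()

    def pending_changes(self):
        """Paths that differ from the flash image: a cheap drift/integrity check."""
        return sorted(self.overlay)


def protected_session():
    """Tamper while EWF is on: live for the session, gone after a reboot."""
    # Constructed sample image; contents are placeholders.
    vol = EwfVolume({r"C:\app.exe": "original", r"C:\boot.ini": "[boot loader]"})
    vol.write(r"C:\app.exe", "tampered")
    live = vol.read(r"C:\app.exe")          # the modified binary is what runs now
    drift = vol.pending_changes()           # what a monitoring job would flag
    vol.power_cycle()
    return live, drift, vol.read(r"C:\app.exe")


def unlocked_session():
    """Tamper while EWF is disabled, or commit afterwards: survives the reboot."""
    vol = EwfVolume({r"C:\app.exe": "original"})
    vol.enabled = False                     # box "unlocked" for maintenance
    vol.write(r"C:\app.exe", "tampered")
    vol.enabled = True
    vol.power_cycle()
    via_disable = vol.read(r"C:\app.exe")

    vol = EwfVolume({r"C:\app.exe": "original"})
    vol.write(r"C:\app.exe", "tampered")
    vol.commit()                            # overlay flushed to flash
    vol.power_cycle()
    via_commit = vol.read(r"C:\app.exe")
    return via_disable, via_commit


if __name__ == "__main__":
    print(protected_session())   # ('tampered', ['C:\\app.exe'], 'original')
    print(unlocked_session())    # ('tampered', 'tampered')
```

The model makes the later point in the thread concrete: the overlay is a reset mechanism, not an access control. Anything written during a session runs as normal until power is cut, and the two maintenance paths (disabling the filter, or committing the overlay) are exactly the moments when a change becomes permanent, so those are the events worth logging and gating on a fleet of such devices.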

Re: Windows embedded (XPE) and Enhanced Write Filter
Posted by: joshbw
Date: June 30, 2008 08:54AM

"XPE is just like XP Pro"

This is not precisely correct. It would be the equivalent of saying that Wind River Linux (an embedded offering) is the same as RedHat Enterprise. A foolish OEM could make XPE just like XP Pro if they chose, but XPE is very modular and any OEM that knows even squat about it is only going to put in the bare minimum components necessary. That is going to substantially reduce the attack surface available, and it is also going to create a pretty big variation in installed components between XPE products. ATMs, for example, don't even run explorer. They have the kernel, networking stack, security components, and in more flashy implementations GDI and dependent subsystems. Point of Sale (yes, Windows PoS) has most of Windows present, including solitaire.

Security in this space is interesting, because it is still mostly at the place where vulnerabilities are mostly OS-centric. (Mostly) People aren't surfing the net, or opening various documents in applications, or running much software at all. Any attack vector based off of browsing the internet or convincing the user to install something, or open a malicious file, is right out the window (mostly), and that is how the preponderance of malware is currently circulated. Attacks that scan for open file shares, DCOM listeners, etc., are also pretty much out the window, since XPE doesn't even have admin file shares by default and most installs don't need DCOM services.

The attack vectors are therefore essentially threefold: compromise a network connected application running on the device (probably a custom app, so there is promise in this), compromise network services in the OS (contrary to popular belief, XP post-SP2, which comprises the base components of most current XPE installs, is not actually full of network remote execution vulnerabilities), or get physical access and hope they did something dumb like include either USB ports or removable media AND automatically execute off of them (you would actually be surprised how many OEMs think that is a good mechanism to pass updates).

If you wanted to try and compromise an XPE device you can try and profile it to see which OS network services are running, then check technet bulletins to see if any vulnerabilities were patched in said services, and then grab metasploit to try and craft an exploit hoping that there is no update service running on the device. You could alternatively profile any network connected applications running on top of XPE and see if you can compromise those.

"The prevailing attitude of the XPE community is that with EWF, anti-virus and firewalls aren't needed since a power off of the system sets everything to a "known" state."

This isn't unique to the XPE community, but rather the entire embedded community, Linux shops included. Most of these places are hardware companies first and foremost, so security is pretty far from their minds. They also assume that since they have a much more limited attack surface, and largely have mitigated user based attack vectors, and that further they often aren't economically worth the effort to exploit, they are safe. It isn't true that they are safe, and if you could ever bot infect an embedded device most often the only solution is to throw it away (many you can reset from ROM to clean off, but it just goes back to a vulnerable state), but the last argument about economics is absolutely true. If it isn't economically worth exploiting OS X (and looking at the vulnerability reports and security response between Redmond and Cupertino that can be the only explanation) then it sure isn't worth exploiting XPE (even though the install base is many times larger). Windows desktop is where the big money is. It is easier to get to, runs on more powerful machines, and has more useful data to steal. That is the biggest security virtue for XPE.

Re: Windows embedded (XPE) and Enhanced Write Filter
Posted by: dicipulus
Date: June 30, 2008 12:31PM

"XPE is just like XP Pro"
That was a poor choice of words on my part. XPE is not "just like" XP Pro, otherwise I would have rooted it. I should have stated that they run similar programs and scan in similar ways.
I have found, with physical access, ways to gain a toehold on the machines, but have yet to find a way to get beyond the RAM overlay.
It has been a great learning experience for me; even with physical access, it isn't just a matter of installing Cain (or PW cracker of choice) and running it. Limited modules and DLLs make for tougher going.
My concern was that these networked devices were subject to exploit in the ways XP Pro is. That isn't the case so far. A custom exploit I wrote and ran via Metasploit did work, but that had to do with some recent news from Redmond.
Unlocking the EWF is done with a command via CLI on the box; my guess is that with a good exploit and reverse shell I could execute the .exe and unlock the file system.
But overall, they seem fairly robust.
Thanks for the reply!

Re: Windows embedded (XPE) and Enhanced Write Filter
Posted by: joshbw
Date: June 30, 2008 01:34PM

"My concern was that these networked devices were subject to exploit in ways the XP Pro are. That isn't the case so far. "

I think the main barrier is just the much more limited attack surface (because as you say, the EWF is just a speed bump, not security), as my experience is that embedded devices have squat for security, the OEMs don't even know where to start when it comes to security, and that these devices are increasingly connected. They are also often gateways into more lucrative targets. For example, a coffee machine that grants access to XP: http://news.cnet.com/8301-10784_3-9970757-7.html?part=rss&subj=news&tag=2547-1_3-0-20

Good luck with the embedded hacking.

Re: Windows embedded (XPE) and Enhanced Write Filter
Posted by: dicipulus
Date: July 01, 2008 08:32PM

Down the rabbit hole I go.
I found a toehold and then some. Guess I just needed to "think out loud".
