This is part 3 of Team82’s four-part series on our analysis of the Windows CE attack surface. CE is a legacy OS still found in many operational technology environments. In part 1 of this series, we wrote about simple Windows CE application development, which helped us understand the OS and further our research. In part 2, we examined Windows CE’s debugger constructs.
Team82’s vulnerability research on critical applications and devices is usually focused on commercially available, production-ready applications. This contrasts the research in part 1 of our series on the Windows CE attack surface where we developed a simple Windows CE application and debugged it.
Researching closed-source applications presents a major challenge for us when it comes to debugging; Visual Studio 2005 was the only debugger we found for Windows CE environments, however it was not built for debugging close-source applications. In part 2 of our series, for example, we provided a breakdown of the debugging constructs utilized when debugging with Visual Studio 2005. With our understanding of the constructs, we arrived at the conclusion that we are actually capable of introducing our own debugging tools that will utilize these remote debugging protocols.
In this blog, we will present our open-source debugger that allows researchers and developers to debug any Windows CE application from the comfort of your host machine. This debugger is focused on the essential components that allow a security researcher to debug and test an application for analysis and vulnerability hunting.
We invite you to download and use the debugger here.
It seems that as a legacy platform, Visual Studio—the main Windows CE application development environment—is also the main utility applicable for application testing. And so as we drilled down into testing such applications, we needed to invest in building a setup for our vulnerability research. We learned this is not an especially accessible platform for eager vulnerability researchers that want to test an application. Two main hurdles consumed much of our valuable research time:
First, was setting up an emulator/device and a Windows virtual machine capable of running older versions of Visual Studio.
Second was that debugging an executable without having its source code required us to patch-in a breakpoint into the tested application to enable debugging.
A Windows CE based device or an emulator
Debugging agent executables (can be found as part of the Visual Studio 2005 installation):
Clisenshutdown.exe: Shutdown commanding agent service
CMAccept.exe: Make commanding agent service accept incoming clients connections
CommandClient.exe: Execute commanding agent service
DeviceDMA.dll: Device memory manipulation related routines library
eDbgTL.dll: Debugging library
TcpConnectionA.dll: Network related routines library
Edm.exe: Agent implementing debugging routines
Team82’s Windows CE debugging client: Debugging client custom made and implemented in Python to help us with Windows CE application vulnerability research.
Our goal is to debug the application we created in part 1 of this series, to showcase the debugging capabilities provided by our custom utility. We will make modifications to the running application to present these capabilities.
The debugger project is composed of two separate components: a background connection component and the debugger client itself. The first component we will explain how to use is the background component, which initiates communication between the client debugger and a remote Windows CE system where our target application runs.
It’s simple to use this component. All you need to do is to invoke the agents located on the remote system. If you recall in a previous blog, similarly to how you start debugging with Visual Studio.
Then we run the Python module:
As a side note, this component allows users to upload a target executable, using the –target optional parameter, to the device in a predetermined location. This becomes very handy when needing to debug a new executable.
After following the steps above, we can start our debugging client with the following command in the terminal.
The debugger client enables researchers to dynamically analyze Windows CE applications and test for security issues in them. The client is composed of several essential components. All the components except for a log view are interactive and enable researchers to remotely interact with the underlying process of a debugged application. Implementing this client relied on an analysis we conducted and showcased in a previous blog. In this analysis, we researched the original debugging constructs implemented by Microsoft Visual Studio, used to debug Windows CE applications.
Before jumping into debugging our application we will present the different components that make up our debugger client.
Memory-hex view enables the researcher to have a preview of the memory segment in the process. The view has an interactive cursor moved by using the arrow keys. This view also allows researchers to edit live memory by entering edit mode with the Insert key and editing the hexadecimal values and pressing the Enter key to commit changes.
The log view, as the name suggests, is responsible for presenting the debugger logs, allowing keeping track of the different events during a debugging session.
The Breakpoints view allows researchers to keep track of the different breakpoints in the debugging session and also manage them in a single spot.
Thread-contexts view displays the threads and the corresponding registers in the context of the debugged process. This view also enables the modification of register values, which is essential when testing the application.
Now that we are fairly familiar with the different components of our debugger we can try to debug our application to showcase the utility in action. As you may recall from part 1 of this series we created a Windows CE application with graphical user interface. To set a goal for our debugging attempt, we decided we will modify the application behavior during runtime.
First thing we should do is to execute our background component and upload our target application binary.
With that done we can go ahead and run our debugger to execute the target application in a new debugging session.
As you can see, the debugger utility puts a breakpoint on the entry point of our developed application, allowing us to place another breakpoint in the specific code area where we intend to apply our modifications.
In our case, we placed the breakpoint right before the graphical component is initialized with its relevant parameters.
We intend to modify the text about to be displayed into a different string. Doing so, we present the memory editing feature of our debugger which is an essential part of debugging and application testing.
Having our modified memory set, we can continue the program execution and see the results.
As you can see in the image provided above, we managed to actively change the behavior of a running application on a remote Windows CE system with our custom debugger. This is apparent by the change of the title artifact in the application that changed to the value “AAAAAA”.
This was a brief example for a use case using our debugger utility, in which we as security researchers are interested in interacting with the underlying process of a target application. This is for instance a common scenario when a researcher wants to develop an exploit payload for a discovered vulnerability. It is also beneficial to us as we continue this series toward real vulnerability research we conducted on Windows CE systems used in critical infrastructure.
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and mislead victim clients.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 7.5
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain controls over utilities within the products.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 9.8
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 7.5
CWE-912 HIDDEN FUNCTIONALITY:
The "update" binary in the firmware of the affected product sends attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an attacker is able to control or impersonate this IP address, they could upload and overwrite files on the device.
Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.
If asset owners cannot remove the devices from their networks, users should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120.
Please note that this device may be re-labeled and sold by resellers.
Read more here: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated….
CVSS v3: 7.5
CWE-295 IMPROPER CERTIFICATE VALIDATION:
The affected product is vulnerable due to failure of the update mechanism to verify the update server's certificate which could allow an attacker to alter network traffic and carry out a machine-in-the-middle attack (MITM). An attacker could modify the server's response and deliver a malicious update to the user.
Medixant recommends users download the v2025.1 or later version of their software.
CVSS v3: 5.7
