Image source: rtos.com
  • Four memory corruption problems were found to plague many versions of the ThreadX firmware.
  • One of them is especially easy to exploit, following standard escalation techniques.
  • Patches are in the works, as billions of devices around the globe are affected.

Update (25/01/2019): David Lamie from Express Logic has reached out to us for clarifications on the above piece of news. As it seems, both vulnerabilities discovered by the Embedi researcher concern memory corruption, so they are attributed solely to the Marvell firmware running on ThreadX, and not to the RTOS itself. That said, not all ThreadX deployments are vulnerable, but only those that run on the Marvell Avastar firmware. The original reporter has not yet updated the research report to clarify this point, but Lamie has assured us that the researcher acknowledged that the security issues are not rooted in ThreadX itself.

ThreadX is a real-time operating system (RTOS) developed by Express Logic, capable of running on a rich set of different platforms and devices. It is actually the most widely deployed RTOS, with over 6.2 billion deployments, including IoT (Internet of Things) devices, modems, laptops such as Samsung Chromebooks and the Microsoft Surface, and even gaming consoles like the PS4 and Xbox One. Considering the above, the fact that two severe vulnerabilities were discovered by the Embedi security researcher Denis Selianin means that billions of users from all around the world are at risk of being exploited.

The researcher applied fuzzing techniques to uncover four memory corruption issues in the firmware that are present across various versions of it. The most interesting bug to exploit, and one that the researcher calls “cool”, is one that allows block pool overflow exploitation. The reason it is especially cool is that it requires no user interaction: it can be triggered when the firmware scans for available networks (every 5 minutes), it does not require entering WiFi credentials, and it only needs the device to be powered on.

The second vulnerability concerns a ThreadX exploitation that is specific to the implementation in the Marvell Avastar SoC (88W8897). This chip is found in the Valve Steam Link, various TV boxes, and several models of smart TVs. The researcher reverse engineered the wrapper functions of the memory management routines, achieving the capacity to execute arbitrary code on the SoC. As the first bug is generic, it applies to the Marvell Avastar as well, so this second exploitation channel is in addition to the above, not instead of it. The researcher states that the two vulnerabilities can be exploited when the memory blocks are inactive and busy respectively, so when combined they give an attacker a reliable exploitation result.

The actual exploitation requires a couple of code-execution privilege escalations, but according to the researcher this is very easy to do. As Selianin states: “The discovered vulnerability is extremely simple to exploit – a stack-based buffer overflow. There are also no binary exploitation mitigations in the Linux kernel “3.8.13-mrvl”. However, AGAIN because of the I/D-cache incoherence and/or write-back buffer defer commit, some preparatory stages are required. Also, there’s no control over the stack because of function epilogues, which pop the stack pointer from the stack itself.”

Embedi has even released an “over the air” exploitation demo video on YouTube, showcasing the Marvell Avastar vulnerability. However, no proof-of-concept code has been released to the public, as the patching work is still underway. The researcher concludes that the escalation possibilities are multiple and only require standard methodologies, that there is no mitigation of such risks on wireless SoCs, and that wireless devices expose a huge attack surface.

Do you own a ThreadX-powered device? Let us know what you think of the above in the comments below, and also hop over to our socials on Facebook and Twitter to share your thoughts with our online community as well.