In the second part of its four-part series on the attack surface of Windows CE, a legacy operating system still found in many OT (operational technology) environments, Claroty, a cyber-physical systems (CPS) protection firm, examined the debugging constructs of Windows CE. During the research, two proprietary control and debugging protocols were discovered and analyzed. The post describes the research process, which the team later used to build custom research utilities.
“Visual Studio comes bundled with a built-in debugging utility allowing you to debug remote device applications over ethernet,” Tomer Goldschmidt, a Claroty vulnerability researcher, wrote in a Wednesday blog post. “This utility expects to connect to debugging agent services executed on the remote device. These services are implemented in binaries provided in the installation of Visual Studio for a wide variety of architectures.”
Goldschmidt added that “even though we were able to debug an application using Visual Studio, we were still curious about how this construct works and how debugging actually works on Windows CE platforms. We started off by reviewing the configuration of the remote debugger agent. Equipped with this knowledge, we used Wireshark to take a ‘pcap’ of the network traffic between the debugger agent and Visual Studio.”
By analyzing the network traffic alongside the state of the debugged system, the researchers were able to reconstruct parts of the protocol implementation, including checking whether a file exists, sending a file to the device, starting a process, and terminating it. “As we unraveled the protocol implementation, we noticed that our debugger interactions were missing from the filtered traffic. Using Wireshark’s ‘Statistics → Endpoints’ utility to verify if there are any other interesting endpoints, we noticed TCP port 6510.”
Goldschmidt said that analyzing this second protocol was straightforward because the request packets contain descriptive strings naming the functionality being invoked.
As the researchers unraveled the protocol used to debug a native process on the device, it became clear that it is a remote procedure call (RPC) interface over the network that wraps the native Windows debugging API functions. “We decided to learn more about these API functions to have a better understanding of the RPC interface we are provided with. To do so, we used a trusty source of information—MSDN—and decided to put these API function specifications in this document.”
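The two analysis steps above, the endpoint tally that surfaced a second TCP port and the mapping of requests by the readable strings they carry, as an added example that is not Claroty's code and is not part of the original post. The capture below is constructed: the addresses, the use of port 5000 as a stand-in for the first debugger-agent channel, the two-byte opcode layout, and the command strings are all assumptions made for illustration. Only port 6510 comes from the post; the real protocol format is not described there and is not reproduced here.

```python
"""Recreating the 'Statistics -> Endpoints' check and the descriptive-string
observation over a constructed capture (added example, not Claroty's code)."""
from collections import Counter
import re

# Constructed capture: (src_ip, src_port, dst_ip, dst_port, tcp_payload).
# 10.0.0.5 plays the Visual Studio host, 10.0.0.20 the Windows CE device.
# Port 5000 is an assumed stand-in for the first agent channel; 6510 is the
# second channel the researchers found through Wireshark's endpoint view.
# Opcode-then-string payloads and the command names are hypothetical.
HOST, DEVICE = "10.0.0.5", "10.0.0.20"
CAPTURE = [
    (HOST, 49152, DEVICE, 5000, b"\x01\x00FileExists\x00\\app.exe\x00"),
    (DEVICE, 5000, HOST, 49152, b"\x01\x00\x01"),
    (HOST, 49152, DEVICE, 5000, b"\x02\x00SendFile\x00\\app.exe\x00MZ" + b"\x90" * 8),
    (HOST, 49152, DEVICE, 5000, b"\x03\x00StartProcess\x00\\app.exe\x00"),
    (HOST, 49153, DEVICE, 6510, b"\x10\x00ReadProcessMemory\x00\x00\x10\x00\x00"),
    (DEVICE, 6510, HOST, 49153, b"\x10\x00" + b"\x00" * 16),
    (HOST, 49153, DEVICE, 6510, b"\x11\x00ContinueDebugEvent\x00"),
    (HOST, 49152, DEVICE, 5000, b"\x04\x00TerminateProcess\x00"),
]

# Runs of four or more printable ASCII bytes, the same idea as `strings`.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def endpoint_stats(capture):
    """Packets seen per (ip, port) endpoint, like Wireshark's Statistics -> Endpoints (TCP)."""
    stats = Counter()
    for src_ip, src_port, dst_ip, dst_port, _ in capture:
        stats[(src_ip, src_port)] += 1
        stats[(dst_ip, dst_port)] += 1
    return stats


def unexpected_service_ports(capture, device_ip, known_ports):
    """Device-side ports in the capture that the analyst has not yet accounted for.
    Ports >= 10000 are treated as ephemeral client ports (an assumption for this example)."""
    device_ports = {port for (ip, port) in endpoint_stats(capture) if ip == device_ip and port < 10000}
    return sorted(device_ports - set(known_ports))


def printable_strings(payload):
    """Descriptive strings embedded in a payload; empty for binary-only responses."""
    return [m.decode("ascii") for m in PRINTABLE_RUN.findall(payload)]


def command_map(capture, client_ip, port):
    """Map the assumed 16-bit little-endian opcode of each client request on `port`
    to the first readable string that follows it, giving a first-cut command table."""
    mapping = {}
    for src_ip, _, _, dst_port, payload in capture:
        if src_ip != client_ip or dst_port != port or len(payload) < 2:
            continue
        opcode = int.from_bytes(payload[:2], "little")
        names = printable_strings(payload)
        if names:
            mapping.setdefault(opcode, names[0])
    return mapping


if __name__ == "__main__":
    for endpoint, count in sorted(endpoint_stats(CAPTURE).items()):
        print(f"{endpoint[0]}:{endpoint[1]}  packets={count}")
    extra = unexpected_service_ports(CAPTURE, DEVICE, known_ports=[5000])
    print("unaccounted device ports:", extra)
    for port in [5000, *extra]:
        print(f"port {port} commands:", command_map(CAPTURE, HOST, port))
```

The endpoint tally is what makes the second channel visible: filtering on the first agent port hides every packet to 6510, while counting per endpoint shows the device answering on a port the analyst never configured. The opcode-to-string table is only a starting hypothesis about the layout; it still has to be confirmed against the device's behaviour, as the researchers did by correlating traffic with the state of the debugged process.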
Goldschmidt added that as they went further with researching these protocols, “we started to experiment with building client scripts to interact with the processes we debugged. This became very useful when debugging researched applications. Being able to debug a Windows CE application from our own Linux host machine and having the ability to customize the experience of researching this type of device was a great benefit.”
Separately this week, Claroty appointed Amir Preminger as chief technology officer (CTO). As CTO, Preminger will continue to lead Claroty’s research group, Team82, while also driving innovation across the company’s products and services and strengthening the link between its technology and business growth.