ThreadX is a real-time operating system (RTOS) developed by Express Logic, capable of running in a rich set of different platforms and devices.
It is actually the most deployed RTOS, with over 6.2 billion deployments, including IoT (Internet of Things) devices, modems, laptops such as Samsung Chromebooks and Microsoft Surface, and even gaming consoles like the PS4 and Xbox One.
Considering the above, the fact that two severe vulnerabilities were discovered by the Embedi security researcher Denis Selianin means that billions of users from all around the world are in danger of getting exploited.
The researcher has applied fuzzing techniques to uncover four memory corruption issues in the firmware that are present across various versions of it. The most interesting bug to be exploited, and one that the researcher calls “cool”, is one that allows block pool overflow exploitation.
The reason why it’s especially cool is that it doesn’t require any user interaction, it can be triggered when the firmware scans for available networks (every 5 minutes), it doesn’t require the inputting of WiFi credentials, and it only needs the device to be powered on.
The second vulnerability concerns a ThreadX exploitation that is specific to the implementation in the Marvell Avastar SoC (88W8897). This chip is to be found on Valve Steamlink, various TV boxes, and several models of smart TVs.
The researcher has reversed engineered the wrapper functions of the memory management routines, achieving the capacity to execute arbitrary code on the SoC. As the first bug is generic, it applies to the Marvell Avastar as well, so this second exploitation channel is in addition to the above, not instead of it.
The researcher states that the two vulnerabilities can be exploited when the memory blocks are inactive and busy respectively, so when combined, an attacker can have a reliable exploitation result.
The actual exploitation requires a couple of code execution rights escalation, but according to the researcher, this is very easy to do. The vulnerability is extremely simple to exploit – a stack-based buffer overflow.
The patching work is still underway. The researcher affirms that the escalation possibilities are multiple and only require standard methodologies, there is no mitigation of such risks on wireless SoCs, and that wireless devices expose a huge attack surface.