A classic format string bug (CWE-134) in the undocumented "prompt" command of Interpeak IPCOMShell on Green Hills INTEGRITY RTOS 5.0.4.
The vulnerability allows:
Memory leaks via %p/%x/%s specifiers (defeating ASLR)
Arbitrary memory writes via %n
Potential control-flow hijacking in the TELNET shell
This is a 2019 CVE that was part of a larger batch of issues in the Interpeak stack used in safety-critical systems. The report includes a working PoC demonstrating the full leak → write chain in a simulated avionics ground maintenance environment.
Green Hills INTEGRITY is a high-assurance separation kernel widely used in aerospace, defense, and safety-critical applications.
Would be interesting to hear from people who have worked with INTEGRITY or similar RTOSes on:
How common it still is to expose TELNET/maintenance interfaces during ground testing?
Modern mitigation practices (partitioning, disabled networking in critical partitions, etc.)
No remote attack surface in normal flight configuration is claimed — only ground maintenance scenario.
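To make the CWE-134 pattern in the post concrete from a defender's side, here is an added C example (not code from the Interpeak/INTEGRITY report or from Green Hills) that shows the shape of the bug beside its fix, plus a small audit helper of the kind a maintenance-shell command logger could use to flag arguments carrying format directives. All names (set_prompt_unsafe, set_prompt_safe, has_format_directive, the 64-byte prompt buffer) are hypothetical; the real shell's internals are not on the page.

```c
/* Added example illustrating the CWE-134 pattern described in the post.
 * Hypothetical names; not the Interpeak IPCOMShell source. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* The vulnerable function below intentionally uses a non-literal format
 * string; silence the compiler so the example builds as a teaching aid. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

#define PROMPT_MAX 64                 /* assumed buffer size */

static char g_prompt[PROMPT_MAX] = "> ";

/* VULNERABLE shape: the user-supplied argument IS the format string.
 * %p/%x/%s read whatever sits in the argument slots (memory disclosure),
 * %n writes through them. Never call this with untrusted input. */
void set_prompt_unsafe(const char *arg)
{
    snprintf(g_prompt, sizeof g_prompt, arg);   /* CWE-134 */
}

/* Audit helper: true if `s` contains a conversion directive, i.e. a '%'
 * that is not the literal escape "%%". Useful for logging/alerting on
 * maintenance-shell arguments, independent of whether the sink is fixed. */
bool has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {            /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        return true;
    }
    return false;
}

/* HARDENED: constant format string, user text passed only as data to %s,
 * output bounded by the destination size (snprintf truncates and always
 * NUL-terminates). Returns 0 on success. */
int set_prompt_safe(const char *arg)
{
    if (arg == NULL)
        return -1;
    snprintf(g_prompt, sizeof g_prompt, "%s", arg);
    return 0;
}

const char *current_prompt(void)
{
    return g_prompt;
}

int main(void)
{
    /* Constructed sample arguments, as a shell command logger might see them. */
    const char *samples[] = { "maint", "100%% done", "%p%p%p%p", "%x%x%n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("arg=\"%s\" format_directive=%s\n", samples[i],
               has_format_directive(samples[i]) ? "yes" : "no");

    /* With the fixed sink the directives are inert: they become prompt text. */
    set_prompt_safe("%x%x%n");
    printf("prompt is now: %s\n", current_prompt());
    return 0;
}
```

The audit helper is deliberately separate from the fix: the fix is the constant format string, while the helper gives operations a cheap signal (an argument to a maintenance command that contains `%p`, `%x` or `%n`) worth logging on any TELNET-exposed shell during ground testing.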