From: SecuriTeam <support@securiteam.com.>
To: list@securiteam.com
Date: 27 Jun 2007 16:21:35 +0200
Subject: [REVS] Cisco IOS Exploitation Techniques Paper
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070627144207.4620A5AFC@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Cisco IOS Exploitation Techniques Paper
------------------------------------------------------------------------
SUMMARY
It has been more than a year since Michael Lynn first demonstrated a
reliable code execution exploit on Cisco IOS at Black Hat 2005. Although
his presentation received a lot of media coverage in the security
community, very little is known about the attack and the technical details
surrounding the IOS check_heaps() vulnerability. This paper is a result of
research carried out by IRM to analyse and understand the check_heaps()
attack and its impact on similar embedded devices. Furthermore, it also
helps developers understand security-specific issues in embedded
environments and developing mitigation strategies for similar
vulnerabilities. The paper primarily focuses on the techniques developed
for bypassing the check_heaps() process, which has traditionally prevented
reliable exploitation of memory-based overflows on the IOS platform. Using
inbuilt IOS commands, memory dumps and open source tools IRM was able to
recreate the vulnerability in a lab environment. The paper is divided in
three sections, which cover the ICMPv6 source-link attack vector, IOS
Operating System internals, and finally the analysis of the attack itself.
DETAILS
Conclusions:
The check_heaps() vulnerability was mainly due to design issues and
further exploitable due to the lack of memory protection support between
processes. Many embedded system vendors still rely on choosing performance
and speed over security. As more and more "intelligence" is built into
consume and commercial devices using embedded operating systems and
software, the more significant these potential vulnerabilities may become.
Therefore embedded systems vendors need to be aware of the potential
attacks against their systems and the fact that many hackers are getting
bored with researching traditional operating systems and are turning to
embedded devices for a new challenge.
ADDITIONAL INFORMATION
The information has been provided by <mailto:andy.davis@irmplc.com.> Andy
Davis.
The original article can be found at:
<http://www.irmplc.com/download_pdf.php?src=Cisco_IOS_Exploitation_Techniques.pdf&force=yes>; http://www.irmplc.com/download_pdf.php?src=Cisco_IOS_Exploitation_Techniques.pdf&force=yes
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
