| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun Jul 31 04:30:41 2005 From: neville.aga at gmail.com (Neville Aga) Subject: RE: Cisco IOS Shellcode Presentation The presentation Larry posted is not the same presentation Mike Lynn delivered at Blackhat. I was there and saw his presentation. It was one of the best presentations I have ever seen. It was delivered with intelligence and passion and care. I wonder when my time comes for something like that I will have the fortitude to do what I believe to be right under threats from a corporation as powerful as Cisco. What has been posted is irresponsible. Michael was responsible with his information. The slides that are posted here and are now going to float around the internet forever have full text in the slides titled finding malloc() and finding CreateThread(), complete with the critical offsets needed to reproduce the attack. The slides he presented had all that blacked out. He gave nothing to a blackhat attendee to go out and reproduce the attack themselves. Instead he made a point about cisco IOS, namely: 1. You get one Cisco BGP internet router, it has a route to all other routers and therefore a path to the entire network, not one system (OK, you knew that) 2. Cisco IOS source code has been stolen at least twice. There is no good reason to steal it other than to attack it. If Mike Lynn can figure this one attack technique out, how many more attack techniques can be figured out by people holding source code? 3. During the presentation, Mike Lynn said a substantial amount of his research in this subject came from English translations of Chinese hacking web sites. Consider That!! 4. Most importantly, the real threat here is a self replicating worm that has a destructive payload to modify BGP routes or write back boot sectors to make thousands of routers simultaneously useless (the digital Pearl Harbor he alluded to). Mike said that that is not really feasible today with this particular technique because the way code is implemented you would need to know the exact IOS version and some other hardware details for each router, so unless you have a 17MB worm that has precompiled exploit code for each possible instance, then the worm scenario is not possible, and a 17MB worm is not practical. 4A. However (consider this one reason why Mike may ultimately be remembered as a hero) Cisco's roadmap is moving to a new memory structure where the offsets would be the same for all hardware. That could make your router worm a real possibility, not with this exploit (I am sure everyone will patch their routers to prevent this exploit), but with the next flaw someone else figures out. Do you think Cisco may reconsider that design after this? I certainly think they will, or else they should have their collective head examined. Remember, some Chinese hackers were already thinking down these paths before Mike was. In my opinion a real loser in all this is ISS. The strength of any company is its people. Management should trust and defend their best and brightest, not sue them and force them to resign. In the case of illegal activities of course management has no obligation to defend criminals. However that is not what happened here. Cisco saying this was illegal did not make it so. The talk was delivered in a responsible and professional way. ISS did not care to see the details and the way Mike presented this particular talk, they just caved to Cisco pressure, co-suing Mike with Cisco to make Mike look like a rogue and becoming a puppet for a business partner instead of helping an employee. Neville
Powered by blists - more mailing lists