lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <7B01ACCEDD4FFE48B12A55E2DB16A9301D83B8@dccheltenham.local.irmplc.com>
Date: Thu, 11 Oct 2007 08:32:19 +0100
From: "Andy Davis" <andy.davis@...plc.com>
To: "Halvar Flake" <halvar.flake@...re-security.com>,
	<bugtraq@...urityfocus.com>
Subject: RE: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS Exploitation Techniques

Halvar,

The primary objective of the research was to understand how to create a
remote high privilege shell on IOS (as Michael Lynn demonstrated at
BlackHat 2005) - this was achieved and in the process, we discovered
three ways of doing it. Because we had worked out how to use gdb with
IOS, the easiest way for us to develop the shellcode was by using gdb to
upload the code to some spare IOS memory and hook into an IOS process
that was already running to execute it.

The secondary objective was making the shellcode as compact as possible,
with the minimal number of hard-coded function addresses as possible
(due to the monolithic nature of IOS - every version will have these
functions at slightly different addresses). During this process we
discovered the "tiny shell" technique (demonstrated in one of the
videos) - all that is required to gain a remote shell on IOS (that has
at least one VTY enabled) is two 1-byte memory overwrites. The first
byte modification removes access control to the VTY and the second
privilege escalates to Level 15.

Personally I think these techniques are pretty cool we're really pleased
with the results of the research - I think it may be clearer to everyone
when we release the higher resolution videos that are easier to watch.

Cheers,

Andy

-----Original Message-----
From: Halvar Flake [mailto:halvar.flake@...re-security.com] 
Sent: 12 October 2007 07:32
To: Andy Davis; bugtraq@...urityfocus.com
Subject: Re: Cisco PSIRT response on IRM Demonstrates Multiple Cisco IOS
Exploitation Techniques

Hey Andy,

thanks. So the core of IRMs work is "ways of getting a Cisco shell over
the 
network
with a small/minimal number of hardcoded addresses" ?

Cheers,
Halvar

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ