Message-ID: <f8db07905073020306b4af68d@mail.gmail.com>
Date: Sun Jul 31 04:30:41 2005
From: neville.aga at gmail.com (Neville Aga)
Subject: RE: Cisco IOS Shellcode Presentation

The presentation Larry posted is not the same presentation Mike Lynn
delivered at Blackhat. I was there and saw his presentation. It was
one of the best presentations I have ever seen. It was delivered with
intelligence and passion and care. I wonder when my time comes for
something like that I will have the fortitude to do what I believe to
be right under threats from a corporation as powerful as Cisco.  What
has been posted is irresponsible.

Michael was responsible with his information. The slides that are
posted here and are now going to float around the internet forever
have full text in the slides titled finding malloc() and finding
CreateThread(), complete with the critical offsets needed to reproduce
the attack. The slides he presented had all that blacked out. He gave
nothing to a Blackhat attendee to go out and reproduce the attack
themselves. Instead he made a point about Cisco IOS, namely:

1. You get one Cisco BGP internet router, it has a route to all other
routers and therefore a path to the entire network, not one system
(OK, you knew that)

2. Cisco IOS source code has been stolen at least twice. There is no
good reason to steal it other than to attack it. If Mike Lynn can
figure this one attack technique out, how many more attack techniques
can be figured out by people holding source code?

3. During the presentation, Mike Lynn said a substantial amount of his
research in this subject came from English translations of Chinese
hacking web sites. Consider That!!

4. Most importantly, the real threat here is a self-replicating worm
that has a destructive payload to modify BGP routes or write back boot
sectors to make thousands of routers simultaneously useless (the
digital Pearl Harbor he alluded to). Mike said that that is not really
feasible today with this particular technique because of the way code is
implemented you would need to know the exact IOS version and some
other hardware details for each router, so unless you have a 17MB worm
that has precompiled exploit code for each possible instance, then the
worm scenario is not possible, and a 17MB worm is not practical.

4A. However (consider this one reason why Mike may ultimately be
remembered as a hero) Cisco's roadmap is moving to a new memory
structure where the offsets would be the same for all hardware. That
could make your router worm a real possibility, not with this exploit
(I am sure everyone will patch their routers to prevent this exploit),
but with the next flaw someone else figures out. Do you think Cisco
may reconsider that design after this? I certainly think they will, or
else they should have their collective head examined. Remember, some
Chinese hackers were already thinking down these paths before Mike
was.


In my opinion a real loser in all this is ISS. The strength of any
company is its people. Management should trust and defend their best
and brightest, not sue them and force them to resign. In the case of
illegal activities of course management has no obligation to defend
criminals. However that is not what happened here. Cisco saying this
was illegal did not make it so. The talk was delivered in a
responsible and professional way. ISS did not care to see the details
and the way Mike presented this particular talk, they just caved to
Cisco pressure, co-suing Mike with Cisco to make Mike look like a
rogue and becoming a puppet for a business partner instead of helping
an employee.


Neville
