| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 25 Jan 2007 00:38:35 -0700 From: "Andre Gironda" <andre@...rations.net> To: "Kevin Graham" <mahargk@...il.com> Cc: full-disclosure@...ts.grok.org.uk, nanog@...it.edu, cisco-nsp@...k.nether.net Subject: Re: [c-nsp] Cisco Security Advisory: Crafted IP Option Vulnerability I would say that this would work: http://addxorrol.blogspot.com/2007/01/one-of-most-amusing-new-features-of.html It requires expensive software, BinNavi and IDA Pro Advanced, but anyone equipped with those tools could do it. I heard that parts of PaiMei work under BSD/Linux, and certainly GPF and Autodafé could be used for fault injection during step-mode debugging. PaiMei also uses IDA. The other tools are open-source including PaiMei itself. Using PyDBG in PaiMei could speed up the debugging faster than gdb by way of scripting, which could allow things like process stalking. If that's the case, I could invision anyone with a symbol table could get PoC remote code execution (ala Mike Lynn and Hacking Exposed: Cisco Networks) within 3 hours and have a reliable exploit within 10 hours. Worm at 11. But PaiMei doesn't do that (yet), and nobody has the rest of the resources to accomplish this task. Right? But, you don't really even need a symbol table if you have lots of time to debug and design the exploit. This is more advanced and would require somebody like Halvar Flake, FX, or Pedram Amini. All three of which I credit for this vulnerability information feasibility fact-finding. So it's too late. Don't bother upgrading now; you're already owned. Unless they are blocking it at the ISP borders in the same way they blocked out the Cisco IPv4 Crafted DoS vulnerability in 2003. ISP's probably got the patch (or at least Cisco's ISP's did) a week ago. Had rolling reboots lately? Don't know why? Lots of "miscellaneous" ISP maintenace. I wonder... Hey Cisco - listen up. Hire some vulnerability assessors before the future probable Month-of-Cisco-Bugs becomes Year-of-Cisco-Bugs aka loss of 10B US dollars in revenue. Or whatever John Chambers makes, whichever is lower. -dre On 1/24/07, Kevin Graham <mahargk@...il.com> wrote: > On Wed, 24 Jan 2007, Cisco Systems Product Security Incident Response > Team wrote: > > > Cisco Security Advisory: Crafted IP Option Vulnerability > > If I recall correctly, this is the first (PSIRT acknowledged) > stack/heap vulnerability since Michael Lynn's much-publicized BlackHat > presentation. While there was plenty of brief speculation at the time > of what Chinese/Russian/American-xenophobic-target hax0rs had already > implemented, not much bubbled up to the operational world... > > Does anyone more active in the security community have pointers as to > how generic (and common) are tools targeting IOS exist? > > On 1/24/07, Paul Stewart <paul@...lstewart.org> wrote: > > > I have read over this and am "fearful" of what I read.. my first thought > is > > to drop everything, get emergency maintenance window releases and spend a > > couple of nights upgrading like crazy... > > "20070124-crafted-tcp" seems obvious enough (though it would've been > good for PSIRT to indicate how "small" the leakage per packet is to > gauge CoPP values), but "20070124-crafted-ip-option" likely should > tingle your spine. > _______________________________________________ > cisco-nsp mailing list cisco-nsp@...k.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists