| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 27 Jun 2007 14:06:15 -0400 From: Mike Caudill <mcaudill@...co.com> To: Andy Davis <andy.davis@...plc.com> Cc: full-disclosure@...ts.grok.org.uk, psirt@...co.com Subject: Re: IOS Exploitation Techniques Paper -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Andy Davis <andy.davis@...plc.com> [2007-06-27 06:07] wrote: > It has been more than a year since Michael Lynn first demonstrated a reliable > code execution exploit on Cisco IOS at Black Hat 2005. Although his > presentation received a lot of media coverage in the security community, very > little is known about the attack and the technical details surrounding the IOS > check_heaps() vulnerability. This paper is a result of research carried out by > IRM to analyse and understand the check_heaps() attack and its impact on > similar embedded devices. Furthermore, it also helps developers understand > security-specific issues in embedded environments and developing mitigation > strategies for similar vulnerabilities. The paper primarily focuses on the > techniques developed for bypassing the check_heaps() process, which has > traditionally prevented reliable exploitation of memory-based overflows on the > IOS platform. Using inbuilt IOS commands, memory dumps and open source tools > IRM was able to recreate the vulnerability in a lab environment. The paper is > divided in three sections, which cover the ICMPv6 source-link attack vector, > IOS Operating System internals, and finally the analysis of the attack itself. > > The full paper can be downloaded from: > > http://www.irmplc.com/index.php/69-Whitepapers > As Andy stated, the IOS Exploitation Techniques whitepaper covers details regarding IOS vulnerabilities which have been previously disclosed. Further information regarding the vulnerabilities used in the exploit were resolved across two separate Cisco security advisories released in 2005. The first advisory covered the attack vector: Cisco Security Advisory: IPv6 Crafted Packet Vulnerability http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml and the second advisory covered the underlying vulnerability which allowed for the possibility of remote code execution: Cisco Security Advisory: IOS Heap-based Overflow Vulnerability in System Timers. http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml Cisco customers should reference those advisories (and more recently released advisories) to determine the version(s) of software needed to remediate any vulnerabilities within their network. We would like to thank Andy for his continued cooperation with us in the spirit of responsible disclosure and working to increase awareness of security issues. For information on working with the Cisco PSIRT regarding potential security issues, please see our contact information at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html Thanks. - -Mike- - -- Mike Caudill <mcaudill@...co.com> PSIRT Incident Manager DSS PGP: 0xEBBD5271 +1.919.392.2855 / +1.919.522.4931 (cell) http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFGgqcXimPJSeu9UnERAoDCAJ9mKjGzZiG2/JDWMq1ACj6D0uPZ6QCg7Wyb a2KrlweRQMo8OMOdvTzU5Ks= =lMUS -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists