Message-ID: <20070627180615.GB4965@cisco.com>
Date: Wed, 27 Jun 2007 14:06:15 -0400
From: Mike Caudill <mcaudill@...co.com>
To: Andy Davis <andy.davis@...plc.com>
Cc: full-disclosure@...ts.grok.org.uk, psirt@...co.com
Subject: Re: IOS Exploitation Techniques Paper

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Andy Davis <andy.davis@...plc.com> [2007-06-27 06:07] wrote:
> It has been more than a year since Michael Lynn first demonstrated a reliable
> code execution exploit on Cisco IOS at Black Hat 2005. Although his
> presentation received a lot of media coverage in the security community, very
> little is known about the attack and the technical details surrounding the IOS
> check_heaps() vulnerability. This paper is a result of research carried out by
> IRM to analyse and understand the check_heaps() attack and its impact on
> similar embedded devices. Furthermore, it also helps developers understand
> security-specific issues in embedded environments and develop mitigation
> strategies for similar vulnerabilities. The paper primarily focuses on the
> techniques developed for bypassing the check_heaps() process, which has
> traditionally prevented reliable exploitation of memory-based overflows on the
> IOS platform. Using inbuilt IOS commands, memory dumps and open source tools,
> IRM was able to recreate the vulnerability in a lab environment. The paper is
> divided into three sections, which cover the ICMPv6 source-link attack vector,
> IOS Operating System internals, and finally the analysis of the attack itself.
> 
> The full paper can be downloaded from:
> 
> http://www.irmplc.com/index.php/69-Whitepapers
> 

As Andy stated, the IOS Exploitation Techniques whitepaper covers
details regarding IOS vulnerabilities which have been previously
disclosed. Further information regarding the vulnerabilities used in
the exploit were resolved across two separate Cisco security advisories
released in 2005.

The first advisory covered the attack vector:

   Cisco Security Advisory:  IPv6 Crafted Packet Vulnerability
   http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml

and the second advisory covered the underlying vulnerability which
allowed for the possibility of remote code execution:

   Cisco Security Advisory:  IOS Heap-based Overflow Vulnerability in System Timers.
   http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml

Cisco customers should reference those advisories (and more recently
released advisories) to determine the version(s) of software needed to
remediate any vulnerabilities within their network.

We would like to thank Andy for his continued cooperation with us in the
spirit of responsible disclosure and working to increase awareness of
security issues.

For information on working with the Cisco PSIRT regarding potential
security issues, please see our contact information at

  http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Thanks.

- -Mike-

- -- 

Mike Caudill  <mcaudill@...co.com>     
PSIRT Incident Manager                
DSS PGP: 0xEBBD5271                     
+1.919.392.2855 / +1.919.522.4931 (cell) 
http://www.cisco.com/go/psirt        

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFGgqcXimPJSeu9UnERAoDCAJ9mKjGzZiG2/JDWMq1ACj6D0uPZ6QCg7Wyb
a2KrlweRQMo8OMOdvTzU5Ks=
=lMUS
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
