[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <7B01ACCEDD4FFE48B12A55E2DB16A9300BE841@dccheltenham.local.irmplc.com>
Date: Wed, 27 Jun 2007 10:56:12 +0100
From: "Andy Davis" <andy.davis@...plc.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: IOS Exploitation Techniques Paper
It has been more than a year since Michael Lynn first demonstrated a
reliable code execution exploit on Cisco IOS at Black Hat 2005. Although
his presentation received a lot of media coverage in the security
community, very little is known about the attack and the technical
details surrounding the IOS check_heaps() vulnerability. This paper is a
result of research carried out by IRM to analyse and understand the
check_heaps() attack and its impact on similar embedded devices.
Furthermore, it also helps developers understand security-specific
issues in embedded environments and developing mitigation strategies for
similar vulnerabilities. The paper primarily focuses on the techniques
developed for bypassing the check_heaps() process, which has
traditionally prevented reliable exploitation of memory-based overflows
on the IOS platform. Using inbuilt IOS commands, memory dumps and open
source tools IRM was able to recreate the vulnerability in a lab
environment. The paper is divided in three sections, which cover the
ICMPv6 source-link attack vector, IOS Operating System internals, and
finally the analysis of the attack itself.
The full paper can be downloaded from:
http://www.irmplc.com/index.php/69-Whitepapers
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists