Date: Wed, 10 Oct 2007 10:36:45 -0000
From: "Rodrigo Rubira Branco (BSDaemon)" <rodrigo@...nelhacking.com>
To: "Andy Davis" <andy.davis@...plc.com>,
	"Rodrigo Rubira Branco BSDaemon" <rodrigo@...nelhacking.com>,
	"full-disclosure@...ts.grok.org.uk"@fjaunet.com.br
Subject: Re: IRM Demonstrates Multiple Cisco IOS
	Exploitation Techniques

Hey Andy,

For sure the shellcodes can be used in a local attack, but I want to see you
using a connect back shellcode locally in an IOS system ;) that's why I said
explicitly remote.

cya,


Rodrigo (BSDaemon).

--
http://www.kernelhacking.com/rodrigo

Kernel Hacking: If i really know, i can hack

GPG KeyID: 1FCEDEA1


--------- Original Message --------
From: Andy Davis <andy.davis@...plc.com>
To: Rodrigo Rubira Branco BSDaemon <rodrigo@...nelhacking.com>,
full-disclosure@...ts.grok.org.uk <full-disclosure@...ts.grok.org.uk>
Subject: RE: [Full-disclosure] IRM Demonstrates Multiple Cisco IOS
Exploitation Techniques
Date: 10/10/07 09:58

>
> It doesn't even need to be a remote vulnerability - all three techniques
> could be used to perform privilege escalation attacks against local
> vulnerabilities within IOS.
>
> Andy
>
> -----Original Message-----
> From: Rodrigo Rubira Branco (BSDaemon)
> [mailto:rodrigo@...nelhacking.com]
> Sent: 10 October 2007 10:46
> To: Gaus; "full-disclosure@...ts.grok.org.uk"@fjaunet.com.br; Andy Davis
> Subject: Re: [Full-disclosure] IRM Demonstrates Multiple Cisco IOS
> Exploitation Techniques
>
> Also if you have any vulnerability (remote) that can lead to code
> execution,
> right?
>
>
> cya,
>
>
> Rodrigo (BSDaemon).
>
> --
> http://www.kernelhacking.com/rodrigo
>
> Kernel Hacking: If i really know, i can hack
>
> GPG KeyID: 1FCEDEA1
>
>
> --------- Original Message --------
> From: Gaus <gaus@...co.com>
> To: full-disclosure@...ts.grok.org.uk
> <full-disclosure@...ts.grok.org.uk>,
> Andy Davis <andy.davis@...plc.com>
> Subject: Re: [Full-disclosure] IRM Demonstrates Multiple Cisco IOS
> Exploitation Techniques
> Date: 10/10/07 09:18
>
> > Hello,
> >
> > This is response from Cisco PSIRT related to this matter.
> >
> > On Wed, Oct 10, 2007 at 10:55:54AM +0100, Andy Davis wrote:
> > > During the research, three shellcode payloads for IOS exploits were
> > > developed - a "reverse" shell, a password-protected "bind" shell and
> > > another "bind" shell that is achieved using only two 1-byte memory
> > > overwrites. IRM have produced videos demonstrating each of these
> > > payloads in action within a development environment. They can be viewed
> >
> >
> > Cisco PSIRT is aware of the three videos IRM Plc. published on their
> > web site at
> > <http://www.irmplc.com/index.php/153-Embedded-Systems-Security>.
> >
> > Cisco and IRM agree that the videos do not demonstrate or represent a
> > vulnerability in Cisco IOS. Specifically, the code to manipulate
> > Cisco IOS could be inserted only under the following conditions:
> >
> > - Usage of the debugger functionality present in IOS
> >
> > - Having physical access to the device
> >
> > - Already logged in at the highest privilege level on the device.
> >
> > IRM approached Cisco PSIRT with this information prior to its public
> > release and Cisco has confirmed the information provided is a
> > proof-of-concept that third party code could be inserted under these
> > specific conditions.
> >
> > Regards,
> >
> > Gaus
> >
> > Damir Rajnovic <psirt@...co.com>, PSIRT Incident Manager, Cisco Systems
> > <http://www.cisco.com/go/psirt>      Telephone: +44 7715 546 033
> > 200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
> > There are no insolvable problems.
> > The question is can you accept the solution?
> >

________________________________________________
Message sent using UebiMiau 2.7.2

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
