Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[REVS] Cisco IOS Exploitation Techniques Paper

from [SecuriTeam] Network Security [Permanent Link]
Subject: [REVS] Cisco IOS Exploitation Techniques Paper
Date: 27 Jun 2007 16:21:35 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Cisco IOS Exploitation Techniques Paper
------------------------------------------------------------------------


SUMMARY

It has been more than a year since Michael Lynn first demonstrated a 
reliable code execution exploit on Cisco IOS at Black Hat 2005. Although 
his presentation received a lot of media coverage in the security 
community, very little is known about the attack and the technical details 
surrounding the IOS check_heaps() vulnerability. This paper is a result of 
research carried out by IRM to analyse and understand the check_heaps() 
attack and its impact on similar embedded devices. Furthermore, it also 
helps developers understand security-specific issues in embedded 
environments and developing mitigation strategies for similar 
vulnerabilities. The paper primarily focuses on the techniques developed 
for bypassing the check_heaps() process, which has traditionally prevented 
reliable exploitation of memory-based overflows on the IOS platform. Using 
inbuilt IOS commands, memory dumps and open source tools IRM was able to 
recreate the vulnerability in a lab environment. The paper is divided in 
three sections, which cover the ICMPv6 source-link attack vector, IOS 
Operating System internals, and finally the analysis of the attack itself.

DETAILS

Conclusions:
The check_heaps() vulnerability was mainly due to design issues and 
further exploitable due to the lack of memory protection support between 
processes. Many embedded system vendors still rely on choosing performance 
and speed over security. As more and more "intelligence" is built into 
consume and commercial devices using embedded operating systems and 
software, the more significant these potential vulnerabilities may become. 
Therefore embedded systems vendors need to be aware of the potential 
attacks against their systems and the fact that many hackers are getting 
bored with researching traditional operating systems and are turning to 
embedded devices for a new challenge.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:andy.davis@irmplc.com> Andy 
Davis.
The original article can be found at:  
<http://www.irmplc.com/download_pdf.php?src=Cisco_IOS_Exploitation_Techniques.pdf&force=yes>
 
http://www.irmplc.com/download_pdf.php?src=Cisco_IOS_Exploitation_Techniques.pdf&force=yes



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [REVS] Cisco IOS Exploitation Techniques Paper, SecuriTeam <=
Previous by Date:  [NEWS] CheckPoint VPN-1 UTM Edge Cross Site Request Forgery Vulnerability, SecuriTeam
Next by Date:  [NT] Symantec Mail Security for SMTP Boundary Errors, SecuriTeam
Previous by Thread:  [NEWS] CheckPoint VPN-1 UTM Edge Cross Site Request Forgery Vulnerability, SecuriTeam
Next by Thread:  [NT] Symantec Mail Security for SMTP Boundary Errors, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]