Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] IOS Exploitation Techniques Paper

from [Mike Caudill] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] IOS Exploitation Techniques Paper
Date: Wed, 27 Jun 2007 14:06:15 -0400 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Andy Davis <andy.davis@irmplc.com> [2007-06-27 06:07] wrote:
It has been more than a year since Michael Lynn first demonstrated a reliable
code execution exploit on Cisco IOS at Black Hat 2005. Although his
presentation received a lot of media coverage in the security community, very
little is known about the attack and the technical details surrounding the IOS
check_heaps() vulnerability. This paper is a result of research carried out by
IRM to analyse and understand the check_heaps() attack and its impact on
similar embedded devices. Furthermore, it also helps developers understand
security-specific issues in embedded environments and developing mitigation
strategies for similar vulnerabilities. The paper primarily focuses on the
techniques developed for bypassing the check_heaps() process, which has
traditionally prevented reliable exploitation of memory-based overflows on the
IOS platform. Using inbuilt IOS commands, memory dumps and open source tools
IRM was able to recreate the vulnerability in a lab environment. The paper is
divided in three sections, which cover the ICMPv6 source-link attack vector,
IOS Operating System internals, and finally the analysis of the attack itself.

The full paper can be downloaded from:

http://www.irmplc.com/index.php/69-Whitepapers



As Andy stated, the IOS Exploitation Techniques whitepaper covers
details regarding IOS vulnerabilities which have been previously
disclosed. Further information regarding the vulnerabilities used in
the exploit were resolved across two separate Cisco security advisories
released in 2005.

The first advisory covered the attack vector:

   Cisco Security Advisory:  IPv6 Crafted Packet Vulnerability
   http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml

and the second advisory covered the underlying vulnerability which
allowed for the possibility of remote code execution:

   Cisco Security Advisory:  IOS Heap-based Overflow Vulnerability in System 
Timers.
   http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml

Cisco customers should reference those advisories (and more recently
released advisories) to determine the version(s) of software needed to
remediate any vulnerabilities within their network.

We would like to thank Andy for his continued cooperation with us in the
spirit of responsible disclosure and working to increase awareness of
security issues.

For information on working with the Cisco PSIRT regarding potential
security issues, please see our contact information at

  
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Thanks.

- -Mike-

- -- 

Mike Caudill  <mcaudill@cisco.com>     
PSIRT Incident Manager                
DSS PGP: 0xEBBD5271                     
+1.919.392.2855 / +1.919.522.4931 (cell) 
http://www.cisco.com/go/psirt        

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFGgqcXimPJSeu9UnERAoDCAJ9mKjGzZiG2/JDWMq1ACj6D0uPZ6QCg7Wyb
a2KrlweRQMo8OMOdvTzU5Ks=
=lMUS
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] Month of Random Hashes: DAY FOURTEEN, Joey Mengele
Next by Date:  Re: [Full-disclosure] Month of Random Hashes: DAY FOURTEEN, Joey Mengele
Previous by Thread:  [Full-disclosure] IOS Exploitation Techniques Paper, Andy Davis
Next by Thread:  [Full-disclosure] deviantArt does not check authorization for image download, Timothy Redaelli
Indexes:  [Date] [Thread] [Top] [All Lists]