
At Black Hat Briefings Michael Lynn was to give a presentation on security issues with Cisco’s IOS. His employer ISS and Cisco agreed he shouldn’t give the presentation; they showed up with “an armada of lawyers” at Black Hat and spent the night before the conference tearing and cutting the slides for Lynn’s talk out of the proceedings. When the presentation was due, a representative of Black Hat announced that the scheduled talk was cancelled and Lynn would present on “VoIP Security” instead. Lynn showed the first (ISS-branded) slide from that talk, the audience booed, and he asked whether they would prefer to hear about Cisco security – the audience did. So, after announcing that he no longer works at ISS, he gave a good show with somewhat thrown-together slides. The core of his talk was a demonstration in which he exploited a flaw in IOS using a payload that is a connect shell, giving him an enable prompt.
For further coverage see the comments at supernicety and Brian Krebs’ ‘Security Fix’ weblog, where several articles cover the issue: 1, 2, 3. More coverage can be found at other blogs: Security Blanket, Security Blog, Tao Security, News from the Lab, Security Awareness for Ma, Pa and the Corporate Clueless, Martin McKeay’s Network Security Blog, slashdot, Tom’s Hardware: 1, 2 and in the press: Security Focus, InformationWeek, The Register, CNet, techworld, CRN, BBC, NetworkWorld, Wired, ZDNet, heise, eWeek: 1, 2.
There are some things I’m missing in the coverage of the issue so far.
- Lynn did not talk about a flaw in Cisco’s IOS. He demonstrated how to exploit flaws in IOS. So far there had been very little success in exploiting vulnerabilities in IOS to do something useful for an attacker. But nobody with real experience in system penetration would have claimed that it is impossible. It was hard. Nobody had done it so far – or at least nobody who did talked about it in public. Lynn sat down and implemented the techniques to exploit (arbitrary) flaws in IOS. A very nifty hack, very elegantly implemented.
- This is not about a bug in IOS. To use the techniques Lynn demonstrated he needs to be able to write to memory locations on a Cisco. Because Cisco IOS has no memory protection, since by definition all processes run at the same privilege level, anybody who can write to arbitrary memory locations can control the router. There is no protection against that. And that’s not a flaw, it’s the way it is meant to be.
- Lynn used an actual flaw to demonstrate his technique. But this flaw was completely irrelevant to the presentation.
- Lynn worked for ISS and was (I’m told) paid to research this issue. I’m also told Cisco even provided him with the source code of IOS. If this is true I can to a certain degree understand that ISS and Cisco are trying to keep him from presenting on the issue.

Comments (3)

Source code
Lynn did not have source code available to him during the research of this exploit. I am not aware of the details of the relationship between ISS and Cisco, and I cannot confirm whether or not ISS as an organization had access to this (I doubt it), but I do know that this research was developed only through reverse engineering of the IOS images shipped with their routers (these are available for download if you have a router through TAC, CCO, and other Cisco outlets).
This comment was originally posted on 20050728T23:23:47
Posted 16 Oct 2008 at 7:51

That’s nice to hear. The question remains whether he did it for ISS or in his spare time (which I doubt).
This comment was originally posted on 20050729T00:48:01
A Slashdot posting by (probably) Mike Lynn states (as I do) that this was not about a vulnerability but about a (very elegant) technique of exploiting Ciscos. Read some more on the ramifications here.
This comment was originally posted on 20050729T00:50:33