The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[REVS] Cisco IOS Exploitation Techniques Paper


<< Previous INDEX Search src / Print Next >>
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 27 Jun 2007 16:21:35 +0200
Subject: [REVS] Cisco IOS Exploitation Techniques Paper
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070627144207.4620A5AFC@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -




  Cisco IOS Exploitation Techniques Paper
------------------------------------------------------------------------


SUMMARY

It has been more than a year since Michael Lynn first demonstrated a 
reliable code execution exploit on Cisco IOS at Black Hat 2005. Although 
his presentation received a lot of media coverage in the security 
community, very little is known about the attack and the technical details 
surrounding the IOS check_heaps() vulnerability. This paper is a result of 
research carried out by IRM to analyse and understand the check_heaps() 
attack and its impact on similar embedded devices. Furthermore, it also 
helps developers understand security-specific issues in embedded 
environments and developing mitigation strategies for similar 
vulnerabilities. The paper primarily focuses on the techniques developed 
for bypassing the check_heaps() process, which has traditionally prevented 
reliable exploitation of memory-based overflows on the IOS platform. Using 
inbuilt IOS commands, memory dumps and open source tools IRM was able to 
recreate the vulnerability in a lab environment. The paper is divided in 
three sections, which cover the ICMPv6 source-link attack vector, IOS 
Operating System internals, and finally the analysis of the attack itself.

DETAILS

Conclusions:
The check_heaps() vulnerability was mainly due to design issues and 
further exploitable due to the lack of memory protection support between 
processes. Many embedded system vendors still rely on choosing performance 
and speed over security. As more and more "intelligence" is built into 
consume and commercial devices using embedded operating systems and 
software, the more significant these potential vulnerabilities may become. 
Therefore embedded systems vendors need to be aware of the potential 
attacks against their systems and the fact that many hackers are getting 
bored with researching traditional operating systems and are turning to 
embedded devices for a new challenge.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:andy.davis@irmplc.com.> Andy 
Davis.
The original article can be found at:  
<http://www.irmplc.com/download_pdf.php?src=Cisco_IOS_Exploitation_Techniques.pdf&force=yes>; http://www.irmplc.com/download_pdf.php?src=Cisco_IOS_Exploitation_Techniques.pdf&force=yes




This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: [email protected] In order to subscribe to the mailing list, simply forward this email to: [email protected]

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

<< Previous INDEX Search src / Print Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру