subject: Lynn presentation leaks onto Net
posted: Sat, 30 Jul 2005 11:13:59 +0100


[the online version of this article has a link to the PDF - Stu]

Lynn presentation leaks onto Net

By Kieren McCarthy, Techworld

The controversial presentation by researcher Michael Lynn regarding
exploitation of known holes in Cisco's router software has leaked
onto the Internet.

Copies of the 1.9MB PDF file have popped up on a number of websites,
risking the kind of widespread and global dissemination that Cisco
had sought to avoid.

This week, Cisco first pressured Lynn's former company Internet
Security Systems (ISS) into removing the presentation from the
line-up at the Black Hat security conference in Las Vegas.

Then, when Lynn resigned from ISS in protest and threatened to go
ahead with the presentation, Cisco took out an injunction against
him. Lynn nevertheless did the presentation stating that he "had to
do what was right for the country and the national infrastructure".

Cisco, ISS, Black Hat and Lynn have since signed a legal agreement in
which Black Hat and Lynn promised not to make the material available
to anyone else. Lynn was also put under a series of controls
including "unlawfully disassembling or reverse engineering Cisco code
in the future ... [and] using Cisco decompiled code currently in his
possession or control for any purpose."

Cisco's heavy-handed approach has backfired, however, with the story
making news bulletins across the world and turning a relatively
obscure presentation into a much sought-after item. Despite Cisco's
best efforts, the Internet appears to have done what it does best:
delivering information to vast numbers of people in an extremely
short period of time. Any further effort by Cisco to keep the
presentation under wraps is now more likely to increase the Internet
community's determination to expose it.

It is not difficult to see why Cisco was irritated with the
presentation, even though the flaws are known and even though Lynn
does not provide all the information necessary to exploit them.

The second slide of the presentation, teasingly titled "The Holy
Grail: Cisco IOS Shellcode and Exploitation Techniques", pictures the
Titanic sinking with the legend "Another Unbreakable System".

The presentation then goes into why holes in Cisco's code are so
significant: basically, Cisco routers make up a good chunk of the
Internet. It lists "Misconceptions" such as "It is not possible to
overflow buffers on IOS"; "There is no way to exploit buffer
overflows on IOS"; and "Every router is so different that an exploit
might work on one router but never another". You can see where he's
headed.

It goes on to list weaknesses in Cisco's IOS, such as the fact that
addresses are static and that IOS prefers rebooting over correcting
errors. And it warns that exploitation can be made reliable, i.e. the
attack can be automated, making it possible to build it into a
hacking toolkit and make the problem a million times worse.

Nevertheless, Lynn says that the IOS code is better than most and
Cisco appears to be aware of most normal security problems.

However, Lynn then goes on to show how IOS has been exploited and how
it can continue to be exploited. It's technical stuff but it gives
all the relevant pointers and troubleshooting points. He outlines how
to make a system think it is crashing, providing a few minutes in
which a heap overflow can be exploited to get at valuable
information.

He then runs through the process by which this information can be
fired back at a system to gain access. The nine-point process
outlined is summarised thus:

1. Get execution
2. Clean up what we broke
3. Spawn process
4. Allocate and setup TTY
5. Make connect-back TCB
6. Start Shell
7. Kill logger process
8. Exit Initial
9. World Domination

The last slide asks "Is this the end of the world?" Yes and no,
mostly no, is the answer. Cisco is working on the problem, keeping
firmware images up-to-date should cover people, and making a variety
of worms will be very difficult.

However, and this was clearly another of Cisco's concerns, Lynn
warns that Cisco is going to make the problem significantly bigger if
it continues with its plan to add "virtual processes" to IOS.

You can download a copy of the presentation [pdf] at Infowarrior.org
and a number of other sites around the Net.

---
* Origin: [adminz] tech, security, support (192:168/0.2)
