Re: Cisco IOS Shellcode Presentation

["lsi" <stuart () cyberdelix net>]

> Just store the program in a frikking *ROM*, and disallow execution of
> opcodes from RAM.  It's called a Harvard architecture.

The problem with this will be speed, will it not?  It could be cached 
into RAM - but then it would be modifiable ... 

I also have a query relating to the assertion by Lynn that worms 
would be difficult to make, because different firmware has different 
offsets.  Surely this would be as simple as looping though a list:

if (firmware == x) { attackstring = ABC }
elseif (firmware == y) {attackstring = DEF }
elseif (firmware == z) {attackstring = GHI }
...
etc

Finally, I note from the narrative on tomsnetworking that while the 
presentation did not describe exactly how to make an attack script 
that gets root, it nonetheless showed off exactly that.  "At the 
beginning of his talk, Michael Lynn connected to a Cisco router, ran 
his shell script and obtained the "enable" prompt." [1]  

I thus conclude it's only a matter of time before an "autorooter" is 
developed for use against a wide variety of routers.

The window of vulnerability, which is at least three weeks old, 
opened wide on the 27th, and remains so.  No amount of legal 
posturing by anybody can change this.

[1] http://www.tomsnetworking.com/Sections-article131-page4.php

---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/