Full Disclosure mailing list archives
Re: IRM Demonstrates Multiple Cisco IOS Exploitation Techniques
From: "Rodrigo Rubira Branco (BSDaemon)" <rodrigo () kernelhacking com>
Date: Wed, 10 Oct 2007 10:36:45 -0000
Hey Andy,

For sure the shellcodes can be used in a local attack, but I want to see you using a connect back shellcode locally in an IOS system ;) that's why I said explicitly remote.

cya,

Rodrigo (BSDaemon).

--
http://www.kernelhacking.com/rodrigo
Kernel Hacking: If i really know, i can hack
GPG KeyID: 1FCEDEA1

--------- Original Message --------
From: Andy Davis <andy.davis () irmplc com>
To: Rodrigo Rubira Branco BSDaemon <rodrigo () kernelhacking com>, full-disclosure () lists grok org uk <full-disclosure () lists grok org uk>
Subject: RE: [Full-disclosure] IRM Demonstrates Multiple Cisco IOS Exploitation Techniques
Date: 10/10/07 09:58

It doesn't even need to be a remote vulnerability - all three techniques could be used to perform privilege escalation attacks against local vulnerabilities within IOS.

Andy

-----Original Message-----
From: Rodrigo Rubira Branco (BSDaemon) [mailto:rodrigo () kernelhacking com]
Sent: 10 October 2007 10:46
To: Gaus; "full-disclosure () lists grok org uk"@fjaunet.com.br; Andy Davis
Subject: Re: [Full-disclosure] IRM Demonstrates Multiple Cisco IOS Exploitation Techniques

Also if you have any vulnerability (remote) that can lead to code execution, right?

cya,

Rodrigo (BSDaemon).

--
http://www.kernelhacking.com/rodrigo
Kernel Hacking: If i really know, i can hack
GPG KeyID: 1FCEDEA1

--------- Original Message --------
From: Gaus <gaus () cisco com>
To: full-disclosure () lists grok org uk <full-disclosure () lists grok org uk>, Andy Davis <andy.davis () irmplc com>
Subject: Re: [Full-disclosure] IRM Demonstrates Multiple Cisco IOS Exploitation Techniques
Date: 10/10/07 09:18

> Hello,
>
> This is response from Cisco PSIRT related to this matter.
>
> On Wed, Oct 10, 2007 at 10:55:54AM +0100, Andy Davis wrote:
> > During the research, three shellcode payloads for IOS exploits were
> > developed - a "reverse" shell, a password-protected "bind" shell and
> > another "bind" shell that is achieved using only two 1-byte memory
> > overwrites. IRM have produced videos demonstrating each of these
> > payloads in action within a development environment. They can be viewed
>
> Cisco PSIRT is aware of the three videos IRM Plc. published on their
> web site at <http://www.irmplc.com/index.php/153-Embedded-Systems-Security>.
>
> Cisco and IRM agree that the videos do not demonstrate or represent a
> vulnerability in Cisco IOS. Specifically, the code to manipulate
> Cisco IOS could be inserted only under the following conditions:
>
> - Usage of the debugger functionality present in IOS
>
> - Having physical access to the device
>
> - Already logged in at the highest privilege level on the device.
>
> IRM approached Cisco PSIRT with this information prior to its public
> release and Cisco has confirmed the information provided is a
> proof-of-concept that third party code could be inserted under these
> specific conditions.
>
> Regards,
>
> Gaus
>
> Damir Rajnovic <psirt () cisco com>, PSIRT Incident Manager, Cisco Systems
> <http://www.cisco.com/go/psirt> Telephone: +44 7715 546 033
> 200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
> There are no insolvable problems.
> The question is can you accept the solution?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

________________________________________________
Message sent using UebiMiau 2.7.2