Full Disclosure mailing list archives

Re: IRM Demonstrates Multiple Cisco IOS Exploitation Techniques


From: "Rodrigo Rubira Branco (BSDaemon)" <rodrigo () kernelhacking com>
Date: Wed, 10 Oct 2007 10:36:45 -0000

Hey Andy,

For sure the shellcodes can be used in a local attack, but I want to see you
using a connect back shellcode locally in an IOS system ;) that's why I said
explicitly remote.

cya,


Rodrigo (BSDaemon).

--
http://www.kernelhacking.com/rodrigo

Kernel Hacking: If i really know, i can hack

GPG KeyID: 1FCEDEA1


--------- Original Message --------
From: Andy Davis <andy.davis () irmplc com>
To: Rodrigo Rubira Branco BSDaemon <rodrigo () kernelhacking com>,
full-disclosure () lists grok org uk <full-disclosure () lists grok org uk>
Subject: RE: [Full-disclosure] IRM Demonstrates Multiple Cisco IOS
Exploitation Techniques
Date: 10/10/07 09:58


It doesn't even need to be a remote vulnerability - all three techniques
could be used to perform privilege escalation attacks against local
vulnerabilities within IOS.

Andy

-----Original Message-----
From: Rodrigo Rubira Branco (BSDaemon)
[mailto:rodrigo () kernelhacking com]
Sent: 10 October 2007 10:46
To: Gaus; "full-disclosure () lists grok org uk"@fjaunet.com.br;
Andy Davis
Subject: Re: [Full-disclosure] IRM Demonstrates Multiple Cisco IOS
Exploitation Techniques

Also if you have any vulnerability (remote) that can lead to code
execution, right?


cya,


Rodrigo (BSDaemon).

--
http://www.kernelhacking.com/rodrigo

Kernel Hacking: If i really know, i can hack

GPG KeyID: 1FCEDEA1


--------- Original Message --------
From: Gaus <gaus () cisco com>
To: full-disclosure () lists grok org uk
<full-disclosure () lists grok org uk>,
Andy Davis <andy.davis () irmplc com>
Subject: Re: [Full-disclosure] IRM Demonstrates Multiple Cisco IOS
Exploitation Techniques
Date: 10/10/07 09:18

> Hello,
>
> This is response from Cisco PSIRT related to this matter.
>
> On Wed, Oct 10, 2007 at 10:55:54AM +0100, Andy Davis wrote:
> > During the research, three shellcode payloads for IOS exploits were
> > developed - a "reverse" shell, a password-protected "bind" shell and
> > another "bind" shell that is achieved using only two 1-byte memory
> > overwrites. IRM have produced videos demonstrating each of these
> > payloads in action within a development environment. They can be
> > viewed
>
>
> Cisco PSIRT is aware of the three videos IRM Plc. published on their
> web site at
> <http://www.irmplc.com/index.php/153-Embedded-Systems-Security>.
>
> Cisco and IRM agree that the videos do not demonstrate or represent a
> vulnerability in Cisco IOS. Specifically, the code to manipulate
> Cisco IOS could be inserted only under the following conditions:
>
> - Usage of the debugger functionality present in IOS
>
> - Having physical access to the device
>
> - Already logged in at the highest privilege level on the device.
>
> IRM approached Cisco PSIRT with this information prior to its public
> release and Cisco has confirmed the information provided is a
> proof-of-concept that third party code could be inserted under these
> specific conditions.
>
> Regards,
>
> Gaus
>
> Damir Rajnovic <psirt () cisco com>, PSIRT Incident Manager, Cisco Systems
> <http://www.cisco.com/go/psirt>      Telephone: +44 7715 546 033
> 200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
> There are no insolvable problems.
> The question is can you accept the solution?
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

________________________________________________
Message sent using UebiMiau 2.7.2