Full Disclosure mailing list archives

Re: IRM Demonstrates Multiple Cisco IOS Exploitation Techniques

From: "Andy Davis" <andy.davis () irmplc com>
Date: Wed, 10 Oct 2007 13:10:18 +0100

It doesn't even need to be a remote vulnerability - all three techniques
could be used to perform privilege escalation attacks against local
vulnerabilities within IOS. 

Andy

-----Original Message-----
From: Rodrigo Rubira Branco (BSDaemon)
[mailto:rodrigo () kernelhacking com] 
Sent: 10 October 2007 10:46
To: Gaus; "full-disclosure () lists grok org uk"@fjaunet.com.br; Andy Davis
Subject: Re: [Full-disclosure] IRM Demonstrates Multiple Cisco IOS
Exploitation Techniques

Also if you have any vulnerability (remote) that can lead to code
execution,
right?


cya,


Rodrigo (BSDaemon).

--
http://www.kernelhacking.com/rodrigo

Kernel Hacking: If i really know, i can hack

GPG KeyID: 1FCEDEA1


--------- Mensagem Original --------
De: Gaus <gaus () cisco com>
Para: full-disclosure () lists grok org uk
<full-disclosure () lists grok org uk>,
Andy Davis <andy.davis () irmplc com>
Assunto: Re: [Full-disclosure] IRM Demonstrates Multiple Cisco IOS
Exploitation Techniques
Data: 10/10/07 09:18

Hello,

This is response from Cisco PSIRT related to this matter.

On Wed, Oct 10, 2007 at 10:55:54AM +0100, Andy Davis wrote:
&gt; During the research, three shellcode payloads for IOS exploits

were

&gt; developed - a &quot;reverse&quot; shell, a password-protected

&quot;bind&quot; shell and

&gt; another &quot;bind&quot; shell that is achieved using only two

1-byte
memory

&gt; overwrites. IRM have produced videos demonstrating each of these
&gt; payloads in action within a development environment. They can be

viewed



Cisco PSIRT is aware of the three videos IRM Plc. published on their
web site at

&lt;http://www.irmplc.com/index.php/153-Embedded-Systems-Security&gt;.


Cisco and IRM agree that the videos do not demonstrate or represent a
vulnerability in Cisco IOS. Specifically, the code to manipulate
Cisco IOS could be inserted only under the following conditions:

- Usage of the debugger functionality present in IOS

- Having physical access to the device

- Already logged in at the highest privilege level on the device.

IRM approached Cisco PSIRT with this information prior to its public
release and Cisco has confirmed the information provided is a
proof-of-concept that third party code could be inserted under these
specific conditions.

Regards,

Gaus

Damir Rajnovic &lt;psirt () cisco com&gt;, PSIRT Incident Manager, Cisco

Systems

&lt;http://www.cisco.com/go/psirt&gt;      Telephone: +44 7715 546 033
200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
There are no insolvable problems.
The question is can you accept the solution?






_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


________________________________________________
Message sent using UebiMiau 2.7.2

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: IRM Demonstrates Multiple Cisco IOS Exploitation Techniques Rodrigo Rubira Branco (BSDaemon) (Oct 10)
- Re: IRM Demonstrates Multiple Cisco IOS Exploitation Techniques Andy Davis (Oct 10)
- <Possible follow-ups>
- Re: IRM Demonstrates Multiple Cisco IOS Exploitation Techniques Rodrigo Rubira Branco (BSDaemon) (Oct 10)
- Re: IRM Demonstrates Multiple Cisco IOS Exploitation Techniques Rodrigo Rubira Branco (BSDaemon) (Oct 10)