From: robbie (robbie@packetized.org)
Date: Tue Aug 02 2005 - 10:17:29 GMT-3
I've seen semi-specific information about how this occurs. Basically,
it's nothing new vulnerability-wise, it's just a new and fantastic way
of exploiting arbitrary buffer/stack overflows to produce a condition
that one has fine-grained control over, i.e. being able to write to heap
memory space and not have a process crash the router (as is normally the
case). Once this occurs, a port is opened with enable access. It's
pretty damned elegant.
Also, realistically speaking, how much separation is there of your
control plane from the data plane? All one really has to do is gain
control of a distribution layer router with iBGP or IGP peering with the
rest of your network, and you're pretty much owned. If you're really
hardcore about security (and we all should be, but most of us just
simply aren't) you'd have a complete OAM network built out of band of
your transit network.
Maybe I'm just talking out of my rear. But it certainly doesn't appear
that this is merely a shot in the dark. I'd be shocked if the next
buffer/stack overflow vuln that gets exposed doesn't get exploited using
this method.
--
Cheers,
Robbie

Church, Chuck wrote:
> It's starting to look more and more that this vulnerability is a real
> shot in the dark. Doing a 'sh ip sockets' on a few routers I've got on
> the 'net (various customers, etc), shows the 12.1 and 12.2T not
> listening on any ports above SNMP - 162. But a 12.3 I looked at was
> listening on 52122, not really sure why. 'sh ip sock' doesn't appear to
> give you info about TCP ports, not sure if there is an equivalent
> command. So it seems that sending these crafted packets to random high
> ports would be a real trick, because they may not exist. Even if they do
> exist, control plane policing may drop some if the rate is too high.
> Certainly an IDS watching for these packets aimed at a router interface
> would have time to shun that remote host before anything was
> compromised. At least that's what I'm thinking. Of course, an internet
> connected router with no access lists at all is probably just waiting to
> be compromised. Next week or so should be interesting...
>
>
> Chuck Church
> Lead Design Engineer
> CCIE #8776, MCNE, MCSE
> Netco Government Services - Design & Implementation Team
> 1210 N. Parker Rd.
> Greenville, SC 29609
> Home office: 864-335-9473
> Cell: 864-266-3978
> cchurch@netcogov.com
> PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Church, Chuck
> Sent: Monday, August 01, 2005 5:42 PM
> To: Scott Morris; Simon Hamilton-Wilkes; security@groupstudy.com
> Subject: RE: The Cisco, Black Hat News....
>
> That makes sense. So a locked-down control plane on a router should be
> fairly resistant to attack? Assume I've got an internet-facing router,
> with an access-list that blocks all IP where the destination is the
> router's interface itself. (Or perhaps I'm only allowing in
> authenticated BGP and ICMP echo). No other traffic is allowed to hit
> router interfaces directly from the outside. Would that stop the crash,
> or could more insidious methods crash the stack, such as a transiting
> packet with IP options set, or something else that forces it to hit the
> CPU, rather than be fast switched? With all the anti-DOS stuff Cisco
> has rolled into IOS lately, it seems there might be a non-upgrade method
> of mitigating this...
>
>
> Chuck Church
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Scott Morris
> Sent: Monday, August 01, 2005 4:00 PM
> To: Church, Chuck; 'Simon Hamilton-Wilkes'; security@groupstudy.com
> Subject: RE: The Cisco, Black Hat News....
>
> He did a pseudo-telnet through a higher port by specially crafted packets
> that crashed the stack within IPv6 processing and gave him a terminal
> prompt. So it's certainly nothing that a "normal" person does to access a
> router, but nobody ever accused hackers of being normal. :)
>
> It is an attack that certainly involves much more code-level programming
> knowledge than any normal sane person has.
>
> Scott
>
>
> -----Original Message-----
> From: Church, Chuck [mailto:cchurch@netcogov.com]
> Sent: Monday, August 01, 2005 3:13 PM
> To: Scott Morris; Simon Hamilton-Wilkes; security@groupstudy.com
> Subject: RE: The Cisco, Black Hat News....
>
> The thing that I'm still unsure about is how this 'vulnerability' is
> actually exploited. The details of the conference told of Lynn running a
> shell script on the router -
> http://www.tomsnetworking.com/Sections-article131-page4.php
>
> How exactly did he connect? Console, telnet, some remote unix-type
> command?
> To my knowledge, no self-respecting ISP is going to leave any of those
> access methods open to the outside. Nor are they going to hack their own
> routers from the inside. Is this whole thing blown out of proportion?
>
>
> Chuck Church
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Scott Morris
> Sent: Monday, August 01, 2005 12:23 PM
> To: 'Simon Hamilton-Wilkes'; security@groupstudy.com
> Subject: RE: The Cisco, Black Hat News....
>
> I have gone through the preso, and spoken to some that were there.
>
> Yes, the preso is about stack heaps and memory-related things. But not
> every compiled routine has vulnerabilities. :) It's kind of like me
> describing to you that locks are easy to pick. Some are, some aren't and
> not everything that has a lock has a vulnerable one.
>
> The code he used to demonstrate the attack was IPv6-related.
>
> Scott
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Simon Hamilton-Wilkes
> Sent: Monday, August 01, 2005 10:47 AM
> To: security@groupstudy.com
> Subject: RE: The Cisco, Black Hat News....
>
> This is not correct at all, have you read the presentation?
> The IPv6 is unrelated, this one is an architectural issue within IOS, and
> though it's specific to an IOS version (due to requiring a specific memory
> offset for each one) it's still out there.
> Cisco should know better than to try and suppress the presentation now
> anyhow, it's mirrored all over the Internet now.
>
> Simon
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Scott Morris
> Sent: Friday, July 29, 2005 9:05 PM
> To: chon_mon@nym.hush.com; ccielab@groupstudy.com;
> security@groupstudy.com
> Subject: RE: The Cisco, Black Hat News....
>
> Only if you are running IPv6. And only if someone is on a locally attached
> network...
>
> And only if that person doing so has some really good coding capabilities.
>
> And only when three moons of Jupiter are in perfect alignment. (This is
> where the entertainment comes in for weighing statistical POSSIBILITY
> against statistical PROBABILITY, especially when it's a vulnerability
> created with very specific knowledge that most people don't have.)
>
> It's an interesting presentation all in all, and sure, it's a vulnerability.
> But there's more hoopla about the whole PROCESS that happened at Black Hat
> than any other part. :) It was a horrible day or two in PR for all involved.
>
> Check out PSIRT. There's a free IOS upgrade in it even for non-contract
> holders (gotta call TAC).
>
> HTH,
>
> Scott
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> chon_mon@nym.hush.com
> Sent: Friday, July 29, 2005 9:08 PM
> To: ccielab@groupstudy.com; security@groupstudy.com
> Subject: The Cisco, Black Hat News....
>
> Did anyone catch the news on this particular IOS flaw?
>
> http://cbs2.com/finance/CA--Cisco-SecurityCra-
> kf/resources_news_html
>
> Does anyone know which versions have this flaw? Does it affect all Cisco
> devices?
>
> Thanks,
> Sean
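As an added illustration (not from any message in this thread), this is the lockdown Chuck sketches written out as IOS configuration: an edge ACL that drops everything addressed to the router's own interface except its authenticated BGP peer and ICMP echo, a drop for IP-options packets that would otherwise be punted to the CPU even in transit, and control-plane policing as the backstop. The addresses (192.0.2.0/30), AS numbers, interface name and the BGP password placeholder are all constructed; command availability is assumed for a 12.3T-era release.

```cisco
! Constructed addresses: 192.0.2.1 is the router's Internet-facing
! interface, 192.0.2.2 its eBGP peer. Replace with your own.
!
! 1. Infrastructure ACL on the edge interface: traffic addressed to the
!    router itself is limited to the authenticated BGP peer and ICMP echo;
!    everything else to the router's address is dropped (and logged, so
!    an IDS/syslog watcher can see probing); transit traffic passes.
ip access-list extended EDGE-IN
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 permit icmp any host 192.0.2.1 echo
 deny   ip any host 192.0.2.1 log
 permit ip any any
!
interface Serial0/0
 description Internet uplink
 ip address 192.0.2.1 255.255.255.252
 ip access-group EDGE-IN in
!
! 2. Authenticate the BGP session so a spoofed peer cannot match the
!    permit above with a useful TCP payload (assumed AS numbers).
router bgp 64500
 neighbor 192.0.2.2 remote-as 64501
 neighbor 192.0.2.2 password REPLACE-WITH-SHARED-SECRET
!
! 3. Packets carrying IP options are process-switched even when they are
!    only transiting (Chuck's concern); drop them at ingress. Assumes an
!    IOS release that supports the 'ip options' global command.
ip options drop
!
! 4. Control-plane policing as the backstop the thread mentions: BGP gets
!    a generous rate, everything else punted to the CPU is policed hard.
ip access-list extended COPP-BGP
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
!
class-map match-all COPP-BGP
 match access-group name COPP-BGP
!
policy-map COPP
 class COPP-BGP
  police 512000 8000 conform-action transmit exceed-action transmit
 class class-default
  police 64000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

The `log` keyword on the deny line is the detection hook Chuck's IDS comment asks for, but logged matches are themselves process-switched and rate-limited, so keep it on the deny line only and watch `show ip access-lists` counters alongside syslog.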
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:18 GMT-3